Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Javascript malware on website

  • Please log in to reply
1 reply to this topic

#1 atomas


  • Members
  • 1 posts
  • Local time:07:12 AM

Posted 02 January 2016 - 04:38 PM

Sucuri scanner shows sirious javascript malware infection on one of websites in Joomla witch I adminitsrate (from some weaks). I scanned and cleeaned files of website by ClamAv and BitDefender, there were many infections and suspicious code when I viewed the source in browser, I cleaned the database, actualize the JCE, and now the source in the web browser is completly clean, but some scanners still shows malware infection, for example Quttera: 




  1. <!--rk_czxV1dv1UTfErdQy30--><scripttype="text/javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E
  2. %66%75%6E%63%74%69%6F%6E%20%64%6E%6E%56%69%65%77%53%74%61%74%65%28%29
  3. %7B
  4. %76%61%72%20%61%3D%30%2C%6D%2C%76%2C%74%2C%7A%2C%78%3D%6E%65%77%20%41%72%72%61%79%28%27%39%30%39%31%39%36%38%33%37%36%27%2C%27%38%38%38%37%39%31%38%31%39%32%38%31%38%37%38%36%33%34%37%33%37%34%39%31%38%37%38%34%39%33%39%32%37%37%33%35%39%32%38%37%38%38%33%34%32%31%33%33%33%33%33%33%33%33%38%38%39%36%27%2C%27%37%37%38%


I cant find this code viewing the source of indicated url in my browser, the scanner wrote too:



Procedure: unescape has been called with a string containing hidden JavaScript code <script>%0Afunction dnnViewState()%0A{%0Avar a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990793917947998942577939317'),l=x.length;%0Awhile(++a<=l){m=x[l-a];%0At=z='';%0Afor(v=0;v<m.length;){t+=m.charAt(v++);%0Aif(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);%0At='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();%0A</script>.


Is it possible to hide the javascript code? I don't now any way to do this, so I should find the code in te browser source... I can't...

What to do? :radioactive:

BC AdBot (Login to Remove)


#2 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,580 posts
  • Gender:Male
  • Location:USA
  • Local time:12:12 AM

Posted 03 January 2016 - 10:58 PM

Some malware will target certain browsers, as it is trying to exploit particular weaknesses (e.g. IE typically). It might not be outputting unless you visit in a different browser.


It will be very important to manually scrub the site of any suspicious files and malicious code. This can be a tedious task if there are many files to the website. If you have a clean backup, I would restore that if possible.


I would also change any FTP or administrative panel passwords you have to be cautious. You never know how much access someone has once they have successfully gained control of the website.

Edited by Demonslay335, 03 January 2016 - 10:58 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users