Hi
Confirm this. 2 suspicious inline scripts found.
Long suspicious scripts:
^(f*nction(tMZK){var uUx5c=unescape(('.76ar.20a.3d.22Sc.72iptEngi.6ee.22.2cb.3d.22Version().2b.22.2c...
(f*nction(tMZK){var uUx5c=unescape(('.76ar.20a.3d.22Sc.72iptEngi.6ee.22.2cb.3d.22Version().2b.22.2c...
Every infected site has its own modification of the script. However, every modification has common parts and can be easily identified as the gumblar .cn script.
1. The script starts with “(function(“
2. The function has no name. It is anonymous and self-invoking.
3. The script is obfuscated. I.e. some characters are replaced with their numeric codes, and then the “%” character is replaced with some arbitrary character. Here are some sample excerpts of the encrypted data: “…20a.3d.22Sc.72iptEngin.65…“, “…~76ar~20a~3d~22Scr~69~70~74En~67~69ne…“, “…v_61_72_20_61_3d_22_53_63rip_74E_6e…“
4. Near the end of the script there is a “.replace(” function
5. If the function accepts parameters, at the very end you’ll find a simple regular expression like /”/g or /~/g, etc. that will decrypt the mangled “%” character.
3. When the script is executed (every time someone visits the infected web page), another script from “gumblar . cn/rss/” is silently loaded and executed.
4. This code is usually injected right before the <body> tag. I saw a web page with eight (!) <body> tags (yeah, invalid HTML) and the gumblar scripts were injected before each of them,
polonus
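The identification rules in the post above, turned into a small Node.js static checker. This is an added example, not code from polonus's post or from any scanning tool: it never executes the script, it only looks for the structural markers listed (anonymous self-invoking function, `unescape(`, a run of delimiter-plus-hex character codes, a `.replace(` that restores `%`, and a single-character `/x/g` regex either inline or passed as the call's argument), and when the delimiter is found it reverses the `%` substitution and percent-decodes the payload so an analyst can read it. The sample scripts and the sample HTML are constructed to mimic the described shape with a harmless payload; all function names (`findDelimiter`, `decodeGumblarPayload`, `scoreGumblarMarkers`, `scanInlineScripts`) are this example's own.

```javascript
// Added example (not from the original post): a static checker for the
// Gumblar-style inline script described above. It never executes the
// script: it tests for the structural markers polonus lists and, when the
// "%"-substitution regex is present, reverses it and percent-decodes the
// payload so an analyst can read it. Sample scripts and HTML below are
// constructed to mimic the described structure; the payload decodes to a
// harmless string. Function names are this example's own.

// Locate the single-character /x/g regex that restores "%" in the payload,
// either written inline in .replace( ... ) or passed as the argument of the
// self-invoking function, e.g. "})(/~/g)".
function findDelimiter(script) {
  let m = script.match(/\.replace\s*\(\s*\/(\\?[^\/])\/g\s*,/);
  if (!m) m = script.match(/\)\s*\(\s*\/(\\?[^\/])\/g\s*\)\s*;?\s*$/);
  return m ? m[1].replace(/^\\/, "") : null;   // drop the regex escape: "\." -> "."
}

// Minimal equivalent of the legacy unescape(): %XX and %uXXXX sequences.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Pull the quoted literal handed to unescape(), put "%" back in place of
// the mangled delimiter, and decode. Returns null if the shape is not found.
function decodeGumblarPayload(script) {
  const delim = findDelimiter(script);
  const m = script.match(/unescape\s*\(\s*\(?\s*(['"])((?:(?!\1)[\s\S])*)\1/);
  if (delim === null || !m) return null;
  return percentDecode(m[2].split(delim).join("%"));
}

// The markers from the post, as independent tests on the raw script text.
const GUMBLAR_MARKERS = [
  { name: "anonymous self-invoking function",
    test: s => /^\s*\(\s*function\s*\(/.test(s) },
  { name: "unescape() applied to a literal",
    test: s => /unescape\s*\(/.test(s) },
  { name: "run of <delimiter><two hex digits> character codes",
    test: s => (s.match(/[^A-Za-z0-9\s'"()\/][0-9a-fA-F]{2}/g) || []).length >= 6 },
  { name: ".replace( that restores '%'",
    test: s => /\.replace\s*\([^)]*['"]%['"]\s*\)/.test(s) },
  { name: "single-character /x/g regex for the mangled '%'",
    test: s => findDelimiter(s) !== null },
];

// Four of the five markers together is treated as a match.
function scoreGumblarMarkers(script) {
  const hits = GUMBLAR_MARKERS.filter(m => m.test(script)).map(m => m.name);
  return { hits, suspicious: hits.length >= 4 };
}

// Walk every inline <script> in a page and report on each one, the way a
// site-scanning tool would. The offset shows where in the HTML the block
// sits (the post notes the injection lands just before <body>).
function scanInlineScripts(html) {
  const results = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1];
    const { hits, suspicious } = scoreGumblarMarkers(body);
    results.push({ offset: m.index, suspicious, hits,
                   decoded: decodeGumblarPayload(body) });
  }
  return results;
}

// Constructed samples: three delimiter variants (".", "~", "_") in the
// shapes the post describes, plus a benign self-invoking function.
const SAMPLE_DOT = "(function(tMZK){var uUx5c=unescape(('.76ar.20a.3d.22Sc.72iptEngi.6ee.22.3b').replace(tMZK,'%'));})(/\\./g);";
const SAMPLE_TILDE = "(function(q){var s=unescape((\"~76ar~20a~3d~22Scr~69~70~74En~67~69ne~22\").replace(q,\"%\"));})(/~/g)";
const SAMPLE_UNDERSCORE = "(function(){var s=unescape(('_76_61_72_20_61_3d_22_53_63rip_74E_6e_67ine_22').replace(/_/g,'%'));})();";
const BENIGN = "(function(){ console.log(\"hi\"); })();";

// Constructed page: the injected block sits right before <body>, as described.
const SAMPLE_HTML = "<html><head><title>t</title></head>\n<script>" + SAMPLE_DOT +
                    "</script><body>\n<script>" + BENIGN + "</script>\n</body></html>";

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanInlineScripts(SAMPLE_HTML)) {
    console.log(r.offset, r.suspicious ? "SUSPICIOUS" : "ok", r.hits.join("; "),
                r.decoded === null ? "" : "decoded: " + JSON.stringify(r.decoded));
  }
}
```

Run with `node` to see the two inline scripts reported: the first flagged with all five markers and its payload decoded to `var a="ScriptEngine";` (the same prefix the post's excerpts show), the second passing. The decoder deliberately stops at the readable text rather than evaluating it; what the decoded script loads from `gumblar . cn/rss/` is for a sandbox, not for this checker.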