{"id":2180,"date":"2008-12-28T18:23:47","date_gmt":"2008-12-28T18:23:47","guid":{"rendered":"http:\/\/www.bargh.co.uk\/blog\/?p=67"},"modified":"2008-12-28T18:23:47","modified_gmt":"2008-12-28T18:23:47","slug":"malware-and-7speedinfo","status":"publish","type":"post","link":"https:\/\/bargh.co.uk\/blog\/malware-and-7speedinfo\/","title":{"rendered":"Malware and 7speed.info"},"content":{"rendered":"<p>You have found this post because you&#8217;re trying to find out about an attack from 7speed.info, a malware site that has somehow infected your web site, causing virus alert warnings from programs such as Avast. I struggled to find information searching Google for an answer when it happened to me yesterday. I fumbled around and eventually found the way to resolve it thanks to Scott of <a href=\"http:\/\/mtminds.com\/\" target=\"_blank\">MTMinds<\/a>.<\/p>\n<p>The site has managed to get to your directory (web folders) and added some JavaScript to certain pages so that the malware (a combination of malicious and software) is activated. You need to do two things.<\/p>\n<p>First, <strong>make your site secure<\/strong> using new, stronger passwords on your server access point and when using FTP. Change these passwords immediately. Use passwords 8 to 12 characters long that are not meaningful words, just a string of letters (upper &amp; lower), punctuation and numbers. I now use this site to generate them automatically for me: <a href=\"http:\/\/www.pctools.com\/guides\/password\/\" target=\"_blank\">PC Tools Secure Password Generator.<\/a><\/p>\n<p>Second, find any files that have been &#8220;infected&#8221; and <strong>remove the offending JavaScript<\/strong>.<\/p>\n<p>The JavaScript from 7speed.info was placed in the first line of the body on most of my sites, and finding it on ones I&#8217;d created using HTML and basic structures was easy&#8230;once I knew what I was looking for! 
But on sites built using templates such as WordPress and Drupal it was a more challenging discovery. So I&#8217;ve written this blog to help speed up your investigation and repair.<\/p>\n<p>The JavaScript begins with <span style=\"color: #ff0000;\">&lt;script language=JavaScript&gt;<\/span>, then the function follows with <span style=\"color: #ff0000;\">function hilbnb25(z)<\/span>. The hilbnb bit might be a different set of characters on your page, but it always seems to be followed by (z). Next is <span style=\"color: #ff0000;\">{var c=z.length,m=1024<\/span> and then a huge string of letters and numbers ending with <span style=\"color: #ff0000;\">&lt;\/script&gt;&lt;!-- <em>your domain host<\/em> --&gt;<\/span><br \/>\nIf you take all this out the problem is resolved. Back up just in case you make a mistake.<\/p>\n<p><strong>To find the JavaScript<\/strong><br \/>\nI have several sites and found the easiest way to see if my site was infected was to use the Information menu on the Firefox Web Developer extension and then search for 7speed.info. It highlighted any code on the site. 
I could then locate the page via ftp and delete the code.<\/p>\n<p><strong>Pages affected<\/strong><br \/>\nIn my experience it was <strong>Index.html<\/strong> and <strong>index.php<\/strong> pages infected on basic sites<br \/>\n<strong>Header.php<\/strong> and <strong>Footer.php<\/strong> on basic sites with include files.<\/p>\n<p>On <strong>Drupal<\/strong> templates you need to go into the directory of the theme you are using and locate the <strong>page.tpl.php<\/strong> file<\/p>\n<p>On <strong>PHP Fusion<\/strong> edit the <strong>subheader.php<\/strong> and <strong>footer.php<\/strong> files<\/p>\n<p>On <strong>WordPress<\/strong> go into the theme directory and edit the <strong>header.php<\/strong> and <strong>footer.php<\/strong> files.<\/p>\n<p>Hope that helps.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You have found this post because you&#8217;re trying to find out about an attack from 7speed.info a malware site that has somehow infected your web site causing virus alert warnings from programs such as Avast. I struggled to find out information searching Google for an answer when it happened to me yesterday. 
I fumbled around [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1296],"tags":[1351,1374,1842,2261],"class_list":["post-2180","post","type-post","status-publish","format-standard","hentry","category-helping-hand","tag-attack","tag-bastard-hackers-javascript","tag-malware","tag-virus"],"_links":{"self":[{"href":"https:\/\/bargh.co.uk\/blog\/wp-json\/wp\/v2\/posts\/2180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bargh.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bargh.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bargh.co.uk\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bargh.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=2180"}],"version-history":[{"count":0,"href":"https:\/\/bargh.co.uk\/blog\/wp-json\/wp\/v2\/posts\/2180\/revisions"}],"wp:attachment":[{"href":"https:\/\/bargh.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=2180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bargh.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=2180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bargh.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=2180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}