This damn virus on my website. I cannot find any codes. I wonder, could you help with where I can find them?
I’ve been tracking this (SutraTDS) from a network forensics perspective for almost a month. What I’m seeing is that it only infects .js files…and it infects all of them. The last site I was checking out was throwing the bundled malicious JS files for everything on the server. I copied the text from the packets for 3 different samples, and they all generate the same deobfuscated code. I ran into one site last night where I didn’t notice that it was a Plesk site.
I’m curious as to why they haven’t moved the exploit site IP. It’s blocked in our network. I’m waiting for them to change it. The latest URL is hxxp://king-profit[dot]ru/in.cgi?7. DNS A record points to 18.104.22.168. If the pattern changes, I’ll post back. This is supposed to be BHEK related, but I haven’t found a machine in our network that has been infected yet.
I think the JS they are using is pretty creative, but once you see the pattern, it is easy to spot. From a web server perspective, I’m sure it can be annoying. It appears that once the valid website is compromised, it is being cleaned rather quickly. From an intrusion detection perspective, it’s easy to track…it all depends on what IPs they are using.
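Added example, not code from the thread: a defender-side scan that reads every .js file under a web root, checks each for the indicators quoted in the post above (kept defanged as posted), and reports any long block that every file shares at its head or tail, since the post describes the same payload being written into all of them. The web root path, the `MIN_SHARED` threshold and the sample scripts are constructed for this example.

```python
import os
from typing import Dict, List

# Indicators quoted in the thread, kept defanged as posted.
KNOWN_IOCS = ("king-profit", "in.cgi?7", "18.104.22.168")
MIN_SHARED = 40  # assumed threshold: a block this long present in every file is suspicious


def shared_block(texts: List[str], from_end: bool) -> str:
    """Longest run of text that every file shares at its start (or at its end)."""
    if not texts:
        return ""
    seqs = [t[::-1] for t in texts] if from_end else texts
    limit = min(len(s) for s in seqs)
    n = 0
    while n < limit and all(s[n] == seqs[0][n] for s in seqs):
        n += 1
    block = seqs[0][:n]
    return block[::-1] if from_end else block


def load_js(webroot: str) -> Dict[str, str]:
    """Read every .js file under webroot into a path -> contents map."""
    out: Dict[str, str] = {}
    for root, _, names in os.walk(webroot):
        for name in names:
            if name.endswith(".js"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    out[path] = fh.read()
    return out


def scan_js(files: Dict[str, str]) -> dict:
    """Report IoC hits and any head/tail block shared by all files (mass injection)."""
    texts = list(files.values())
    ioc_hits = sorted(p for p, t in files.items() if any(i in t for i in KNOWN_IOCS))
    head = shared_block(texts, from_end=False)
    tail = shared_block(texts, from_end=True)
    head = head if len(head) >= MIN_SHARED else ""
    tail = tail if len(tail) >= MIN_SHARED else ""
    return {
        "ioc_hits": ioc_hits,
        "shared_head": head,
        "shared_tail": tail,
        "likely_mass_injection": len(files) > 1 and bool(head or tail),
    }


# Constructed sample: three unrelated scripts that all end with the same appended block.
INJECTED = "var _0x=['k','i','n','g'];/* constructed stand-in; IoC defanged: king-profit[dot]ru/in.cgi?7 */"
SAMPLE_SITE = {
    "/var/www/js/menu.js": "function menu(){return 1;}\n" + INJECTED,
    "/var/www/js/slider.js": "var slides=[];\n" + INJECTED,
    "/var/www/js/jquery.min.js": "/*! jQuery */(function(){})();\n" + INJECTED,
}
```

Run `scan_js(load_js("/path/to/webroot"))` against a real site; `scan_js(SAMPLE_SITE)` shows the expected result on the constructed files.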