Peter Bargh

words pictures sounds
December 28th, 2008 by Peter Bargh

Malware and 7speed.info

You have found this post because you’re trying to find out about an attack from 7speed.info a malware site that has somehow infected your web site causing virus alert warnings from programs such as Avast. I struggled to find out information searching Google for an answer when it happened to me yesterday. I fumbled around and eventually found the way to resolve it thanks to Scott of MTMinds.

The site has managed to get to your directory (web folders) and added some javascript to certain pages so that the malware (combination of malicious and software) is activated.  You need to do two things.

First make your site secure using new stronger passwords on your server access point and when using ftp. Change these passwords immediately. Use passwords with 8 to 12 character length that are not meaningful words just a string of letters (upper & lower), punctuation and numbers. I now use this site to generate ones automatically  for me: PC Tools Secure Password Generator.

Second find any files that have been “infected” and remove the offending javascript.

The javascript from 7speed.info was placed in the first line of the body on most of my sites, and finding it on ones I’d created using html and basic structures was easy…once I knew what I was looking for! But on sites built using templates such as WordPress and Drupal it was a more challenging discovery. So I’ve written this blog to help speed up your investigation and repair.

The javascript looks like this at the beginning <script language=JavaScript> then the functiion follows with function hilbnb25(z) the hilbnb bit might be a different set of charachters on your page but it always seems to follow with (z) Next is  {var c=z.length,m=1024 and then a huge string of letters and numbers ending with </script><!– your domain host –>
If you take all this out the problem is resolved.  Back up just in case you make a mistake.

To find the javascript
I have several sites and found the easiest way to see if my site was infected was to use the information menu on FireFox Web Developer extension. And then searched for 7speed.info. It highlighted any code on the site. I could then locate the page via ftp and delete the code.

Pages affected
In my experience it was Index.html and index.php pages infected on basic sites
Header.php and Footer.php on basic sites with include files.

On Drupal templates you need to go into the directory of the theme you are using and locate the page.tpl.php file

On PHP Fusion edit the subheader.php and footer.php files

On WordPress go into the theme directory and edit the header.php and footer.php files.

Hope that helps.

Leave a Reply

Your email address will not be published. Required fields are marked *