Infection chains

To help webmasters find and remove malicious code faster, Yandex shows the host chains through which malicious code is loaded to the user's browser when the user views the infected pages.

This information helps to determine which block on the page loads malicious code.

For example, if the chain is:

You should take one of the actions to stop the site from spreading malicious code:

  • Delete part of the web server page or the script that adds the <script> or <iframe> tag to the infected-2.htm page. The tag loads the block from marthamio.cu.cc or redirects to this site.

  • Ask the owners of marthamio.cu.cc to fix their site so that it doesn't issue blocks that load other blocks from groogle.cu.cc/?said=3333&q=facebook;

  • Stop the spreading of malicious code from the aroymac.cu.cc/main.php?page=362ae50582a6bb40 resource.

Web server malicious code that writes a tag loading the block with marthamio.cu.cc or a redirect to it, can be obfuscated:

  • Intentionally made incomprehensible or unreadable. Look for the script parts that weren't written by you, especially the ones that have no structure and indentations.

  • Encoded. Such elements contain lines of meaningless characters and use the eval, base64_decode, gzuncompress, gzinflate, ob_start, str_rot13, assert, create_function, preg_replace functions.

  • Hidden in a .htaccess structure and other configuration files of the web server, scripting language interpreter, templates and CMS settings.

  • Dynamically loaded from a third-party web server (PHP functions file_get_contents, curl_exec, and so on).

The web server malicious code may reappear after removal due to:

  • The web server backdoor.

  • Compromised web server passwords (FTP, SSH), hosting or CMS administrator panel.

  • Hacking the server by changing the root password or adding users with the necessary rights.

  • A backdoor or a bot on the webmaster's computer that allows to manage web server remotely and change the pages on behalf of the webmaster.

Web browser malicious code can be obfuscated with similar methods. It can use the eval, document.write, document.location, document.URL, window.location, window.navigate structures, overridden "src" elements of DOM, objects loaded with the <object> , <embed> tags, ActiveX, and changes in the page code made by downloaded objects. Also, pay attention to long scripts and unnecessary string operations, such as reassigning or merging multiple lines into one.