I've been getting this weird code on my site. Here is a sample: "#74ed9f# if(empty($doo)) {$doo = "";echo $doo;} #/74ed9f#".
My antivirus also gets alerted when I visit my site. Here is my site's link: http://callumco.com/agranex_cms/

What is this and how do I fix it?


This is a new code injection technique which is executed with the help of an XSS attack.

With the help of XSS, the code is injected into everything which comes from the database, and this code injection injects a JavaScript source which is called in your web pages.
This problem occurs due to the execution of these remote JavaScript sources.

Please check your code for **XSS vulnerabilities** and fix them.
Use tools like Wapiti and Acunetix for the same.

Where did this XSS attack come from? Can I blame my server provider?

Please check the website code.
Filter and sanitize every input variable for script tags and addslashes.
Use htmlentities for the XSS thing and addslashes for SQL injection.

There is nothing for the service provider to do in this.

If you look at the source code for the HTML in the browser, you will see a script inserted into the jQuery load method (probably through the search box):

// the script is inserted after this code

The script is encoded using character codes, and you can decode it using the fromCharCode function. This code is then executed using eval. It checks/sets a cookie and opens an iframe, positioned off your screen. The source for the iframe is a PHP script (http://davidedwardsphotos.com/cubsdb/64P2WFxK + php extension) which I could not access anymore.

See the code in the attached PDF.

It is important that you sanitize all input by removing all the tags from the input data using, i.e., the htmlspecialchars() function if there is a chance that the input will get to the HTML code (as in your case).

Hi, how do I remove this #74ed9f# code from the site?

Do as suggested above... Install Python 2.7.x, and download Wapiti as suggested by sinhaksaurabh.

Download Python here, download Wapiti here.

  1. If running this on Windows, extract the Wapiti src directory in C:\wapiti.

  2. Open the Windows command prompt, or the Python command prompt.

  3. Type python at the prompt. It should give you the version of Python installed on your system. If you don't see something similar to this

    Python 2.7.5 (default, May 15 2013, 22:44:16) [MSC v.1500 64 bit on win 32

the Python installation failed. You must try reinstalling it.

  4. Follow the instructions on how to use Wapiti.

Example of usage (Windows):

    cd c:\wapiti\src
    python wapiti.py http://yourDomainDotCom

You can also define the method of attack such as xss:get, exec:post and all. Just add this option after the command (shown in the documentation).

-m "-all,xss:get,exec:post"

And make sure to add -n, the number of URLs you need to test, otherwise it may go into an infinite loop.

Sample usage added after the first and second commands

-n 30

Don't forget to set the report type at the end.

Here is a clean report example:

Attacks details
SQL Injection
No vulnerabilities found
Blind SQL Injection
No vulnerabilities found
File Handling
No vulnerabilities found
Cross Site Scripting
No vulnerabilities found
No vulnerabilities found
Commands execution
No vulnerabilities found
Resource consumption
No vulnerabilities found
Htaccess Bypass
No vulnerabilities found
Backup file
No vulnerabilities found
Potentially dangerous file

Command used:

    cd c:\wapiti\src

    python wapiti.py http://localhost/register.php -f html -o registrationformtest

The report will be available for viewing as an HTML page at wapiti\src\registrationformtest\index.html

Test the login script:

    python wapiti.py http://localhost/login.php -f html -o loginformtest

Test the search form processor:

    python wapiti.py http://localhost/search.php -f html -o searchformtest
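
To locate the injected blocks themselves (the `#74ed9f# ... #/74ed9f#` sample quoted in the first post, and the fromCharCode/eval script described above), a read-only scan of the site's files can list every file that carries such a block. This is an added example, not code from any poster in this thread; it is written for Python 3 rather than the 2.7 used for Wapiti, and the six-hex-digit marker pattern, the suffix list and the function names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Marker pair as in the thread's sample: "#74ed9f# ... #/74ed9f#".
# Assumption: other infections use a different six-hex-digit id.
MARKER_BLOCK = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.DOTALL)
# The decode-and-run pattern described in the thread.
OBFUSCATED_JS = re.compile(r"fromCharCode|\beval\s*\(")
# Assumption: file types worth scanning on a PHP site.
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".tpl"}


def find_injected_blocks(text):
    """Return one finding per marker-delimited block in text."""
    findings = []
    for m in MARKER_BLOCK.finditer(text):
        findings.append({
            "marker": m.group(1),
            "line": text.count("\n", 0, m.start()) + 1,
            "length": len(m.group(0)),
            "obfuscated_js": bool(OBFUSCATED_JS.search(m.group(2))),
        })
    return findings


def scan_tree(root):
    """Read-only walk of root; maps relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_injected_blocks(text)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    # Constructed sample files; the first reuses the block quoted in the thread.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "index.php").write_text(
            '<?php\n#74ed9f# if(empty($doo)) {$doo = "";echo $doo;} #/74ed9f#\n'
            'echo "home";\n')
        Path(d, "clean.php").write_text('<?php echo "#ffffff is white"; ?>\n')
        for name, hits in scan_tree(d).items():
            for h in hits:
                print(name, h)
```

The scan only reports; run it against a copy or backup of the web root and compare flagged files with known-good versions before editing anything.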