what is happening with my site?
- Started
- Last post
- 21 Responses
- epigraph
Can someone take a look at my site and source and tell me what the extra code after the </html> tag is and where it came from?
I can upload the original files, and get rid of it, but want to know what it is....
It shows up on my site as text: www.jamesguild.com
- zenmasterfoo0
is that some google analytics code? definitely javascript remnants...
- epigraph0
I was thinking it was from analytics, but I've had analytics for a while and it just started showing up
- WrappedInBooks0
looks like you have a '>' before
'=round(0+40+40+40+40)))||($_3[r... _1166005164(32)&&$_3[round(0+0.2...- is that not you .js?WrappedInBooks
- not sure I know what you mean. I am by no means knowadgable about js. Strictly cut and paste for meepigraph
- oh I got cha, no it's not mine. don't know where it came fromepigraph
- detritus0
Site's not running right now as far as I can tell - are you running it from an older version of Wordpress? Perhaps it's some kind of malicious JS injection?
- epigraph0
it's not wordpress, can you put malicious JS in a reg site?
- ********0
unreachable, infinite loop = fucked.
- ********0
looks like you have: base64_decode hack
google it
- 74LEO0
whats with your2009 site? trying to install a javascript on my puter?
- 74LEO0
http://www.jguilddesign.com/ <-- tries to install javascript
- shit, really? Is this a server problem? Do I need to contact my host?epigraph
- epigraph0
How did you find the design site? It's not linked to the main site
- acescence0
looks like that's php, not javascript. $GLOBALS[], echo.
- epigraph0
Any idea what to do Jason?
- You just changed the whole site.********
- haha no! it's jguild haha********
- You just changed the whole site.
- acescence0
ftp that html file and send it to your host, change all of your passwords, restore all the files.
I'd be curious to see all of the code there if you'd be willing to copy the original and post it in pastebin, the fact that there's some remnant php on the page means it wasn't parsed properly, so it doesn't appear their hack attempt is actually working.
- it s working , the site is unreachable********
- how did I just look at the page 5 minutes ago to identify what was there?acescence
- and everyone else above who posted some of the failed php. I don't think it magically fixed itselfacescence
- just fucking click the link ffs********
- oh look, it's back up again. also, you're a world fucking class retard.acescence
- yes it's backup again, ascence! lol********
- it s working , the site is unreachable
- epigraph0
muddah fukkah
- epigraph0
Was gonna post that to pastebin, but can't log in via ftp or through my host anymore. Guess I'll drop them a line. Thanks all. =)
Muddah fukkah!
- acescence0
well it's back up again, likely an unrelated issue with the host.
- epigraph0
yeah back up..... Thanks for lookin into this man!
here is the html for www.jamesguild.com:
http://pastebin.com/dxvBM2dmThe same php is at the bottom of www.jguilddesign.com as well(same hosting account), but there are no fragments displaying and view souce shows this:
http://pastebin.com/bNSqqWrU
- acescence0
well, I'm not sure exactly what it's trying to accomplish. the php has a bunch of encoded curl functions, which are used to transfer data from urls. i think it's passing something to a remote script that tailors the javascript to your server/server's IP in some way. that bit of javascript on the other page is trying to load something from http://firstreader.in/x/ which is in turn just forwarding to google.com/404/, possibly because I'm not running it on the server from which it originated.
anyway, I'd send it all to your host and have them investigate further.