CODEWITHSUNDEEP
javascripthtml
user2696666
user2696666

Reputation: 85

Unknown script/swf gets added under body

3 weeks ago i putted my website online now after 3 weeks a strange script under the body tag appears. Thing is, it is not inserted in the code so i can't remove it. I run a codeigniter website. The thing is all my permissions were on 777. I changed it but still the script and SWF object were added under the body tag.

swf and script that are added.

<div id="dp_swf_engine" style="position: absolute; width: 1px; height: 1px;">
</body>
<script src="http://i.spigotjs.info/opt_1398856699078/opt_content.js?partner=spig&channel=spigFF&appTitle=" type="application/x-javascript">
</html>

Upvotes: 2

Views: 448

Answers (2)

jorisx
jorisx

Reputation: 11

The extension "Awesome screenshot" installs this "dp_swf_engine.swf" thing ...

This is the file: http://www.ajaxcdn.org/swf.swf and you can easily decode and view the code here:http://www.showmycode.com/ it seems to have lots of google analytics code?!

Not sure if it does any harm... anyone with some action script eye who can see whats going on here ?

J!

Upvotes: 0

Aaron Digulla
Aaron Digulla

Reputation: 328594

There are several places where such a script can be injected:

  1. A cracker might have gained access to your server and modified the sources. Download the software onto a different computer and compare it with the latest version from your version control system. Don't use version control? Start right now.

    This code is often hard to find since it's encrypted. So you really need to check every single line of code.

  2. A cracker might have installed a filter or front end on the server. That means the requests are intercepted by some other software, sent to your code for processing and then modified afterwards.

    I'm not aware of any Trojans which do this but in theory, they can install new system libraries or kernel modules which do this kind of filtering, so they are very hard to find. If that's the case, wipe the server and install everything from a clean source.

  3. Do you get the same script for other sites, too? Then your local browser may be infected.

    Try to install another browser and update your anti-virus software.

  4. If you use the Google webmaster tools, then Google will do a virus check of your site. If they find something, you'll get a warning on the dashboard.

Important: If your server was tainted, you need to tell your visitors about this. If you have their email addresses, send them an email telling them about the incident and how to clean their computers.

You should also put a big fat warning on the front page, so recurring visitors are warned.

Upvotes: 1

Related Questions