Reji,

There is either a virus on your system, or there is another script somewhere on your system that is replicating that code. That appears to be JavaScript, which means it runs on the client's browser. It looks like it is intended to hijack session data (a common XSS attack).

There is obviously part of the script you have not discovered yet, as it appears this snippet calls a function not seen in what you pasted in your post. The part of the script jsCall() is a call to a function, just like in PHP. Without knowing what jsCall() does, you can't know for certain what the entire script does. I would check where the <head> data for the document is generated for a <script> tag or a <link> tag that loads an outside script to find the part of the script where jsCall() resides.

I would start hunting for more scripts (either in files or in your database). There may be a third script which does the work of installing the other snippet(s) to your system. It is most likely someone has uploaded something to your system that is responsible for the appearance and re-appearance of this script. If you can't find any scripts, I would use a high quality virus scanner (AVG or Avast are good) to scan your system for viruses (especially if your OS is Windows).

A session hijack attempt works either by luring a user to a site where the session cookie can be read, or by using a script to send the cookie data to a site. The cracker (or internet criminal) then uses the session cookie to impersonate a legitimate user who is currently logged into your system.

It is important to clean up old session data. It is almost always better to use session cookies rather than having the session id appended to the URI (as that leads to a whole other set of XSS issues). I usually include some scripts that clean up expired session data (either in the files or database depending on where you store them) every time a new session is started, making it harder for a malicious user to hijack a session.
Make sure you set a short enough session expiry to limit the opportunity to hijack sessions. There is always a balance between security and convenience for legitimate users.

You can change the name of the session cookie typically used on your system in your PHP configuration, or at run time using the ini_set() function. I believe the value to change is the 'session.name'. You can set the session to use cookies only by using:

    ini_set('session.use_only_cookies', TRUE);
    ini_set('session.use_trans_sid', FALSE);

Good Luck,
Gentlemike2

-----Original Message-----
From: php-objects@xxxxxxxxxxxxxxx [mailto:php-objects@xxxxxxxxxxxxxxx] On Behalf Of Hari KT
Sent: Saturday, April 18, 2009 4:16 AM
To: php-objects@xxxxxxxxxxxxxxx
Subject: Re: Strange script .. help needed

For which CMS?

Hari K T
http://www.harikt.com/
http://ijust4u.blogspot.com/

--- On Sat, 18/4/09, Reji Jayan <for_rejijayan@xxxxxxxxxxx> wrote:

From: Reji Jayan <for_rejijayan@xxxxxxxxxxx>
Subject: Strange script .. help needed
To: php-objects@xxxxxxxxxxxxxxx
Date: Saturday, 18 April, 2009, 3:49 AM

Hello all,

We put a CMS for a site 3 months ago ... later, recently, when we checked the database we found a strange script among the script ... we deleted it and saved, in the database; later when we checked the coding we found the script again ... later we found it is multiplying in the same page.

Has anyone faced this situation, and how can we solve this? Please help .. I'm copying the script here

//========== ========= ========= ========= ========
<input type="hidden" id="gwProxy" ><!--Session data--></input>
<input type="hidden" id="jsProxy" onclick="jsCall( );" />
<div id="refHTML" > </ div>
//========== ========= ========= ========= =======

Thanks
Reji.
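The session settings recommended in the reply above (cookie-only sessions, a renamed session cookie, a short expiry), gathered into one bootstrap function as an added example that is not part of the original thread. The function name, the two constants and the cookie name APPSID are assumptions, and the code assumes PHP 5.5.2 or later on an HTTPS site.

```php
<?php
// Added example, not code from the thread. All names below are hypothetical.
const IDLE_LIMIT   = 900; // assumed: 15 minutes of inactivity ends the session
const ROTATE_EVERY = 300; // assumed: issue a fresh session id every 5 minutes

function start_hardened_session()
{
    // The two settings named in the reply: cookies only, never an id in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session ids the server did not issue (PHP 5.5.2+).
    ini_set('session.use_strict_mode', '1');
    // Hide the cookie from page scripts, so an injected script cannot read it.
    ini_set('session.cookie_httponly', '1');
    // Send the cookie over HTTPS only (assumes the site is served over HTTPS).
    ini_set('session.cookie_secure', '1');
    // Stored session data older than this becomes eligible for garbage collection.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    // Replace the default cookie name (PHPSESSID) with a site-specific one.
    session_name('APPSID');
    session_start();

    $now = time();

    // Garbage collection runs only probabilistically, so enforce the idle
    // limit explicitly instead of relying on gc_maxlifetime alone.
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = array();
        session_destroy();           // delete the stored session data
        session_start();             // begin a clean session
        session_regenerate_id(true); // and give it a new id
    }

    // Rotate the id periodically so a captured cookie stops working soon after.
    if (!isset($_SESSION['issued_at'])) {
        $_SESSION['issued_at'] = $now;
    } elseif ($now - $_SESSION['issued_at'] > ROTATE_EVERY) {
        session_regenerate_id(true); // true = delete the old session record
        $_SESSION['issued_at'] = $now;
    }

    $_SESSION['last_seen'] = $now;
}
```

Call it once at the top of every request, before any output is sent, in place of a bare session_start().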