Strange behaviour

Looking at my company home page, I get asked if it can set a cookie.
I've never , ever included these devices on either of the sites I've built.
Looking at the source code there is some stuff in comments I never put in
there.
I'll remove it in next day or so, but before I do can any one please tell me
what it might be?

Our hosting company (Netcetera) has just yesterday altered ftp access codes
for both sites as part of their "security review".
Seems to me this one's been hacked into.
Can anyone guess to what purpose please?
Many thanks.

The code is just after "cuckoo code". this starts off "var msg=314, d=document

This page is;- www.ossettmouldings.com/default.htm

I've only looked at one or two others - they seem OK.

John

Re: Strange behaviour

"John Clayton" wrote in message
news:flrp9t$apg$1@aioe.org...
> Looking at my company home page, I get asked if it can set a cookie.
> I've never , ever included these devices on either of the sites I've
built.
> Looking at the source code there is some stuff in comments I never put in
> there.
> I'll remove it in next day or so, but before I do can any one please tell
me
> what it might be?
>
> Our hosting company (Netcetera) has just yesterday altered ftp access
codes
> for both sites as part of their "security review".
> Seems to me this one's been hacked into.
> Can anyone guess to what purpose please?
> Many thanks.
>
> The code is just after > "cuckoo code". this starts off "var msg=314, d=document
>
> This page is;- www.ossettmouldings.com/default.htm

I don't think anyone here is going to be in a hurry to open this page.
Looks like they've added a little javascript. Posting the offending code
would be better.
Vince

Re: Strange behaviour

Well bust mah britches and call me cheeky, on Sun, 06 Jan 2008 23:47:11
GMT John Clayton scribed:

> Looking at my company home page, I get asked if it can set a cookie.
> I've never , ever included these devices on either of the sites I've
> built. Looking at the source code there is some stuff in comments I
> never put in there.
> I'll remove it in next day or so, but before I do can any one please
> tell me what it might be?
>
> Our hosting company (Netcetera) has just yesterday altered ftp access
> codes for both sites as part of their "security review".
> Seems to me this one's been hacked into.
> Can anyone guess to what purpose please?
> Many thanks.
>
> The code is just after > this "cuckoo code". this starts off "var msg=314, d=document
>
> This page is;- www.ossettmouldings.com/default.htm
>
> I've only looked at one or two others - they seem OK.

Dunno, but whatever it's theoretically suppose to do fails, anyway (-on a
secure receiver.)

58 html errors! That you or the hacker? I noticed _before_ the
doctype, among other things. -And 2 opening body tags... Tsk, tsk.

--
Neredbojias
Riches are their own reward.

Re: Strange behaviour

>> Looking at the source code there is some stuff in comments I never put in
>> there.
>> I'll remove it in next day or so, but before I do can any one please tell
> me
>> what it might be?
>>
>> Our hosting company (Netcetera) has just yesterday altered ftp access
> codes
>> for both sites as part of their "security review".
>> Seems to me this one's been hacked into.
>> Can anyone guess to what purpose please?
>> Many thanks.
>>
>> The code is just after >> this
>> "cuckoo code". this starts off "var msg=314, d=document
>>
>> This page is;- www.ossettmouldings.com/default.htm
>
> I don't think anyone here is going to be in a hurry to open this page.
> Looks like they've added a little javascript. Posting the offending code
> would be better.
> Vince
>
>
Vince,
As you say, it looks to me also like a bit of script. It reads;-



The "cookie" appears to originate from ;- tanikinata.cn

I'm just wondering what it's doiong/ attempting to do?

Re: Strange behaviour

John Clayton wrote:
>>> Looking at the source code there is some stuff in comments I never put in
>>> there.
>>> I'll remove it in next day or so, but before I do can any one please tell
>> me
>>> what it might be?
>>>
>>> Our hosting company (Netcetera) has just yesterday altered ftp access
>> codes
>>> for both sites as part of their "security review".
>>> Seems to me this one's been hacked into.
>>> Can anyone guess to what purpose please?
>>> Many thanks.
>>>
>>> The code is just after >>> this
>>> "cuckoo code". this starts off "var msg=314, d=document
>>>
>>> This page is;- www.ossettmouldings.com/default.htm
>> I don't think anyone here is going to be in a hurry to open this page.
>> Looks like they've added a little javascript. Posting the offending code
>> would be better.
>> Vince
>>
>>
> Vince,
> As you say, it looks to me also like a bit of script. It reads;-
>
>

Well the first part translates "window.status='D"

> The "cookie" appears to originate from ;- tanikinata.cn
>
> I'm just wondering what it's doiong/ attempting to do?

Something *not* good. If they have to hide it there is a reason....

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

Re: Strange behaviour

"John Clayton" wrote in message
news:fltuhi$hrg$1@aioe.org...
>
> Vince,
> As you say, it looks to me also like a bit of script. It reads;-
>
>
>
> The "cookie" appears to originate from ;- tanikinata.cn
>
> I'm just wondering what it's doiong/ attempting to do?
>
>
There isn't anyway of knowing what it was meant to achieve John without
seeing all the code.
Jonathan nailed the first line, but without the rest would be a shot in the
dark.
Vince

Re: Strange behaviour

"Neredbojias" wrote in message
news:Xns9A1DE7A65BDD5nanopandaneredbojias@85.214.90.236...
> Well bust mah britches and call me cheeky, on Sun, 06 Jan 2008 23:47:11
> GMT John Clayton scribed:
>
>> Looking at my company home page, I get asked if it can set a cookie.
>> I've never , ever included these devices on either of the sites I've
>> built. Looking at the source code there is some stuff in comments I
>> never put in there.
>> I'll remove it in next day or so, but before I do can any one please
>> tell me what it might be?

Thank you for your observations and advice people, Vince, Johnathan and
Neredbojias. I've taken the "cuckoo" js script out the back and shot it
dead - now we may never discover it's purpose in life.
I'll tidy up me html one day - ta.

John
"Live long and prosper"