Any Security problems in rollover.js many versions past?

[JimC]

This isn't going to be the most detailed of posts.
I'm helping out a chap who has health issues, and his site has been penetrated. He created his site, which is static and not regularly updated, back in 2010, and the files tell me he used netobjects fusion essentials.
<META NAME="Generator" CONTENT="NetObjects Fusion*Essentials*(http://www.netobjects.com)">.
Unfortunately he's having trouble locating the site parent and the software. Fortunately he has got a backup of the html, so we've fixed the damage, but I'm trying to work out how it got hit. Guessing the ftp password is one possibility of course, but I've identified three different assaults, apparently for different lowlives, so it seems unlikely.

Another possibility is some kind of assault via a netobjects feature. He is using a rollover.js for navigation menus, which I am sure would have come with his version of Essentials, which version I'm unable to identify. It starts with

// Handles rollover images for NN3+ and IE4+
var loaded = new Array();
var F_menuIsEntered = false;
var F_menuIsCreated = false;
var F_menuAgt = navigator.userAgent.toLowerCase();
var F_menuIsGecko = (F_menuAgt.indexOf('gecko') != -1);
var F_menuIsOpera = (F_menuAgt.indexOf('opera') != -1);
var F_menuSubmenu;
var F_menuTable = new Array();

function F_loadRollover(image,imageName,menu) {


Unfortunately js is not in my skill set. Is it known whether there are any css injection or other vulnerabilities in this, and if so is an improved version available? Other than that there's no js or anything else that looks like a potential vector.

The third possibility, and my favourite to be honest, is that the problem lies elsewhere in the hoster, but there's nothing we can do about that.

[gotFusion]

More than likely a password/access has been breached. Either his or the hosts.

This is assuming that they do not use any database content where a injection attack could occur

I recommend to my customers to use passwords between 17 and 19 characters made up of random upper/lower case letters, numbers and special characters and to NOT let their computer remember the password for web based log ins (control panel etc).

A password like admin will be hacked instantly whereas one like jYv4X9Lsq$zg&xWud is a bit harder to crack and not worth the time or effort for prankster hackers.

Oh... javascripts routines are not insecure as they do not allow server side access

[JimC]

More than likely a password/access has been breached. Either his or the hosts.

Reasonable passwords (12 character random), no databases, no active or dynamic content, no forms, nothing writing to server. No edits to the site since 2010. Apparently three or 4 small penetrations some months apart, but all in last 18 months. I suspect the hosting company have been compromised elsewhere, but there are no logs available from the hosting company so how to tell. Anyway, if I can cross rollover.js off the list that's good.

[gotFusion]

The host should be able to tell you how and where the breech occurred.

If they can't, you need to find another host.

[JimC]

Thanks for the assistance.