• ROGUE JAVASCRIPT: Hidden by a packer located in gtrans.php

    line 118:

    eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('6 7(a,b){n{4(2.9){3 c=2.9("o");c.p(b,f,f);a.q(c)}g{3 c=2.r();a.s(\'t\'+b,c)}}u(e){}}6 h(a){4(a.8)a=a.8;4(a==\'\')v;3 b=a.w(\'|\')[1];3 c;3 d=2.x(\'y\');z(3 i=0;i<d.5;i++)4(d[i].A==\'B-C-D\')c=d[i];4(2.j(\'k\')==E||2.j(\'k\').l.5==0||c.5==0||c.l.5==0){F(6(){h(a)},G)}g{c.8=b;7(c,\'m\');7(c,\'m\')}}',43,43,'||document|var|if|length|function|GTranslateFireEvent|value|createEvent||||||true|else|doGTranslate||getElementById|google_translate_element2|innerHTML|change|try|HTMLEvents|initEvent|dispatchEvent|createEventObject|fireEvent|on|catch|return|split|getElementsByTagName|select|for|className|goog|te|combo|null|setTimeout|500'.split('|'),0,{}));

    ###########################################

    HIDDEN BACKLINK: Checks user agent against Google
    in gtrans.php

    line 125 and 126

    if(stripos($_SERVER["HTTP_USER_AGENT"], 'google') !== false)
    $script = $script . '<p>Powered by GTranslate – multilingual website solutions.</p>';

    ###########################################

    PHONING HOME: Posts obfuscated data to https://tdn.gtranslate.net/tdn-bin/save after loading remote javascript from https://tdn.gtranslate.net/tdn-bin/queue.js

    line 122:

    <script src="https://tdn.gtranslate.net/tdn-bin/queue.js" type="text/javascript"></script>

    ###########################################

    The unpacked JavaScript looks like it fools the WordPress repository by increasing the downloads. It makes an AJAX HEAD call to the download URL to automatically increase downloads. This guarantees that it becomes a “popular” plugin in the repo.

    Shame shame shame..
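
To read a packed block like the one quoted from line 118 without executing it, the following added example (not part of the original post and not the plugin's code) is a static unpacker for the p,a,c,k,e,r format. The names `unpack` and `flagForReview`, the marker list, and the sample string are assumptions constructed for illustration.

```javascript
// Added example: static unpacker for Dean Edwards p,a,c,k,e,r output. Never calls eval().
// Captures: 1 = packed payload, 2 = radix, 3 = word count, 4 = '|'-joined dictionary.
const PACKED_ARGS =
  /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Same index-to-token encoding as the packer's own e() helper.
function encodeIndex(n, radix) {
  const head = n < radix ? '' : encodeIndex(Math.floor(n / radix), radix);
  const d = n % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Undo the string-literal escaping (\' \\ \n) without evaluating anything.
const unescapeLiteral = s => s.replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch));

function unpack(source) {
  const m = PACKED_ARGS.exec(source);
  if (!m) return null; // not packer output
  const payload = unescapeLiteral(m[1]);
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = unescapeLiteral(m[4]).split('|');
  if (radix < 2 || radix > 62 || words.length < count) {
    throw new Error('malformed or unsupported packer arguments');
  }
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    table.set(token, words[i] || token); // an empty slot means the token is literal
  }
  return payload.replace(/\b\w+\b/g, t => (table.has(t) ? table.get(t) : t));
}

// Triage heuristic (an assumption of this example): APIs worth reading around first.
const REVIEW_MARKERS = ['XMLHttpRequest', 'fetch(', 'sendBeacon', '.ajax(', 'new Image', 'eval('];
const flagForReview = js => REVIEW_MARKERS.filter(marker => js.includes(marker));

// Constructed sample, NOT taken from gtrans.php; the decoder stub is elided on purpose.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,r){/* stub elided */}('3 0=4 2();0.5(\'6\',\'/1\');0.7()',8,8,'x|counter|XMLHttpRequest|var|new|open|HEAD|send'.split('|'),0,{}))`;

const unpacked = unpack(SAMPLE);
console.log(unpacked);
console.log(flagForReview(unpacked));
```

Run it with Node.js and pass the contents of a suspect file to `unpack` in place of `SAMPLE`; the output is plain source text that can be reviewed or diffed without ever running the packed code.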

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Dont use!!! hidden rogue/packed javascript, phones home, and hidden backlinks’ is closed to new replies.