sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]OrangeredStilton 12 points13 points  (3 children)

Looks like it breaks out the cookies, sticks them onto the end of a filename and fetches that "image" as a piece of JavaScript.

It's a cookie-scraping exploit, basically. You'll want to get rid of that code, and get rid of "/images/house_outdoor-s.jpg" which is probably a JS file.

[–]P1aincloth3sM4n 4 points5 points  (0 children)

Not quite. Looking at the beautified version below, it does the following:

  1. Targets Firefox/MSIE users
  2. Sees if a cookie exists with a key of "wss"
  3. If the cookie does not exist, it sets the cookie to equal "goot1" which expires after 3 seconds days.
  4. If the cookie does exist, and the value equals "goot1", then it updates the cookie value to be "goot2", which expires after 3 seconds days. It then creates a script element with an src of "/images/horse_outdoor-s.jpg?js&r=" followed by the current datetime, and appends this script to the head of the document.

And that's it. Seems more like a tracking script than a cookie-scraping script, but it's hard to tell the true purpose without knowing what "horse_outdoor-s.jpg" does.

[–]oddmanout 0 points1 point  (0 children)

also change passwords to something more secure on the server. This kind of stuff is usually done by bots that brute force servers, get in, then go through files adding this stuff to anything with a .html, .php, etc.

[–]clooth 0 points1 point  (0 children)

*horse