Is there ever an excuse for using this URL-encoding script?

Hi forum friends,

For the example see my jsunpack link given further down. We see such an attack reported here at Wordpress dot org forums: http://wordpress.org/support/topic/website-is-being-redirected
Here the decoding of similar injected javascript is being discussed at stackoverflow dot com: http://stackoverflow.com/questions/3391623/decode-some-injected-javascript
user409021 on that link in his posting comes up with the proper decoding of the malcode.

See the injected script input here: -http://jsunpack.jeek.org/?report=fffdca68ca4bbe507421f9f3519ef75551a7f23a
Go there only if security savvy, with script blocking active and inside a virtual environment.

What we have seen is an Adsense hijacking script that is redirecting visitors after 5-15 secs or right away to earn on fraudulent clicks. Good to know that avast webshield detects this as JS:Downloader-IR[Trj] and blocks the website or the file right away!

polonus

Hi Polonus,

The Stackoverflow link you mention, I stumbled upon it as well.

The script you give at jsunpack, it appears to be only partial.
The script starts to define “a” as a variable, but there is no " at the end.
Variable “a” doesn’t look like your normal JavaScript, if it even is JavaScript.

Like when someone clicks on a link that leads to this site that the provider ‘gets money for each click’, runs their coding, then redirects the user to the other site?

The culprit is in line 3 SyntaxError: unterminated string literal (attached 2): HTML decodes to JS as shown attached (attached 1) viewer code?

polonus