|
|
|
|
|
|
by mschuster91
4847 days ago
|
|
|
Just wtf does this code do? Is it supposed to fake page views on that cavadini.savedalyfield.com site in line 40? Lines 4-8 make the whole stuff only match on people redirected to the hacked site by facebook, twitter and searches.
9-32 block out search engines, maybe to prevent stuff like Googlebot detecting the malware.
The LNr env variable set on 39 acts as a primitive switch jumptable for the "cases" in 42-161... which redirect the browser using HTTP 302 Temporary Redirect to various subelements on cavadini.savedalyfield.com. |
|
|
I believe this is to extend the time before the site owner realises that the site has been compromised. They are less likely to visit via Facebook/Twitter/Search engines, so just see the normal site, even if most of their users get the compromised site.