Quttera also detects 2 suspicious files here: (Compacted using Packer in PHP)
/modules/mod_rokajaxsearch/js/rokajaxsearch.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [['this var=if new({Element:"options.inject",class:{\'function\':div,\'arrow\':selectedEl,\'left\':goog']] of length 9910 which may point to obfuscation or shellcode.
Threat dump:
http://jsunpack.jeek.org/?report=169734b13eb9cb40de81f03274d27e8b00696637
File size[byte]: 15933
File type: ASCII
MD5: 02DA0CC0BBA4D40702EA5FA7FD5AC036
Scan duration[sec]: 0.497000
/plugins/system/rokbox/rokbox.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method write <code> __tmpvar1083890297 = write; <code/>
Threat dump:
http://jsunpack.jeek.org/?report=cff0a2a31ace7b2f3bc35fa33b8fb13eab25ead1
File size[byte]: 22076
File type: ASCII
MD5: 764636E4B741E13F6D3BCED66420A102
Scan duration[sec]: 0.162000
avast! Web Shield blocks this code as JS:Agent-HA[Trj] here -> htxp://stackoverflow.com/questions/2731345/what-exactly-does-this-piece-of-javascript-do
pol