replace call after the giant messy string:
It removes most of the special characters, turning it into a normal URL:
(I manually changed
Note that the regex could have been simplified to
If you look at the script, you'll see that it's a very simple script that injects a hidden IFRAME containing the path
/index.php?ys from the same domain.
I requested that page in Fiddler, and it had no content.