Question

I recently saw some free file-downloading website in the server log, and one of the site's source files contained some suspicious JavaScript code. Should I be worried about it? They might have run it, or may have installed spam on one of our company's computers.

Code

<script type="text/javascript">
var stamp = "0529e8679c27247e794a"; // per-page token; later appended as "&t=" to the offercheck.php URL
var file = "74109";                 // file id sent in every offercheck.php request
var host = "fileice.net";           // not referenced anywhere in the code shown here
// Lookup table of hex-escaped ("\xNN") string literals. The rest of the script
// indexes into it for property names ("getElementById", "innerHTML", "style",
// "src", "post") and for the URL fragments and HTML snippets it writes. The
// decoded contents are listed in plain text further down the page; indices
// 6-10 ("onload", "location", "parent", "http://", "/download.php?file=") are
// not used by the code quoted in this listing.
var _0x6675 = ["\x64\x69\x76\x2E\x6D\x65\x6E\x75\x20\x6C\x69", "\x68\x34", "\x68\x33", "\x68\x32", "\x68\x31", "\x72\x65\x70\x6C\x61\x63\x65", "\x6F\x6E\x6C\x6F\x61\x64", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x70\x61\x72\x65\x6E\x74", "\x68\x74\x74\x70\x3A\x2F\x2F", "\x2F\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x2E\x70\x68\x70\x3F\x66\x69\x6C\x65\x3D", "", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64", "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C", "\x64\x65\x73\x63", "\x3C\x70\x3E\x54\x68\x65\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x77\x69\x6C\x6C\x20\x61\x75\x74\x6F\x6D\x61\x74\x69\x63\x61\x6C\x6C\x79\x20\x62\x65\x67\x69\x6E\x20\x77\x68\x65\x6E\x20\x79\x6F\x75\x20\x73\x75\x63\x63\x65\x73\x73\x66\x75\x6C\x6C\x79\x20\x66\x69\x6E\x69\x73\x68\x20\x74\x68\x65\x20\x73\x75\x72\x76\x65\x79\x20\x79\x6F\x75\x20\x68\x61\x76\x65\x20\x63\x68\x6F\x73\x65\x6E\x2E\x20\x49\x66\x20\x74\x68\x65\x20\x66\x69\x6C\x65\x20\x64\x6F\x65\x73\x20\x6E\x6F\x74\x20\x61\x75\x74\x6F\x6D\x61\x74\x69\x63\x61\x6C\x6C\x79\x20\x75\x6E\x6C\x6F\x63\x6B\x20\x61\x66\x74\x65\x72\x20\x61\x20\x6D\x69\x6E\x75\x74\x65\x2C\x20\x70\x6C\x65\x61\x73\x65\x20\x63\x68\x6F\x6F\x73\x65\x20\x61\x6E\x6F\x74\x68\x65\x72\x20\x73\x75\x72\x76\x65\x79\x20\x61\x6E\x64\x20\x63\x6F\x6D\x70\x6C\x65\x74\x65\x20\x69\x74\x2E\x3C\x2F\x70\x3E", "\x64\x69\x73\x70\x6C\x61\x79", "\x73\x74\x79\x6C\x65", "\x6C\x6F\x61\x64\x69\x6E\x67\x69\x6D\x67", "\x62\x6C\x6F\x63\x6B", "\x73\x72\x63", "\x6F\x66\x66\x65\x72\x63\x68\x65\x63\x6B", "\x6F\x66\x66\x65\x72\x63\x68\x65\x63\x6B\x2E\x70\x68\x70\x3F\x66\x69\x6C\x65\x3D", "\x26\x74\x3D", "\x73\x70\x63\x6E\x67", "\x26\x61\x6A\x61\x78", "\x31", 
"\x3C\x70\x3E\x59\x6F\x75\x72\x20\x66\x69\x6C\x65\x20\x68\x61\x73\x20\x62\x65\x65\x6E\x20\x75\x6E\x6C\x6F\x63\x6B\x65\x64\x21\x20\x43\x6C\x69\x63\x6B\x20\x6F\x6B\x61\x79\x20\x6F\x6E\x20\x74\x68\x65\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x70\x72\x6F\x6D\x70\x74\x20\x74\x6F\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x74\x68\x65\x20\x66\x69\x6C\x65\x2E\x3C\x2F\x70\x3E", "\x6E\x6F\x6E\x65", "\x3C\x62\x72\x2F\x3E\x3C\x62\x72\x2F\x3E", "\x70\x6F\x73\x74", "\x69\x6E\x66\x6F", "\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x22\x70\x61\x64\x64\x69\x6E\x67\x3A\x20\x35\x70\x78\x20\x37\x70\x78\x3B\x20\x62\x6F\x72\x64\x65\x72\x3A\x20\x31\x70\x78\x20\x73\x6F\x6C\x69\x64\x20\x23\x65\x32\x65\x32\x65\x32\x3B\x20\x76\x65\x72\x74\x69\x63\x61\x6C\x2D\x61\x6C\x69\x67\x6E\x3A\x20\x6D\x69\x64\x64\x6C\x65\x3B\x20\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x23\x46\x37\x46\x37\x46\x37\x3B\x20\x77\x69\x64\x74\x68\x3A\x20\x37\x33\x25\x3B\x22\x3E\x3C\x70\x3E", "\x3C\x2F\x70\x3E\x3C\x2F\x64\x69\x76\x3E"];
// Decodes to Cufon.replace("h1")("h2")("h3")("h4")("div.menu li"):
// Cufon font replacement for the headings and the menu items.
Cufon[_0x6675[5]](_0x6675[4])(_0x6675[3])(_0x6675[2])(_0x6675[1])(_0x6675[0]);
// _0x6675[11] is "". Holds the previous contents of the "info" box so that
// clearinfo() can restore them.
var prev = _0x6675[11];

// Shorthand for document.getElementById: _0x6675[12] decodes to "getElementById".
// @param {string} _0x2391x4 - element id
// @returns the matching element, or null if absent
function _(_0x2391x4) {
    return document[_0x6675[12]](_0x2391x4)
};

// Starts the "complete a survey to unlock the file" flow and polls the server
// every 10 s until it reports the file unlocked. Each line's comment gives the
// decoded _0x6675 strings (plain-text array listed further down the page).
// Every innerHTML write below is a constant string; the server response is
// only compared against "1", never inserted into the page.
function launch() {
    var _0x2391x6 = 0; // 0 until the offer check reports the file unlocked
    _(_0x6675[14])[_0x6675[13]] = _0x6675[15]; // desc.innerHTML = "<p>The download will automatically begin ...</p>"
    _(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[19]; // loadingimg.style.display = "block"
    _(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp; // offercheck.src = "offercheck.php?file=" + file + "&t=" + stamp
    prev = curr; // curr is only assigned in showinfo() and is never declared; if showinfo() has not run yet this line throws a ReferenceError
    _(_0x6675[24])[_0x6675[13]] = _0x6675[11]; // spcng.innerHTML = ""
    setInterval(function () { // poll every 10 000 ms
        if (_0x2391x6 == 0) {
            $[_0x6675[30]](_0x6675[22] + file + _0x6675[25], function (_0x2391x7) { // $.post("offercheck.php?file=" + file + "&ajax", callback)
                if (_0x2391x7 == _0x6675[26]) { // response == "1" (hex \x31) means unlocked
                    _(_0x6675[14])[_0x6675[13]] = _0x6675[27]; // desc.innerHTML = "<p>Your file has been unlocked! ...</p>"
                    _(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[28]; // loadingimg.style.display = "none"
                    _(_0x6675[21])[_0x6675[20]] = _0x6675[11]; // offercheck.src = ""  (cleared, then set again below - presumably to force a reload)
                    _(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp; // offercheck.src = "offercheck.php?file=" + file + "&t=" + stamp
                    _0x2391x6 = 1; // stop further polling
                    prev = _0x6675[11]; // prev = ""
                    clearinfo();
                    _(_0x6675[24])[_0x6675[13]] = _0x6675[29] // spcng.innerHTML = "<br/><br/>"
                }
            })
        } else {
            clearInterval() // no timer id is passed, so this is a no-op; the interval keeps firing but does nothing further
        }
    }, 10000)
};

// Replaces the contents of the "info" element (_0x6675[31]) with a styled box
// wrapping _0x2391x9, remembering the old contents in prev for clearinfo().
// _0x2391x9 is concatenated into innerHTML unescaped, so callers must only pass
// trusted markup/text. curr is assigned without a declaration (implicit global).
function showinfo(_0x2391x9) {
    prev = _(_0x6675[31])[_0x6675[13]]; // prev = info.innerHTML
    _(_0x6675[31])[_0x6675[13]] = _0x6675[32] + _0x2391x9 + _0x6675[33]; // info.innerHTML = '<div style="padding: 5px 7px; ..."><p>' + text + "</p></div>"
    curr = _(_0x6675[31])[_0x6675[13]] // curr = info.innerHTML
};

// Restores the "info" element's previous contents saved by showinfo().
function clearinfo() {
    _(_0x6675[31])[_0x6675[13]] = prev // info.innerHTML = prev
};
</script>

URL

http://www.fileice.net/download.php?t=regular&file=rfve


Solution

Decoding the hex-escaped strings in the _0x6675 array yields:

["div.menu li","h4","h3","h2","h1","replace","onload","location","parent","http://","/download.php?file=","","getElementById","innerHTML","desc","<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>","display","style","loadingimg","block","src","offercheck","offercheck.php?file=","&t=","spcng","&ajax","1","<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>","none","<br/><br/>","post","info","<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>","</p></div>"]

Nothing too spectacular in my opinion.

It looks like ordinary obfuscated JavaScript, most likely intended to stop people from copying their scripts.

OTHER TIPS

You are hosting code and you don't know where it came from?

Yes. Be worried.

Pull the server offline and security audit it.

<script type="text/javascript">
var stamp = "9bdcac6591542d17c8ff"; // per-page token, appended as "&t=" to the offercheck.php URL
var file = "126640";               // file id sent in every offercheck.php request
var host = "fileice.net";          // used by the onload redirect below

// Previous contents of the "info" box, saved by showinfo() and restored by clearinfo().
var prev = "";

// Cufon font replacement for the headings and the menu items.
// see: https://github.com/sorccu/cufon/wiki/API
Cufon.replace("h1")("h2")("h3")("h4")("div.menu li");

// Force this page to be displayed inside a frame: at the top level
// window.parent is the window itself, so the two Location objects are the same
// and the browser is sent to download.php (which presumably embeds this page).
window.onload = function () {
    var isTopLevel = window.location === window.parent.location;
    if (isTopLevel) {
        window.location = "http://" + host + "/download.php?file=" + file;
    }
};

/**
 * Shorthand for document.getElementById, used on nearly every line of
 * launch()/showinfo()/clearinfo().
 * @param {string} id - element id
 * @returns {Element|null} the matching element, or null when none exists
 */
function _(id) {
    var doc = document;
    return doc.getElementById(id);
}

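/**
 * Starts the "complete a survey to unlock the file" flow and polls the server
 * every 10 s until it reports the file unlocked.
 *
 * Depends on the globals `file` and `stamp` (declared above), `_()` for element
 * lookup, jQuery's `$.post`, and `prev`/`curr`, which are shared with
 * showinfo()/clearinfo().
 *
 * Every innerHTML write below is a constant string; the server response `data`
 * is only compared, never inserted into the page.
 */
function launch() {
    var offerFinished = 0;

    _("desc").innerHTML = "<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>";
    _("loadingimg").style.display = "block";
    // The offer element (presumably an iframe) is keyed by the file id and the per-page stamp.
    _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp;
    _("spcng").innerHTML = "";

    // `curr` is only assigned by showinfo() and is never declared, so reading it
    // before any info box was shown would throw a ReferenceError.
    if (typeof curr !== "undefined") {
        prev = curr;
    }

    // Keep the timer id: clearInterval() with no argument is a no-op and would
    // leave the interval firing forever.
    var timer = setInterval(function () {
        if (offerFinished !== 0) {
            clearInterval(timer);
            return;
        }

        // jQuery Ajax POST request. The obfuscated original compares the reply
        // against "\x31", i.e. the string "1", not "0".
        $.post("offercheck.php?file=" + file + "&ajax", function (data) {
            if (String(data) !== "1") {
                return;
            }

            _("desc").innerHTML = "<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>";
            _("loadingimg").style.display = "none";

            // Cleared and then reassigned, presumably to force the element to reload.
            _("offercheck").src = "";
            _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp;

            _("spcng").innerHTML = "<br/><br/>";

            offerFinished = 1;
            prev = "";
            clearinfo();
        });
    }, 10000);
}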

/**
 * Shows `info` inside a styled box in the "info" element, remembering the
 * previous contents in the global `prev` so clearinfo() can restore them.
 * `info` is concatenated into innerHTML unescaped, so callers must only pass
 * trusted markup/text. `curr` is assigned without a declaration (implicit global).
 * @param {string} info - text or markup to display
 */
function showinfo(info) {
    var box = _("info");
    var openTag = "<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>";
    var closeTag = "</p></div>";

    prev = box.innerHTML;
    box.innerHTML = openTag + info + closeTag;
    curr = box.innerHTML;
}

/**
 * Restores the "info" element's previous contents saved by showinfo()
 * (the global `prev`).
 */
function clearinfo() {
    var box = _("info");
    box.innerHTML = prev;
}
</script>

Just paste the text of your code into the box and hit the 'decode' button here (this is not a promotion for the site, and I don't own it): http://ddecode.com/hexdecoder/

Licensed under: CC-BY-SA with attribution