
javascript - Found this nasty code, I wonder what it does? Should I be worried...? - Stack Overflow


I recently saw some free file-downloading website in our server log, and one of the site's source files contained some suspicious JavaScript code. Should I be worried about it? They might have run it, or might have installed spam, on one of our company's computers.

Code

<script type="text/javascript">
var stamp = "0529e8679c27247e794a"; // per-file token appended as "&t=" to the offercheck URL (see launch)
var file = "74109";                 // file id used in the offercheck.php query string
var host = "fileice";               // not read by any line shown in this listing
// String table for the obfuscated code below. Decoded (hex escapes -> ASCII):
//  [0] "div.menu li"  [1] "h4"  [2] "h3"  [3] "h2"  [4] "h1"  [5] "replace"  [6] "onload"
//  [7] "location"  [8] "parent"  [9] "http://"  [10] "/download.php?file="  [11] ""
//  [12] "getElementById"  [13] "innerHTML"  [14] "desc"
//  [15] "<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>"
//  [16] "display"  [17] "style"  [18] "loadingimg"  [19] "block"  [20] "src"  [21] "offercheck"
//  [22] "offercheck.php?file="  [23] "&t="  [24] "spcng"  [25] "&ajax"  [26] "1"
//  [27] "<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>"
//  [28] "none"  [29] "<br/><br/>"  [30] "post"  [31] "info"
//  [32] "<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>"
//  [33] "</p></div>"
// Entries 6-10 ("onload", "location", "parent", "http://", "/download.php?file=") are not
// referenced by any line shown here.
var _0x6675 = ["\x64\x69\x76\x2E\x6D\x65\x6E\x75\x20\x6C\x69", "\x68\x34", "\x68\x33", "\x68\x32", "\x68\x31", "\x72\x65\x70\x6C\x61\x63\x65", "\x6F\x6E\x6C\x6F\x61\x64", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x70\x61\x72\x65\x6E\x74", "\x68\x74\x74\x70\x3A\x2F\x2F", "\x2F\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x2E\x70\x68\x70\x3F\x66\x69\x6C\x65\x3D", "", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64", "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C", "\x64\x65\x73\x63", "\x3C\x70\x3E\x54\x68\x65\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x77\x69\x6C\x6C\x20\x61\x75\x74\x6F\x6D\x61\x74\x69\x63\x61\x6C\x6C\x79\x20\x62\x65\x67\x69\x6E\x20\x77\x68\x65\x6E\x20\x79\x6F\x75\x20\x73\x75\x63\x63\x65\x73\x73\x66\x75\x6C\x6C\x79\x20\x66\x69\x6E\x69\x73\x68\x20\x74\x68\x65\x20\x73\x75\x72\x76\x65\x79\x20\x79\x6F\x75\x20\x68\x61\x76\x65\x20\x63\x68\x6F\x73\x65\x6E\x2E\x20\x49\x66\x20\x74\x68\x65\x20\x66\x69\x6C\x65\x20\x64\x6F\x65\x73\x20\x6E\x6F\x74\x20\x61\x75\x74\x6F\x6D\x61\x74\x69\x63\x61\x6C\x6C\x79\x20\x75\x6E\x6C\x6F\x63\x6B\x20\x61\x66\x74\x65\x72\x20\x61\x20\x6D\x69\x6E\x75\x74\x65\x2C\x20\x70\x6C\x65\x61\x73\x65\x20\x63\x68\x6F\x6F\x73\x65\x20\x61\x6E\x6F\x74\x68\x65\x72\x20\x73\x75\x72\x76\x65\x79\x20\x61\x6E\x64\x20\x63\x6F\x6D\x70\x6C\x65\x74\x65\x20\x69\x74\x2E\x3C\x2F\x70\x3E", "\x64\x69\x73\x70\x6C\x61\x79", "\x73\x74\x79\x6C\x65", "\x6C\x6F\x61\x64\x69\x6E\x67\x69\x6D\x67", "\x62\x6C\x6F\x63\x6B", "\x73\x72\x63", "\x6F\x66\x66\x65\x72\x63\x68\x65\x63\x6B", "\x6F\x66\x66\x65\x72\x63\x68\x65\x63\x6B\x2E\x70\x68\x70\x3F\x66\x69\x6C\x65\x3D", "\x26\x74\x3D", "\x73\x70\x63\x6E\x67", "\x26\x61\x6A\x61\x78", "\x31", 
"\x3C\x70\x3E\x59\x6F\x75\x72\x20\x66\x69\x6C\x65\x20\x68\x61\x73\x20\x62\x65\x65\x6E\x20\x75\x6E\x6C\x6F\x63\x6B\x65\x64\x21\x20\x43\x6C\x69\x63\x6B\x20\x6F\x6B\x61\x79\x20\x6F\x6E\x20\x74\x68\x65\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x70\x72\x6F\x6D\x70\x74\x20\x74\x6F\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x74\x68\x65\x20\x66\x69\x6C\x65\x2E\x3C\x2F\x70\x3E", "\x6E\x6F\x6E\x65", "\x3C\x62\x72\x2F\x3E\x3C\x62\x72\x2F\x3E", "\x70\x6F\x73\x74", "\x69\x6E\x66\x6F", "\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x22\x70\x61\x64\x64\x69\x6E\x67\x3A\x20\x35\x70\x78\x20\x37\x70\x78\x3B\x20\x62\x6F\x72\x64\x65\x72\x3A\x20\x31\x70\x78\x20\x73\x6F\x6C\x69\x64\x20\x23\x65\x32\x65\x32\x65\x32\x3B\x20\x76\x65\x72\x74\x69\x63\x61\x6C\x2D\x61\x6C\x69\x67\x6E\x3A\x20\x6D\x69\x64\x64\x6C\x65\x3B\x20\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x23\x46\x37\x46\x37\x46\x37\x3B\x20\x77\x69\x64\x74\x68\x3A\x20\x37\x33\x25\x3B\x22\x3E\x3C\x70\x3E", "\x3C\x2F\x70\x3E\x3C\x2F\x64\x69\x76\x3E"];
// Decoded: Cufon.replace("h1")("h2")("h3")("h4")("div.menu li") — Cufon is a font-replacement library loaded elsewhere on the page
Cufon[_0x6675[5]](_0x6675[4])(_0x6675[3])(_0x6675[2])(_0x6675[1])(_0x6675[0]);
var prev = _0x6675[11]; // prev = "" — innerHTML of #info saved by showinfo() and restored by clearinfo()

// Decoded: function _(id) { return document.getElementById(id); } — DOM lookup shorthand used by the other helpers.
function _(_0x2391x4) {
    return document[_0x6675[12]](_0x2391x4)
};

// Decoded: starts a survey gate ("content locker"). Shows the waiting text, loads offercheck.php into
// #offercheck (its tag is not shown — presumably an iframe or img), and polls offercheck.php every
// 10 s through `$.post` (presumably jQuery) until the server answers "1", then shows the "unlocked" text.
// Reads the globals file, stamp and curr; writes prev. The caller is not shown here.
function launch() {
    var _0x2391x6 = 0;                                                          // offerFinished = 0
    _(_0x6675[14])[_0x6675[13]] = _0x6675[15];                                  // _("desc").innerHTML = "<p>The download will automatically begin ... complete it.</p>"
    _(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[19];                     // _("loadingimg").style.display = "block"
    _(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp;     // _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp
    prev = curr;                                                                // `curr` is an implicit global assigned only in showinfo(); this line throws ReferenceError if launch() runs first
    _(_0x6675[24])[_0x6675[13]] = _0x6675[11];                                  // _("spcng").innerHTML = ""
    setInterval(function () {                                                   // poll every 10 000 ms; the id is never stored
        if (_0x2391x6 == 0) {
            $[_0x6675[30]](_0x6675[22] + file + _0x6675[25], function (_0x2391x7) { // $.post("offercheck.php?file=" + file + "&ajax", function (data) {...})
                if (_0x2391x7 == _0x6675[26]) {                                 // data == "1" — the server's answer is the only thing gating the UI change
                    _(_0x6675[14])[_0x6675[13]] = _0x6675[27];                  // _("desc").innerHTML = "<p>Your file has been unlocked! ... </p>"
                    _(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[28];     // _("loadingimg").style.display = "none"
                    _(_0x6675[21])[_0x6675[20]] = _0x6675[11];                  // _("offercheck").src = ""   (reset, then re-set below, to force a reload)
                    _(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp; // _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp
                    _0x2391x6 = 1;                                              // offerFinished = 1
                    prev = _0x6675[11];                                         // prev = ""
                    clearinfo();
                    _(_0x6675[24])[_0x6675[13]] = _0x6675[29]                   // _("spcng").innerHTML = "<br/><br/>"
                }
            })
        } else {
            clearInterval()                                                     // no interval id passed, so this is a no-op: the timer keeps firing every 10 s
        }
    }, 10000)
};

// Decoded: showinfo(msg) saves #info's current innerHTML in `prev`, replaces it with a styled box
// containing msg, and records the result in `curr` (an implicit global, never declared with var).
// msg goes into innerHTML unescaped — an HTML-injection sink if any caller passes untrusted text
// (callers are not shown here).
function showinfo(_0x2391x9) {
    prev = _(_0x6675[31])[_0x6675[13]];                                   // prev = _("info").innerHTML
    _(_0x6675[31])[_0x6675[13]] = _0x6675[32] + _0x2391x9 + _0x6675[33]; // _("info").innerHTML = '<div style="padding: 5px 7px; ..."><p>' + msg + '</p></div>'
    curr = _(_0x6675[31])[_0x6675[13]]                                   // curr = _("info").innerHTML
};

// Decoded: clearinfo() restores #info's innerHTML from the global `prev`.
function clearinfo() {
    _(_0x6675[31])[_0x6675[13]] = prev // _("info").innerHTML = prev
};
</script>

URL

http:\\www.fileice/download.php?t=regular&file=rfve

I recently saw some free file-downloading website in our server log, and one of the site's source files contained some suspicious JavaScript code. Should I be worried about it? They might have run it, or might have installed spam, on one of our company's computers.

Code

<script type="text/javascript">
var stamp = "0529e8679c27247e794a"; // per-file token appended as "&t=" to the offercheck URL (see launch)
var file = "74109";                 // file id used in the offercheck.php query string
var host = "fileice";               // not read by any line shown in this listing
// String table for the obfuscated code below. Decoded (hex escapes -> ASCII):
//  [0] "div.menu li"  [1] "h4"  [2] "h3"  [3] "h2"  [4] "h1"  [5] "replace"  [6] "onload"
//  [7] "location"  [8] "parent"  [9] "http://"  [10] "/download.php?file="  [11] ""
//  [12] "getElementById"  [13] "innerHTML"  [14] "desc"
//  [15] "<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>"
//  [16] "display"  [17] "style"  [18] "loadingimg"  [19] "block"  [20] "src"  [21] "offercheck"
//  [22] "offercheck.php?file="  [23] "&t="  [24] "spcng"  [25] "&ajax"  [26] "1"
//  [27] "<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>"
//  [28] "none"  [29] "<br/><br/>"  [30] "post"  [31] "info"
//  [32] "<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>"
//  [33] "</p></div>"
// Entries 6-10 ("onload", "location", "parent", "http://", "/download.php?file=") are not
// referenced by any line shown here.
var _0x6675 = ["\x64\x69\x76\x2E\x6D\x65\x6E\x75\x20\x6C\x69", "\x68\x34", "\x68\x33", "\x68\x32", "\x68\x31", "\x72\x65\x70\x6C\x61\x63\x65", "\x6F\x6E\x6C\x6F\x61\x64", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x70\x61\x72\x65\x6E\x74", "\x68\x74\x74\x70\x3A\x2F\x2F", "\x2F\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x2E\x70\x68\x70\x3F\x66\x69\x6C\x65\x3D", "", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64", "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C", "\x64\x65\x73\x63", "\x3C\x70\x3E\x54\x68\x65\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x77\x69\x6C\x6C\x20\x61\x75\x74\x6F\x6D\x61\x74\x69\x63\x61\x6C\x6C\x79\x20\x62\x65\x67\x69\x6E\x20\x77\x68\x65\x6E\x20\x79\x6F\x75\x20\x73\x75\x63\x63\x65\x73\x73\x66\x75\x6C\x6C\x79\x20\x66\x69\x6E\x69\x73\x68\x20\x74\x68\x65\x20\x73\x75\x72\x76\x65\x79\x20\x79\x6F\x75\x20\x68\x61\x76\x65\x20\x63\x68\x6F\x73\x65\x6E\x2E\x20\x49\x66\x20\x74\x68\x65\x20\x66\x69\x6C\x65\x20\x64\x6F\x65\x73\x20\x6E\x6F\x74\x20\x61\x75\x74\x6F\x6D\x61\x74\x69\x63\x61\x6C\x6C\x79\x20\x75\x6E\x6C\x6F\x63\x6B\x20\x61\x66\x74\x65\x72\x20\x61\x20\x6D\x69\x6E\x75\x74\x65\x2C\x20\x70\x6C\x65\x61\x73\x65\x20\x63\x68\x6F\x6F\x73\x65\x20\x61\x6E\x6F\x74\x68\x65\x72\x20\x73\x75\x72\x76\x65\x79\x20\x61\x6E\x64\x20\x63\x6F\x6D\x70\x6C\x65\x74\x65\x20\x69\x74\x2E\x3C\x2F\x70\x3E", "\x64\x69\x73\x70\x6C\x61\x79", "\x73\x74\x79\x6C\x65", "\x6C\x6F\x61\x64\x69\x6E\x67\x69\x6D\x67", "\x62\x6C\x6F\x63\x6B", "\x73\x72\x63", "\x6F\x66\x66\x65\x72\x63\x68\x65\x63\x6B", "\x6F\x66\x66\x65\x72\x63\x68\x65\x63\x6B\x2E\x70\x68\x70\x3F\x66\x69\x6C\x65\x3D", "\x26\x74\x3D", "\x73\x70\x63\x6E\x67", "\x26\x61\x6A\x61\x78", "\x31", 
"\x3C\x70\x3E\x59\x6F\x75\x72\x20\x66\x69\x6C\x65\x20\x68\x61\x73\x20\x62\x65\x65\x6E\x20\x75\x6E\x6C\x6F\x63\x6B\x65\x64\x21\x20\x43\x6C\x69\x63\x6B\x20\x6F\x6B\x61\x79\x20\x6F\x6E\x20\x74\x68\x65\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x70\x72\x6F\x6D\x70\x74\x20\x74\x6F\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x74\x68\x65\x20\x66\x69\x6C\x65\x2E\x3C\x2F\x70\x3E", "\x6E\x6F\x6E\x65", "\x3C\x62\x72\x2F\x3E\x3C\x62\x72\x2F\x3E", "\x70\x6F\x73\x74", "\x69\x6E\x66\x6F", "\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x22\x70\x61\x64\x64\x69\x6E\x67\x3A\x20\x35\x70\x78\x20\x37\x70\x78\x3B\x20\x62\x6F\x72\x64\x65\x72\x3A\x20\x31\x70\x78\x20\x73\x6F\x6C\x69\x64\x20\x23\x65\x32\x65\x32\x65\x32\x3B\x20\x76\x65\x72\x74\x69\x63\x61\x6C\x2D\x61\x6C\x69\x67\x6E\x3A\x20\x6D\x69\x64\x64\x6C\x65\x3B\x20\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x23\x46\x37\x46\x37\x46\x37\x3B\x20\x77\x69\x64\x74\x68\x3A\x20\x37\x33\x25\x3B\x22\x3E\x3C\x70\x3E", "\x3C\x2F\x70\x3E\x3C\x2F\x64\x69\x76\x3E"];
// Decoded: Cufon.replace("h1")("h2")("h3")("h4")("div.menu li") — Cufon is a font-replacement library loaded elsewhere on the page
Cufon[_0x6675[5]](_0x6675[4])(_0x6675[3])(_0x6675[2])(_0x6675[1])(_0x6675[0]);
var prev = _0x6675[11]; // prev = "" — innerHTML of #info saved by showinfo() and restored by clearinfo()

// Decoded: function _(id) { return document.getElementById(id); } — DOM lookup shorthand used by the other helpers.
function _(_0x2391x4) {
    return document[_0x6675[12]](_0x2391x4)
};

// Decoded: starts a survey gate ("content locker"). Shows the waiting text, loads offercheck.php into
// #offercheck (its tag is not shown — presumably an iframe or img), and polls offercheck.php every
// 10 s through `$.post` (presumably jQuery) until the server answers "1", then shows the "unlocked" text.
// Reads the globals file, stamp and curr; writes prev. The caller is not shown here.
function launch() {
    var _0x2391x6 = 0;                                                          // offerFinished = 0
    _(_0x6675[14])[_0x6675[13]] = _0x6675[15];                                  // _("desc").innerHTML = "<p>The download will automatically begin ... complete it.</p>"
    _(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[19];                     // _("loadingimg").style.display = "block"
    _(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp;     // _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp
    prev = curr;                                                                // `curr` is an implicit global assigned only in showinfo(); this line throws ReferenceError if launch() runs first
    _(_0x6675[24])[_0x6675[13]] = _0x6675[11];                                  // _("spcng").innerHTML = ""
    setInterval(function () {                                                   // poll every 10 000 ms; the id is never stored
        if (_0x2391x6 == 0) {
            $[_0x6675[30]](_0x6675[22] + file + _0x6675[25], function (_0x2391x7) { // $.post("offercheck.php?file=" + file + "&ajax", function (data) {...})
                if (_0x2391x7 == _0x6675[26]) {                                 // data == "1" — the server's answer is the only thing gating the UI change
                    _(_0x6675[14])[_0x6675[13]] = _0x6675[27];                  // _("desc").innerHTML = "<p>Your file has been unlocked! ... </p>"
                    _(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[28];     // _("loadingimg").style.display = "none"
                    _(_0x6675[21])[_0x6675[20]] = _0x6675[11];                  // _("offercheck").src = ""   (reset, then re-set below, to force a reload)
                    _(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp; // _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp
                    _0x2391x6 = 1;                                              // offerFinished = 1
                    prev = _0x6675[11];                                         // prev = ""
                    clearinfo();
                    _(_0x6675[24])[_0x6675[13]] = _0x6675[29]                   // _("spcng").innerHTML = "<br/><br/>"
                }
            })
        } else {
            clearInterval()                                                     // no interval id passed, so this is a no-op: the timer keeps firing every 10 s
        }
    }, 10000)
};

// Decoded: showinfo(msg) saves #info's current innerHTML in `prev`, replaces it with a styled box
// containing msg, and records the result in `curr` (an implicit global, never declared with var).
// msg goes into innerHTML unescaped — an HTML-injection sink if any caller passes untrusted text
// (callers are not shown here).
function showinfo(_0x2391x9) {
    prev = _(_0x6675[31])[_0x6675[13]];                                   // prev = _("info").innerHTML
    _(_0x6675[31])[_0x6675[13]] = _0x6675[32] + _0x2391x9 + _0x6675[33]; // _("info").innerHTML = '<div style="padding: 5px 7px; ..."><p>' + msg + '</p></div>'
    curr = _(_0x6675[31])[_0x6675[13]]                                   // curr = _("info").innerHTML
};

// Decoded: clearinfo() restores #info's innerHTML from the global `prev`.
function clearinfo() {
    _(_0x6675[31])[_0x6675[13]] = prev // _("info").innerHTML = prev
};
</script>

URL

http:\\www.fileice/download.php?t=regular&file=rfve

  • Please break up the code into multiple lines using the code formatting features. – Dennis Traub Commented Aug 13, 2012 at 10:34
  • 1 Looks like obfuscated code, and we all know what secretly placed obfuscated code can be like – A Person Commented Aug 13, 2012 at 10:34
  • Thanks @Sirko ! I tried but couldn't get it. – TeaCupApp Commented Aug 13, 2012 at 10:38

Decrypting the _0x6675 array yields:

["div.menu li","h4","h3","h2","h1","replace","onload","location","parent","http://","/download.php?file=","","getElementById","innerHTML","desc","<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>","display","style","loadingimg","block","src","offercheck","offercheck.php?file=","&t=","spcng","&ajax","1","<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>","none","<br/><br/>","post","info","<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>","</p></div>"]

Nothing too spectacular in my opinion.

Looks like just some obfuscated JavaScript code to prevent copying their scripts.

You are hosting code and you don't know where it came from?

Yes. Be worried.

Pull the server offline and security audit it.

<script type="text/javascript">
var stamp = "9bdcac6591542d17c8ff"; // per-file token sent as "&t=" on the offercheck.php URL (see launch)
var file = "126640";                // file id; stamp and file differ from the question's copy (presumably a separate fetch of the page)
var host = "fileice";               // host fragment used only by the onload redirect below

var prev = ""; // innerHTML of #info saved by showinfo() and restored by clearinfo()

// see: https://github.com/sorccu/cufon/wiki/API
// Cufon is a font-replacement library loaded elsewhere on the page; this call applies it to these selectors
Cufon.replace("h1")("h2")("h3")("h4")("div.menu li");

// Keeps the page inside its frame. This corresponds to _0x6675 entries 6-10 ("onload", "location",
// "parent", "http://", "/download.php?file="); the question's listing never references those
// entries, so this handler presumably comes from a fuller copy of the page. Reads the globals host and file.
window.onload = function () {
    var isFramed = window.location != window.parent.location;
    if (isFramed) {
        return;
    }
    // Opened directly rather than inside download.php's frame: send the visitor to the download page
    window.location = "http://" + host + "/download.php?file=" + file;
}

// Shorthand for document.getElementById; every other helper in this script resolves elements through it.
function _(id) {
    var doc = document;
    return doc.getElementById(id);
}

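// Starts the survey gate ("content locker"). Shows the waiting text, loads offercheck.php into
// #offercheck (tag not shown here — presumably an iframe or img), and polls offercheck.php every
// 10 s via jQuery's $.post until the server answers "1", at which point the "unlocked" text is shown.
// Reads the globals file, stamp and curr; writes prev; calls _() and clearinfo().
// Differences from the decoded listing as first posted:
//  - `_("desc").innerHTML. =` had a stray dot (syntax error) — removed.
//  - the obfuscated original compares the response with _0x6675[26], which decodes to "1", not "0".
//  - clearInterval() was called with no argument, which is a no-op, so the poll never stopped;
//    the interval id is now kept and passed to clearInterval().
//  - "complete it." restored from the hex in the question (the "com" was apparently lost in transcription).
//  - the "spcng" spacer is written after clearinfo(), matching the original's statement order.
function launch() {
    var offerFinished = 0; // set to 1 once the server reports the offer as completed
    var timer;             // interval id, needed so the poll can actually be stopped

    _("desc").innerHTML = "<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>";
    _("loadingimg").style.display = "block";
    // stamp is a per-file token; the server can tie the offer check to this page load
    _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp;
    _("spcng").innerHTML = "";

    // `curr` is an implicit global first assigned in showinfo(); reading it before that would throw
    // a ReferenceError, so fall back to the empty string instead.
    prev = (typeof curr === "undefined") ? "" : curr;

    timer = setInterval(function () {
        if (offerFinished == 0) {
            // jQuery Ajax POST request; the response body is the only thing gating the UI change
            $.post("offercheck.php?file=" + file + "&ajax", function (data) {
                // loose comparison kept on purpose: jQuery may hand back a string or a number
                if (data == "1") {
                    _("desc").innerHTML = "<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>";

                    _("loadingimg").style.display = "none";
                    // clear then re-set src so the browser reloads offercheck.php
                    _("offercheck").src = "";
                    _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp;

                    offerFinished = 1;
                    prev = "";
                    clearinfo();
                    _("spcng").innerHTML = "<br/><br/>";
                }
            });
        } else {
            clearInterval(timer);
        }
    }, 10000);
}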

// Replaces #info's content with a styled box holding `info`, remembering the previous markup in
// the global `prev` (restored by clearinfo) and the new markup in `curr` (implicit global).
// `info` is inserted through innerHTML without escaping — an HTML-injection sink if any caller
// passes untrusted text (callers are not shown here).
function showinfo(info) {
    var box = _("info");
    var opening = "<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>";
    var closing = "</p></div>";
    prev = box.innerHTML;
    box.innerHTML = opening + info + closing;
    curr = box.innerHTML;
}

// Restores #info's markup from the global `prev` saved by showinfo().
function clearinfo() {
    var box = _("info");
    box.innerHTML = prev;
}
</script>

Just paste the text of your code into the cell and hit the 'decode' button here (not a promo for this site, nor do I own it, etc.): http://ddecode.com/hexdecoder/
