Could someone explain this facebook script? XSS?

Question

<script type="text/javascript" src="/aes.js" ></script>
<script>
function toNumbers(d){
 var e=[];
 d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});
 return e
}
function toHex(){
 for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);
 return e.toLowerCase()
 }
var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("23408f94661caf2c92c0cf7da64ab661");
document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; 
document.cookie="referrer="+escape(document.referrer); 
location.href="http://of3trade0912achieve20.dc7.us/?ckattempt=1";
</script>

I'm a layman whose friend's Facebook account was compromised and was posting a link to a site with this script on it everywhere.

I'm curious and would appreciate if someone could explain what this script is doing.

It's probably a worm, replace the last few lines with `console.log` for the variables — Paul S., Dec 09 '15 at 20:10

score 1 · Answer 1 · answered Dec 09 '15 at 20:19

1

It sets 2 cookies, one of them using some encrytion stuff, with a 22 year expiration date, and the other one saving the name of the referring page, then it redirects the page to a different page, "http://of3trade0912achieve20.dc7.us/?ckattempt=1".

answered Dec 09 '15 at 20:19

I wrestled a bear once.

22,983
19
69
116

score 0 · Answer 2 · answered Dec 09 '15 at 20:26

0

You won't understand in the majority of cases the entire script. It is because the script is encrypted to avoid coping. That's why many pages have the same structure or patron. Var e:[/.t]+l.String... blah blah blah!

answered Dec 09 '15 at 20:26

Rodolfo Lanshore

97
1
1
11

Could someone explain this facebook script? XSS?

2 Answers2