
Re^3: Malicious Perl Scripts & Web Development

by Lotus1 (Vicar)
on Apr 12, 2019 at 20:35 UTC (node #1232515)


in reply to Re^2: Malicious Perl Scripts & Web Development
in thread Malicious Perl Scripts & Web Development

Interesting. I'll let the Monks who are more experienced with web development comment overall, but I noticed the `print decode_base64("PHNj...` and decided to decode it. It is JavaScript wrapped in a `<script>` tag that has been Base64-encoded. It seems to just be doing keyword colour highlighting for some program code. I first used a web page to decode it and then the following script. (In hindsight, decode suspected-malicious content locally rather than pasting it into a third-party site: an online decoder receives a copy of the sample, and the core MIME::Base64 module does the same job without executing anything.)

# Decode the embedded blob offline instead of letting it run: MIME::Base64 is a core
# module, nothing in the payload is executed, and the sample never leaves this host.
# NOTE: the "+" at the start of each wrapped segment below is a PerlMonks line-wrap
# marker, not part of the literal - join the segments (dropping " +") before running.
use strict; use warnings; use MIME::Base64 qw(decode_base64); print decode_base64("PHNjcmlwdD5mdW5jdGlvbiBjb2xvcihjb2RlKXt2YXIgcz1bX +Tt2YXIgYz0iJyI7cmV0dXJuIGNvZGUucmVwbGFjZSgvXGIoY2FzZXxjYXRjaHxjb250aW +51ZXxkb3xlbmRkb3xlbHNlfGVsaWZ8ZWxzZWlmfGlmZGVmfGlmbmRlZnxlbmRpZnxmb3J +8Zm9yZWFjaHxpZnxmaXxzd2l0Y2h8dHJ5fHR5cGVvZnx3aGlsZXx3aXRofGJyZWFrfGlu +Y2x1ZGV8cmVxdWlyZXxyZXF1aXJlX29uY2V8Zm9wZW58ZnB1dHN8ZnJlYWR8ZmlsZV9nZ +XRfY29udGVudHN8ZmlsZV9wdXRfY29udGVudHN8cHJlZ19yZXBsYWNlfGltcG9ydHxleG +NlcHR8ZGVmaW5lfGRlZmluZWR8dW5kZWYpXGIvZ2ltLCc8c3Bhbj4kMTwvc3Bhbj4nKS5 +yZXBsYWNlKC8oe3x9KS9naW0sJzxzcGFuPiQxPC9zcGFuPicpLnJlcGxhY2UoL1xiKGZ1 +bmN0aW9ufHN1YnxkZWZ8dm9pZHxpbnR8cmV0dXJufGV2YWx8YXNzZXJ0fGV4ZWNsfGV4Z +WN2fGV4ZWN2ZXxleGVjfGV4ZWNwfGRpZVwoXCkpXGIvZ2ltLCc8Yj48Zm9udCBjb2xvcj +0jMDBmZmZmPiQxPC9mb250PjwvYj4nKS5yZXBsYWNlKC9cYihzdHJ1Y3R8ZXhpdHxjbGF +zc3xzeXN0ZW18cHJpbnR8cHJpbnRmfGVjaG98c3ByaW50ZnxmcHJpbnRmfHZhclxzKVxi +L2dpbSwnPGI+JDE8L2I+JykucmVwbGFjZSgvXGIoMHhbXGRhLXpdK3xcZCspXGIvZ2ltL +CAnPGZvbnQgY29sb3I9I2ZmYTA3YT4kMTwvZm9udD4nKS5yZXBsYWNlKC8oXFx4W1xkYS +16XSopL2dpbSwgJzxmb250IGNvbG9yPSNmZmEwN2E+JDE8L2ZvbnQ+JykucmVwbGFjZSg +vXGIoaHR0cFw6XC9cLypcLz98aHR0cHNcOlwvXC8qXC8/fGZ0cFw6XC9cLypcLz8pXGIv +Z2ltLCc8dT48Zm9udCBjb2xvcj0jZmFmYWQyPiQxPC91PjwvZm9udD4nKS5yZXBsYWNlK +C8oIi4qPyJ8Jy4qPycpL2csJzxmb250IGNvbG9yPSNmYWZhZDI+JDE8L2ZvbnQ+Jykucm +VwbGFjZSgvKFwvXCouKlwqXC98XC9cLy4qKS9naW0sJzxmb250IGNvbG9yPSM2OTY5Njk ++JDE8L2ZvbnQ+JykucmVwbGFjZSgvKFwvXCpbXHNcU10qP1wqXC8pL2dpbSwnPGZvbnQg +Y29sb3I9IzY5Njk2OT4kMTwvZm9udD4nKS5yZXBsYWNlKC8oXiMuKiQpL2dpbSwnPGI+P +GZvbnQgY29sb3I9IzY5Njk2OT4kMTwvZm9udD48L2I+JykucmVwbGFjZSgvKFwkW19hLX +owLTldKikvZ2ltLCc8Yj48Zm9udCBjb2xvcj0jOThmYjk4PiQxPC9mb250PjwvYj4nKS5 +yZXBsYWNlKC88cihcZCspPi9naW0sZnVuY3Rpb24obWF0Y2gsaWQpe3ZhciByPXNbaWQt +MV07dmFyIGNzcz1yLm1hdGNoKC9eKFwvXC98XC9cKnwtKS8pPydjb21tZW50JzpyLm1hd +GNoKC9eWyYnXS8pPydzdHJpbmcnOidyZWdleHAnO3JldHVybiAnPHNwYW4gY2xhc3M9Ii +crY3NzKyciPicrcisnPC9zcGFuPic7fSl9O2Z1bmN0aW9uIGNoYW5nZVRleHQoKXt2YXI 
+gYT1kb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnY2Njb2RlZScpLmlubmVySFRNTDthPWNv +bG9yKGEpO2RvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdjY2NvZGVlJykuaW5uZXJIVE1MP +WE7fTwvc2NyaXB0Pg==");

The decoded output is (the `+` at the start of each wrapped line is a PerlMonks line-wrap marker, not part of the script):

<script>function color(code){var s=[];var c="'";return code.replace(/\ +b(case|catch|continue|do|enddo|else|elif|elseif|ifdef|ifndef|endif|fo +r|foreach|if|fi|switch|try|typeof|while|with|break|include|require|re +quire_once|fopen|fputs|fread|file_get_contents|file_put_contents|preg +_replace|import|except|define|defined|undef)\b/gim,'<span>$1</span>') +.replace(/({|})/gim,'<span>$1</span>').replace(/\b(function|sub|def|v +oid|int|return|eval|assert|execl|execv|execve|exec|execp|die\(\))\b/g +im,'<b><font color=#00ffff>$1</font></b>').replace(/\b(struct|exit|cl +ass|system|print|printf|echo|sprintf|fprintf|var\s)\b/gim,'<b>$1</b>' +).replace(/\b(0x[\da-z]+|\d+)\b/gim, '<font color=#ffa07a>$1</font>') +.replace(/(\\x[\da-z]*)/gim, '<font color=#ffa07a>$1</font>').replace +(/\b(http\:\/\/*\/?|https\:\/\/*\/?|ftp\:\/\/*\/?)\b/gim,'<u><font co +lor=#fafad2>$1</u></font>').replace(/(".*?"|'.*?')/g,'<font color=#fa +fad2>$1</font>').replace(/(\/\*.*\*\/|\/\/.*)/gim,'<font color=#69696 +9>$1</font>').replace(/(\/\*[\s\S]*?\*\/)/gim,'<font color=#696969>$1 +</font>').replace(/(^#.*$)/gim,'<b><font color=#696969>$1</font></b>' +).replace(/(\$[_a-z0-9]*)/gim,'<b><font color=#98fb98>$1</font></b>') +.replace(/<r(\d+)>/gim,function(match,id){var r=s[id-1];var css=r.mat +ch(/^(\/\/|\/\*|-)/)?'comment':r.match(/^[&']/)?'string':'regexp';ret +urn '<span class="'+css+'">'+r+'</span>';})};function changeText(){va +r a=document.getElementById('cccodee').innerHTML;a=color(a);document. +getElementById('cccodee').innerHTML=a;}</script>

I reformatted it slightly to try to make sense of it, but I don't have the time or patience to take this any further. Two things worth noting before calling it benign: this blob only rewrites the `innerHTML` of the element with id `cccodee` and contains no `eval`, network or cookie access, but that clears only this one string, not the rest of the Perl it is embedded in; and the final `<r(\d+)>` handler indexes `s`, which is never populated here, so the snippet looks like a trimmed copy of a larger highlighter. Good luck.

<!--
  Analyst notes on the decoded blob. The code below is left exactly as decoded; the
  stray "+" at the start of wrapped segments are PerlMonks line-wrap markers, not code.

  color(code): a regex-based syntax highlighter. Each chained .replace() wraps one
  token class - keywords, braces, \b(function|...)\b names, numbers, \x escapes,
  http/https/ftp scheme prefixes, quoted strings, // and /* */ comments, #-lines,
  $variables - in <span>/<b>/<font>/<u> presentational markup and returns the string.
  The last .replace(/<r(\d+)>/, ...) reads s[id-1], but s is only ever initialised
  to [] here, so any "<rN>" token in the input would leave r undefined and make
  r.match throw a TypeError. Together with the unused variable c this looks like a
  trimmed copy of a larger highlighter (inference from this blob alone, not proven).
  The URL replacement's '<u><font color=#fafad2>$1</u></font>' is mis-nested.

  changeText(): reads document.getElementById('cccodee').innerHTML, passes it through
  color(), and writes the result back to the same element's innerHTML. It only adds
  markup around content already in that element; nothing in this blob calls eval,
  performs network requests, or touches cookies/storage. That is a statement about
  this one string only - what the enclosing Perl does around it still needs review.
-->
<script> function color(code){var s=[];var c="'"; return code.replace( /\b(case|catch|continue|do|enddo|else|elif|elseif|ifdef|ifndef|endif|f +or|foreach|if|fi|switch|try|typeof|while|with|break|include|require|r +equire_once|fopen|fputs|fread|file_get_contents|file_put_contents|pre +g_replace|import|except|define|defined|undef)\b/gim, '<span>$1</span>').replace(/({|})/gim, '<span>$1</span>').replace(/\b(function|sub|def|void|int|return|eval|a +ssert|execl|execv|execve|exec|execp|die\(\))\b/gim, '<b><font color=#00ffff>$1</font></b>').replace(/\b(struct|exit|class| +system|print|printf|echo|sprintf|fprintf|var\s)\b/gim, '<b>$1</b>').replace(/\b(0x[\da-z]+|\d+)\b/gim, '<font color=#ffa07a>$1</font>').replace(/(\\x[\da-z]*)/gim, '<font color=#ffa07a>$1</font>').replace(/\b(http\:\/\/*\/?|https\:\/\ +/*\/?|ftp\:\/\/*\/?)\b/gim, '<u><font color=#fafad2>$1</u></font>').replace(/(".*?"|'.*?')/g, '<font color=#fafad2>$1</font>').replace(/(\/\*.*\*\/|\/\/.*)/gim, '<font color=#696969>$1</font>').replace(/(\/\*[\s\S]*?\*\/)/gim, '<font color=#696969>$1</font>').replace(/(^#.*$)/gim, '<b><font color=#696969>$1</font></b>').replace(/(\$[_a-z0-9]*)/gim, '<b><font color=#98fb98>$1</font></b>').replace(/<r(\d+)>/gim, function(match,id){var r=s[id-1]; var css=r.match(/^(\/\/|\/\*|-)/)?'comment':r.match(/^[&']/)?'string': +'regexp';return '<span class="'+css+'">'+r+'</span>';})}; function changeText(){var a=document.getElementById('cccodee').innerHT +ML; a=color(a); document.getElementById('cccodee').innerHTML=a;} </script>
