Obfuscated JavaScript Found on Web Page

Question

I got a call from a friend who has a large shopping cart web site. After a while a page would not load and you had to do a page refresh to show the page.

I'm not a html guy but can fumble around and understand the basics.

I started with firebug and found they were calling a chat service that was failing. I then checked all the web pages that had been altered since the setup of the site and deleted the chat script.

However on the same page I found the following script:

var _0x3fba = [
    "\x72\x61\x6E\x64\x6F\x6D",
    "\x66\x6C\x6F\x6F\x72",
    "\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x75\x6E\x64\x65\x66\x69\x6E\x65\x64\x22\x3E",
    "\x77\x72\x69\x74\x65",
    "\x73\x74\x6F\x70"
];

if ( Math[ _0x3fba[1] ]( ( Math[ _0x3fba[0] ]() * 3 ) + 1 ) == 3 ) {
    document[ _0x3fba[3] ]( _0x3fba[2] );
    window[ _0x3fba[4] ]();
};

After some googling I am led to believe this is Obfuscated javascript. We held our breath (it's a large site with lots of traffic) and deleted the above script and the problem went away and the site runs a lot faster.

So the million dollar question is what is this script actually doing.

I tried some online deObfuscaters but got nothing.

Answer 1

If you execute:

["\x72\x61\x6E\x64\x6F\x6D","\x66\x6C\x6F\x6F\x72","\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x75\x6E\x64\x65\x66\x69\x6E\x65\x64\x22\x3E","\x77\x72\x69\x74\x65","\x73\x74\x6F\x70"];

You'll get

["random", "floor", "<script type="text/undefined">", "write", "stop"]

so the code do:

if (Math["floor"]((Math["random"]()*3)+1)==3) {
   document["write"]('<script type="text/undefined">');
   window["stop"]();
}

The code, print <script type="text/undefined"> randomly and stop loading the page, maybe it try to crash the page randomly.

Answer 2

if (Math.floor((Math.random() * 3) + 1) == 3) {
    document.write('<script type="text/undefined">');
    window.stop();
}   

not very interesting really.