Re: Malicious javascript obfustication




Ant wrote:
"Wong Yung" wrote:

Wow. Thanks very much for the info. And thanks heaps for
unobfuscating the stuff in javascript. Hmmm...looking at the
castlecops link it looks like we aren't the only ones who were hacked
using the same thing. Do you have any idea why links go to
kaonline.biz? I'm trying to work out what role they play in all of
this.

I don't know if they are involved. They say they're being attacked,
so you could report it to them, but as far as I can tell there is no
exploit if the redirect is to kaonline.biz.

If I use wget on the "e7da7.in" link, I get redirected to kaonline.
However, if I use telnet, the redirection is to:
ht_p://66.36.241.243/expd/index.php
(I've munged the "http" in case anyone's click-happy)

That's where the malicious code is, and I found a different (and more
obfuscated) exploit to what you posted before.

Where you are redirected, and what exploit is served up probably
depends on the user-agent header of the http request.

*Sigh* I couldn't get a nice simple evil guy could I? BTW what is this
other more obfuscated exploit that you found?
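
Added example, not part of the original thread: one way to confirm the User-Agent-dependent redirect described above is to save the raw response headers from each client and group the clients by the `Location` they were given. The captured responses, host names and the `ExampleBrowser` User-Agent below are constructed for illustration, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed raw responses, keyed by the User-Agent sent with the request.
CAPTURED = {
    "Wget/1.10.2": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://decoy.example/\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "(none, hand-typed telnet request)": (
        "HTTP/1.1 302 Found\r\n"
        "location: http://landing.example/expd/index.php\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "ExampleBrowser/1.0": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://landing.example/expd/index.php\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
}

def redirect_target(raw):
    """Return the Location of a 3xx response, or None if it is not a redirect."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. ["HTTP/1.1", "302", "Found"]
    if len(parts) < 2 or not parts[1].isdigit() or not parts[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":  # header names are case-insensitive
            return value.strip()
    return None

def group_by_target(captured):
    """Map each redirect target to the list of User-Agents that received it."""
    groups = defaultdict(list)
    for user_agent, raw in captured.items():
        groups[redirect_target(raw)].append(user_agent)
    return dict(groups)

def is_cloaking(captured):
    """True when the same URL sent different clients to different places."""
    return len(group_by_target(captured)) > 1

if __name__ == "__main__":
    for target, agents in group_by_target(CAPTURED).items():
        print(target, "<-", agents)
    print("User-Agent-dependent redirect:", is_cloaking(CAPTURED))
```
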
