Re: Malicious JavaScript obfuscation

Ant wrote:
"Wong Yung" wrote:

Wow. Thanks very much for the info. And thanks heaps for
unobfuscating the stuff in JavaScript. Hmmm...looking at the
castlecops link it looks like we aren't the only ones who were hacked
using the same thing. Do you have any idea why the links go to
kaonline.biz? I'm trying to work out what role they play in all of
this.

I don't know if they are involved. They say they're being attacked,
so you could report it to them, but as far as I can tell there is no
exploit if the redirect is to kaonline.biz.

If I use wget on the "e7da7.in" link, I get redirected to kaonline.
However, if I use telnet, the redirection is to:
ht_p://66.36.241.243/expd/index.php
(I've munged the "http" in case anyone's click-happy)

That's where the malicious code is, and I found a different (and more
obfuscated) exploit from the one you posted before.

Where you are redirected, and what exploit is served up probably
depends on the user-agent header of the http request.

*Sigh* I couldn't get a nice simple evil guy, could I? BTW, what is this
other more obfuscated exploit that you found?
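The point Ant makes above, that the redirect target (and what gets served) depends on the User-Agent header, is easy to miss when wget and telnet give different answers. The following is an added example, not code from anyone in this thread: it spins up a constructed local stand-in for such a redirector whose rules are purely hypothetical, then probes it the way an investigator would, with no redirect-following, sending no User-Agent at all (as telnet does), a Wget agent, and a browser agent, and records the Location header each one is handed. All hostnames are placeholders.

```python
import http.server
import threading
from http.client import HTTPConnection

# Constructed stand-in for a User-Agent-dependent redirector. The rules are
# hypothetical and exist only so the probe below has something to measure.
class UADependentRedirector(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if ua.startswith("Wget"):
            # Command-line fetchers get sent somewhere harmless (placeholder host).
            target = "http://benign.example/"
        else:
            # Everything else, including requests with no UA, gets the payload path
            # (placeholder host; the path shape mirrors the one seen in the thread).
            target = "http://payload.example/expd/index.php"
        self.send_response(302)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the server quiet
        pass


def start_server():
    """Bind the stand-in redirector to an ephemeral loopback port in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), UADependentRedirector)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_redirect(port, path, user_agent=None):
    """Issue one GET *without* following redirects; return (status, Location).

    http.client adds no User-Agent on its own, so user_agent=None reproduces a
    bare telnet-style request, while a string reproduces a specific client.
    """
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {} if user_agent is None else {"User-Agent": user_agent}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


# Labels -> User-Agent values to try (constructed sample set).
AGENTS = {
    "telnet (no header)": None,
    "wget": "Wget/1.21",
    "msie": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
}


def compare_user_agents(port, path, agents):
    """Map each label to the Location the server hands that User-Agent."""
    return {label: probe_redirect(port, path, ua)[1] for label, ua in agents.items()}


def demo():
    """Run the whole comparison against the local stand-in and return the mapping."""
    srv = start_server()
    try:
        return compare_user_agents(srv.server_port, "/", AGENTS)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, loc in demo().items():
        print(f"{label:20s} -> {loc}")
```

When triaging a real redirector, the same probe run against the suspect URL (with redirect-following disabled) shows whether the Location differs by client; if it does, a defender should fetch the final page with the browser-like header for analysis rather than trusting what a command-line fetcher was shown.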
