Full Disclosure mailing list archives
Malicious Javascript from "Hack Peoples Passwords" spam
From: "Maxime Ducharme" <maxime () pandore-design com>
Date: Wed, 5 Nov 2003 11:33:11 -0500
Hi all,

I received a spam pointing to a link which contains suspicious javascript. The code seems protected with some kind of "script encoder"; I'd like to know which tool it is, or any other similar.

I started decoding the script and I put the files here:
http://www.pandore-design.com/security/spam/2003-11-05/

The spam source is in the "Hack Peoples Passwords ..." txt file.

The first loaded file is
http://www.phosphorescent@200.206.191.202/LOU/index.html
which I saved under "index_1.dat" on my site.

index_2.dat has a part of the script decoded.
index_3.dat is a little further.
index_3_unsp.dat contains what is output by the first script.

I found that this script loads, via a hidden frame, this other URL:
http://www.phosphorescent@200.206.191.202/LOU/98653.htm
which contains a similar script, but pops up this other URL instead:
http://sf1000.registeredsite.com/~user990682/LOU/PASS/index.html

I'm now at this step (didn't have time to get further yet), but there are some parts of the scripts which I could not decode. These parts do not seem to be used, like (in index_3.dat):

    var vm66=6743;
    CQPaeh='OBSKrOawObqEOjOMjJIgSfWO';
    ...

These lines seem to be added only to make the script bigger and harder to read, but I'm not sure.

Someone with more experience may find something else?

Thanks for replies

---------------------------------------------------------------
Maxime Ducharme
Administrateur reseau, Programmeur

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
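Added example, not part of the original message or of any tool it mentions: one way to test the "padding" hypothesis statically is to list every name that is assigned a string or number literal and then never appears again in the script. The function names and the SAMPLE input are assumptions made for illustration; only the first two SAMPLE lines are quoted from the message, the rest is constructed.

```javascript
// Heuristic only: names that are read through eval() or assembled from
// strings at run time will be reported as unread, so treat hits as candidates.

// Blank out string literals and comments so their contents are not
// mistaken for identifier references.
function stripLiterals(src) {
  const re = /'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
  return src.replace(re, (m) => (m[0] === "'" || m[0] === '"' ? '""' : ' '));
}

// Return names that are assigned a string or number literal and never
// appear anywhere else in the script, in order of first assignment.
function findUnreadLiterals(src) {
  const code = stripLiterals(src);
  const assigned = new Map(); // name -> number of literal assignments
  const assignRe =
    /(?<![\w$.])(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*(?:""|\d+(?:\.\d+)?)\s*;/g;
  for (const m of code.matchAll(assignRe)) {
    assigned.set(m[1], (assigned.get(m[1]) || 0) + 1);
  }
  const seen = new Map(); // name -> total occurrences as an identifier
  for (const m of code.matchAll(/(?<![\w$])[A-Za-z_$][\w$]*/g)) {
    seen.set(m[0], (seen.get(m[0]) || 0) + 1);
  }
  // Unread: every occurrence of the name is one of its literal assignments.
  return [...assigned.keys()].filter((n) => seen.get(n) === assigned.get(n));
}

// The script is analysed as text only; it is never executed.
const SAMPLE = [
  "var vm66=6743;",                     // quoted from the message
  "CQPaeh='OBSKrOawObqEOjOMjJIgSfWO';", // quoted from the message
  "var key=13;",                        // constructed from here on
  "var out='';",
  "for (var i=0;i<data.length;i++) out+=String.fromCharCode(data.charCodeAt(i)^key);",
  "document.write(out);",
].join("\n");

console.log(findUnreadLiterals(SAMPLE)); // names that are set but never read
```

A name that stays on this list after each decoding stage has been unpacked and re-checked is a reasonable candidate for filler; one that disappears from the list at a later stage was data for that stage.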