Dave just found this clever JS redirect while perusing some quality spam:
<script LANGUAGE="JavaScript">
<!--
function Decode(){var temp="",i,c=0,out="";var str="60!115!99!114!105!112!116!62!13!10!102!117!110!99!116!105!111!110!32!82!40!41!123!13!10!118!97!114!32!82!101!102!61!100!111!99!117!109!101!110!116!46!114!101!102!101!114!114!101!114!59!13!10!32!13!10!105!102!32!40!82!101!102!46!105!110!100!101!120!79!102!40!39!46!103!111!111!103!108!101!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!109!115!110!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!121!97!104!111!111!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!97!111!108!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!97!115!107!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!114!101!115!117!108!116!115!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!115!101!97!114!99!104!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!115!117!99!104!101!39!41!33!61!45!49!41!13!10!32!123!32!100!111!99!117!109!101!110!116!46!119!114!105!116!101!40!39!60!115!99!114!105!112!116!32!108!97!110!103!117!97!103!101!61!34!106!97!118!97!115!99!114!105!112!116!34!62!119!105!110!100!111!39!43!39!119!46!108!111!99!97!116!105!111!110!61!34!104!116!116!112!58!47!47!119!119!119!46!100!97!118!105!100!110!97!121!108!111!114!46!99!111!46!117!107!34!60!47!115!39!43!39!99!114!105!112!116!62!39!41!125!13!10!13!10!101!108!115!101!32!123!13!10!100!111!99!117!109!101!110!116!46!119!114!105!116!101!40!39!60!115!99!114!105!112!116!32!108!97!110!103!117!97!103!101!61!34!106!97!118!97!115!99!114!105!112!116!34!62!119!105!110!100!111!39!43!39!119!46!108!111!99!97!116!105!111!110!61!34!104!116!116!112!58!47!47!119!119!119!46!103!111!111!103!108!101!46!99!111!109!34!60!47!115!39!43!39!99!114!105!112!116!62!39!41!13!10!125!13!10!125!13!10!32!13!10!82!40!41!59!13!10!32!13!10!60!47!83!99!114!105!112!116!62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);}
//-->
</script><script LANGUAGE="JavaScript">
<!--
Decode();
//-->
</script>That’s a bit wide so here’s that centre block:
60!115!99!114!105!112!116!62!13!10!102!117!110!99!116!105!111!
110!32!82!40!41!123!13!10!118!97!114!32!82!101!102!61!100!111!
99!117!109!101!110!116!46!114!101!102!101!114!114!101!114!59!
13!10!32!13!10!105!102!32!40!82!101!102!46!105!110!100!101!120!
79!102!40!39!46!103!111!111!103!108!101!46!39!41!33!61!45!49!
32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!
46!109!115!110!46!39!41!33!61!45!49!32!124!124!32!82!101!102!
46!105!110!100!101!120!79!102!40!39!46!121!97!104!111!111!46!
39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!
20!79!102!40!39!46!97!111!108!46!39!41!33!61!45!49!32!124!124!
32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!97!115!
107!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!
100!101!120!79!102!40!39!114!101!115!117!108!116!115!39!41!33!
61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!
102!40!39!115!101!97!114!99!104!39!41!33!61!45!49!32!124!124!
32!82!101!102!46!105!110!100!101!120!79!102!40!39!115!117!99!
104!101!39!41!33!61!45!49!41!13!10!32!123!32!100!111!99!117!
109!101!110!116!46!119!114!105!116!101!40!39!60!115!99!114!
105!112!116!32!108!97!110!103!117!97!103!101!61!34!106!97!
118!97!115!99!114!105!112!116!34!62!119!105!110!100!111!39!
43!39!119!46!108!111!99!97!116!105!111!110!61!34!104!116!116!
112!58!47!47!119!119!119!46!100!97!118!105!100!110!97!121!
108!111!114!46!99!111!46!117!107!34!60!47!115!39!43!39!99!
114!105!112!116!62!39!41!125!13!10!13!10!101!108!115!101!32!
123!13!10!100!111!99!117!109!101!110!116!46!119!114!105!116!
101!40!39!60!115!99!114!105!112!116!32!108!97!110!103!117!
97!103!101!61!34!106!97!118!97!115!99!114!105!112!116!34!62!
119!105!110!100!111!39!43!39!119!46!108!111!99!97!116!105!
111!110!61!34!104!116!116!112!58!47!47!119!119!119!46!103!
111!111!103!108!101!46!99!111!109!34!60!47!115!39!43!39!99!
114!105!112!116!62!39!41!13!10!125!13!10!125!13!10!32!13!10!
82!40!41!59!13!10!32!13!10!60!47!83!99!114!105!112!116!62!
I’ve modified it slightly to mask its original destination. Any good programmer will instantly work out that this does but I’ll go through it for the rest of you. The big block of numbers in the middle are ASCII codepoints - numbers that represent characters in the ASCII character set. The script decodes the numbers into characters and writes them to the document. What that block represents is this:
<script>
function R(){
var Ref=document.referrer;
if (Ref.indexOf('.google.')!=-1 || Ref.indexOf('.msn.')!=-1 || Ref.indexOf('.yahoo.')!=-1 || Ref.indexOf('.aol.')!=-1 || Ref.indexOf('.ask.')!=-1 || Ref.indexOf('results')!=-1 || Ref.indexOf('search')!=-1 || Ref.indexOf('suche')!=-1)
{ document.write('</script><script language="javascript">windo'+'w.location="http://www.davidnaylor.co.uk"')}
else {
document.write('</script><script language="javascript">windo'+'w.location="http://www.google.com"')
}
}
R();
</script>Seasoned spammers will recognise this bit as a simple old-fashioned redirect.
Another variation on the old eval(unescape(…)) trick but interesting nonetheless.
For interested parties, here are some quick Python functions I bashed out to help me write this post.
def encode(s): o = "" for c in s: o += str(ord(c))+"!" return o def decode(s): return "".join(map(chr, map(int, s[:-1].split("!")))) assert decode(encode("foo")) == "foo"
Enjoy
-Rob & Dave
10 Comments
-
1
6th June 2007 @ 17:26
-
2
By any chance was this coming from two sites that had about 7m pages indexed in G? All pointing at a nice pron site?
Something like this came up in the G Webmaster Group yesterday. Interesting alright.
BTW what happened to whitehat DaveN? Year finish early?
6th June 2007 @ 18:01
-
3
Richard, mind sharing the urls?? =-)
6th June 2007 @ 18:59
-
4
Great, but how do we encode this?!
7th June 2007 @ 00:02
-
5
David I gave you a Python function to do it.
7th June 2007 @ 08:58
-
6
It was parasite stuff with redirects. Some now removed from hosting sites.
7th June 2007 @ 10:43
-
7
I’d created a similar version of this, based loosly on the eval(… version of this redirect.
This link is an encoder, you put in the url and it spits out the javascript. enjoy.
7th June 2007 @ 15:28
-
8
Cheers to Rob & Dave for the fascinating redirect and to Alfred for the encoder. Anybody know of an online decoder as well?
7th June 2007 @ 18:28
-
9
Hi. Is there a possibility that the code highlighting plugin is not working correctly here? I was actually trying to see WHAT plugin you used (I saw the code formatted nicely before) but now there’s no formatting at all.
24th February 2008 @ 23:04
-
10
Whether you love Windows 7 or hate it no one seems to be talking about one of its biggest problems. Many fancy business-friendly features are randomly tied to Windows Server 2008 R2 (also in beta) and won’t work even with older versions of Windows Server. More…
————————————————————————————————————————–
misterpoll.com…26th January 2009 @ 08:31
Copyright © 2004 - 2009 David Naylor. All rights reserved |
nicely spotted, clever stuff