Blog

A Clever JavaScript Redirect

by

Dave just found this clever JS redirect while perusing some quality spam:

<script LANGUAGE="JavaScript">
 
<!--
 
function Decode(){var temp="",i,c=0,out="";var str="60!115!99!114!105!112!116!62!13!10!102!117!110!99!116!105!111!110!32!82!40!41!123!13!10!118!97!114!32!82!101!102!61!100!111!99!117!109!101!110!116!46!114!101!102!101!114!114!101!114!59!13!10!32!13!10!105!102!32!40!82!101!102!46!105!110!100!101!120!79!102!40!39!46!103!111!111!103!108!101!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!109!115!110!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!121!97!104!111!111!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!97!111!108!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!97!115!107!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!114!101!115!117!108!116!115!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!115!101!97!114!99!104!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!115!117!99!104!101!39!41!33!61!45!49!41!13!10!32!123!32!100!111!99!117!109!101!110!116!46!119!114!105!116!101!40!39!60!115!99!114!105!112!116!32!108!97!110!103!117!97!103!101!61!34!106!97!118!97!115!99!114!105!112!116!34!62!119!105!110!100!111!39!43!39!119!46!108!111!99!97!116!105!111!110!61!34!104!116!116!112!58!47!47!119!119!119!46!100!97!118!105!100!110!97!121!108!111!114!46!99!111!46!117!107!34!60!47!115!39!43!39!99!114!105!112!116!62!39!41!125!13!10!13!10!101!108!115!101!32!123!13!10!100!111!99!117!109!101!110!116!46!119!114!105!116!101!40!39!60!115!99!114!105!112!116!32!108!97!110!103!117!97!103!101!61!34!106!97!118!97!115!99!114!105!112!116!34!62!119!105!110!100!111!39!43!39!119!46!108!111!99!97!116!105!111!110!61!34!104!116!116!112!58!47!47!119!119!119!46!103!111!111!103!108!101!46!99!111!109!34!60!47!115!39!43!39!99!114!105!112!116!62!39!41!13!10!125!13!10!125!13!10!32!13!10!82!40!41!59!13!10!32!13!10!60!47!83!99!114!105!112!116!62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);}
 
//-->
 
</script><script LANGUAGE="JavaScript">
 
<!--
 
Decode();
 
//-->
 
</script>

That’s a bit wide so here’s that centre block:

60!115!99!114!105!112!116!62!13!10!102!117!110!99!116!105!111!
110!32!82!40!41!123!13!10!118!97!114!32!82!101!102!61!100!111!
99!117!109!101!110!116!46!114!101!102!101!114!114!101!114!59!
13!10!32!13!10!105!102!32!40!82!101!102!46!105!110!100!101!120!
79!102!40!39!46!103!111!111!103!108!101!46!39!41!33!61!45!49!
32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!
46!109!115!110!46!39!41!33!61!45!49!32!124!124!32!82!101!102!
46!105!110!100!101!120!79!102!40!39!46!121!97!104!111!111!46!
39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!
20!79!102!40!39!46!97!111!108!46!39!41!33!61!45!49!32!124!124!
32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!97!115!
107!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!
100!101!120!79!102!40!39!114!101!115!117!108!116!115!39!41!33!
61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!
102!40!39!115!101!97!114!99!104!39!41!33!61!45!49!32!124!124!
32!82!101!102!46!105!110!100!101!120!79!102!40!39!115!117!99!
104!101!39!41!33!61!45!49!41!13!10!32!123!32!100!111!99!117!
109!101!110!116!46!119!114!105!116!101!40!39!60!115!99!114!
105!112!116!32!108!97!110!103!117!97!103!101!61!34!106!97!
118!97!115!99!114!105!112!116!34!62!119!105!110!100!111!39!
43!39!119!46!108!111!99!97!116!105!111!110!61!34!104!116!116!
112!58!47!47!119!119!119!46!100!97!118!105!100!110!97!121!
108!111!114!46!99!111!46!117!107!34!60!47!115!39!43!39!99!
114!105!112!116!62!39!41!125!13!10!13!10!101!108!115!101!32!
123!13!10!100!111!99!117!109!101!110!116!46!119!114!105!116!
101!40!39!60!115!99!114!105!112!116!32!108!97!110!103!117!
97!103!101!61!34!106!97!118!97!115!99!114!105!112!116!34!62!
119!105!110!100!111!39!43!39!119!46!108!111!99!97!116!105!
111!110!61!34!104!116!116!112!58!47!47!119!119!119!46!103!
111!111!103!108!101!46!99!111!109!34!60!47!115!39!43!39!99!
114!105!112!116!62!39!41!13!10!125!13!10!125!13!10!32!13!10!
82!40!41!59!13!10!32!13!10!60!47!83!99!114!105!112!116!62!

I’ve modified it slightly to mask its original destination. Any good programmer will instantly work out that this does but I’ll go through it for the rest of you. The big block of numbers in the middle are ASCII codepoints – numbers that represent characters in the ASCII character set. The script decodes the numbers into characters and writes them to the document. What that block represents is this:

<script>
function R(){
var Ref=document.referrer;
 
if (Ref.indexOf('.google.')!=-1 || Ref.indexOf('.msn.')!=-1 || Ref.indexOf('.yahoo.')!=-1 || Ref.indexOf('.aol.')!=-1 || Ref.indexOf('.ask.')!=-1 || Ref.indexOf('results')!=-1 || Ref.indexOf('search')!=-1 || Ref.indexOf('suche')!=-1)
 { document.write('</script><script language="javascript">windo'+'w.location="http://www.davidnaylor.co.uk"')}
 
else {
document.write('</script><script language="javascript">windo'+'w.location="http://www.google.com"')
}
}
 
R();
 
</script>

Seasoned spammers will recognise this bit as a simple old-fashioned redirect.

Another variation on the old eval(unescape(…)) trick but interesting nonetheless.

For interested parties, here are some quick Python functions I bashed out to help me write this post.

def encode(s):
	o = ""
	for c in s:
		o += str(ord(c))+"!"
	return o
 
def decode(s):
	return "".join(map(chr, map(int, s[:-1].split("!"))))
 
assert decode(encode("foo")) == "foo"

Enjoy

-Rob & Dave

9 Comments

  • Glen 2178 days ago

    http://www.viperchill.com

    nicely spotted, clever stuff

    Reply
  • Richard Hearne 2178 days ago

    http://www.redcardinal.ie

    By any chance was this coming from two sites that had about 7m pages indexed in G? All pointing at a nice pron site?

    Something like this came up in the G Webmaster Group yesterday. Interesting alright.

    BTW what happened to whitehat DaveN? Year finish early? :D

    Reply
  • QuebecAmour 2178 days ago

    http://www.quebecamour.com

    Richard, mind sharing the urls?? =-)

    Reply
  • David 2177 days ago

    Great, but how do we encode this?!

    Reply
  • Rob Haswell 2177 days ago

    David I gave you a Python function to do it.

    Reply
  • Richard Hearne 2177 days ago

    http://www.redcardinal.ie

    Details here:
    http://groups.google.com/group/Google_Webmaster_Help-Indexing/browse_thread/thread/329b86d254407f88/f90d43313320646f#f90d43313320646f

    It was parasite stuff with redirects. Some now removed from hosting sites.

    Reply
  • Freelance Website Design 2177 days ago

    http://www.alfredfox.com

    I’d created a similar version of this, based loosly on the eval(… version of this redirect.

    This link is an encoder, you put in the url and it spits out the javascript. enjoy.

    http://www.alfredfox.com/examples/encode/

    Reply
  • Winooski 2177 days ago

    Cheers to Rob & Dave for the fascinating redirect and to Alfred for the encoder. Anybody know of an online decoder as well?

    Reply
  • James 1915 days ago

    Hi. Is there a possibility that the code highlighting plugin is not working correctly here? I was actually trying to see WHAT plugin you used (I saw the code formatted nicely before) but now there’s no formatting at all.

    Reply

Write your comment

Optional

The Bronco Family
Work With Us