A Clever JavaScript Redirect

06.06.07

Dave just found this clever JS redirect while perusing some quality spam:

<script LANGUAGE="JavaScript">
 
<!--
 
function Decode(){var temp="",i,c=0,out="";var str="60!115!99!114!105!112!116!62!13!10!102!117!110!99!116!105!111!110!32!82!40!41!123!13!10!118!97!114!32!82!101!102!61!100!111!99!117!109!101!110!116!46!114!101!102!101!114!114!101!114!59!13!10!32!13!10!105!102!32!40!82!101!102!46!105!110!100!101!120!79!102!40!39!46!103!111!111!103!108!101!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!109!115!110!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!121!97!104!111!111!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!97!111!108!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!97!115!107!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!114!101!115!117!108!116!115!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!115!101!97!114!99!104!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!115!117!99!104!101!39!41!33!61!45!49!41!13!10!32!123!32!100!111!99!117!109!101!110!116!46!119!114!105!116!101!40!39!60!115!99!114!105!112!116!32!108!97!110!103!117!97!103!101!61!34!106!97!118!97!115!99!114!105!112!116!34!62!119!105!110!100!111!39!43!39!119!46!108!111!99!97!116!105!111!110!61!34!104!116!116!112!58!47!47!119!119!119!46!100!97!118!105!100!110!97!121!108!111!114!46!99!111!46!117!107!34!60!47!115!39!43!39!99!114!105!112!116!62!39!41!125!13!10!13!10!101!108!115!101!32!123!13!10!100!111!99!117!109!101!110!116!46!119!114!105!116!101!40!39!60!115!99!114!105!112!116!32!108!97!110!103!117!97!103!101!61!34!106!97!118!97!115!99!114!105!112!116!34!62!119!105!110!100!111!39!43!39!119!46!108!111!99!97!116!105!111!110!61!34!104!116!116!112!58!47!47!119!119!119!46!103!111!111!103!108!101!46!99!111!109!34!60!47!115!39!43!39!99!114!105!112!116!62!39!41!13!10!125!13!10!125!13!10!32!13!10!82!40!41!59!13!10!32!13!10!60!47!83!99!114!105!112!116!62!";l=str.length;while(c
<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);}
 
//-->
 
</script><script LANGUAGE="JavaScript">
 
<!--
 
Decode();
 
//-->
 
</script>

That’s a bit wide so here’s that centre block:


I’ve modified it slightly to mask its original destination. Any good programmer will instantly work out what this does but I’ll go through it for the rest of you. The big block of numbers in the middle is a list of ASCII codepoints - numbers that represent characters in the ASCII character set. The script decodes the numbers into characters and writes them to the document. What that block represents is this:

<script>
function R(){
var Ref=document.referrer;
 
if (Ref.indexOf('.google.')!=-1 || Ref.indexOf('.msn.')!=-1 || Ref.indexOf('.yahoo.')!=-1 || Ref.indexOf('.aol.')!=-1 || Ref.indexOf('.ask.')!=-1 || Ref.indexOf('results')!=-1 || Ref.indexOf('search')!=-1 || Ref.indexOf('suche')!=-1)
 { document.write('<script language="javascript">windo'+'w.location="http://www.davidnaylor.co.uk"</s'+'cript>')}
 
else {
document.write('<script language="javascript">windo'+'w.location="http://www.google.com"</s'+'cript>')
}
}
 
R();
 
</Script>

Seasoned spammers will recognise this bit as a simple old-fashioned redirect.

Another variation on the old eval(unescape(…)) trick but interesting nonetheless.

For interested parties, here are some quick Python functions I bashed out to help me write this post.

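def encode(s):
    # Turn each character into its decimal code point followed by "!"
    return "".join(str(ord(c)) + "!" for c in s)

def decode(s):
    # Drop the trailing "!" and map each number back to its character
    return "".join(chr(int(n)) for n in s[:-1].split("!"))

# Round trip: decoding an encoded string gives the original back
assert decode(encode("foo")) == "foo"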
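Going a step beyond the helper above, here is an added example (not the authors' code) of triaging a page that uses this encoding without running its script. It finds the "!"-delimited run, decodes it, rejoins the split string literals and lists the referrer checks and redirect targets. The names `triage` and `decode_run`, the 20-token threshold and the `.example` URLs are assumptions made for illustration.

```python
import re

# Constructed sample: a short payload in the same "!"-delimited decimal
# format, built here so the block runs offline (URLs are placeholders).
PAYLOAD = (
    "<script>var Ref=document.referrer;\r\n"
    "if (Ref.indexOf('.google.')!=-1 || Ref.indexOf('search')!=-1)"
    "{document.write('<script>windo'+'w.location=\"http://landing.example/\"</s'+'cript>')}\r\n"
    "else {document.write('<script>windo'+'w.location=\"http://decoy.example/\"</s'+'cript>')}"
    "</script>"
)
SAMPLE_PAGE = ('<script>function Decode(){var str="'
               + "".join(f"{ord(c)}!" for c in PAYLOAD)
               + '";document.write(out);}</script>')

# A run of at least 20 "<1-3 digits>!" tokens inside a quoted string literal.
ENCODED_RUN = re.compile(r'"((?:\d{1,3}!){20,})"')
# Adjacent string literals joined with + ('windo'+'w'), used to hide keywords.
SPLIT_LITERAL = re.compile(r"'\s*\+\s*'")

def decode_run(run):
    """Decode "60!115!..." to text; reject values outside single-byte range."""
    codes = [int(tok) for tok in run.split("!") if tok]
    if any(code > 255 for code in codes):
        raise ValueError("token outside 0-255, not this encoding")
    return "".join(map(chr, codes))

def triage(html):
    """Statically decode every encoded run and summarise the redirect logic."""
    findings = []
    for match in ENCODED_RUN.finditer(html):
        # Rejoin split literals so keyword searches see window.location whole.
        text = SPLIT_LITERAL.sub("", decode_run(match.group(1)))
        findings.append({
            "referrer_checks": re.findall(r"indexOf\('([^']+)'\)", text),
            "redirects": re.findall(r"location\s*=\s*\"([^\"]+)\"", text),
            "referrer_gated": "document.referrer" in text,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_PAGE):
        print(finding)
```

Two different redirect targets behind a `document.referrer` check is the signal to look for: visitors arriving from a search engine are sent somewhere other than everyone else.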

Enjoy

-Rob & Dave

10 Comments

  • 1

    nicely spotted, clever stuff

    Glen
    http://www.viperchill.com

    6th June 2007 @ 17:26

  • 2

    By any chance was this coming from two sites that had about 7m pages indexed in G? All pointing at a nice pron site?

    Something like this came up in the G Webmaster Group yesterday. Interesting alright.

    BTW what happened to whitehat DaveN? Year finish early? :D

    Richard Hearne
    http://www.redcardinal.ie

    6th June 2007 @ 18:01

  • 3

    Richard, mind sharing the urls?? =-)

    QuebecAmour
    http://www.quebecamour.com

    6th June 2007 @ 18:59

  • 4

    Great, but how do we encode this?!

    David

    7th June 2007 @ 00:02

  • 5

    David I gave you a Python function to do it.

    Rob Haswell

    7th June 2007 @ 08:58

  • 6

    Details here:
    http://groups.google.com/group/Google_Webmaster_Help-Indexing/browse_thread/thread/329b86d254407f88/f90d43313320646f#f90d43313320646f

    It was parasite stuff with redirects. Some now removed from hosting sites.

    Richard Hearne
    http://www.redcardinal.ie

    7th June 2007 @ 10:43

  • 7

    I’d created a similar version of this, based loosely on the eval(… version of this redirect.

    This link is an encoder, you put in the url and it spits out the javascript. enjoy.

    http://www.alfredfox.com/examples/encode/

    Freelance Website Design
    http://www.alfredfox.com

    7th June 2007 @ 15:28

  • 8

    Cheers to Rob & Dave for the fascinating redirect and to Alfred for the encoder. Anybody know of an online decoder as well?

    Winooski

    7th June 2007 @ 18:28

  • 9

    Hi. Is there a possibility that the code highlighting plugin is not working correctly here? I was actually trying to see WHAT plugin you used (I saw the code formatted nicely before) but now there’s no formatting at all.

    James

    24th February 2008 @ 23:04

  • 10

    Whether you love Windows 7 or hate it no one seems to be talking about one of its biggest problems. Many fancy business-friendly features are randomly tied to Windows Server 2008 R2 (also in beta) and won’t work even with older versions of Windows Server. More…

    ————————————————————————————————————————–
    misterpoll.com

    Cadstasynut

    26th January 2009 @ 08:31
