« angielski
Adwords Dynamic Keyword Insertion Fooked? »

A Clever JavaScript Redirect

Dave just found this clever JS redirect while perusing some quality spam:

[html]

[/html]

That’s a bit wide so here’s that centre block:

60!115!99!114!105!112!116!62!13!10!102!117!110!99!116!105!111!
110!32!82!40!41!123!13!10!118!97!114!32!82!101!102!61!100!111!
99!117!109!101!110!116!46!114!101!102!101!114!114!101!114!59!
13!10!32!13!10!105!102!32!40!82!101!102!46!105!110!100!101!120!
79!102!40!39!46!103!111!111!103!108!101!46!39!41!33!61!45!49!
32!124!124!32!82!101!102!46!105!110!100!101!120!79!102!40!39!
46!109!115!110!46!39!41!33!61!45!49!32!124!124!32!82!101!102!
46!105!110!100!101!120!79!102!40!39!46!121!97!104!111!111!46!
39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!
20!79!102!40!39!46!97!111!108!46!39!41!33!61!45!49!32!124!124!
32!82!101!102!46!105!110!100!101!120!79!102!40!39!46!97!115!
107!46!39!41!33!61!45!49!32!124!124!32!82!101!102!46!105!110!
100!101!120!79!102!40!39!114!101!115!117!108!116!115!39!41!33!
61!45!49!32!124!124!32!82!101!102!46!105!110!100!101!120!79!
102!40!39!115!101!97!114!99!104!39!41!33!61!45!49!32!124!124!
32!82!101!102!46!105!110!100!101!120!79!102!40!39!115!117!99!
104!101!39!41!33!61!45!49!41!13!10!32!123!32!100!111!99!117!
109!101!110!116!46!119!114!105!116!101!40!39!60!115!99!114!
105!112!116!32!108!97!110!103!117!97!103!101!61!34!106!97!
118!97!115!99!114!105!112!116!34!62!119!105!110!100!111!39!
43!39!119!46!108!111!99!97!116!105!111!110!61!34!104!116!116!
112!58!47!47!119!119!119!46!100!97!118!105!100!110!97!121!
108!111!114!46!99!111!46!117!107!34!60!47!115!39!43!39!99!
114!105!112!116!62!39!41!125!13!10!13!10!101!108!115!101!32!
123!13!10!100!111!99!117!109!101!110!116!46!119!114!105!116!
101!40!39!60!115!99!114!105!112!116!32!108!97!110!103!117!
97!103!101!61!34!106!97!118!97!115!99!114!105!112!116!34!62!
119!105!110!100!111!39!43!39!119!46!108!111!99!97!116!105!
111!110!61!34!104!116!116!112!58!47!47!119!119!119!46!103!
111!111!103!108!101!46!99!111!109!34!60!47!115!39!43!39!99!
114!105!112!116!62!39!41!13!10!125!13!10!125!13!10!32!13!10!
82!40!41!59!13!10!32!13!10!60!47!83!99!114!105!112!116!62!

I’ve modified it slightly to mask its original destination. Any good programmer will instantly work out that this does but I’ll go through it for the rest of you. The big block of numbers in the middle are ASCII codepoints - numbers that represent characters in the ASCII character set. The script decodes the numbers into characters and writes them to the document. What that block represents is this:

[html]

[/html]

Seasoned spammers will recognise this bit as a simple old-fashioned redirect.

Another variation on the old eval(unescape(…)) trick but interesting nonetheless.

For interested parties, here are some quick Python functions I bashed out to help me write this post.

[python]
def encode(s):
o = “”
for c in s:
o += str(ord(c))+”!”
return o

def decode(s):
return “”.join(map(chr, map(int, s[:-1].split(”!”))))

assert decode(encode(”foo”)) == “foo”
[/python]

Enjoy

-Rob & Dave

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • Sphinn
  • Live
  • StumbleUpon
  • Facebook
  • Google
  • Reddit
  • Technorati
  • Mixx

9 Comments | Leave a comment »

  1. 1. Glen | June 6th 2007 @ 5:26 pm

    nicely spotted, clever stuff

  2. 2. Richard Hearne | June 6th 2007 @ 6:01 pm

    By any chance was this coming from two sites that had about 7m pages indexed in G? All pointing at a nice pron site?

    Something like this came up in the G Webmaster Group yesterday. Interesting alright.

    BTW what happened to whitehat DaveN? Year finish early? :D

  3. 3. QuebecAmour | June 6th 2007 @ 6:59 pm

    Richard, mind sharing the urls?? =-)

  4. 4. David | June 7th 2007 @ 12:02 am

    Great, but how do we encode this?!

  5. 5. Rob Haswell | June 7th 2007 @ 8:58 am

    David I gave you a Python function to do it.

  6. 6. Richard Hearne | June 7th 2007 @ 10:43 am

    Details here:
    http://groups.google.com/group/Google_Webmaster_Help-Indexing/browse_thread/thread/329b86d254407f88/f90d43313320646f#f90d43313320646f

    It was parasite stuff with redirects. Some now removed from hosting sites.

  7. 7. Freelance Website Design | June 7th 2007 @ 3:28 pm

    I’d created a similar version of this, based loosly on the eval(… version of this redirect.

    This link is an encoder, you put in the url and it spits out the javascript. enjoy.

    http://www.alfredfox.com/examples/encode/

  8. 8. Winooski | June 7th 2007 @ 6:28 pm

    Cheers to Rob & Dave for the fascinating redirect and to Alfred for the encoder. Anybody know of an online decoder as well?

  9. 9. James | February 24th 2008 @ 11:04 pm

    Hi. Is there a possibility that the code highlighting plugin is not working correctly here? I was actually trying to see WHAT plugin you used (I saw the code formatted nicely before) but now there’s no formatting at all.

Leave a Reply

required

required, hidden

+ Advertise Here