f



Javascript with %%%%%%?

Hi,I had this guy post some spam to my site and now I'm on a mission tofind out who it is.  He's got a site that redirects you elsewhere, inthat site I hit stop on the browser so I could see it.  It containedthis script:SCRIPT type='text/javascript'>var ibnfbpy="%3c%73c%72%69pt%20"+""+"%74%79"+"p%65%3d%27%74ex"+"%74%2f%6a%61%76%61s%63%72%69%70%74%27%3e%0a%77i%6ed%6f%77%2e%6c%6f%63a%74%69%6fn%2e%68%72ef%3d%22%68t%74%70%"+"3a%2f%2f"+"%78%61%6e%61x%37%37%37"+"%70%69%6c%6c%73%2e%63o%6d%2f%71%2eph%"+"70%3f%61%66f%3d%31%26%71%3d%70%"+"68%65%6e%74"+"%65%72m%69ne%22%3b%0a%3c%2f"+"%73%63%72%69p%74%3e";document.writeln(unescape(ibnfbpy));</SCRIPTIs it just a redirecting script or something else?
0
azwarking
12/21/2007 7:49:04 AM
comp.lang.java.programmer 52714 articles. 1 followers. Post Follow

5 Replies
1012 Views

Similar Articles

[PageSpeed] 46

On Dec 20, 11:49=A0pm, azwarking <msue...@gmail.com> wrote:> Hi,>> I had this guy post some spam to my site and now I'm on a mission to> find out who it is. =A0He's got a site that redirects you elsewhere, in> that site I hit stop on the browser so I could see it. =A0It contained> this script:>> SCRIPT type=3D'text/javascript'>> var ibnfbpy=3D"%3c%73c%72%69pt%20"+""+"%74%79"+"p%65%3d%27%74ex"+"%74%2f> %6a%61%76%61s%63%72%69%70%74%27%3e%0a%77i%6ed%6f%77%2e%6c%6f%63a> %74%69%6fn%2e%68%72ef%3d%22%68t%74%70%"+"3a%2f%2f"+"%78%61%6e%61x> %37%37%37"+"%70%69%6c%6c%73%2e%63o%6d%2f%71%2eph%"+"70%3f%61%66f%3d> %31%26%71%3d%70%"+"68%65%6e%74"+"%65%72m%69ne%22%3b%0a%3c> %2f"+"%73%63%72%69p%74%3e";> document.writeln(unescape(ibnfbpy));> </SCRIPT>> Is it just a redirecting script or something else?Wrong group; comp.lang.javascript is -thataway-> and has nothing to dowith Java.  Followup-to set.Those patterns are URL-escaped byte values representing some text,followed by a short snippet of code to tell the javascript engine toprint the un-escaped version of the string on the page.  The bytevalues are probably ascii text; they're stored as pairs of hex digits,with one byte per %AB sequence.  Decoding it yourself should be fairlytrivial.-o
0
Owen
12/21/2007 8:43:23 AM
azwarking wrote:> Hi,> > I had this guy post some spam to my site and now I'm on a mission to> find out who it is.  He's got a site that redirects you elsewhere, in> that site I hit stop on the browser so I could see it.  It contained> this script:> > SCRIPT type='text/javascript'>> var ibnfbpy="%3c%73c%72%69pt%20"+""+"%74%79"+"p%65%3d%27%74ex"+"%74%2f> %6a%61%76%61s%63%72%69%70%74%27%3e%0a%77i%6ed%6f%77%2e%6c%6f%63a> %74%69%6fn%2e%68%72ef%3d%22%68t%74%70%"+"3a%2f%2f"+"%78%61%6e%61x> %37%37%37"+"%70%69%6c%6c%73%2e%63o%6d%2f%71%2eph%"+"70%3f%61%66f%3d> %31%26%71%3d%70%"+"68%65%6e%74"+"%65%72m%69ne%22%3b%0a%3c> %2f"+"%73%63%72%69p%74%3e";> document.writeln(unescape(ibnfbpy));> </SCRIPT> > Is it just a redirecting script or something else?> Please ask in comp.lang.javascript-- Sabine Dinis BlochbergerOp3racionalwww.op3racional.eu
0
Sabine
12/21/2007 9:28:25 AM
Owen Jacobson said the following on 12/21/2007 3:43 AM:
> On Dec 20, 11:49 pm, azwarking <msue...@gmail.com> wrote:
>> Hi,
>>
>> I had this guy post some spam to my site and now I'm on a mission to
>> find out who it is.  He's got a site that redirects you elsewhere, in
>> that site I hit stop on the browser so I could see it.  It contained
>> this script:
>>
>> SCRIPT type='text/javascript'>
>> var ibnfbpy="%3c%73c%72%69pt%20"+""+"%74%79"+"p%65%3d%27%74ex"+"%74%2f
>> %6a%61%76%61s%63%72%69%70%74%27%3e%0a%77i%6ed%6f%77%2e%6c%6f%63a
>> %74%69%6fn%2e%68%72ef%3d%22%68t%74%70%"+"3a%2f%2f"+"%78%61%6e%61x
>> %37%37%37"+"%70%69%6c%6c%73%2e%63o%6d%2f%71%2eph%"+"70%3f%61%66f%3d
>> %31%26%71%3d%70%"+"68%65%6e%74"+"%65%72m%69ne%22%3b%0a%3c
>> %2f"+"%73%63%72%69p%74%3e";
>> document.writeln(unescape(ibnfbpy));
>> </SCRIPT
>>
>> Is it just a redirecting script or something else?
> 
> Wrong group; comp.lang.javascript is -thataway-> and has nothing to do
> with Java.  Followup-to set.
> 
> Those patterns are URL-escaped byte values representing some text,
> followed by a short snippet of code to tell the javascript engine to
> print the un-escaped version of the string on the page.  The byte
> values are probably ascii text; they're stored as pairs of hex digits,
> with one byte per %AB sequence.  Decoding it yourself should be fairly
> trivial.

<script type='text/javascript'>
window.location.href="http://xanax777pills.com/q.php?aff=1&q=phentermine";
</script>

That is all it writes. Nothing more, nothing less.

-- 
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
0
Randy
12/21/2007 9:42:53 AM
azwarking wrote:> Hi,> > I had this guy post some spam to my site and now I'm on a mission to> find out who it is.  He's got a site that redirects you elsewhere, in> that site I hit stop on the browser so I could see it.  It contained> this script:> > SCRIPT type='text/javascript'>> var ibnfbpy="%3c%73c%72%69pt%20"+""+"%74%79"+"p%65%3d%27%74ex"+"%74%2f> %6a%61%76%61s%63%72%69%70%74%27%3e%0a%77i%6ed%6f%77%2e%6c%6f%63a> %74%69%6fn%2e%68%72ef%3d%22%68t%74%70%"+"3a%2f%2f"+"%78%61%6e%61x> %37%37%37"+"%70%69%6c%6c%73%2e%63o%6d%2f%71%2eph%"+"70%3f%61%66f%3d> %31%26%71%3d%70%"+"68%65%6e%74"+"%65%72m%69ne%22%3b%0a%3c> %2f"+"%73%63%72%69p%74%3e";> document.writeln(unescape(ibnfbpy));> </SCRIPT> > Is it just a redirecting script or something else?> While others have correctly pointed you to the proper newsgroup, I happened to find the answer you need :-)Yes, the encoded the redirect into a obfuscated text.It redirects to some spam site.-- Daniel Pitts' Tech Blog: <http://virtualinfinity.net/wordpress/>
0
Daniel
12/21/2007 6:58:41 PM
On Dec 21, 11:58 am, Daniel Pitts<newsgroup.spamfil...@virtualinfinity.net> wrote:> azwarking wrote:> > Hi,>> > I had this guy post some spam to my site and now I'm on a mission to> > find out who it is.  He's got a site that redirects you elsewhere, in> > that site I hit stop on the browser so I could see it.  It contained> > this script:>> > SCRIPT type='text/javascript'>> > var ibnfbpy="%3c%73c%72%69pt%20"+""+"%74%79"+"p%65%3d%27%74ex"+"%74%2f> > %6a%61%76%61s%63%72%69%70%74%27%3e%0a%77i%6ed%6f%77%2e%6c%6f%63a> > %74%69%6fn%2e%68%72ef%3d%22%68t%74%70%"+"3a%2f%2f"+"%78%61%6e%61x> > %37%37%37"+"%70%69%6c%6c%73%2e%63o%6d%2f%71%2eph%"+"70%3f%61%66f%3d> > %31%26%71%3d%70%"+"68%65%6e%74"+"%65%72m%69ne%22%3b%0a%3c> > %2f"+"%73%63%72%69p%74%3e";> > document.writeln(unescape(ibnfbpy));> > </SCRIPT>> > Is it just a redirecting script or something else?>> While others have correctly pointed you to the proper newsgroup, I> happened to find the answer you need :-)>> Yes, the encoded the redirect into a obfuscated text.>> It redirects to some spam site.>> --> Daniel Pitts' Tech Blog: <http://virtualinfinity.net/wordpress/>Thanks Daniel!  LOL... big smile...
0
azwarking
12/21/2007 8:03:47 PM
Reply: