suspicious script


Neha Jain

Jul 15, 2010, 10:58:24 PM
to pho...@googlegroups.com
Hello Readers,

The following script was caught by the phoneyc, today at a site http://www.fdsfaf.cn/118.htm
Though phoneyc gives a JS error running it, it seems to be malicious (not sure; how to be sure is the concern). The way the source is embedded in the img tag is not usual, and then the page is formatted deliberately as 404 not found. Could somebody suggest how I can analyse what is happening in this script to confirm my suspicions? Some tool for JavaScript sandboxing, maybe.
This is the script snippet:

window.onerror=function(){return true};
var __url__ = "http://stats.dnparking.com/";
var data ='';
if(top.location != self.location){
    data = '?d=fdsfaf.cn&u=' +escape(top.location)
         + '&r=' + escape(top.document.referrer)
         + '&sc=' + escape(screen.width+'x'+screen.height)
         + '&s=' +escape(navigator.platform)
         +'&b=' + escape(navigator.appName);
}else{
    data = '?d=fdsfaf.cn&u=' +escape(window.location)
         + '&r=' + escape(document.referrer)
         + '&sc=' + escape(screen.width+'x'+screen.height)
         + '&s=' +escape(navigator.platform)
         +'&b=' + escape(navigator.appName);
}
document.write("<img src='" + __url__ + data +"' width=0 height=0>");
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/0.7.30</center>
</body>
</html>


--
Smiles
Neha )))))

jose nazario

Jul 17, 2010, 6:58:22 PM
to pho...@googlegroups.com
Neha 

I'm inclined to think this is just a 404 page with some tracking in it. Can you see how it is malicious?

-- jose Nazario 

njain

Jul 18, 2010, 9:57:30 PM
to phoneyc
Hello Sir,
Perhaps what you are saying is correct, as the page to which it is
redirected (I thought it would be redirected to the URL src points
to?) is not malicious.
I was not sure about its maliciousness; as I already said, I am
suspicious. The src attribute of the invisible img tag has a __url__
and a dynamically updated string var data.
It is written dynamically using document.write, so maybe the page
which this img tag directs to is not safe... It's just a thought I got
when I saw the script, since it seemed unusual.

On Jul 18, 3:58 am, jose nazario <jose.monkey....@gmail.com> wrote:
> Neha
>
> I'm inclined to think this is just a 404 page with some tracking in it. Can
> you see how it is malicious?
>
> -- jose Nazario
>
> On Jul 15, 2010, at 10:58 PM, Neha Jain <neha.hbti...@gmail.com> wrote:
>
> Hello Readers,
>
> The following script was caught by the phoneyc, today at a site http://www.fdsfaf.cn/118.htm
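
One way to answer the question in the first post, as an added example that is not part of the original thread and is not phoneyc code: run the posted script in Node.js against stub browser objects and decode the image URL it writes. The `emulate` and `beacons` helpers, the `.example` URLs and the screen/navigator values are constructed for illustration.

```javascript
// The script from the post, copied from the page (line breaks added only).
const SAMPLE = `
window.onerror=function(){return true};
var __url__ = "http://stats.dnparking.com/"; var data ='';
if(top.location != self.location){
data = '?d=fdsfaf.cn&u=' +escape(top.location) + '&r=' + escape(top.document.referrer)
 + '&sc=' + escape(screen.width+'x'+screen.height)+ '&s=' +escape(navigator.platform)
 +'&b=' + escape(navigator.appName);
}else{
data = '?d=fdsfaf.cn&u=' +escape(window.location) + '&r=' + escape(document.referrer)
 + '&sc=' + escape(screen.width+'x'+screen.height)+ '&s=' +escape(navigator.platform)
 +'&b=' + escape(navigator.appName);
}
document.write("<img src='" + __url__ + data +"' width=0 height=0>");`;

// Run a snippet against stub browser objects and record what it does.
// new Function() is NOT an isolation boundary: use a disposable VM and
// only feed it samples you have already read through.
function emulate(source, env) {
  const writes = [];
  const doc = { referrer: env.referrer, write: (html) => writes.push(String(html)) };
  const self = { location: env.selfUrl, document: doc };
  const top = { location: env.topUrl, document: { referrer: env.topReferrer } };
  const screen = { width: 1024, height: 768 };               // constructed values
  const navigator = { platform: 'Win32', appName: 'Netscape' }; // constructed values
  const run = new Function('window', 'self', 'top', 'document', 'screen', 'navigator', source);
  run(self, self, top, doc, screen, navigator);
  return { writes, onerrorSet: typeof self.onerror === 'function' };
}

// Pull every <img src=...> out of the document.write() output and decode it.
function beacons(writes) {
  const out = [];
  for (const html of writes) {
    for (const m of html.matchAll(/<img[^>]*\bsrc=['"]?([^'"\s>]+)/gi)) {
      const url = new URL(m[1]);
      out.push({ host: url.host, hidden: /width=0\s+height=0/i.test(html),
                 params: Object.fromEntries(url.searchParams) });
    }
  }
  return out;
}

// Constructed scenario: the page is loaded inside a frame on another site.
console.log(JSON.stringify(beacons(emulate(SAMPLE, {
  topUrl: 'http://portal.example/', selfUrl: 'http://www.fdsfaf.cn/118.htm',
  topReferrer: 'http://search.example/?q=test', referrer: 'http://portal.example/',
}).writes), null, 2));
```

The decoded output lists the single request the script makes: a zero-size image fetched from stats.dnparking.com whose query string carries the page URL, the referrer, the screen size, the platform and the browser name.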