Search
Member List
Calendar
Help
|
Remove Obfuscated Code [20081221b]
|
|
Dec. 22, 2008, 10:58 AM
Post: #31
|
|||
|
|||
RE: Remove Obfuscated Code [20081221b]
Siamesecat Wrote:Why is the range of the first item matched from 0 to 377? What character has a code of 377? 377 octal = FF hex = 255 Siamesecat Wrote:why the extra backslash? For proxo to match a backslash, you need a double backslash. Matching code that's \x would only match x. Siamesecat Wrote:In the third line, why is the u not inside the first set of parentheses? Looks like a match for %u or \u. Personally, I'm not familiar with either the \x, \u or %u syntax. Siamesecat Wrote:Why are you trying to match at least 5 of the expressions and no less? Can't help you there.  z12 |
|||
|
![[-]](images/ONi/collapse.gif)
|
Dec. 22, 2008, 11:02 AM
Post: #32
|
|||
|
|||
RE: Remove Obfuscated Code [20081221a]
(Dec. 22, 2008 06:56 AM)Siamesecat Wrote: There are a few things I do not understand about the match. Why is the range of the first item matched from 0 to 377? What character has a code of 377? Please see post #13 by z12 Quote:In the second line, why are there 2 backslashes before the x? I know that \x is a command prefix, but why the extra backslash? to match code such as this: Code: jQuery('\x66\x75\x6e\x63\x74\x69...Quote:In the third line, why is the u not inside the first set of parentheses? to match code such as this: Code: unescape("%uc92b%u1fb1%u0cbd%uc536...Quote:Why are you trying to match at least 5 of the expressions and no less? To avoid FPs.
|
|||
|
|
|
Dec. 23, 2008, 06:23 AM
Post: #33
|
|||
|
|||
|
RE: Remove Obfuscated Code [20081221b]
I see. Thanks for the info. What kind of script uses octal numbers? I have never seen code that does that.
Is removing such code not likely to break the page? Even just translating hex code into ASCII characters can cause problems with some pages, let alone removing it. |
|||
|
|
|
Dec. 23, 2008, 01:37 PM
Post: #34
|
|||
|
|||
RE: Remove Obfuscated Code [20081221b]
(Dec. 23, 2008 06:23 AM)Siamesecat Wrote: I see. Thanks for the info. What kind of script uses octal numbers? I have never seen code that does that. Well, I'm guessing it would be a malicious kind of script! A little googling turn up this example: http://wired-security.net/texts/maliciou...ilters.txt I just can't see why a legitimate site would need to put obfuscated code inside <script ... /script>. |
|||
|
|
|
Dec. 24, 2008, 01:55 AM
Post: #35
|
|||
|
|||
RE: Remove Obfuscated Code [20081221b]
(Dec. 23, 2008 01:37 PM)DarthTrader Wrote: ........ I've seen this kind of thing done often by idiots who think their code doesn't stink (substitute the word of your choice for "code"). It's usually because they're afraid of someone stealing their oh-so-precious super-duper special coding. Or IOW, copyright rears it's ugly head again. Sigh. It would appear that Santayana is doomed to be quoted forever. No one wants to learn that our Fearless Leader hisownself wrote a Proxo filter to render such obsfucation null and void. And so far as I know, all browsers can indeed receive and translate any of the standard encoding techniques, be it binary, octal, decimal, hex, UTF-8, hell, even straight ascii!  Merely switching the encoding from one format to another before it reaches the browser shouldn't affect the final results. If it does, then there are bigger issues going on than the encoding mechanism.HTH Oddysey I'm no longer in the rat race - the rats won't have me! |
|||
|
|
|
Dec. 24, 2008, 02:22 PM
Post: #36
|
|||
|
|||
|
RE: Remove Obfuscated Code [20081221b]
Hello,
I have found another malware site with obfuscated script code: Code: http://free-av-chek-online-tool.comBe careful with this one, and try not to look at the porn! I would suggest adding this expression to the filter: Code: |(\@([0-9])+{4,12})Merry Christmas, everyone! DarthTrader |
|||
|
|
|
« Next Oldest | Next Newest »
|