
Site runs script

Posted: Fri Jun 05, 2009 2:30 am
by ZeeG
Hi, I've come across a site which runs the following script, which it turns out is an attack script of some sort. The problem is that this is apparently JavaScript which has run despite NoScript being enabled against the page. Running 1.9.3.3.

It's probably better if I don't link the site, but here's the page source:


<html>
<head>
<title>Relocate</title>
<script language="javascript">
	var url = window.location.href;
	if (url.charAt(url.length - 1) != "/")
		url = url + "/";
	var s = url.indexOf("//") + 2;
	var e = url.indexOf("@");
	if (e > 0) {
		var atpart = url.substring(s, e);
		var newurl = url.substring(0, s) + url.substring(e + 1 , url.length);
		window.location = newurl + "~" + atpart + "/";
	} else {
		window.location= "/index.html";
	}
</script>
<meta http-equiv="refresh" content="4" url="/index.html">
</head>
<body>
<noscript>
Sorry, your browser does not support Java Script.
</noscript>
</body>
</html>
		

Re: Site runs script

Posted: Fri Jun 05, 2009 5:57 am
by Nan M
It's better to have full context for this kind of question.
You may safely indicate a site by disarming the protocol, for example:

httz://noscript.net

Re: Site runs script

Posted: Fri Jun 05, 2009 8:21 am
by Giorgio Maone
  1. The source code you quoted is pretty innocuous (there's no "attack" whatsoever). It just checks if there's a user name specified in the URL (like http://someuser@somesite.com) and, if it's found, redirects to http://somesite.com/~someuser/, which has been the standard URL for "someuser's home" since the Web was still a Unix-only thing. If the URL contains no username, it redirects to index.html.
  2. After that script, there's a <META> refresh element which automatically redirects to index.html if scripts aren't running. What you're observing as a "running script" is probably just the behavior of this <META> refresh. No script can run if the site is not whitelisted by NoScript. Period.
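
The redirect described in the reply above, as an added example that is not part of the original thread or the site's own code: `relocateOriginal` mirrors the quoted script's string handling but returns the target instead of navigating, and `relocateParsed` expresses the same intent with the standard `URL` parser. Both function names are hypothetical, and the third sample URL is constructed.

```javascript
// Added example. Mirrors the quoted page script, returning the redirect
// target as a string instead of assigning window.location.
function relocateOriginal(href) {
  let url = href;
  if (url.charAt(url.length - 1) !== "/") url += "/";
  const s = url.indexOf("//") + 2;   // first character after "scheme://"
  const e = url.indexOf("@");        // end of the "user@" part, if any
  if (e > 0) {
    const atpart = url.substring(s, e);
    const newurl = url.substring(0, s) + url.substring(e + 1);
    return newurl + "~" + atpart + "/";
  }
  return "/index.html";
}

// Same intent with the URL parser: only the username component is used,
// and the target is always the site root plus "~user/".
function relocateParsed(href) {
  const u = new URL(href);
  if (!u.username) return "/index.html";
  return u.protocol + "//" + u.host + "/~" + u.username + "/";
}

// The first two URLs follow the forms named in the thread; the third is a
// constructed sample with a password, a port and a path.
const samples = [
  "http://someuser@somesite.com",
  "http://somesite.com",
  "http://someuser:secret@somesite.com:8080/docs",
];

function compareAll() {
  return samples.map((href) => ({
    href,
    original: relocateOriginal(href),
    parsed: relocateParsed(href),
  }));
}

for (const row of compareAll()) {
  console.log(row.href, "->", row.original, "|", row.parsed);
}
```

For the two URL forms discussed in the thread both functions agree; on the constructed third URL the original string slicing keeps the password and the existing path in the target, while the parsed version does not.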

Re: Site runs script

Posted: Sat Jun 06, 2009 12:39 am
by GµårÐïåñ
Agreed, this code is harmless, and many shared hosting plans also recommend/use a case-based redirect for ASP sites because some server refreshes are not valid for shared hosting. Anyway, it's harmless, and regardless of harmful or harmless, if it's a script and the site is not whitelisted, it WILL NOT run with NS enabled, unless you have enabled domain by default checked in the settings.