Washington Mutual phishing

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    Washington Mutual phishing

    Just got an e-mail from "Washington Mutual" about my "account".


    We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons.
    We now need you to re-confirm your account information to us. If this is not completed by February 5th, 2005, we will be forced to suspend your account indefinitely,
    as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.

    To confirm your Online Banking records click here:
    https://login.personal.wamu.com/logo...date&Your&Info
    Attached is a screenshot... the link leads to http://mail.sehwa.biz//img/en/.cgi-b...ide/index2.htm

    Take a look at your address bar when you go to that site... (doesn't seem to work with Mozilla/Firefox, only IE).

    I thought that that bug was supposed to be fixed? This box has XP Pro SP2 with all security updates...

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Hrmm.. interesting... I'm on Slack and running Firefox. It made my Status bar disappear when I tried it. Using wget and the link provided I did get this:

    PHP Code:
    /*
    Auto Maximize Window Script- By Nick Lowe (nicklowe@ukonline.co.uk)
    For full source code, 100's more free DHTML scripts, and Terms Of Use
    Visit http://www.dynamicdrive.com
    */

    top.window.moveTo(0,0);
    if (document.all) {
      top.window.resizeTo(screen.availWidth,screen.availHeight);
    }
    else if (document.layers||document.getElementById) {
      if (top.window.outerHeight<screen.availHeight||top.window.outerWidth<screen.availWidth){
        top.window.outerHeight = screen.availHeight;
        top.window.outerWidth = screen.availWidth;
      }
    }
    //-->
    </SCRIPT>
    <script language="JavaScript" type="text/JavaScript">
    <!--
    function closeMe() {
      window.opener = self;
      window.close();
    }
    function MM_openBrWindow(theURL,winName,features) { //v2.0
      window.open(theURL,winName,features);
    }
    //-->
    </script>
    </head>

    [b]<body onLoad="closeMe();MM_openBrWindow('sysdll.php','ini','toolbar=yes,location=no,status=no,menubar=yes,scrollbars=no,resizable=yes,width=1024,height=768')">[/b]
    </body>
    </html>
    The bolded area is of interest, IMO.

    [edit]

    More stuff.

    I was able to get Firefox on Slack to do this (by disabling the Popups) and ended up at a forged PayPal site (???)

    I did look through the source and found this:

    PHP Code:
    https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/1755092455?pageName=Welcome::p/wel/index-outside::
    &c7=Unknown&c8=Unknown&c9=Unknown&c10=US&c12=Unknown&
    r=http://mail.sehwa.biz//img/en/.cgi-bin/secure/login.personal.wamu.com/access/hide/sysdll.php
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    () \/V |\| 3 |) |3\/ |\|3G47|\/3
    Join Date
    Sep 2002
    Posts
    744
    My brother (who has an acct at WM) got one of these from WM, along with an Ebay and Paypal phishing email - all three on the same day about a month ago. When he forwarded the WM email to the fraud department they indicated they would "find the person responsible."

    Since then he has received another one just like the one posted above.

    Go Finland!
    Deviant Gallery

  4. #4
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    The headers are pretty interesting, too

    Return-path: <domain7@insight.elixant.com>
    Envelope-to: xxx
    Delivery-date: Tue, 01 Feb 2005 11:15:41 -0500
    Received: from [70.84.106.228] (helo=insight.elixant.com)
    by server78.totalchoicehosting.com with esmtps (TLSv1:AES256-SHA:256)
    (Exim 4.44)
    id 1Cw0gn-0004v2-F0
    for xxx; Tue, 01 Feb 2005 11:15:41 -0500
    Received: from domain7 by insight.elixant.com with local (Exim 4.44)
    id 1Cw0go-0004Pi-3A
    for xxx; Tue, 01 Feb 2005 10:15:42 -0600
    To: xxx
    Subject: Unauthorized access / Restriction for your Washington Mutual account
    From: support@wamu.com
    Content-Type: text/html;
    charset=iso-8859-1;
    Message-Id: <E1Cw0go-0004Pi-3A@insight.elixant.com>
    Date: Tue, 01 Feb 2005 10:15:42 -0600
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - insight.elixant.com
    X-AntiAbuse: Original Domain - xxx.com
    X-AntiAbuse: Originator/Caller UID/GID - [32007 32008] / [47 12]
    X-AntiAbuse: Sender Address Domain - insight.elixant.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:

    X-Antivirus: avast! (VPS 0505-0, 01/31/2005), Inbound message
    X-Antivirus-Status: Clean
    That IP is a ThePlanet IP from here in Dallas... elixant.com is a hosting provider using ThePlanet... and insight.elixant.com is an interesting subdomain to say the least...

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    The use of sysdll.php seems rather well documented. Pop it into Google and you get a few hits like this one

  6. #6
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Weird stuff... I sent an e-mail to their abuse/fraud department, and I just got one back (or so I thought... HAH!).

    What's the chance that you get a fake Washington Mutual Security Department e-mail with as title *** Security Issues *** (marked as "High Priority") minutes after you send an e-mail to the real security department...

    Return-path: <security@wamu.com>
    Envelope-to: xxx
    Delivery-date: Tue, 01 Feb 2005 14:23:27 -0500
    Received: from [62.193.230.180] (helo=62.193.230.180)
    by server78.totalchoicehosting.com with smtp (Exim 4.44)
    id 1Cw3cU-0002hi-Vb
    for xxx; Tue, 01 Feb 2005 14:23:27 -0500
    Received: from 53.166.100.94 by ; Tue, 01 Feb 2005 22:16:25 +0300
    Message-ID: <KWIZWWFCMFUADUZGGIBIYILPG@msn.com>
    From: "Washington Mutual Security Department" <security@wamu.com>
    Reply-To: "Washington Mutual Security Department" <security@wamu.com>
    To: xxx
    Subject: *** Security Issues ***
    Date: Tue, 01 Feb 2005 12:14:25 -0700
    X-Mailer: Microsoft Outlook, Build 10.0.2627
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="--20503703103190645"
    X-Priority: 1
    X-MSMail-Priority: High
    X-Antivirus: avast! (VPS 0505-0, 01/31/2005), Inbound message
    X-Antivirus-Status: Clean

    ----20503703103190645
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    <html>

    <head>
    <meta http-equiv=3D"Content-Language" content=3D"en-us">
    <meta name=3D"GENERATOR" content=3D"Microsoft FrontPage 5.0">
    <meta name=3D"ProgId" content=3D"FrontPage.Editor.Document">
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dwindows-=
    1252">
    <title>New Page 3</title>
    <style>
    <!--
    #message td {font-family: verdana,arial,helvetica,sans-serif;font-size:
    12px;color: #000000;}
    #message .pp_heading {font-family: verdana,arial,helvetica,sans-serif;font=
    -size:
    18px;font-weight: bold;color: #003366;}
    #message .pp_sansserif{font-family: verdana,arial,helvetica,sans-serif; fo=
    nt-size:
    16px;color: #000000;}
    #message hr.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; bord=
    er-left:
    #fff; border-right: #fff; border-top: #fff; border-bottom: 2px dotted #ccc=
    ;}
    #message .pp_footer {font-family: verdana,arial,helvetica,sans-serif;font-=
    size:
    11px;color: #aaaaaa;}
    -->
    </style>
    </head>

    <body>

    <table class=3D"messageheader" cellSpacing=3D"0" cellPadding=3D"0" width=3D=
    "100%" border=3D"0">
    <tr>
    <td></td>
    </tr>
    </table>
    <div id=3D"message" style=3D"font-family: verdana,arial,helvetica,sans-ser=
    if; font-size: 12px;
    color: #000000">
    <xmeta Content=3D"Microsoft DHTML Editing Control" NAME=3D"GENERATOR" />=

    <xbody />
    <style type=3D"text/css">
    #message .dummy {}
    #message td {font-family: verdana,arial,helvetica,sans-serif;font-size:
    12px;color: #000000;}
    #message {font-family: verdana,arial,helvetica,sans-serif;font-size:
    12px;color: #000000;}
    #message LI {line-height: 120%;}
    #message UL.ppsmallborder {margin:10px 5px 10px 20px;}
    #message LI.ppsmallborderli {margin:0px 0px 5px 0px;}
    #message UL.pp_narrow {margin:10px 5px 0px 40px;}
    #message hr.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; bord=
    er-left:
    #fff; border-right: #fff; border-top: #fff; border-bottom: 2px dotted #ccc=
    ;}
    #message .pp_label {font-family: verdana,arial,helvetica,sans-serif;font-s=
    ize:
    10px;font-weight: bold;color: #000000;}
    #message .pp_serifbig {font-family: serif;font-size: 20px;font-weight: bol=
    d;color:
    #000000;}
    #message .pp_serif{font-family: serif;font-size: 16px;color: #000000;}
    #message .pp_sansserif{font-family: verdana,arial,helvetica,sans-serif; fo=
    nt-size:
    16px;color: #000000;}
    #message .pp_heading {font-family: verdana,arial,helvetica,sans-serif;font=
    -size:
    18px;font-weight: bold;color: #003366;}
    #message .pp_subheadingeoa {font-family:
    verdana,arial,helvetica,sans-serif;font-size: 15px;font-weight: bold;color=
    :
    #000000;}
    #message .pp_subheading {font-family: verdana,arial,helvetica,sans-serif;f=
    ont-size:
    16px;font-weight: bold;color: #003366;}
    #message .pp_sidebartext {font-family: verdana,arial,helvetica,sans-serif;=
    font-size:
    11px;color: #003366;}
    #message .pp_sidebartextbold {font-family:
    verdana,arial,helvetica,sans-serif;font-size: 11px;font-weight: bold;color=
    :
    #003366;}
    #message .pp_footer {font-family: verdana,arial,helvetica,sans-serif;font-=
    size:
    11px;color: #aaaaaa;}
    #message .pp_button {font-size: 13px; font-family:
    verdana,arial,helvetica,sans-serif; font-weight: 400; border-style:outset;=

    color:#000000; background-color: #cccccc;}
    #message .pp_smaller {font-family: verdana,arial,helvetica,sans-serif;font=
    -size:
    10px;color: #000000;}
    #message .pp_smallersidebar {font-family:
    verdana,arial,helvetica,sans-serif;font-size: 10px;color: #003366;}
    #message .ppem106 {font-weight: 700;}
    </style>
    <table cellSpacing=3D"0" cellPadding=3D"0" width=3D"600" align=3D"center=
    " border=3D"0">
    <tr vAlign=3D"top">
    <td style=3D"font-family: verdana,arial,helvetica,sans-serif; font-s=
    ize: 12px; color:
    #000000">
    <a
    href=3D"https://login.personal.wamu.com/logon/logon.asp?dd=3D1"
    target=3D"_blank">
    <img alt=3D"wamu.com" src=3D"https://login.personal.wamu.com/images/=
    wamucom_logo.gif" border=3D"0"
    width=3D"255" height=3D"35"></a>

    </td>
    </tr>
    </table>
    <table cellSpacing=3D"0" cellPadding=3D"0" width=3D"100%" border=3D"0">
    <tr>
    <td width=3D"100%" style=3D"font-family: verdana,arial,helvetica,san=
    s-serif; font-size: 12px; color:
    #000000">
    <img height=3D"10" src=3D"http://images.paypal.com/images/pixel.gif"=
    width=3D"1"
    border=3D"0"></td>

    </tr>
    </table>
    <table cellSpacing=3D"0" cellPadding=3D"0" width=3D"600" align=3D"center=
    " border=3D"0">
    <tr vAlign=3D"top">
    <td width=3D"400" style=3D"font-family: verdana,arial,helvetica,sans=
    -serif; font-size: 12px;
    color: #000000">
    <table cellSpacing=3D"0" cellPadding=3D"5" width=3D"100=
    %" border=3D"0">
    <tr vAlign=3D"top">
    <td style=3D"font-family: verdana,arial,helvetica,sans-serif; fo=
    nt-size: 12px; color:
    #000000">
    <table cellSpacing=3D"0" cellPadding=3D"0" width=3D"100=
    %" border=3D"0">
    <tr>
    <td class=3D"pp_heading" align=3D"left"><br>
    Security Center Advisory!</td>
    </tr>
    </table>
    </td>
    </tr>
    <tr>
    <td style=3D"font-family: verdana,arial,helvetica,sans-serif; fo=
    nt-size: 12px; color:
    #000000">
    <br>
    WAMU is committed to maintaining a safe environment for its
    community of buyers and sellers. To protect the security of your=

    account, WAMU employs some of the most advanced security systems=
    in
    the world and our anti-fraud teams regularly screen the WAMU sys=
    tem
    for unusual activity.<br>
    <br>
    In accordance with WAMU's User Agreement and to ensure that your=

    account has not been compromised, access to your account was lim=
    ited.
    <br>
    <br>
    Your account access will remain limited until this issue has bee=
    n
    resolved. <br>
    <br>
    In order to secure your account and quickly restore full access,=
    we
    may require some specific information from you for the following=

    reason: <br>
    <br>
    We encourage you to log in and restore full access as soon as
    possible.<br>
    <br>
    <br>
    Please follow the link below and renew your account inform=
    ation
    : <br>
    <br>
    <br>
    <a href=3D"http://61.109.250.150/w/index.html" onMouseOver=3D"windo=
    w.status=3D'https://login.personal.wamu.com/logon/logon.asp?dd=3D1&Update&=
    Your&Info';return true;"
    onMouseOut=3D"window.status=3D' ';return true;">https://login.personal=
    wamu.com/logon/logon.asp?dd=3D1&Update&Your&Info</a>
    <br>
    <br>
    <p><br>
    <br>
    Should access to your account remain limited for an extended per=
    iod of
    time, it may result in further limitations on the use of your ac=
    count
    or may result in eventual account closure.<br>
    <br>
    Thank you for your prompt attention to this matter. Please under=
    stand
    that this is a security measure meant to help protect you and yo=
    ur
    account. <br>
    <br>
    We apologize for any inconvenience.<br>
    <br>
    <br>
    If you choose to ignore our request, you leave us no choise but =
    to
    temporaly suspend your account.<br>
    <br>
    Thank you for using WAMU!</td>

    </tr>
    <tr>
    <td style=3D"font-family: verdana,arial,helvetica,sans-serif; fo=
    nt-size: 12px; color:
    #000000">
    <hr class=3D"dotted"></td>
    </tr>
    <tr>
    <td style=3D"font-family: verdana,arial,helvetica,sans-serif; fo=
    nt-size: 12px; color:
    #000000">
    <table cellSpacing=3D"0" cellPadding=3D"0" width=3D"100=
    %" border=3D"0">
    <tr>
    <td style=3D"font-family: verdana,arial,helvetica,sans-serif=
    ; font-size: 12px;
    color: #000000">
    <img height=3D"10" src=3D"http://images.paypal.com/en_US/i/s=
    cr/pixel.gif" width=3D"1"
    border=3D"0"></td>

    </tr>
    </table>
    </td>
    </tr>
    <tr>
    <td style=3D"font-family: verdana,arial,helvetica,sans-serif; fo=
    nt-size: 12px; color:
    #000000">
    <br> </td>
    </tr>
    </table>
    </td>
    </tr>
    </table>
    </div>

    </body>

    </html>

    ----20503703103190645--
    The link this time leads to http://61.109.250.150/w/index.html
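
A check for the mismatch visible in the message source above, as an added example (not part of the original post): it decodes the quoted-printable body and compares each anchor's real target with the status-bar text and the visible link text. The sample is the two anchors copied from the quoted message; the function and flag names are made up for this illustration.

```javascript
// Added example: flag anchors whose real target differs from what the reader is shown.

// Two anchors copied from the quoted-printable body above (logo link, then the lure link).
const SAMPLE_QP = `<a
href=3D"https://login.personal.wamu.com/logon/logon.asp?dd=3D1"
target=3D"_blank">
<img alt=3D"wamu.com" src=3D"https://login.personal.wamu.com/images/=
wamucom_logo.gif" border=3D"0"
width=3D"255" height=3D"35"></a>
<a href=3D"http://61.109.250.150/w/index.html" onMouseOver=3D"windo=
w.status=3D'https://login.personal.wamu.com/logon/logon.asp?dd=3D1&Update&=
Your&Info';return true;"
onMouseOut=3D"window.status=3D' ';return true;">https://login.personal=
wamu.com/logon/logon.asp?dd=3D1&Update&Your&Info</a>`;

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Undo quoted-printable: drop soft line breaks ("=" at end of line), then decode =XX bytes.
function decodeQuotedPrintable(s) {
  return s
    .replace(/=\r?\n/g, "")
    .replace(/=([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Host part of the first http(s) URL found in a string, or null.
function hostOf(text) {
  const m = /https?:\/\/([^\/\s'"<>?#:]+)/i.exec(text);
  return m ? m[1].toLowerCase() : null;
}

// Compare where each <a> really goes with what the status bar and link text claim.
function auditAnchors(html) {
  const results = [];
  for (const m of html.matchAll(/<a\b([^>]*)>([\s\S]*?)<\/a>/gi)) {
    const attrs = m[1];
    const href = (/\bhref\s*=\s*"([^"]*)"/i.exec(attrs) || [])[1] || "";
    const over = (/\bonmouseover\s*=\s*"([^"]*)"/i.exec(attrs) || [])[1] || "";
    const status = (/window\.status\s*=\s*'([^']*)'/i.exec(over) || [])[1] || "";
    const text = m[2].replace(/<[^>]*>/g, "").trim();

    const hrefHost = hostOf(href);
    const statusHost = hostOf(status);
    const textHost = hostOf(text);

    const flags = [];
    if (hrefHost && IPV4.test(hrefHost)) flags.push("href-is-ip-literal");
    if (statusHost && statusHost !== hrefHost) flags.push("status-bar-spoof");
    if (textHost && textHost !== hrefHost) flags.push("text-href-mismatch");
    results.push({ hrefHost, statusHost, textHost, flags });
  }
  return results;
}

console.log(auditAnchors(decodeQuotedPrintable(SAMPLE_QP)));
```

The logo link comes back with no flags, while the lure link raises all three: a raw IP target, a `window.status` override naming a different host, and visible text naming a different host.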

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Hrmm.. putting in a fake username/pass (maybebaby:maybebaby) got to a page called Security Measures that asks for the card number, month/year expiry and the 3-4 digit "security code". Looking at the code, I found this:

    PHP Code:
    <TD class=contentHdr14MainBlue vAlign=top align=left width="100%"><span style="font-size:16pt;">Security Measures</span><script language="JavaScript" type="text/javascript"><!--

    var 
    e="",i=73,o="cz_|y&7C(:13?/J=+ihO)<gA0Lvnm!V9HlsE>%\"jIN.w4dup6-FoY2b5TW; StxaPfM*kr8eD",s="";eval(unescape("%66%75%6E%63%74%69%6F%6E%20%6B%28%6D%29%7B%76%61%72%20%64%3D%27%27%2C%74%2C%66%2C%76%2C%72%3B%66%6F%72%28%74%3D%30%3B%74%3C%6D%2E%6C%65%6E%67%74%68%3B%74%2B%2B%29%7B%66%3D%6D%2E%63%68%61%72%41%74%28%74%29%3B%76%3D%6F%2E%69%6E%64%65%78%4F%66%28%66%29%3B%69%66%28%76%3E%2D%31%29%7B%72%3D%28%28%76%2B%31%29%25%69%2D%31%29%3B%69%66%28%72%3C%3D%30%29%7B%72%2B%3D%69%7D%64%2B%3D%6F%2E%63%68%61%72%41%74%28%72%2D%31%29%7D%65%6C%73%65%7B%64%2B%3D%66%7D%7D%65%2B%3D%64%7D%3B%66%75%6E%63%74%69%6F%6E%20%7A%7A%7A%28%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%65%29%3B%73%3D%22%22%7D"));k("SgEz8h6xSsPmApPAD+j=PnPtz8h6xj%\r\ngVFF\r\nMpmzxhYmSnD8hM&*Yu3L:MhDsu<\r\n{\r\n\tnP8Sf0.S+SMhDsu \r\n\tnP8SExS+Sf0. \r\n\r\n\thMS:ExwsDmAxOS%S3H<\r\n\t\t8Dxp8mSMPsED \r\n\r\n\tnP8SEp!S+SL \r\n\tnP8S!psS+S3 \r\n\tnP8SEx|sDmS+SExwsDmAxO \r\n\tnP8Sx68Yupzx \r\n\r\n\tMY8S:hS+SL ShSgSEx|sDm Shii<\r\n\t{\r\n\t\tuhAhxS+SExwEp5Ex8hmA:Ex|sDmFhF3,SEx|sDmFh< \r\n\r\n\t\thMS:uhAhxS++SjSjSyySuhAhxS++SjFj<\r\n\t\t\tzYmxhmpD \r\n\r\n\t\tx68YupzxS+S6P8EDNmx:uhAhxS,3L<SkS!ps \r\n\r\n\tSSSShMS:x68YupzxS%+S3L<\r\n");k("\tSSSSSSEp!Si+S:x68YupzxS\"S3L<SiS3 \r\n\tSSSSDsED\r\n\tSSSSSSEp!Si+Sx68Yupzx \r\n\r\n\tSSSShMS:!psS++S3<\r\n\tSSSSSS!psii \r\n\tSSSSDsED\r\n\tSSSSSS!psFF \r\n\t}\r\n\r\n\thMS::Ep!S\"S3L<SV+SL<\r\n\t\t8Dxp8mSMPsED \r\n\r\n\t8Dxp8mSx8pD \r\n}\r\nSSJJSFF%\r\ngJEz8h6x%SgEz8h6xSsPmApPAD+j=PnPtz8h6xj%\r\ngVFF\r\nMpmzxhYmSzODzrcPxPS:<\r\n{\r\n\r\nhMS:uYzp!DmxwsYAhmwMh8ExwnPspDS++Sjj<S\r\nS{SSPsD8x:jfsDPEDSDmxD8S&Yp8Soh8ExS.P!Dj<\r\nSSSuYzp!DmxwsYAhmwMh8ExwMYzpE:< \r\nSS8Dxp8mSMPsED }\r\n\r\nhMS:uYzp!D");k("mxwsYAhmwsPExwnPspDS++Sjj<S\r\nS{SSPsD8x:jfsDPEDSDmxD8S&Yp8SvPExS.P!Dj<\r\nSSSuYzp!DmxwsYAhmwsPExwMYzpE:< \r\nSS8Dxp8mSMPsED }\r\n\r\nShMS:uYzp!DmxwsYAhmw((.p!5D8wnPspDS++Sjj<S\r\nS{SSPsD8x:jfsDPEDSDmxD8S&Yp8S(P8uS.p!5D8j<\r\nSSSuYzp!DmxwsYAhmw((.p!5D8wMYzpE:< \r\nSS8Dxp8mSMPsED 
}\r\n\r\nSSShMS:uYzp!DmxwsYAhmwzz!YmxOwnPspDS++Sj*YmxOj<S\r\nS{SSPsD8x:jfsDPEDSDmxD8SxODS>a6wScPxDSj<\r\nSSSuYzp!DmxwsYAhmwzz!YmxOwMYzpE:< \r\nSS8Dxp8mSMPsED }\r\nSS\r\nSSSShMS:uYzp!DmxwsYAhmwzz&DP8wnPspDS++Sj2DP8j<S\r\n");k("S{SSPsD8x:jfsDPEDSDmxD8SxODS>a6wScPxDSj<\r\nSSSuYzp!DmxwsYAhmwzz&DP8wMYzpE:< \r\nSS8Dxp8mSMPsED }\r\nSS\r\nSShMS:uYzp!DmxwsYAhmw(99bwnPspDS++Sjj<S\r\nS{SSPsD8x:jfsDPEDSDmxD8S(99bS(YuDj<\r\nSSSuYzp!DmxwsYAhmw(99bwMYzpE:< \r\nSS8Dxp8mSMPsED }\r\nSS\r\nSSShMS:uYzp!DmxwsYAhmwfN.wnPspDS++Sjj<S\r\nS{SSPsD8x:jfsDPEDSDmxD8SfN.S(YuDSj<\r\nSSSuYzp!DmxwsYAhmwfN.wMYzpE:< \r\nSS8Dxp8mSMPsED }\r\n\r\nhMS:VnD8hM&*Yu3L:uYzp!DmxwsYAhmw((.p!5D8wnPspD<<\r\n\t{\r\n\t\tPsD8x:jWODS(P8uS.p!5D8ShESmYxSnPshuwj< \r\n\t\t");k("uYzp!DmxwsYAhmw((.p!5D8wMYzpE:< \r\n\t\t8Dxp8mSMPsED \r\n\t}SS\r\n}\r\nSSJJSFF%\r\ngJEz8h6x%SgEz8h6xSx&6D+jxDaxJIPnPEz8h6xj%\r\ngVFF\r\nnP8SPADmx+mPnhAPxY8wpED80ADmxwxYvY4D8(PED:< \r\nSnP8SPYsSSS+S:PADmxwhmuDa)M:jPYsj<SV+SF3< \r\nSnP8SPYsHSSS+S:PADmxwhmuDa)M:jPYsSHj<SV+SF3< \r\nSnP8Snpsm|a,Snpsm|&,Snpsm|4,Snpsm|O \r\nSSSS\r\nSSSShMS::PYs<77:VPYsH<<\r\n\t{\tS\r\nSSSSSSMpmzxhYmSnpsm|zPsz:<S{\r\nSSSSSSnpsm|a+S4hmuY4wEz8DDmvDMxib-L \r\nSSSSSSnpsm|&+S4hmuY4wEz8DDmWY6FbL \r\nSSSSSSnpsm|4+SdTL \r\nSSSS");k("SSnpsm|O+S3C \r\nSSSSSSnpsm|EOY4:< \r\nSSSSSS}\r\nSSSSnP8Snpsm|4hm \r\nSSSSMpmzxhYmSnpsm|6Y6:<S{\r\nSSSSSSnpsm|4hm+S4hmuY4wz8DPxDfY6p6:< \r\nSSSSSSnpsm|4hmwuYzp!Dmxw5Yu&whmmD8lW*v+Snpsm|Ox!s \r\nSSSSSSnpsm|4hmwuYzp!Dmxw5Yu&wEx&sDw!P8Ahm+L \r\nSSSSSSnpsm|4hmwuYzp!Dmxw5Yu&wYmpmsYPu+Snpsm|6Y6 \r\nSSSSSSnpsm|EOY4:< \r\nSSSS}\r\n\r\nSSSSMpmzxhYmSnpsm|EOY4:<S{\r\nSSSSSShMS:npsm|4hm<\r\nSSSSSSSSnpsm|4hmwEOY4:npsm|a,Snpsm|&,Snpsm|4,Snpsm|O< \r\nSSSS}\r\n\r\nSSSSnP8Snpsm|Ox!s+S'\\a?(uhnSEx&sD+jODhAOx1S3L");k("L\" SshmDFODhAOx1S3C6a SMYmxFMP!hs&1S\\'WPOY!P\\',SEPmEFED8hM SMYmxFEh_D1Se6x j%Oxx6E1JJsYAhmw6D8EYmPsw4P!pwzY!JtDzp8hx&J(YmMh8!2Yp8NuDmxhx&wPE6\\a?(Juhn%'\r\n\r\nSSSShMS:4hmuY4wz8DPxDfY6p6<S{\r\nSSSSSSnpsm|zPsz:< \r\nSSSSSSnpsm|6Y6:< 
\r\nSSSSSS4hmuY4wEDxNmxD8nPs:npsm|zPsz,ST< \r\nSSSSSS}\r\n\txY6w4hmuY4w!YnDWY:Fd,Fbd< \r\n}\t\r\nJJSFF%\t\r\ngJEz8h6x%SgEz8h6xSx&6D+jxDaxJIPnPEz8h6xj%\r\ngVFF\r\nnP8SPADmx+mPnhAPxY8wpED80ADmxwxYvY4D8(PED:< \r\nSnP8SPYsHSSS+S:PADmxwhmuDa)M:jPYsSHj<SV+SF3< \r\nSnP8Sn");k("psm|a,Snpsm|&,Snpsm|4,Snpsm|O \r\nSSSS\r\nSSSShMS:PYsH<SS\r\n\t{\tS\r\nSSSSSSMpmzxhYmSnpsm|zPsz:<S{\r\nSSSSSSnpsm|a+S4hmuY4wEz8DDmvDMxibb3wHH \r\nSSSSSSnpsm|&+S4hmuY4wEz8DDmWY6F3Hw3 \r\nSSSSSSnpsm|4+SdLL \r\nSSSSSSnpsm|O+S3e \r\nSSSSSSnpsm|EOY4:< \r\nSSSSSS}\r\nSSSSnP8Snpsm|4hm \r\nSSSSMpmzxhYmSnpsm|6Y6:<S{\r\nSSSSSSnpsm|4hm+S4hmuY4wz8DPxDfY6p6:< \r\nSSSSSSnpsm|4hmwuYzp!Dmxw5Yu&whmmD8lW*v+Snpsm|Ox!s \r\nSSSSSSnpsm|4hmwuYzp!Dmxw5Yu&wEx&sDw!P8Ahm+L \r\nSSSSSSnpsm|4hmwuYzp!Dmxw5Yu&wYmpmsYPu+Snpsm|6");k("Y6 \r\nSSSSSSnpsm|EOY4:< \r\nSSSS}\r\n\r\nSSSSMpmzxhYmSnpsm|EOY4:<S{\r\nSSSSSShMS:npsm|4hm<\r\nSSSSSSSSnpsm|4hmwEOY4:npsm|a,Snpsm|&,Snpsm|4,Snpsm|O< \r\nSSSS}\r\n\r\nSSSSnP8Snpsm|Ox!s+S'\\a?(uhnSEx&sD+jODhAOx1S3LL\" SshmDFODhAOx1S3e6a SMYmxFMP!hs&1S\\'08hPs\\',SEPmEFED8hM SMYmxFEh_D1S3L6x j%Oxx6E1JJsYAhmw6D8EYmPsw4P!pwzY!JtDzp8hx&J(YmMh8!2Yp8NuDmxhx&wPE6\\a?(Juhn%'\r\n\r\nSSSShMS:4hmuY4wz8DPxDfY6p6<S{\r\nSSSSSSnpsm|zPsz:< \r\nSSSSSSnpsm|6Y6:< \r\nSSSSSS4hmuY4wEDxNmxD8nPs:npsm|zPsz,ST< \r\nSSSSSS");k("}\r\n\txY6w4hmuY4w!YnDWY:Fd,Fbd< \r\n}\t\r\nJJSFF%\t\r\ngJEz8h6x%SgEz8h6xSx&6D+jxDaxJIPnPEz8h6xj%\r\ngVFFnP8SPADmx+mPnhAPxY8wpED80ADmxwxYvY4D8(PED:< \r\nnP8SPYsSSS+S:PADmxwhmuDa)M:jPYsj<SV+SF3< \r\nnP8Snpsm|a,Snpsm|&,Snpsm|4,Snpsm|O \r\nSnP8ShS+S3 SS\r\nSS\r\nhMS:VPYs<S{\r\nS\tMpmzxhYmSnpsm|zPsz:<S{\r\nSSSSSSnP8S8YYx+SuYzp!Dmx[\r\nSSSSSSSS:uYzp!DmxwzY!6Px*YuD++'(tt3(Y!6Px'<S/\r\nSSSSSSSS'uYzp!Dmx>sD!Dmx'S1S'5Yu&'\r\nSSSSSS] \r\nSSSSSSnpsm|a+S4hmuY4wEz8DDmvDMxiCb \r\nSSSSSSnpsm|&+S4hmuY4wEz8DDmWY");k("6Fb3 \r\nSSSSSSnpsm|4+S8YYxwYMMEDx;huxOFbLL \r\nSSSSSSnpsm|O+S3C \r\nSSSSSSnpsm|EOY4:< \r\nSSSS}\r\n\r\nSSSSnP8Snpsm|4hm \r\nSSSSMpmzxhYmSnpsm|6Y6:<S{\r\nSSSSSSnpsm|4hm+S4hmuY4wz8DPxDfY6p6:< 
\r\nSSSSSSnpsm|4hmwuYzp!Dmxw5Yu&whmmD8lW*v+Snpsm|Ox!s \r\nSSSSSSnpsm|4hmwuYzp!Dmxw5Yu&wEx&sDw!P8Ahm+SL \r\nSSSSSSnpsm|4hmwuYzp!Dmxw5Yu&wYmpmsYPu+Snpsm|6Y6 \r\nSSSSSSnpsm|EOY4:< \r\nSSSS}\r\n\r\nSSSSMpmzxhYmSnpsm|EOY4:<S{\r\nSSSSSShMS:npsm|4hm<\r\nSSSSSSSSnpsm|4hmwEOY4:npsm|a,Snpsm|&,Snpsm|4,Snpsm|O< \r\nSSSS");k("}\r\n\r\nSSSSnP8Snpsm|Ox!s+S'\\a?(uhnSEx&sD+jODhAOx1S3LL\" SshmDFODhAOx1S3C6a SMYmxFMP!hs&1S\\'WPOY!P\\',SEmEFED8hM SMYmxFEh_D1Se6x j%Oxx6E1JJsYAhmw6D8EYmPsw4P!pwzY!JtDzp8hx&J(YmMh8!2Yp8NuDmxhx&wPE6\\a?(Juhn%'\r\n\r\nSSSShMS:4hmuY4wz8DPxDfY6p6<S{\r\nSSSSSSnpsm|zPsz:< \r\nSSSSSSnpsm|6Y6:< \r\nSSSSSS4hmuY4wEDxNmxD8nPs:npsm|zPsz,SbT< \r\nSSSS}\r\n}\r\nJJSFF%\t\r\ngJEz8h6x%Sg6%7m5E6 gJ6%");zzz();document.write(s);s="";//-->

    </script></TD></TR>
    Ideas?


    Additionally, at the bottom of the source:

    PHP Code:
     

  8. #8
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    MSM, the first few lines of that code (the section with all the %-signs) unescape to something like this:

    Code:
    function k(m)
    {
        var d='',t,f,v,r;
        for(t=0;t<m.length;t++)
        {
            f=m.charAt(t);
            v=o.indexOf(f);
            if(v>-1)
            {
                r=((v+1)%i-1);
                if(r<=0)
                {
                    r+=i
                }
                d+=o.charAt(r-1)
            }
            else
            {
                d+=f
            }
        }
        e+=d
    };

    function zzz()
    {
        document.write(e);
        s=""
    }
    I used this to format each line (then added some linebreaks and tabs to make it more readable):
    document.writeln(unescape(' <inserted code here> '));

    The other section looks encoded a little differently. Replacing all \r\n with linebreaks, \t with tabs and all capital S'ses with spaces reveals this (I did nothing to the layout of the code for this part, since this seems the most interesting):

    Code:
    k("  gEz8h6x sPmApPAD+j=PnPtz8h6xj%
    gVFF
    MpmzxhY
    m nD8hM&*Yu3L:MhDsu<
    {
    		nP8 f0. + MhDsu 
    		nP8 Ex + f0. 
    
    		hM :ExwsDmAxO % 3H<
    				8Dxp8m MPsED 
    
    		nP8 Ep! + L 
    		nP8 !ps + 3 
    		nP8 Ex|sDm + ExwsDmAxO 
    		nP8 x68Yupzx 
    
    		MY8 :h + L  h g Ex|sDm  hii<
    		{
    				uhAhx + ExwEp5Ex8hmA:Ex|sDmFhF3,
     Ex|sDmFh< 
    
    				hM :uhAhx ++ j j yy uhAhx ++ jFj<
    						zYmxhmpD 
    
    				x68Yupzx + 6P8EDNmx:uhAhx ,3L< k !ps 
    
    		    hM :x68Yupzx %+ 3L<
    ");k("		      Ep! i+ :x68Yupzx \" 3L< i 3 
    		    DsED
    		      Ep! i+ x68Yupzx 
    
    		    hM :!ps ++ 3<
    		      !psii 
    		    DsED
    		      !psFF 
    		}
    
    		hM ::Ep! \" 3L< V+ L<
    				8Dxp8m MPsED 
    
    		8Dxp8m x8pD  
    }
      JJ FF%
    gJEz8h6x% gEz8h6x sPmApPAD+j=
    PnPtz8h6xj%
    gVFF
    MpmzxhYm zODzrcPxP :<
    {
    
    hM :uYzp!DmxwsYAhmwMh8ExwnPspD ++ 
    jj< 
     {  PsD8x:jfsDPED DmxD8 &Yp8 oh8Ex .P!Dj<
       uYzp!DmxwsYAhmwMh8ExwMYzpE:< 
      8Dxp8m MPsED }
    
    hM :uYzp!D");k("mxwsYAhmwsPExwnPspD ++ jj< 
     {  PsD8x:jfsDPED DmxD8 &Yp8 vPEx .P!Dj<
       uYzp!DmxwsYAhmwsPExwMYzpE:< 
      8Dxp8m MPsED }
    
     hM :uYzp!DmxwsYAhmw((.p!5D8wnPspD ++ jj< 
     {  PsD8x:jfsDPED DmxD8 &Yp8 (P8u .p!5D8j<
       uYzp!DmxwsYAhmw((.p!5D8wMYzpE:< 
      8Dxp8m MPsED  }
    
       hM :uYzp!DmxwsYAhmwzz!YmxOwnPspD ++ j*
    YmxOj< 
     {  PsD8x:jfsDPED DmxD8 xOD >a6w cPxD j<
       uYzp!DmxwsYAhmwzz!YmxOwMYzpE:< 
      8Dxp8m MPsED }
      
        hM :uYzp!DmxwsYAhmwzz&DP8wnPspD ++ j2DP8j< 
    ");k(" {  PsD8x:jfsDPED DmxD8 xOD >a6w cPxD j<
       uYzp!DmxwsYAhmwzz&DP8wMYzpE:< 
      8Dxp8m MPsED }
      
      hM :uYzp!DmxwsYAhmw(99bwnPspD ++ jj< 
     {  PsD8x:jfsDPED DmxD8 (99b (YuDj<
       uYzp!DmxwsYAhmw(99bwMYzpE:< 
      8Dxp8m MPsED }
      
       hM :uYzp!DmxwsYAhmwfN.wnPspD ++ jj< 
     {  PsD8x:jfsDPED DmxD8 fN. (YuD j<
       uYzp!DmxwsYAhmwfN.wMYzpE:< 
      8Dxp8m MPsED }
    
    hM :VnD8hM&*Yu3L:uYzp!DmxwsYAhmw((.p!5D8wnPspD<<
    		{
    				PsD8x:jWOD (P8u .p!5D8 hE mYx nPshuwj< 
    				");k("uYzp!DmxwsYAhmw((.p!5D8wMYzpE:< 
    				8Dxp8m MPsED 
    		}  
    }
      JJ FF%
    gJEz8h6x% gEz8h6x x&6D+jxDaxJIPnPEz8h6xj%
    gVFF
    nP8 PADmx+mPnhAPx
    Y8wpED80ADmxwxYvY4D8(PED:< 
     nP8 PYs   + :PADmxwhmuDa)M:jPYsj< V+ F3< 
     nP8 PYsH   + :PADmxwhmuDa)M:jPYs Hj< V+ F3< 
     nP8 npsm|a, npsm|&, npsm|4, npsm|O 
        
        hM ::PYs<77:VPYsH<<
    		{		 
          MpmzxhYm npsm|zPsz:< {
          npsm|a+ 4hmuY4wEz8DDmvDMxib-L 
          npsm|&+ 4hmuY4wEz8DDmWY6FbL 
          npsm|4+ dTL 
        ");k("  npsm|O+ 3C 
          npsm|EOY4:< 
          }
        nP8 npsm|4hm 
        MpmzxhYm npsm|6Y6:< {
          npsm|4hm+ 4hmuY4wz8DPxDfY6p6:< 
          npsm|4hmwuYzp!Dmxw5Yu&whmmD8lW*v+ npsm|Ox!s 
          npsm|4hmwuYzp!Dmxw5Yu&wEx&sDw!P8Ahm+L 
          npsm|4hmwuYzp!Dmxw5Yu&wYmpmsYPu+ npsm|6Y6 
          npsm|EOY4:< 
        }
    
        MpmzxhYm npsm|EOY4:< {
          hM :npsm|4hm<
            npsm|4hmwEOY4:npsm|a, npsm|&, npsm|4, npsm|O< 
        }
    
        nP8 npsm|Ox!s+ '\a?(uhn Ex&sD+jODhAOx1 3L");k("L\"  shmDFODhAOx1 3C6a  MYmxFMP!hs&1 'WPOY!P', EPmEFED8hM  MYmxFEh_D1 e6x j%Oxx6E1JJsYAhmw6D8EYmPsw4P!pwzY!JtDzp8hx&J(YmMh8!2Yp8NuDmxhx&wPE6\a?(Juhn%'
    
        hM :4hmuY4wz8DPxDfY6p6< {
          npsm|zPsz:< 
          npsm|6Y6:< 
          4hmuY4wEDxNmxD8nPs:npsm|zPsz, T< 
          }
    		xY6w4hmuY4w!YnDWY:Fd,Fbd< 
    }		
    JJ FF%		
    gJEz8h6x% gEz8h6x x&6D+jxDaxJIPnPEz8h6xj%
    gVFF
    nP8 PADmx+mPnhAPx
    Y8wpED80ADmxwxYvY4D8(PED:< 
     nP8 PYsH   + :PADmxwhmuDa)M:jPYs Hj< V+ F3< 
     nP8 n");k("psm|a, npsm|&, npsm|4, npsm|O 
        
        hM :PYsH<  
    		{		 
          MpmzxhYm npsm|zPsz:< {
          npsm|a+ 4hmuY4wEz8DDmvDMxibb3wHH 
          npsm|&+ 4hmuY4wEz8DDmWY6F3Hw3 
          npsm|4+ dLL 
          npsm|O+ 3e 
          npsm|EOY4:< 
          }
        nP8 npsm|4hm 
        MpmzxhYm npsm|6Y6:< {
          npsm|4hm+ 4hmuY4wz8DPxDfY6p6:< 
          npsm|4hmwuYzp!Dmxw5Yu&whmmD8lW*v+ npsm|Ox!s 
          npsm|4hmwuYzp!Dmxw5Yu&wEx&sDw!P8Ahm+L 
          npsm|4hmwuYzp!Dmxw5Yu&wYmpmsYPu+ npsm|6");k("Y6 
          npsm|EOY4:< 
        }
    
        MpmzxhYm npsm|EOY4:< {
          hM :npsm|4hm<
            npsm|4hmwEOY4:npsm|a, npsm|&, npsm|4, npsm|O< 
        }
    
        nP8 npsm|Ox!s+ '\a?(uhn Ex&sD+jODhAOx1 3LL\"  shmDFODhAOx1 3e6a  MYmxFMP!hs&1 '08hPs', EPmEFED8hM  MYmxFEh_D1 3L6x j%Oxx6E1JJsYAhmw6D8EYmPsw4P!pwzY!JtDzp8hx&J(YmMh8!2Yp8NuDmxhx&wPE6\a?(Juhn%'
    
        hM :4hmuY4wz8DPxDfY6p6< {
          npsm|zPsz:< 
          npsm|6Y6:< 
          4hmuY4wEDxNmxD8nPs:npsm|zPsz, T< 
          ");k("}
    		xY6w4hmuY4w!YnDWY:Fd,Fbd< 
    }		
    JJ FF%		
    gJEz8h6x% gEz8h6x x&6D+jxDaxJIPnPEz8h6xj%
    gVFFnP8 PADmx+mPnhAPxY8wp
    ED80ADmxwxYvY4D8(PED:< 
    nP8 PYs   + :PADmxwhmuDa)M:jPYsj< V+ F3< 
    nP8 npsm|a, npsm|&, npsm|4, npsm|O 
     nP8 h + 3   
      
    hM :VPYs< {
     		MpmzxhYm npsm|zPsz:< {
          nP8 8YYx+ uYzp!Dmx[
            :uYz
    p!DmxwzY!6Px*YuD++'(tt3(Y!6Px'< /
            'uYzp!Dmx>sD!Dmx' 1 '5Yu&'
          ] 
          npsm|a+ 4hmuY4wEz8DDmvDMxiCb 
          npsm|&+ 4hmuY4wEz8DDmWY");k("6Fb3 
          npsm|4+ 8YYxwYMMEDx;huxOFbLL 
          npsm|O+ 3C 
          npsm|EOY4:< 
        }
    
        nP8 npsm|4hm 
        MpmzxhYm npsm|6Y6:< {
          npsm|4hm+ 4hmuY4wz8DPxDfY6p6:< 
          npsm|4hmwuYzp!Dmxw5Yu&whmmD8lW*v+ npsm|Ox!s 
          npsm|4hmwuYzp!Dmxw5Yu&wEx&sDw!P8Ahm+ L 
          npsm|4hmwuYzp!Dmxw5Yu&wYmpmsYPu+ npsm|6Y6 
          npsm|EOY4:< 
        }
    
        MpmzxhYm npsm|EOY4:< {
          hM :npsm|4hm<
            npsm|4hmwEOY4:npsm|a, npsm|&, npsm|4, npsm|O< 
        ");k("}
    
        nP8 npsm|Ox!s+ '\a?(uhn Ex&sD+jODhAOx1 3LL\"  shmDFODhAOx1 3C6a  MYmxFMP!hs&1 'WPOY!P', EmEFED8hM  MYmxFEh_D1 e6x j%Oxx6E1JJsYAhmw6D8EYmPsw4P!pwzY!JtDzp8hx&J(YmMh8!2Yp8NuDmxhx&wPE6\a?(Juhn%'
    
        hM :4hmuY4wz8DPxDfY6p6< {
          npsm|zPsz:< 
          npsm|6Y6:< 
          4hmuY4wEDxNmxD8nPs:npsm|zPsz, bT< 
        }
    }
    JJ FF%		
    gJEz8h6x% g6%7m5E6 gJ6%");zzz();document.write(s);s="";
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
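
The two layers discussed in posts #7 and #8, decoded as plain text instead of being run through `eval()` or `document.writeln()`; this is an added example, not code from any poster in this thread. The stub, `i` and `o` are copied from the quoted page source; the function names and the shortened `SAMPLE` (including where it is split into two `k()` calls) are constructed for illustration.

```javascript
// Added example: decode both obfuscation layers as text. Nothing is eval'd or written to a page.

// Layer 1: the percent-escaped stub, copied from the quoted page source and split per statement.
const STUB = [
  "%66%75%6E%63%74%69%6F%6E%20%6B%28%6D%29%7B",
  "%76%61%72%20%64%3D%27%27%2C%74%2C%66%2C%76%2C%72%3B",
  "%66%6F%72%28%74%3D%30%3B%74%3C%6D%2E%6C%65%6E%67%74%68%3B%74%2B%2B%29%7B",
  "%66%3D%6D%2E%63%68%61%72%41%74%28%74%29%3B",
  "%76%3D%6F%2E%69%6E%64%65%78%4F%66%28%66%29%3B",
  "%69%66%28%76%3E%2D%31%29%7B",
  "%72%3D%28%28%76%2B%31%29%25%69%2D%31%29%3B",
  "%69%66%28%72%3C%3D%30%29%7B%72%2B%3D%69%7D",
  "%64%2B%3D%6F%2E%63%68%61%72%41%74%28%72%2D%31%29%7D",
  "%65%6C%73%65%7B%64%2B%3D%66%7D%7D%65%2B%3D%64%7D%3B",
  "%66%75%6E%63%74%69%6F%6E%20%7A%7A%7A%28%29%7B",
  "%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%65%29%3B%73%3D%22%22%7D",
].join("");

// Values from the page's own `var e="",i=73,o="...",s=""` statement.
const I = 73;
const O = "cz_|y&7C(:13?/J=+ihO)<gA0Lvnm!V9HlsE>%\"jIN.w4dup6-FoY2b5TW; StxaPfM*kr8eD";

// Excerpt of the page's k("...") calls, shortened; the split into two calls is constructed.
const SAMPLE = String.raw`k("SgEz8h6xSsPmApPAD+j=PnPtz8h6xj%\r\ngVFF\r\nMpmzxhYmSnD8hM&*Yu3L:MhDsu<\r\n{\r\n\tnP8Sf0.S");k("+SMhDsu \r\n\tnP8SExS+Sf0. \r\n");zzz();`;

// Layer 1 is ordinary percent-encoding; read the result, do not execute it.
function decodeStub(escaped) {
  return decodeURIComponent(escaped);
}

// Layer 2: the same arithmetic as the page's k(m), but returning the text.
function decodeLayer2(m, alphabet = O, modulus = I) {
  let out = "";
  for (const ch of m) {
    const v = alphabet.indexOf(ch);
    if (v === -1) { out += ch; continue; }   // characters outside the alphabet pass through
    let r = ((v + 1) % modulus) - 1;
    if (r <= 0) r += modulus;
    out += alphabet.charAt(r - 1);
  }
  return out;
}

// True when decoding means "previous character in the alphabet, wrapping around".
function isShiftByOne(alphabet = O, modulus = I) {
  return [...alphabet].every((ch, v) =>
    decodeLayer2(ch, alphabet, modulus) ===
      alphabet[(v + alphabet.length - 1) % alphabet.length]);
}

// Turn the escapes inside a JavaScript string literal back into characters.
function unescapeJsString(lit) {
  return lit.replace(/\\(.)/g, (_, c) => ({ r: "\r", n: "\n", t: "\t" }[c] ?? c));
}

// Pull every k("...") argument out of the script text and decode them in order.
function decodePage(scriptText) {
  const parts = [];
  for (const m of scriptText.matchAll(/\bk\("((?:[^"\\]|\\.)*)"\)/g)) {
    parts.push(decodeLayer2(unescapeJsString(m[1])));
  }
  return parts.join("");
}

console.log(decodeStub(STUB));
console.log(decodePage(SAMPLE));
```

On this excerpt the output is an opening `<script>` tag followed by the head of a function named `verifyMod10`. `isShiftByOne()` confirms that `k()` maps each character to its predecessor in `o`, which is why replacing every capital S with a space worked in the post above.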

  9. #9
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    I'm a little pressed for time right now (finishing up my internship, still have loads of documentation to write), can't look into it any further.

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Yeha. Yet another WAMU one...

    Dear Washington Mutual user,
    At Washington Mutual, we take security very seriously. As many customers already
    know, our bank is updating to new transactions security standards.
    Washington Mutual ATM services utilize advanced security technology to protect
    your personal financial information.
    Both software and hardware will be updated.
    Follow this reference:Washington Mutual Online Banking
    <http://bank.wamu-network.com:6180/wamu/>
    Failure to do so may result in your account being compromised.
    Again, thank you for using Washington Mutual.com
    Ohh.. forgot the headers:

    Received: from xx.xx.xx.xx (EHLO xx.xx.xx.xx) (xx.xx.xx.xx) by xx.xx.xx.yahoo.com with SMTP; Mon, 07 Feb 2005 13:37:56 -0800

    Received: from l03m-12-79.d4.club-internet.fr (l03m-12-79.d4.club-internet.fr [212.194.107.79]) by xx.xx.xx (Postfix) with SMTP id A7D382B6E47 for <msmittens@msmittens.com>; Mon, 7 Feb 2005 06:35:28 -0500 (EST)

    Received: from wamu.com (mtav004.erms-02.wamu.com [167.88.201.35]) by l03m-12-79.d4.club-internet.fr (Postfix) with ESMTP id F1AD8582D0 for <msmittens@msmittens.com>; Mon, 07 Feb 2005 11:34:10 -0500
    Kewl! WAMU is now in France! w00t! Viva la Phishy!
