My first guess would be that this is strictly an exploratory probe
form posting.  The script drops in some sort of long string as an
alert and then returns in a few days to see if it's popped up anywhere
on the site or in Google.  By recording the unique strings locally,
they will be able to automatically detect sites that don't strip
JavaScript and are vulnerable to a JavaScript Cross Site Scripting
attack.  Sure, this message just says gibberish, but the next attack
might say "Please enter your username and password below".

Interestingly, by posting this to cf-community you may trigger their
scripts if it shows up in Google.  Their automated systems would be
very likely to associate your site with HOF's archive and then a human
would be dispatched to see if the correlation was worthy of further
investigation.

I also emailed an info-sec friend of mine to see if he has any opinions
about it...

-Cameron

On 9/30/05, Robert Munn <[EMAIL PROTECTED]> wrote:
> We had some script kiddies trying to hack a form using some kind of automated
> attack. The common thread of all the attacks is an attempt to launch
> something like this either using JS or VBScript:
>
> alert("SPIXSSZ2lLQ1Zpa0VmMENMRGJTV0I2c3lndz09YWRkcmVzcwSSXIPS")
>
> Unfortunately for their attack, the form just saves to a text file.
>
> Anyone know how to translate this little message? I don't even know what the 
> encoding is...
>
> 
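
Added example, not part of either message: a Python sketch of the check described in the reply above, run from the site owner's side over logged form input. It pulls the SPIXSS...SSXIPS marker out of a submission, base64-decodes the middle, and reports whether a page echoes the value unescaped. The function names, the sample submission and the reading of the decoded tail as a form field name are assumptions.

```python
import base64
import html
import re

# Marker shape taken from the payload quoted in the thread: SPIXSS<body>SSXIPS.
MARKER_RE = re.compile(r"SPIXSS([A-Za-z0-9+/]+?)SSXIPS")
PAYLOAD = 'alert("SPIXSSZ2lLQ1Zpa0VmMENMRGJTV0I2c3lndz09YWRkcmVzcwSSXIPS")'

def decode_marker(body):
    """Base64-decode a marker body, restoring the padding that was stripped."""
    padded = body + "=" * (-len(body) % 4)
    return base64.b64decode(padded).decode("ascii", errors="replace")

def split_token(decoded):
    """Split 'token==field' at the last '='. Reading the tail as the name of
    the probed form field is an assumption, not something the thread states."""
    head, sep, tail = decoded.rpartition("=")
    return (head + sep, tail) if sep else (decoded, "")

def classify_echo(submitted, rendered):
    """Report how a page that displays stored input echoes a submitted value."""
    if submitted in rendered:
        return "unescaped"      # markup survived, so the script would run
    if html.escape(submitted) in rendered:
        return "escaped"        # shown as inert text
    return "marker-only" if MARKER_RE.search(rendered) else "absent"

def audit(submission, rendered):
    """Find probe markers in one form submission and check the rendered page."""
    findings = []
    for field, value in submission.items():
        for m in MARKER_RE.finditer(value):
            token, claimed = split_token(decode_marker(m.group(1)))
            findings.append({"field": field, "token": token,
                             "claimed_field": claimed,
                             "echo": classify_echo(value, rendered)})
    return findings

# Constructed sample data: one logged submission and two renderings of it.
SUBMISSION = {"name": "test user", "address": "<script>" + PAYLOAD + "</script>"}
UNSAFE_PAGE = "<td>" + SUBMISSION["address"] + "</td>"
SAFE_PAGE = "<td>" + html.escape(SUBMISSION["address"]) + "</td>"

if __name__ == "__main__":
    for label, page in (("unsafe", UNSAFE_PAGE), ("safe", SAFE_PAGE)):
        print(label, audit(SUBMISSION, page))
```

The decoded body is a 24-character base64 token followed by the word "address", which fits the idea of a per-probe unique string recorded by the sender.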
