Hi,

On Thu, 20 May 2004, Ron Snyder wrote:

> I'm getting a bunch of virus alerts from mcafee for "Exploit-objectdata",
> and I'm pretty sure the stuff below is what's triggering it.  The text in
> the sendmail data file (pulled straight from the df*) is exactly as you see
> it below (including the '=' in the right column), with the exception that
> I've changed "object data" to "xxxx" in order to hopefully avoid any other
> alerts that folks might have.
>
>
>  </font></CENTER><xxxx=3D"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#=
> 119;&#119;&#119;&#46;&#102;&#97;&#116;&#98;&#111;&#110;&#117;&#115;&#99;&#=
> 97;&#115;&#105;&#110;&#111;&#46;&#99;&#111;&#109;&#47;&#112;&#97;&#103;&#1=
> 01;&#46;&#112;&#104;&#112;">
>
>
> Are there programs that can be used to decode this, so I can see exactly
> what this converts to w/o doing it by hand?
> Is this actually an attack?

Try this one-liner:

  cat sample_spam.txt | spamassassin -d | \
  perl -MHTML::Entities -pe 'decode_entities($_);' | less

The above translates to

  </font></CENTER><xxxx=3D"http://www.fatbonuscasino.com/page.php";>

The -n and -p flags to perl are very helpful when doing crazy one-liners
like this. Also see man pages for xargs and cut.

hth,

-- Bob
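
The decoding asked about in this thread, as an added example that is not part of the original messages: it undoes the quoted-printable layer first (the "=3D" and the trailing "=" soft line breaks that split entities across lines) and then the HTML character references, so the hidden URL can be read and extracted. The sample is constructed with a placeholder URL, and the function names are this example's own.

```python
import html
import quopri
import re

# Constructed sample in the same shape as the quoted message body: a tag whose
# attribute value is written as decimal HTML character references, wrapped as
# quoted-printable. The URL is a placeholder, not the one from the post.
PLACEHOLDER_URL = "http://www.example.com/page.php"

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def build_sample(url, width=76):
    """Encode url as numeric entities inside a tag, then QP-wrap the line."""
    entities = "".join("&#%d;" % ord(ch) for ch in url)
    line = ' </font></CENTER><xxxx=3D"%s">' % entities
    # Quoted-printable soft line break: a trailing "=" means the line
    # continues, so an entity may be cut in half across two physical lines.
    step = width - 1
    chunks = [line[i:i + step] for i in range(0, len(line), step)]
    return "=\n".join(chunks).encode("ascii")


def decode_body(raw):
    """Undo quoted-printable first, then HTML character references."""
    unfolded = quopri.decodestring(raw).decode("latin-1")
    return html.unescape(unfolded)


def entities_only(raw):
    """Entity decoding without the QP step, to show why the order matters."""
    return html.unescape(raw.decode("latin-1"))


def extract_urls(raw):
    """Return the URLs visible after both layers are removed."""
    return URL_RE.findall(decode_body(raw))


if __name__ == "__main__":
    sample = build_sample(PLACEHOLDER_URL)
    print(sample.decode("ascii"))
    print(decode_body(sample))
    print(extract_urls(sample))
```

Skipping the quoted-printable step leaves "=3D" in place and leaves any entity that straddles a soft line break undecoded, which is why entities_only() does not recover the URL.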
