what is this script

Re: what is this script

abuse <abuse@127.0.0. 1> writes:
[color=blue]
> this script is on a web page i visit i am not a java or any other code
> programmer. is this malicious? should i be leary of this site?[/color]

[color=blue]
> <script language="Shone nScript 712.0"><!--[/color]

I can see that you use a rewriting proxy (most likely Proxomitron).
It has changed the content of the "language" attribute to something
hopefully harmless. Most likely, your browser will ignore this
script because it doesn't understand "ShonenScri pt">
[color=blue]
> {var doc=document; var url=escape(doc. NoLocation.href ); var
> date_ob=new Date();
> doc.Cracker='h2 =o; path=/;';var bust=date_ob.ge tSeconds();[/color]

Here I guess the proxy has replaced ".cookie" with ".Cracker". This
script attempts to set a cookie called "h2" with the value "o".
[color=blue]
> if(doc.Cracker. indexOf('e=llo' ) <= 0 && doc.Cracker.ind exOf('2=o') > 0){[/color]

It then does some testing on the cookies. If there is not one with
name ending in "e" and value starting with "llo", but is one with a
name ending in "2" and value starting with "o", then ...
[color=blue]
> doc.write('<scr '+'ipt language="javas cript"[/color]

it inserts a script tag on the page with a src file from ...
[color=blue]
> src="http://media.fastclick .net');[/color]

something that definitly smells like advertising.
[color=blue]
> doc.write('/w/pop.cgi?sid=299 5&m=2&v=1.5&u=' +url+'&c='+bust +'"></scr'+'ipt>');
> doc.Cracker='he =llo; path=/;';}} // -->
> </script>[/color]

Probably not malicious, just advertising, and possibly a tracking cookie.
I'd just keep my proxy running.

/L
--
Lasse Reichstein Nielsen - lrn@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'

Re: what is this script

Lasse Reichstein Nielsen wrote:[color=blue]
> abuse <abuse@127.0.0. 1> writes:
>
>[color=green]
>>this script is on a web page i visit i am not a java or any other code
>>programmer. is this malicious? should i be leary of this site?[/color]
>
>
>[color=green]
>><script language="Shone nScript 712.0"><!--[/color]
>
>
> I can see that you use a rewriting proxy (most likely Proxomitron).
> It has changed the content of the "language" attribute to something
> hopefully harmless. Most likely, your browser will ignore this
> script because it doesn't understand "ShonenScri pt">
>[color=green]
>>{var doc=document; var url=escape(doc. NoLocation.href ); var
>>date_ob=new Date();
>>doc.Cracker=' h2=o; path=/;';var bust=date_ob.ge tSeconds();[/color]
>
>
> Here I guess the proxy has replaced ".cookie" with ".Cracker". This
> script attempts to set a cookie called "h2" with the value "o".
>
>[color=green]
>>if(doc.Cracke r.indexOf('e=ll o') <= 0 && doc.Cracker.ind exOf('2=o') > 0){[/color]
>
>
> It then does some testing on the cookies. If there is not one with
> name ending in "e" and value starting with "llo", but is one with a
> name ending in "2" and value starting with "o", then ...
>
>[color=green]
>>doc.write('<s cr'+'ipt language="javas cript"[/color]
>
>
> it inserts a script tag on the page with a src file from ...
>
>[color=green]
>>src="http://media.fastclick .net');[/color]
>
>
> something that definitly smells like advertising.
>
>[color=green]
>>doc.write('/w/pop.cgi?sid=299 5&m=2&v=1.5&u=' +url+'&c='+bust +'"></scr'+'ipt>');
>>doc.Cracker=' he=llo; path=/;';}} // -->
>></script>[/color]
>
>
> Probably not malicious, just advertising, and possibly a tracking cookie.
> I'd just keep my proxy running.
>
> /L[/color]
thanks