Find malicious link

  • ampersand
  • Born
  • Born
  • ampersand
  • Posts: 2

Post 3+ Months Ago

I need to find the method a previous developer is using to link to a malicious page on a clients site. The link is in the navbar (also a couple other places). It looks fine when viewing the source - but links to a malicious page. So I am assuming it is using a obfuscation method. I have tried disabling JavaScript and the link still goes to the page - so I have eliminated a JavaScript method - is this right?

Also I have done a few more well known techniques to find the source of the link.

I have done a grep -r maliciouspage.html * in the server root for the final malicious page
I have also:
grep ri body * | grep i iframe | grep i hidden - to find hidden iframes
grep -ri unescape * | grep -i eval - to find instances of unescape and eval in the same file
grep -r base64 * - to find instances of base64

but am pulling a major blank. Can anyone please help me with any other techniques I can try from the command line etc?
  • Anonymous
  • Bot
  • No Avatar
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post 3+ Months Ago

  • Daemonguy
  • Moderator
  • Web Master
  • User avatar
  • Posts: 2700
  • Loc: Somewhere outside the box in Sarasota, FL.

Post 3+ Months Ago

Does it have #include anywhere? Or is it embedding a CSS file?
  • ampersand
  • Born
  • Born
  • ampersand
  • Posts: 2

Post 3+ Months Ago

Sorry I'm not sure I understand what you mean?

Post Information

  • Total Posts in this topic: 3 posts
  • Users browsing this forum: No registered users and 1 guest
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.