Re: Malicious javascript obfuscation

"Wong Yung" wrote:
> Wow. Thanks very much for the info. And thanks heaps for
> unobfuscating the stuff in javascript. Hmmm... looking at the
> castlecops link it looks like we aren't the only ones who were hacked
> using the same thing. Do you have any idea why the links go to
> kaonline.biz? I'm trying to work out what role they play in all of
> this.

I don't know if they are involved. They say they're being attacked,
so you could report it to them, but as far as I can tell there is no
exploit if the redirect is to kaonline.biz.

If I use wget on the "e7da7.in" link, I get redirected to kaonline.
However, if I use telnet, the redirection is to:

ht_p://66.36.241.243/expd/index.php

(I've munged the "http" in case anyone's click-happy)

That's where the malicious code is, and I found a different (and more
obfuscated) exploit to what you posted before.

Where you are redirected, and what exploit is served up, probably
depends on the User-Agent header of the HTTP request.
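
The wget-versus-telnet comparison described in the post above can be scripted; this is an added example, not part of the original post. It requests one URL under several User-Agent values (including none, as a hand-typed telnet request would send) without following redirects, and flags differing answers. The local server, the `*.example` hosts and the agent strings are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_redirects(host, port, path, user_agents, timeout=5):
    """GET `path` once per User-Agent without following redirects; None sends
    no User-Agent header at all. Returns {user_agent: (status, Location)}."""
    results = {}
    for ua in user_agents:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            headers = {} if ua is None else {"User-Agent": ua}
            conn.request("GET", path, headers=headers)
            resp = conn.getresponse()
            resp.read()
            results[ua] = (resp.status, resp.getheader("Location"))
        finally:
            conn.close()
    return results

def differs_by_user_agent(results):
    """True when at least two clients got a different status or Location."""
    return len(set(results.values())) > 1

class ConstructedHandler(BaseHTTPRequestHandler):
    """Constructed local stand-in for a redirector that keys on User-Agent."""
    def do_GET(self):
        ua = self.headers.get("User-Agent") or ""
        target = "http://decoy.example/" if ua.startswith("Wget") else "http://other.example/"
        self.send_response(302)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    """Probe the constructed server on a loopback port; return the results."""
    server = HTTPServer(("127.0.0.1", 0), ConstructedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        agents = ["Wget/1.10", None, "Mozilla/4.0 (compatible; MSIE 6.0)"]
        return probe_redirects("127.0.0.1", server.server_address[1], "/", agents)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Because redirects are never followed, only the `Location` header is recorded and no content from the redirect target is fetched.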