0

When looking at a hacked site I found the following redirect:

<html><head><div style='display:none'>http://www.example1.net</div>
<meta http-equiv='refresh' content='1;http://www.example2.org/?q=EDdrug'>
</head><body></body></html>

I found an explanation for how the second part of the redirect worked here:

Redirect from an HTML page

My browser redirects to the 2nd URL. I would like to understand what the first part of this redirect is doing. I am assuming that is probably there for other types of browsers. Can someone explain it to me?

Community
  • 1
  • 1
David Stevens
  • 1

1 Answers1

0

I will explain line by line:

<html><head><div style='display:none'>http://www.example1.net</div>

Here an html page,head part and a div is started using the <html>,<head> and <div> tags. The </div>ends the started div and also it is invisible due to its attribute <div style='display:none'>.

That's all for the first line and it does not redirect to the url in the first line because it is just served as plain text.Actually by starting a div the head tag is closed.

The second line:

<meta http-equiv='refresh' content='1;http://www.example2.org/?q=EDdrug'>

It does is to redirect to the given URL within the content attribute after a second(content='1;).

The third line:

It closes the html tag and also starts a body tag and closes it without any data inside.It also ends the head tag again which is ended by the use of a tag inside the head tag

If you want more clarification feel free to comment and ask

ABHISHEK V ASHOK
  • 89
  • 15
  • You're wrong about the third line. The div has already implicitly closed the head and started the body, so the `` tags are discarded as errors. – Quentin Mar 21 '15 at 10:56
  • Updated and sorry for that. I hope you could up vote so that I can continue my work @Quentin. Sorry if I asked for an upvote – ABHISHEK V ASHOK Mar 21 '15 at 11:05
  • Why would a hacker bother with that first line if it does nothing? The real domains that I replaced with example1.net and example2.org are both active rogue pharmacy sites with obvious pharmacy site names. – David Stevens Mar 23 '15 at 02:10
  • It is so as to confuse you.I now doubt that there are some more script in the page or the page is being validated by a server @DavidStevens – ABHISHEK V ASHOK Mar 23 '15 at 10:37
  • Just for your information. No reply is required. There was nothing more on the page. The redirect page was sent to the browser by a script in a PHP file. The script determined what was sent. If the user agent was not a search site bot and the referrer was a search site page then it sent the redirect page. If the user agent was a search site bot it would send a spammy page to the bot to create search listings. If the user agent was a browser and referrer was not a search site then it sent a 404 to the browser. – David Stevens Mar 24 '15 at 15:46
  • @DavidStevens I did't understand the above – ABHISHEK V ASHOK Mar 25 '15 at 06:22