I've stumbled upon a trick where the browser displays an error page (PHP MySQL error, cPanel error, or page not found) with HTTP response 200, but the page actually contains malicious JavaScript code on the backend to exploit users when it is loaded.
[Figure: Deceiving Error Page with HTTP Response 200]
Until recently I had never encountered an error page with HTTP response 404 that still contains JavaScript code to redirect users to an exploit page. Silly me, as I always thought that a 404 error page would give a genuine page not found error (a reason to be lazy :P).
[Figure: 404 Error Page (with HTTP Response 404)]
[Figure: Embedded JS Files from Drupal CMS]
That error page contains several script tags with Drupal's default JavaScript files as their sources. Unfortunately, all of those JavaScript files have had obfuscated code appended that redirects users to a malicious site through an iframe.
[Figure: Embedded Obfuscated JS Code]
[Figure: Deobfuscated JS Code]
This trick is quite effective at deceiving analysts who lack attention to detail, especially when they rely solely on the HTTP response code as their first filter when starting their analysis.
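A triage check in the spirit of the point above, added here as an example and not taken from the post: it inspects response bodies instead of trusting the status code, flagging error pages that carry script or iframe tags, hidden iframes on any page, and script files that show obfuscation markers. The sample URLs, response bodies and the obfuscation patterns are constructed assumptions, not data from the post.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    url: str
    status: int
    content_type: str
    body: str


SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# 1x1 or invisible frames are a common way to load a second site unnoticed.
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                       r"\b(?:width|height)\s*=\s*[\"']?[01]\b", re.I)
# Assumed obfuscation markers: eval of decoded strings, char-code string
# building, or long runs of percent/hex escapes.
OBF_RE = re.compile(r"eval\s*\(|unescape\s*\(|String\.fromCharCode|"
                    r"(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}", re.I)


def triage(responses):
    """Return [(url, [reasons])] for responses worth a closer look,
    judged on body content rather than on the HTTP status code."""
    findings = []
    for r in responses:
        reasons = []
        if "javascript" in r.content_type.lower():
            if OBF_RE.search(r.body):
                reasons.append("script file contains obfuscated code")
        else:
            scripts = SCRIPT_RE.findall(r.body)
            iframes = IFRAME_RE.findall(r.body)
            if r.status >= 400 and (scripts or iframes):
                reasons.append(f"HTTP {r.status} error page carries script/iframe")
            if any(OBF_RE.search(s) for s in scripts):
                reasons.append("obfuscated inline script")
            if any(HIDDEN_RE.search(f) for f in iframes):
                reasons.append("hidden iframe")
        if reasons:
            findings.append((r.url, reasons))
    return findings


# Constructed sample responses modelled on the cases described in the post.
SAMPLES = [
    Response("http://example.test/missing", 404, "text/html",
             "<html><body><h1>Not Found</h1></body></html>"),
    Response("http://example.test/dberror", 200, "text/html",
             "<html><body>Database error<iframe src='http://bad.example/x' width=1 height=1></iframe></body></html>"),
    Response("http://example.test/gone", 404, "text/html",
             "<html><body>Page not found<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'))</script></body></html>"),
    Response("http://example.test/misc/drupal.js", 200, "application/javascript",
             "var Drupal = Drupal || {};\ndocument.write(String.fromCharCode(60,105,102,114,97,109,101));"),
]
```

Running `triage(SAMPLES)` flags every sample except the plain 404, regardless of whether it came back as 200 or 404.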
Another trick that needs to be handled carefully is redirection to a domain parking page, where we might think that the malicious site has already been taken down by the hosting company.