
Even XXXSpam Links is F*SMART to grab referer now...:-) #MMD

MalwareMustDie Oct 26th, 2012 128 Never
  1. Even Spam Links is SO SMART grabbing referer now...:-) #MMD
  2. ------------------------
  3.  
  4. $ myfetch h00p://anallovevid.com/1010/in.cgi
  5.  
  6. --h00p_proxy = h00p://192.168.7.11:8118"
  7. --output-document="./sample"
  8. --referer="h00p://www.google.com/search?q=youtube"
  9. --user-agent="Mozila/4.3 (X11; U; MacOSX)"
  10. --target=h00p://anallovevid.com/1010/in.cgi
  11.  
  12. --00:15:07--  h00p://anallovevid.com/1010/in.cgi
  13.            => `./sample'
  14. Connecting to 192.168.7.11:8118... connected.
  15. Proxy request sent, awaiting response... 200 OK
  16. Length: unspecified [text/html]
  17. 00:15:08 (8.26 KB/s) - `./sample' saved [2256]
  18.  
  19. ------------------------
  20.  
  21. // voila! ↓
  22.  
  23. <div style="background:#ffffff;width:100%;height:100%;">
  24. <a href='h00p://anallovevid.com/1010/in.cgi?default&hdrxu=0&skhdv=0&ptwwd=1&pzlek=0'><font color="#ffffff">Click here</font></a>
  25. </div>
  26.  
  27. // voila! ↓
  28.  
  29. <script type="text/javascript"><!--
  30.  
  31. var hdrxu = 0;  // [analyst note] flag reported to the server as &hdrxu=
  32. if( top.frames.length ) hdrxu = 1;  // [analyst note] 1 when the top window holds at least one frame (presumably marks a framed visit)
  33.  
  34.  
  35. var skhdv = 0;  // [analyst note] flag reported to the server as &skhdv=
  36. datawindow=Size();
  37. if( datawindow[0] < 301 || datawindow[1] < 201 ) skhdv=1;  // [analyst note] 1 when the viewport is under 301 wide or 201 high
  38. if( Width() < 301 || Height() < 201 ) skhdv=1;  // [analyst note] same thresholds applied to a second measurement
  39. // [analyst note] The destination below is stored as a reversed string and restored by urlde(); reversed it reads h00p://anallovevid.com/1010/in.cgi?default (defanged).
  40. // [analyst note] The redirect reports both flags plus the Referer the server received (h00p_REFERER=...); a fetcher that does not run JavaScript never issues this second request.
  41. window.location=urlde("tluafed?igc.ni/0101/moc.divevollana//:ptth")+"&hdrxu="+hdrxu+"&skhdv="+skhdv+"&pzlek=2941759435&ur=1&h00p_REFERER=h00p%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fq%3Dyoutube";
  42.  
  43. function urlde(s)  // [analyst note] despite the name this is not URL decoding: it returns s with its characters in reverse order
  44. {  // [analyst note] the plain destination string never appears in the page source, so a static match on the domain misses it; match the reversed string as well
  45.         return s.split("").reverse().join("");
  46. }
  47.  
  48. function Size() {  // [analyst note] returns [width, height] of the viewport from the first of three browser APIs that answers
  49.   var myWidth = 0, myHeight = 0;
  50.   if( typeof( window.innerWidth ) == 'number' ) {
  51.     //Non-IE
  52.     myWidth = window.innerWidth;
  53.     myHeight = window.innerHeight;
  54.   } else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {
  55.     //IE 6+ in 'standards compliant mode'
  56.     myWidth = document.documentElement.clientWidth;
  57.     myHeight = document.documentElement.clientHeight;
  58.   } else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {
  59.     //IE 4 compatible
  60.     myWidth = document.body.clientWidth;
  61.     myHeight = document.body.clientHeight;
  62.   }
  63. // [analyst note] when no branch matched both values are still 0, which the caller's "< 301 / < 201" test treats as a small viewport
  64.         return [ myWidth, myHeight ];
  65. }
  66.  
  67. function Width() {  // [analyst note] second width measurement: hands three candidate readings to Results(), using 0 where an object or value is missing
  68.         return Results (
  69.                 window.innerWidth ? window.innerWidth : 0,
  70.                 document.documentElement ? document.documentElement.clientWidth : 0,
  71.                 document.body ? document.body.clientWidth : 0
  72.         );
  73. }
  74. function Height() {  // [analyst note] second height measurement: hands three candidate readings to Results(), using 0 where an object or value is missing
  75.         return Results (
  76.                 window.innerHeight ? window.innerHeight : 0,
  77.                 document.documentElement ? document.documentElement.clientHeight : 0,
  78.                 document.body ? document.body.clientHeight : 0
  79.         );
  80. }
  81. function Results(n_win, n_docel, n_body) {  // [analyst note] returns the smallest non-zero of the three readings, or 0 when all are zero/missing
  82.         var n_result = n_win ? n_win : 0;
  83.         if (n_docel && (!n_result || (n_result > n_docel)))  // [analyst note] take n_docel when nothing is set yet or it is smaller
  84.                 n_result = n_docel;
  85.         return n_body && (!n_result || (n_result > n_body)) ? n_body : n_result;  // [analyst note] same rule for n_body
  86. }
  87.  
  88. //--></script>
  89.  
  90.  
  91. ーーーーーーーーーーー
  92.  
  93. // requesting.....
  94.  
  95. h00p://anallovevid.com/1010/in.cgi?default&hdrxu=0&skhdv=0&pzlek=2941759435&ur=1&h00p_REFERER=h00p%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fq%3Dyoutube
  96.  
  97.  
  98. // ↑looks like my referer url was put into the request's h00p_REFERER parameter, interesting...
  99. // so these morons are checking whether the referer is real / matches or not ..
  100. // sorry we are SMARTER!
  101.  
  102. // let's do some plastic surgery on the target url...
  103. h00p://anallovevid.com/1010/in.cgi?default&hdrxu=0&skhdv=0&pzlek=2941759435&ur=1&h00p_REFERER=h00p%3A%2F%2Fanallovevid%2Ecom%2F1010%2Fin%2Ecgi%3Fdefault
  104.  
  105. // and use exactly the same url as the referer
  106. h00p://anallovevid.com/1010/in.cgi?default
  107.  
  108.  
  109. $ myfetch "h00p://anallovevid.com/1010/in.cgi?default&hdrxu=0&skhdv=0&pzlek=2941759435&ur=1&h00p_REFERER=h00p%3A%2F%2Fanallovevid%2Ecom%2F1010%2Fin%2Ecgi%3Fdefault"
  110.  
  111. --h00p_proxy = h00p://192.168.7.11:8118"
  112. --referer="h00p://anallovevid.com/1010/in.cgi?default"
  113. --user-agent="Mozila/4.3(X11; U; MacOSX)"
  114. --target="h00p://anallovevid.com/1010/in.cgi?default&hdrxu=0&skhdv=0&pzlek=2941759435&ur=1&h00p_REFERER=h00p%3A%2F%2Fanallovevid%2Ecom%2F1010%2Fin%2Ecgi%3Fdefault"
  115. --output-document=""./sample2""
  116.  
  117.  
  118. --00:28:41--  h00p://anallovevid.com/1010/in.cgi?default&hdrxu=0&skhdv=0&pzlek=2941759435&ur=1&h00p_REFERER=h00p%3A%2F%2Fanallovevid%2Ecom%2F1010%2Fin%2Ecgi%3Fdefault
  119.            => `./sample2'
  120. Connecting to 192.168.7.11:8118... connected.
  121. Proxy request sent, awaiting response... 302 Found
  122. Location: h00p://anallovevid.com/index.php [following]
  123. --00:28:48--  h00p://anallovevid.com/index.php
  124.            => `./sample2'
  125. Connecting to 192.168.7.11:8118... connected.
  126. Proxy request sent, awaiting response... 200 OK
  127. Length: 5,162 (5.0K) [text/html]
  128. 00:29:00 (1.59 KB/s) - `./sample2' saved [5162/5162]
  129.  
  130.  
  131. // now we got index.php...
  132. // what's this?
  133.  
  134. $ head ./sample2
  135.  
  136. <title>XXX Search :: blowjob</title>
  137. <meta h00p-equiv="Content-Type" content="text/html; charset=UTF-8" />
  138. <meta h00p-equiv="refresh" content="600; URL=search.php?q=blowjob" />
  139. <link rel="STYLESHEET" type="text/css" href="/templates/adult-9/search.css">
  140.  
  141. // my goodness.. I rest my case...LOL
  142.  
  143. #MalwareMustDie