unixfreaxjp

PHP/C99SHELL: Backdoors! (xtgem.com)

Sep 29th, 2012
--23:09:06-- http://fiturbaru.xtgem.com/index
=> `index.1'
Resolving fiturbaru.xtgem.com... 188.95.50.112
Connecting to fiturbaru.xtgem.com|188.95.50.112|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

↓↓

<SCRIPT TYPE="text/javascript" SRC=
"http://ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1"></SCRIPT>

↓↓

//tor access... w/o user agent..

--2012-09-29 23:11:32-- http://ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:8118... connected.
Proxy request sent, awaiting response... 406 Not Acceptable
2012-09-29 23:11:33 ERROR 406: Not Acceptable.

//tor access w/ user agent...
--2012-09-29 23:12:01-- http://ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:8118... connected.
Proxy request sent, awaiting response... 302 Found
Location: http://cookex.amp.yahoo.com/v2/cexposer/SIG=13o2kpq86/*http%3A//ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1 [following]
Warning: wildcards not supported in HTTP.
--2012-09-29 23:12:04-- http://cookex.amp.yahoo.com/v2/cexposer/SIG=13o2kpq86/*http%3A//ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1
Connecting to localhost (localhost)|127.0.0.1|:8118... connected.
Proxy request sent, awaiting response... 302 Found
Location: http://ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1&SIG=10vnrnd5m;x-cookie=s5hf9gy86r0qz&o=3&f=iw [following]
--2012-09-29 23:12:07-- http://ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1&SIG=10vnrnd5m;x-cookie=s5hf9gy86r0qz&o=3&f=iw
Connecting to localhost (localhost)|127.0.0.1|:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 839 [application/x-javascript]
Saving to: `imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http:%2F%2Ffiturbaru.xtem.com%2Findex&r=1'
2012-09-29 23:12:12 (1.83 MB/s) - `imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http:%2F%2Ffiturbaru.xtem.com%2Findex&r=1' saved [839/839]

//browser's log:

ActiveXObject('ShockwaveFlash.ShockwaveFlash.2');
ActiveXObject('ShockwaveFlash.ShockwaveFlash.3');
ActiveXObject('ShockwaveFlash.ShockwaveFlash.4');
ActiveXObject('ShockwaveFlash.ShockwaveFlash.5');
ActiveXObject('ShockwaveFlash.ShockwaveFlash.6');
ActiveXObject('ShockwaveFlash.ShockwaveFlash.7');
ActiveXObject('ShockwaveFlash.ShockwaveFlash.8');
ActiveXObject('ShockwaveFlash.ShockwaveFlash.9');
[2012-09-29 23:19:58] [HTTP] URL: http://ad.xtendmedia.com/iframe3?AAAAABZWMQCTWP4AAAAAAMZGOgAAAAAAAgAAAAQAAAAAAP8AAAAHERVeSAAAAAAARANHAAAAAACy5U0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANoBUAAAAAAAIAAwAAgD8AaJn7mpsllz-uNCkF3V6iP0XT2cngKKk.LIcW2c73sz9U46WbxCCwP5qZmZmZmbk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUnnJPO-avDH4rlZwDYn.iH5wdqK9ak15cJ5zDAAAAAA==,,http%3A%2F%2Ffiturbaru.xtem.com%2Findex,B%3D10%26Z%3D468x60%26_salt%3D528650755%26r%3D1%26s%3D3233302,a961e780-0a3f-11e2-b2c2-fbaa664cf3de,1348927931551 (Status: 200, Referrer: None)
[2012-09-29 23:19:58] [HTTP Redirection (Status: 302)] Content-Location: http://ad.xtendmedia.com/iframe3?AAAAABZWMQCTWP4AAAAAAMZGOgAAAAAAAgAAAAQAAAAAAP8AAAAHERVeSAAAAAAARANHAAAAAACy5U0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANoBUAAAAAAAIAAwAAgD8AaJn7mpsllz-uNCkF3V6iP0XT2cngKKk.LIcW2c73sz9U46WbxCCwP5qZmZmZmbk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUnnJPO-avDH4rlZwDYn.iH5wdqK9ak15cJ5zDAAAAAA==,,http%3A%2F%2Ffiturbaru.xtem.com%2Findex,B%3D10%26Z%3D468x60%26_salt%3D528650755%26r%3D1%26s%3D3233302,a961e780-0a3f-11e2-b2c2-fbaa664cf3de,1348927931551 --> Location: http://ad.yieldmanager.com/iframe3?AAAAABZWMQCTWP4AAAAAAMZGOgAAAAAAAgAAAAQAAAAAAP8AAAAHERVeSAAAAAAARANHAAAAAACy5U0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANoBUAAAAAAAIAAwAAgD8AaJn7mpsllz-uNCkF3V6iP0XT2cngKKk.LIcW2c73sz9U46WbxCCwP5qZmZmZmbk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUnnJPO-avDH4rlZwDYn.iH5wdqK9ak15cJ5zDAAAAAA==,,http%3A%2F%2Ffiturbaru.xtem.com%2Findex,B%3D10%26Z%3D468x60%26_salt%3D528650755%26r%3D1%26s%3D3233302,a961e780-0a3f-11e2-b2c2-fbaa664cf3de,1348927931551

// cat it...found IFRAME..backdooring object..

document.write('<iframe allowtransparency=\"true\"
scrolling=\"no\" marginwidth=\"0\" marginheight=\"0\"
frameborder=\"0\" height=\"60\" width=\"468\"
src=\"http://ad.xtendmedia.com/iframe3?AAAAABZWMQCTWP
4AAAAAAMZGOgAAAAAAAgAAAAQAAAAAAP8AAAAHERVeSAAAAAAARAN
HAAAAAACy5U0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAANoBUAAAAAAAIAAwAAgD8AaJn7mpsllz-uN
CkF3V6iP0XT2cngKKk.LIcW2c73sz9U46WbxCCwP5qZmZmZmbk.AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUnnJPO-avDH4rl
ZwDYn.iH5wdqK9ak15cJ5zDAAAAAA==
,,http%3A%2F%2Ffiturbaru.xtem.com%2Findex,B%3D10%26Z%3D468x60%26_salt%3D528650755%26r%3D1%26s%3D3233302
,a961e780-0a3f-11e2-b2c2-fbaa664cf3de,1348927931551\"></iframe>');
var rm_data = new Object();
rm_data.creative_id = 16668819;
rm_data.offer_type = 3;
rm_data.entity_id = 675576;
if (window.rm_crex_data) {rm_crex_data.push(16668819);}

↑↑ WTF Backdoor!!

VT:(1/43) https://www.virustotal.com/file/ca387be9397de7173406dec7086607bd20ebc2a84fe8e6a026bea3f8787939c2/analysis/1348929146/

#MalwareMustDie!!