PHP/C99SHELL: Backdoors! (xtgem.com)

1. --23:09:06-- http://fiturbaru.xtgem.com/index
2. => `index.1'
3. Resolving fiturbaru.xtgem.com... 188.95.50.112
4. Connecting to fiturbaru.xtgem.com|188.95.50.112|:80... connected.
5. HTTP request sent, awaiting response... 200 OK
6. Length: unspecified [text/html]
7.  
8. ↓↓
9.  
10. <SCRIPT TYPE="text/javascript" SRC=
11. "http://ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1"></SCRIPT>
12.  
13. ↓↓
14.  
15. //tor access... w/o user agent..
16.  
17. --2012-09-29 23:11:32-- http://ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1
18. Resolving localhost (localhost)... 127.0.0.1, ::1
19. Connecting to localhost (localhost)|127.0.0.1|:8118... connected.
20. Proxy request sent, awaiting response... 406 Not Acceptable
21. 2012-09-29 23:11:33 ERROR 406: Not Acceptable.
22.  
23. //tor access w/ user agent...
24. --2012-09-29 23:12:01-- http://ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1
25. Resolving localhost (localhost)... 127.0.0.1, ::1
26. Connecting to localhost (localhost)|127.0.0.1|:8118... connected.
27. Proxy request sent, awaiting response... 302 Found
28. Location: http://cookex.amp.yahoo.com/v2/cexposer/SIG=13o2kpq86/*http%3A//ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1 [following]
29. Warning: wildcards not supported in HTTP.
30. --2012-09-29 23:12:04-- http://cookex.amp.yahoo.com/v2/cexposer/SIG=13o2kpq86/*http%3A//ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1
31. Connecting to localhost (localhost)|127.0.0.1|:8118... connected.
32. Proxy request sent, awaiting response... 302 Found
33. Location: http://ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1&SIG=10vnrnd5m;x-cookie=s5hf9gy86r0qz&o=3&f=iw [following]
34. --2012-09-29 23:12:07-- http://ad.yieldmanager.com/imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http%3A%2F%2Ffiturbaru.xtem.com%2Findex&r=1&SIG=10vnrnd5m;x-cookie=s5hf9gy86r0qz&o=3&f=iw
35. Connecting to localhost (localhost)|127.0.0.1|:8118... connected.
36. Proxy request sent, awaiting response... 200 OK
37. Length: 839 [application/x-javascript]
38. Saving to: `imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http:%2F%2Ffiturbaru.xtem.com%2Findex&r=1'
39. 2012-09-29 23:12:12 (1.83 MB/s) - `imp?Z=468x60&s=3233302&_salt=528650755&B=10&u=http:%2F%2Ffiturbaru.xtem.com%2Findex&r=1' saved [839/839]
40.  
41. //browser's log:
42.  
43. ActiveXObject('ShockwaveFlash.ShockwaveFlash.2');
44. ActiveXObject('ShockwaveFlash.ShockwaveFlash.3');
45. ActiveXObject('ShockwaveFlash.ShockwaveFlash.4');
46. ActiveXObject('ShockwaveFlash.ShockwaveFlash.5');
47. ActiveXObject('ShockwaveFlash.ShockwaveFlash.6');
48. ActiveXObject('ShockwaveFlash.ShockwaveFlash.7');
49. ActiveXObject('ShockwaveFlash.ShockwaveFlash.8');
50. ActiveXObject('ShockwaveFlash.ShockwaveFlash.9');
51. [2012-09-29 23:19:58] [HTTP] URL: http://ad.xtendmedia.com/iframe3?AAAAABZWMQCTWP4AAAAAAMZGOgAAAAAAAgAAAAQAAAAAAP8AAAAHERVeSAAAAAAARANHAAAAAACy5U0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANoBUAAAAAAAIAAwAAgD8AaJn7mpsllz-uNCkF3V6iP0XT2cngKKk.LIcW2c73sz9U46WbxCCwP5qZmZmZmbk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUnnJPO-avDH4rlZwDYn.iH5wdqK9ak15cJ5zDAAAAAA==,,http%3A%2F%2Ffiturbaru.xtem.com%2Findex,B%3D10%26Z%3D468x60%26_salt%3D528650755%26r%3D1%26s%3D3233302,a961e780-0a3f-11e2-b2c2-fbaa664cf3de,1348927931551 (Status: 200, Referrer: None)
52. [2012-09-29 23:19:58] [HTTP Redirection (Status: 302)] Content-Location: http://ad.xtendmedia.com/iframe3?AAAAABZWMQCTWP4AAAAAAMZGOgAAAAAAAgAAAAQAAAAAAP8AAAAHERVeSAAAAAAARANHAAAAAACy5U0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANoBUAAAAAAAIAAwAAgD8AaJn7mpsllz-uNCkF3V6iP0XT2cngKKk.LIcW2c73sz9U46WbxCCwP5qZmZmZmbk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUnnJPO-avDH4rlZwDYn.iH5wdqK9ak15cJ5zDAAAAAA==,,http%3A%2F%2Ffiturbaru.xtem.com%2Findex,B%3D10%26Z%3D468x60%26_salt%3D528650755%26r%3D1%26s%3D3233302,a961e780-0a3f-11e2-b2c2-fbaa664cf3de,1348927931551 --> Location: http://ad.yieldmanager.com/iframe3?AAAAABZWMQCTWP4AAAAAAMZGOgAAAAAAAgAAAAQAAAAAAP8AAAAHERVeSAAAAAAARANHAAAAAACy5U0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANoBUAAAAAAAIAAwAAgD8AaJn7mpsllz-uNCkF3V6iP0XT2cngKKk.LIcW2c73sz9U46WbxCCwP5qZmZmZmbk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUnnJPO-avDH4rlZwDYn.iH5wdqK9ak15cJ5zDAAAAAA==,,http%3A%2F%2Ffiturbaru.xtem.com%2Findex,B%3D10%26Z%3D468x60%26_salt%3D528650755%26r%3D1%26s%3D3233302,a961e780-0a3f-11e2-b2c2-fbaa664cf3de,1348927931551
53.  
54. // cat it...found IFRAME..backdooring object..
55.  
56. document.write('<iframe allowtransparency=\"true\"
57. scrolling=\"no\" marginwidth=\"0\" marginheight=\"0\"
58. frameborder=\"0\" height=\"60\" width=\"468\"
59. src=\"http://ad.xtendmedia.com/iframe3?AAAAABZWMQCTWP
60. 4AAAAAAMZGOgAAAAAAAgAAAAQAAAAAAP8AAAAHERVeSAAAAAAARAN
61. HAAAAAACy5U0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
62. AAAAAAAAAAAAAAAAAAANoBUAAAAAAAIAAwAAgD8AaJn7mpsllz-uN
63. CkF3V6iP0XT2cngKKk.LIcW2c73sz9U46WbxCCwP5qZmZmZmbk.AAA
64. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUnnJPO-avDH4rl
65. ZwDYn.iH5wdqK9ak15cJ5zDAAAAAA==
66. ,,http%3A%2F%2Ffiturbaru.xtem.com%2Findex,B%3D10%26Z%3D468x60%26_salt%3D528650755%26r%3D1%26s%3D3233302
67. ,a961e780-0a3f-11e2-b2c2-fbaa664cf3de,1348927931551\"></iframe>');
68. var rm_data = new Object();
69. rm_data.creative_id = 16668819;
70. rm_data.offer_type = 3;
71. rm_data.entity_id = 675576;
72. if (window.rm_crex_data) {rm_crex_data.push(16668819);}
73.  
74. ↑↑ WTF Backdoor!!
75.  
76. VT:（１/４３） https://www.virustotal.com/file/ca387be9397de7173406dec7086607bd20ebc2a84fe8e6a026bea3f8787939c2/analysis/1348929146/
77.  
78. #MalwareMustDie!!