[Dshield] Unexpected html code ?

Ryan McConigley ryan at csse.uwa.edu.au
Mon Aug 25 05:39:01 GMT 2008


	We got an interesting call from our network guys the other day.  Apparently their monitoring software had detected two machines on our network exhibiting bot-like behaviour and would I look into it.  So I've been poking, prodding and thumping the machines to see what I can discover.

	Firstly, I'll admit there is a possibility these machines could be infected with some sort of bot.  If they've got a rootkit installed I wouldn't expect to see anything anyway, but doing a full portscan doesn't pull up anything other than the expected Windows ports.

	I asked the network guy for more detailed information and the best he could come up with was "the traffic is weird".  He gave the destination IP and the ports, and they go to port 8080 on a machine in China.  Not quite a red flag, especially considering both the people using the machines are from China and both their PhDs involve network traffic.  

	The network guy has recommended a rebuild, but I want to find something more suspicious myself since the machines in question aren't really a standard build (Ahh, for a SOE, but I digress...)

	Anyway, I've been doing a full packet dump on the IPs.  Still haven't noticed any unusual traffic, but I did notice some weird javascript in some html.  It looks like --> 

// Run-once loader. The packed text below ends with `n.4m=43`, which the
// dictionary decodes to `document.mmm_fo=1`, so a second copy of this tag on
// the same page is a no-op.
if (!document.mmm_fo) {
// Token-substitution unpacker: every alphanumeric run in the first string is
// replaced by the dictionary entry (second argument, split on ",") at that
// base-36 index, and the result is eval()'d. The dictionary itself is plain
// text and names a Flash embed helper under the `net.m3` namespace
// (FlashObject, getPlayerVersion, MMplayerType, the well-known Shockwave Flash
// ActiveX clsid D27CDB6E-AE6D-11cf-96B8-444553540000), which matches the
// decoded listing further down this message. Packing of this shape is routine
// for shipped libraries and also for obfuscated payloads, so it is the
// unpacked output, not the presence of eval(), that has to be judged.
// NOTE(review): the raw line breaks inside the quoted string (after `0 ` and
// `4 `) are not legal inside a JS string literal; presumably mail-client
// wrapping of what was one long line — confirm against the original page.
eval(function(A,G){return A.replace(/(\w+)/g,function(a,b){return G[parseInt(b,36)]})}("0(1 2==\n\"3\"\n) 4 2=5 6();0(1 2.7==\n\"3\"\n) 2.7=5 6();0(1 2.7.8==\n\"3\"\n) 2.7.8=5 6();0(1 2.7.9==\n\"3\"\n) 2.7.9=5 6();2.7.a=b(c,d,e,f,g,h,i,j,k,l,m){0 (!n.o||!n.p) q;r.s=m?m:\n\'t\'\n;r.u=2.7.8.v(r.s);r.w=5 6();r.x=5 6();r.y=5 z();r.i=i;0(c) r.10(\n\'c\'\n,c);0(d) r.10(\n\'d\'\n,d);0(e) r.10(\n\'11\'\n,e);0(f) r.10(\n\'12\'\n,f);0(g) r.10(\n\'13\'\n,5 2.7.14(g.15().16(\n\".\"\n)));r.17=2.7.9.18(r.19(\n\'13\'\n),i);0(h) r.1a(\n\'1b\'\n,h);4 1c=j?j:\n\'1d\'\n;r.1a(\n\'j\'\n,1c);4 1e=(k)?k:1f.1g;r.10(\n\'k\'\n,1e);r.10(\n\'l\'\n,\n\'\'\n);0(l) r.10(\n\'l\'\n,l);}\n2.7.a.1h={10:b(1i,1j){r.y[1i]=1j;},19:b(1i){q r.y[1i];},1a:b(1i,1j){r.w[1i]=1j;},1k:b(){q r.w;},1l:b(1i,1j){r.x[1i]=1j;},1m:b(1i){q r.x[1i];},1n:b(){q r.x;},1o:b(1p,1q){4 1r=n.o(\n\'1s\'\n);1r.10(\n\'1i\'\n,1p);1r.10(\n\'1j\'\n,1q);q 1r;},1t:b(){4 1u=5 z();4 1v;4 x=r.1n();1w(1v 1x x){1u.1y(1v+\n\"=\"\n+x[1v]);}\nq 1u;},1z:b(){4 20=\n\"\"\n;0 (21.22&&21.23&&21.23.24){0 (r.19(\n\"25\"\n)) r.1l(\n\"26\"\n,\n\"27\"\n);20=\n\'<28 29=\"2a/2b-2c-2d\" 2e=\"\'\n+r.19(\n\'c\'\n)+\n\'\" 11=\"\'\n+r.19(\n\'11\'\n)+\n\'\" 12=\"\'\n+r.19(\n\'12\'\n)+\n\'\"\'\n;20+=\n\' d=\"\'\n+r.19(\n\'d\'\n)+\n\'\" 1i=\"\'\n+r.19(\n\'d\'\n)+\n\'\" \'\n;4 w=r.1k();1w(4 1v 1x w){20+=[1v]+\n\'=\"\'\n+w[1v]+\n\'\" \'\n;}\n4 2f=r.1t().2g(\n\"&\"\n);0 (2f.24>2h){20+=\n\'2i=\"\'\n+2f+\n\'\"\'\n;}\n20+=\n\'/>\'\n;} 2j {0 (r.19(\n\"25\"\n)) r.1l(\n\"26\"\n,\n\"2k\"\n);20=\n\'<2l d=\"\'\n+r.19(\n\'d\'\n)+\n\'\" 2m=\"2n:2o-2p-2q-2r-2s\" 11=\"\'\n+r.19(\n\'11\'\n)+\n\'\" 12=\"\'\n+r.19(\n\'12\'\n)+\n\'\">\'\n;20+=\n\'<1s 1i=\"2t\" 1j=\"\'\n+r.19(\n\'c\'\n)+\n\'\" />\'\n;4 w=r.1k();1w(4 1v 1x w){20+=\n\'<1s 1i=\"\'\n+1v+\n\'\" 1j=\"\'\n+w[1v]+\n\'\" />\'\n;}\n4 2f=r.1t().2g(\n\"&\"\n);0(2f.24>2h) 20+=\n\'<1s 1i=\"2i\" 1j=\"\'\n+2f+\n\'\" />\'\n;20+=\n\"</2l>\"\n;}\nq 20;},2u:b(2v){0(r.i){4 2w=5 2.7.14([2x,2h,2y]);0 
(r.17.2z(2w)&&!r.17.2z(r.19(\n\'13\'\n))){r.10(\n\'25\'\n,30);r.1l(\n\"31\"\n,32(r.19(\n\'k\'\n)));n.33=n.33.34(2h,35)+\n\" - 36 37 38\"\n;r.1l(\n\"39\"\n,n.33);}} 2j {r.10(\n\'25\'\n,3a);}\n0(r.u||r.19(\n\'25\'\n)||r.17.2z(r.19(\n\'13\'\n))){4 1p=(1 2v==\n\'3b\'\n)?n.p(2v):2v;1p.3c=r.1z();}2j{0(r.19(\n\'l\'\n) !=\n\"\"\n){n.1g.3d(r.19(\n\'l\'\n));}}}}\n2.7.9.18=b(3e,3f){4 14=5 2.7.14(2h,2h,2h);0(21.22&&21.23.24){4 2b=21.22[\n\"3g 36\"\n];0(2b&&2b.3h){14=5 2.7.14(2b.3h.3d(\n/([3i-3j]|[3k-3l]|\\3m)+/,\n\"\"\n).3d(\n/(\\3m+3n|\\3m+3o[2h-3p]+)/,\n\".\"\n).16(\n\".\"\n));}}2j{3q{4 3r=5 3s(\n\"3t.3t\"\n);1w (4 3u=3v;3r!=3w;3u++){3r=5 3s(\n\"3t.3t.\"\n+3u);14=5 2.7.14([3u,2h,2h]);}}3x(3y){}\n0 (3e&&14.3z>3e.3z) q 14;0 (!3e||((3e.40 !=2h||3e.41 !=2h)&&14.3z==3e.3z)||14.3z !=2x||3f){3q{14=5 2.7.14(3r.42(\n\"$13\"\n).16(\n\" \"\n)[43].16(\n\",\"\n));}3x(3y){}}}\nq 14;}\n2.7.14=b(44){r.3z=45(44[2h])||2h;r.40=45(44[43])||2h;r.41=45(44[46])||2h;}\n2.7.14.1h.2z=b(47){0(r.3z<47.3z) q 3a;0(r.3z>47.3z) q 30;0(r.40<47.40) q 3a;0(r.40>47.40) q 30;0(r.41<47.41) q 3a;q 30;}\n2.7.8={v:b(1s){4 1c=n.1g.48||n.1g.49.4a;0(1c){4 4b=1c.4c(1s+\n\"=\"\n);4 4d=(1c.4c(\n\"&\"\n,4b)>-43)?1c.4c(\n\"&\"\n,4b):1c.24;0 (1c.24>43&&4b>-43){q 1c.4e(1c.4c(\n\"=\"\n,4b)+43,4d);}}\nq\n\"\"\n;},4f:b(1p){4g (1p.4h()) 1p.4i(1p.4j);}}\n0 (z.1h.1y==3w){z.1h.1y=b(4k){r[r.24]=4k;q r.24;}}\n4 4l=2.7.8.v;4 
a=2.7.a;n.4m=43;","if,typeof,net,undefined,var,new,Object,m3,util,FlashObjectUtil,FlashObject,function,swf,id,w,h,ver,c,useExpressInstall,quality,xiRedirectUrl,redirectUrl,detectKey,document,createElement,getElementById,return,this,DETECT_KEY,detectflash,skipDetect,getRequestParameter,params,variables,attributes,Array,setAttribute,width,height,version,PlayerVersion,toString,split,installedVer,getPlayerVersion,getAttribute,addParam,bgcolor,q,high,xir,window,location,prototype,name,value,getParams,addVariable,getVariable,getVariables,createParamTag,n,v,p,param,getVariablePairs,variablePairs,key,for,in,push,getFlashHTML,flashNode,navigator,plugins,mimeTypes,length,doExpressInstall,MMplayerType,PlugIn,embed,type,application,x,shockwave,flash,src,pairs,join,0,flashvars,else,ActiveX,object,classid,clsid,D27CDB6E,AE6D,11cf,96B8,444553540000,movie,write,elementId,expressInstallReqVer,6,65,versionIsValid,true,MMredirectURL,escape,title,slice,47,Flash,Player,Installation,MMdoctitle,false,string,innerHTML,replace,reqVer,xiInstall,Shockwave,description,a,z,A,Z,s,r,b,9,try,axo,ActiveXObject,ShockwaveFlash,i,3,null,catch,e,major,minor,rev,GetVariable,1,arrVersion,parseInt,2,fv,search,href,hash,startIndex,indexOf,endIndex,substring,removeChildren,while,hasChildNodes,removeChild,firstChild,item,getQueryParamValue,mmm_fo".split(",")));
}
// Banner placement: the markup for one ad slot is assembled as a string and
// handed to document.write(). The inner <script> then asks the FlashObject
// helper (unpacked in the block above) to embed a 728x90 SWF into the div.
// The `m3_` element id and `MAX_` variable prefix look like an ad-server's
// per-placement tokens (presumably OpenX/MAX — not verified here).
//
// Written as an array of fragments rather than a chain of `+=`. The original
// split every tag as "<"+"script" so the host page's HTML parser would not see
// "<!--" or "</script>" inside an inline script and cut the script short; the
// \x3c escapes below produce the identical characters at runtime while keeping
// those sequences out of the source text for the same reason.
//
// `var` is deliberate: this runs at top level of a classic script, and the
// original creates a global binding of that name.
var MAX_dbc22eec = [
  // Container the movie is written into, preceded by a 1x1 image.
  "<div id='m3_ed13431b7de701405d703f25da7c8b5b' style='display: inline;'>"
    + "<img src='http://fun.ynet.com/www/images/1x1.gif' alt='' title='' border='0' /></div>\n",
  "\x3cscript type='text/javascript'>\n",
  "\x3c!--// \x3c![CDATA[\n",
  // FlashObject(swf, id, width, height, requiredVersion) per the decoded
  // constructor signature. The SWF URL's query string carries a click-through
  // URL (alink1, itself an ad-server redirect) and a target (atar1); these are
  // presumably read by the movie, not by this script.
  "var fo = new FlashObject('http://fun.ynet.com/www/images/728__90.swf?alink1=http%3A%2F%2Frec.ynet.com%2Fck.php%3Foaparams%3D2__bannerid%3D724__zoneid%3D573__cb%3D%7Brandom%7D__maxdest%3Dhttp%3A%2F%2Fwww.ftchinese.com%2Fsc%2Fcpa%2Findex.jsp%3Fid%3D005000097%26ccode%3D2G081008&atar1=_blank', 'mymovie', '728', '90', '7');\n",
  "fo.addParam('wmode','transparent');\n",
  // In the packed helper, write() appears to honour skipDetect ahead of its
  // installed-version check (`0(r.u||...` decodes to `if(this.skipDetect||...`),
  // so the embed is written regardless of the detected player version.
  "fo.skipDetect = true;\n",
  "fo.write('m3_ed13431b7de701405d703f25da7c8b5b');\n",
  "// ]]> -->\n",
  "\x3c/script>\n",
].join("");
document.write(MAX_dbc22eec);


	I decoded that top part to get: 

if(typeof net== "undefined" ) var net=new Object();if(typeof net.m3== "undefined" ) net.m3=new Object();if(typeof net.m3.util== "undefined" ) net.m3.util=new Object();if(typeof net.m3.FlashObjectUtil== "undefined" ) net.m3.FlashObjectUtil=new Object();net.m3.FlashObject=function(swf,id,w,h,ver,c,useExpressInstall,quality,xiRedirectUrl,redirectUrl,detectKey){if (!document.createElement||!document.getElementById) return;this.DETECT_KEY=detectKey?detectKey: 'detectflash' ;this.skipDetect=net.m3.util.getRequestParameter(this.DETECT_KEY);this.params=new Object();this.variables=new Object();this.attributes=new Array();this.useExpressInstall=useExpressInstall;if(swf) this.setAttribute( 'swf' ,swf);if(id) this.setAttribute( 'id' ,id);if(w) this.setAttribute( 'width' ,w);if(h) this.setAttribute( 'height' ,h);if(ver) this.setAttribute( 'version' ,new net.m3.PlayerVersion(ver.toString().split( "." )));this.installedVer=net.m3.FlashObjectUtil.getPlayerVersion(this.getAttribute( 'version' ),useExpressInstall);if(c) this.addParam( 'bgcolor' ,c);var q=quality?quality: 'high' ;this.addParam( 'quality' ,q);var xir=(xiRedirectUrl)?xiRedirectUrl:window.location;this.setAttribute( 'xiRedirectUrl' ,xir);this.setAttribute( 'redirectUrl' , '' );if(redirectUrl) this.setAttribute( 'redirectUrl' ,redirectUrl);} net.m3.FlashObject.prototype={setAttribute:function(name,value){this.attributes[name]=value;},getAttribute:function(name){return this.attributes[name];},addParam:function(name,value){this.params[name]=value;},getParams:function(){return this.params;},addVariable:function(name,value){this.variables[name]=value;},getVariable:function(name){return this.variables[name];},getVariables:function(){return this.variables;},createParamTag:function(n,v){var p=document.createElement( 'param' );p.setAttribute( 'name' ,n);p.setAttribute( 'value' ,v);return p;},getVariablePairs:function(){var variablePairs=new Array();var key;var variables=this.getVariables();for(key in 
variables){variablePairs.push(key+ "=" +variables[key]);} return variablePairs;},getFlashHTML:function(){var flashNode= "" ;if (navigator.plugins&&navigator.mimeTypes&&navigator.mimeTypes.length){if (this.getAttribute( "doExpressInstall" )) this.addVariable( "MMplayerType" , "PlugIn" );flashNode= '

	Which seems to be a check to install a flash player, but doesn't provide any links to a flash player.  Then in the lower half there are links to flash objects which may or may not be suspicious.  (They look like banner ads when I opened them in a sandbox).

	So firstly, is this bad?  If it's not, any idea why someone would try to encode the first half?  And next question, does anyone know of anywhere/thing/way where I could check to see if this is an exploit or just a false alarm?

	Cheers, 
		Ryan.
--
          Ryan McConigley - Systems Administrator                  _.-,
     Computer Science   University of Western Australia        .--'  '-._
       Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089       _/`-  _      '.
Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan  '----'._`.----. \
                                                                     `     \;
 "You're just jealous because the voices are talking to me"                ;_\





