[Dshield] Unexpected html code ?

Johannes B Ullrich jullrich at euclidian.com
Wed Aug 27 12:20:01 GMT 2008


This looks just like what is left behind by a lot of the SQL injection  
exploits. Look at the modification timestamp on the file and check the web  
log for that timeframe. Doesn't always work, but with this type of exploit  
it should. Then rebuild.

On Aug 25, 2008, at 1:39, Ryan McConigley <ryan at csse.uwa.edu.au> wrote:

>
>    We got an interesting call from our network guys the other day.   
> Apparently their monitoring software had detected two machines on  
> our network exhibiting bot-like behaviour and would I look into it.   
> So I've been poking, prodding and thumping the machines to see what I  
> can discover.
>
>    Firstly, I'll admit there is a possibility these machines could  
> be infected with some sort of bot.  If they've got a rootkit  
> installed I wouldn't expect to see anything anyway, but doing a full  
> portscan doesn't pull up anything other than the expected Windows  
> ports.
>
>    I asked the network guy for more detailed information and the  
> best he could come up with was "the traffic is weird". He gave me the  
> destination IP and the ports; they go to port 8080 on a machine  
> in China.  Not quite a red flag, especially considering both the  
> people using the machines are from China and both their PhDs involve  
> network traffic.
>
>    The network guy has recommended a rebuild, but I want to find  
> something more suspicious myself since the machines in question  
> aren't really a standard build (Ahh, for a SOE, but I digress...)
>
>    Anyway, I've been doing a full packet dump on the IPs.  Still  
> haven't noticed any unusual traffic, but I did notice some weird  
> javascript in some html.  It looks like -->
>
> // NOTE(review): this is a dictionary packer, not an exploit payload by itself:
> // the replace() callback swaps every \w+ token for the word at that base-36
> // index in the comma-separated list that follows, and the result is eval()'d.
> // The unpacked source (see the partial decode further down) is a Flash Player
> // detection/embedding helper under the net.m3 namespace; the final packed
> // statement appears to be document.mmm_fo=1, the run-once marker this guard
> // tests. Its write() path appears to fall back to
> // document.location.replace(redirectUrl) only when a redirectUrl was set, and
> // the ad tag below sets none. The blob as archived is mailer-wrapped (the "!"
> // at the end of some lines, tokens split across lines), so diff it against a
> // clean copy of the library rather than trusting this listing.
> if (!document.mmm_fo) {
> eval(function(A,G){return A.replace(/(\w+)/g,function(a,b){return  
> G[parseInt(b,36)]})}("0(1 2==\n\"3\"\n) 4 2=5 6();0(1 2.7==\n 
> \"3\"\n) 2.7=5 6();0(1 2.7.8==\n\"3\"\n) 2.7.8=5 6();0(1 2.7.9==\n 
> \"3\"\n) 2.7.9=5 6();2.7.a=b(c,d,e,f,g,h,i,j,k,l,m){0 (!n.o||!n.p)  
> q;r.s=m?m:\n\'t\'\n;r.u=2.7.8.v(r.s);r.w=5 6();r.x=5 6();r.y=5  
> z();r.i=i;0(c) r.10(\n\'c\'\n,c);0(d) r.10(\n\'d\'\n,d);0(e) r.10(\n 
> \'11\'\n,e);0(f) r.10(\n\'12\'\n,f);0(g) r.10(\n\'13\'\n,5 2.7.14(g. 
> 15().16(\n\".\"\n)));r.17=2.7.9.18(r.19(\n\'13\'\n),i);0(h) r.1a(\n 
> \'1b\'\n,h);4 1c=j?j:\n\'1d\'\n;r.1a(\n\'j\'\n,1c);4 1e=(k)?k:1f. 
> 1g;r.10(\n\'k\'\n,1e);r.10(\n\'l\'\n,\n\'\'\n);0(l) r.10(\n\'l 
> \'\n,l);}\n2.7.a.1h={10:b(1i,1j){r.y[1i]=1j;},19:b(1i){q r.y[1i];}, 
> 1a:b(1i,1j){r.w[1i]=1j;},1k:b(){q r.w;},1l:b(1i,1j){r.x[1i]=1j;}, 
> 1m:b(1i){q r.x[1i];},1n:b(){q r.x;},1o:b(1p,1q){4 1r=n.o(\n\'1s\'\n); 
> 1r.10(\n\'1i\'\n,1p);1r.10(\n\'1j\'\n,1q);q 1r;},1t:b(){4 1u=5 z();4  
> 1v;4 x=r.1n();1w(1v 1x x){1u.1y(1v+\n\"=\"\n+x[1v]);}\nq 1u;},1z:b() 
> {4 20=\n\"\"\n;0 (21.22&&21.23&&21.23.24){0 (r.19(\n\"25\"\n)) r. 
> 1l(\n\"26\"\n,\n\"27\"\n);20=\n\'<28 29=\"2a/2b-2c-2d\" 2e=\"\'\n+r. 
> 19(\n\'c\'\n)+\n\'\" 11=\"\'\n+r.19(\n\'11\'\n)+\n\'\" 12=\"\'\n+r. 
> 19(\n\'12\'\n)+\n\'\"\'\n;20+=\n\' d=\"\'\n+r.19(\n\'d\'\n)+\n\'\"  
> 1i=\"\'\n+r.19(\n\'d\'\n)+\n\'\" \'\n;4 w=r.1k();1w(4 1v 1x w) 
> {20+=[1v]+\n\'=\"\'\n+w[1v]+\n\'\" \'\n;}\n4 2f=r.1t().2g(\n\"&\"\n); 
> 0 (2f.24>2h){20+=\n\'2i=\"\'\n+2f+\n\'\"\'\n;}\n20+=\n\'/>\'\n;} 2j  
> {0 (r.19(\n\"25\"\n)) r.1l(\n\"26\"\n,\n\"2k\"\n);20=\n\'<2l d=\"\'\n 
> +r.19(\n\'d\'\n)+\n\'\" 2m=\"2n:2o-2p-2q-2r-2s\" 11=\"\'\n+r.19(\n 
> \'11\'\n)+\n\'\" 12=\"\'\n+r.19(\n\'12\'\n)+\n\'\">\'\n;20+=\n\'<1s  
> 1i=\"2t\" 1j=\"\'\n+r.19(\n\'c\'\n)+\n\'\" />\'\n;4 w=r.1k();1w(4 1v  
> 1x w){20+=\n\'<1s 1i=\"\'\n+1v+\n\'\" 1j=\"\'\n+w[1v]+\n\'\" />\'\n;} 
> \n4 2f=r.1t().2g(\n\"&\"\n);0(2f.24>2h) 20+=\n\'<1s 1i=\"2i\" 1j= 
> \"\'\n+2f+\n\'\" />\'\n;20+=\n\"</2l>\"\n;}\nq 20;},2u:b(2v){0(r.i) 
> {4 2w=5 2.7.14([2x,2h,2y]);0 (r.17.2z(2w)&&!r.17.2z(r.19(\n 
> \'13\'\n))){r.10(\n\'25\'\n,30);r.1l(\n\"31\"\n,32!
> (r.19(\n
> \'k\'\n)));n.33=n.33.34(2h,35)+\n\" - 36 37 38\"\n;r.1l(\n\"39\"\n,n. 
> 33);}} 2j {r.10(\n\'25\'\n,3a);}\n0(r.u||r.19(\n\'25\'\n)||r.17.2z(r. 
> 19(\n\'13\'\n))){4 1p=(1 2v==\n\'3b\'\n)?n.p(2v):2v;1p.3c=r. 
> 1z();}2j{0(r.19(\n\'l\'\n) !=\n\"\"\n){n.1g.3d(r.19(\n\'l\'\n));}}}} 
> \n2.7.9.18=b(3e,3f){4 14=5 2.7.14(2h,2h,2h);0(21.22&&21.23.24){4  
> 2b=21.22[\n\"3g 36\"\n];0(2b&&2b.3h){14=5 2.7.14(2b.3h.3d(\n/ 
> ([3i-3j]|[3k-3l]|\\3m)+/,\n\"\"\n).3d(\n/(\\3m+3n|\\3m+3o[2h-3p]+)/, 
> \n\".\"\n).16(\n\".\"\n));}}2j{3q{4 3r=5 3s(\n\"3t.3t\"\n);1w (4  
> 3u=3v;3r!=3w;3u++){3r=5 3s(\n\"3t.3t.\"\n+3u);14=5 2.7.14([3u,2h, 
> 2h]);}}3x(3y){}\n0 (3e&&14.3z>3e.3z) q 14;0 (!3e||((3e.40 !=2h||3e. 
> 41 !=2h)&&14.3z==3e.3z)||14.3z !=2x||3f){3q{14=5 2.7.14(3r.42(\n 
> \"$13\"\n).16(\n\" \"\n)[43].16(\n\",\"\n));}3x(3y){}}}\nq  
> 14;}\n2.7.14=b(44){r.3z=45(44[2h])||2h;r.40=45(44[43])||2h;r. 
> 41=45(44[46])||2h;}\n2.7.14.1h.2z=b(47){0(r.3z<47.3z) q 3a;0(r. 
> 3z>47.3z) q 30;0(r.40<47.40) q 3a;0(r.40>47.40) q 30;0(r.41<47.41) q  
> 3a;q 30;}\n2.7.8={v:b(1s){4 1c=n.1g.48||n.1g.49.4a;0(1c){4 4b=1c. 
> 4c(1s+\n\"=\"\n);4 4d=(1c.4c(\n\"&\"\n,4b)>-43)?1c.4c(\n\"&\"\n,4b): 
> 1c.24;0 (1c.24>43&&4b>-43){q 1c.4e(1c.4c(\n\"=\"\n,4b)+43,4d);}}\nq\n 
> \"\"\n;},4f:b(1p){4g (1p.4h()) 1p.4i(1p.4j);}}\n0 (z.1h.1y==3w){z.1h. 
> 1y=b(4k){r[r.24]=4k;q r.24;}}\n4 4l=2.7.8.v;4 a=2.7.a;n. 
> 4m= 
> 43; 
> "," 
> if, 
> typeof, 
> net, 
> undefined, 
> var, 
> new, 
> Object, 
> m3, 
> util, 
> FlashObjectUtil, 
> FlashObject, 
> function, 
> swf, 
> id, 
> w,h 
> ,ver, 
> c,u 
> seExpressInstall, 
> quality, 
> xiRedirectUrl, 
> redirectUrl, 
> detectKey, 
> document, 
> createElement, 
> getElementById, 
> return, 
> this, 
> DETECT_KEY, 
> detectflash, 
> skipDetect, 
> getRequestParameter, 
> params, 
> variables, 
> attributes, 
> Array, 
> setAttribute, 
> width, 
> height, 
> version, 
> PlayerVersion, 
> toString, 
> split, 
> installedVer, 
> getPlayerVersion, 
> getAttribute, 
> addParam, 
> bgcolor, 
> q,h 
> igh, 
> xir, 
> window, 
> location, 
> prototype, 
> name, 
> value, 
> getParams, 
> addVariable, 
> getVariable, 
> getVariables, 
> createParamTag, 
> n,v 
> ,p, 
> param, 
> getVariablePairs, 
> variablePairs, 
> key, 
> for, 
> in, 
> push, 
> getFlashHTML, 
> flashNode, 
> navigator, 
> plugins, 
> mimeTypes, 
> length, 
> doExpressInstall, 
> MMplayerType,PlugIn,embed,type,application,x,shockwave,flash,s!
> rc,pairs
> ,join,0,flashvars,else,ActiveX,object,classid,clsid,D27CDB6E,AE6D, 
> 11cf,96B8,444553540000,movie,write,elementId,expressInstallReqVer, 
> 6,65,versionIsValid,true,MMredirectURL,escape,title,slice, 
> 47, 
> Flash, 
> Player, 
> Installation, 
> MMdoctitle, 
> false, 
> string, 
> innerHTML, 
> replace,reqVer,xiInstall,Shockwave,description,a,z,A,Z,s,r,b, 
> 9,try,axo,ActiveXObject,ShockwaveFlash,i, 
> 3,null,catch,e,major,minor,rev,GetVariable,1,arrVersion,parseInt, 
> 2,f 
> v,s 
> earch, 
> href, 
> hash, 
> startIndex, 
> indexOf, 
> endIndex, 
> substring, 
> removeChildren, 
> while, 
> hasChildNodes, 
> removeChild,firstChild,item,getQueryParamValue,mmm_fo".split(",")));
> }
> // NOTE(review): an ad-serving tag (MAX_/m3_ prefixes, ck.php?oaparams=...
> // bannerid=724__zoneid=573), not an exploit by itself. It builds HTML as a
> // string and injects it with document.write(): a div holding a 1x1 pixel from
> // fun.ynet.com, then an inline <script> that uses the FlashObject helper
> // unpacked above to embed a 728x90 .swf from the same host. The .swf's
> // alink1 click-through bounces via rec.ynet.com/ck.php to www.ftchinese.com;
> // the cb=%7Brandom%7D cache-buster macro was never expanded. Whatever
> // fun.ynet.com serves here runs with the embedding page's origin, so the .swf
> // and the ck.php redirect chain are the things to verify, not the packed
> // library above.
> var MAX_dbc22eec = '';
> MAX_dbc22eec += "<"+"div id=\'m3_ed13431b7de701405d703f25da7c8b5b\'  
> style=\'display: inline;\'><"+"img src=\'http://fun.ynet.com/www/images/1x1.gif\' 
>  alt=\'\' title=\'\' border=\'0\' /><"+"/div>\n";
> MAX_dbc22eec += "<"+"script type=\'text/javascript\'>\n";
> MAX_dbc22eec += "<"+"!--// <"+"![CDATA[\n";
> MAX_dbc22eec += "var fo = new FlashObject(\'http://fun.ynet.com/www/images/728__90.swf?alink1=http%3A%2F%2Frec.ynet.com%2Fck.php%3Foaparams%3D2__bannerid%3D724__zoneid%3D573__cb%3D%7Brandom%7D__maxdest%3Dhttp%3A%2F%2Fwww.ftchinese.com%2Fsc%2Fcpa%2Findex.jsp%3Fid%3D005000097%26ccode%3D2G081008&atar1=_blank\' 
> , \'mymovie\', \'728\', \'90\', \'7\');\n";
> MAX_dbc22eec += "fo.addParam(\'wmode\',\'transparent\');\n";
> // skipDetect = true: the helper's write() appears to skip the installed-version
> // check and always emit the object/embed markup into the element named below.
> MAX_dbc22eec += "fo.skipDetect = true;\n";
> MAX_dbc22eec += "fo.write(\'m3_ed13431b7de701405d703f25da7c8b5b\'); 
> \n";
> MAX_dbc22eec += "// ]]> -->\n";
> MAX_dbc22eec += "<"+"/script>\n";
> // Everything above is third-party markup written straight into the document.
> document.write(MAX_dbc22eec);
>
>
>    I decoded that top part to get:
>
> if(typeof net== "undefined" ) var net=new Object();if(typeof  
> net.m3== "undefined" ) net.m3=new Object();if(typeof net.m3.util==  
> "undefined" ) net.m3.util=new Object();if(typeof  
> net.m3.FlashObjectUtil== "undefined" ) net.m3.FlashObjectUtil=new  
> Object( 
> );n 
> et. 
> m3. 
> FlashObject= 
> function( 
> swf, 
> id, 
> w,h 
> ,ver,c,useExpressInstall,quality,xiRedirectUrl,redirectUrl,detectKey) 
> {if (!document.createElement||!document.getElementById)  
> return;this.DETECT_KEY=detectKey?detectKey:  
> 'detectflash' 
>  ;t 
> his. 
> skipDetect= 
> net.m3.util.getRequestParameter(this.DETECT_KEY);this.params=new  
> Object();this.variables=new Object();this.attributes=new  
> Array();this.useExpressInstall=useExpressInstall;if(swf)  
> this.setAttribute( 'swf' ,swf);if(id)  
> this.setAttribute( 'id' ,id);if(w)  
> this.setAttribute( 'width' ,w);if(h)  
> this.setAttribute( 'height' ,h);if(ver)  
> this.setAttribute( 'version' ,new  
> net. 
> m3. 
> PlayerVersion( 
> ver. 
> toString( 
> ).s 
> plit( 
>   
> "." 
>  )) 
> );t 
> his. 
> installedVer= 
> net. 
> m3. 
> FlashObjectUtil. 
> getPlayerVersion( 
> this.getAttribute( 'version' ),useExpressInstall);if(c)  
> this.addParam( 'bgcolor' ,c);var q=quality?quality:  
> 'high' ;this.addParam( 'quality' ,q);var xir=(xiRedirectUrl)? 
> xiRedirectUrl:window. 
> location; 
> this. 
> setAttribute( 
>  'xiRedirectUrl' ,xir);this.setAttribute( 'redirectUrl' ,  
> '' );if(redirectUrl)  
> this.setAttribute( 'redirectUrl' ,redirectUrl);}  
> net.m3.FlashObject.prototype={setAttribute:function(name,value) 
> {this.attributes[name]=value;},getAttribute:function(name){return  
> this.attributes[name];},addParam:function(name,value) 
> {this.params[name]=value;},getParams:function(){return  
> this.params;},addVariable:function(name,value) 
> {this.variables[name]=value;},getVariable:function(name){return  
> this.variables[name];},getVariables:function(){return  
> this.variables;},createParamTag:function(n,v){var  
> p=d 
> ocument. 
> createElement( 
>   
> 'param' 
>  );p.setAttribute( 'name' ,n);p.setAttribute( 'value' ,v);return  
> p;},getVariablePairs:function(){var variablePairs=new Array();var  
> key;var variables=this.getVariables();for(key in variables) 
> {variablePairs.push(key+ "=" +variables[key]);} return var!
> iablePai
> rs;},getFlashHTML:function(){var flashNode= "" ;if  
> (navigator.plugins&&navigator.mimeTypes&&navigator.mimeTypes.length) 
> {if (this.getAttribute( "doExpressInstall" ))  
> this.addVariable( "MMplayerType" , "PlugIn" );flashNode= '
>
>    Which seems to be a Flash Player version-detection and embedding  
> helper (the decoded names are net.m3.FlashObject, PlayerVersion and  
> getPlayerVersion), but it doesn't provide any link to a Flash Player  
> download.  Then in the lower half there are links to flash objects  
> which may or may not be suspicious.  (They look like banner ads when I  
> opened them in a sandbox).
>
>    So firstly, is this bad?  If it's not, any idea why someone would try  
> to encode the first half?  And next question, does anyone know of  
> anywhere/thing/way where I could check to see if this is an exploit  
> or just a false alarm?
>
>    Cheers,
>        Ryan.
> --
>          Ryan McConigley - Systems Administrator                  _.-,
>     Computer Science   University of Western Australia        .--'   
> '-._
>       Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089       _/`-   
> _      '.
> Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan   
> '----'._`.----. \
>                                                                      
> `     \;
> "You're just jealous because the voices are talking to  
> me"                ;_\
>
>
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at lists.sans.org
> To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list

