A Google search for "loj7g domainname" turns up nothing, so here is the background, even though it means admitting our own shame.
A worm is out: an intelligent Windows worm that runs on your PC, looks for FTP programs (in our case FileZilla was installed on the victim PC) and decodes their saved passwords. It then connects to those servers and infects every file by appending the following at the bottom of the page:
DISCLAIMER: THE CODE BELOW IS TAKEN FROM AN INFECTED FILE, AND IS FOR EDUCATIONAL PURPOSES ONLY!
Very interesting!
Let the hacking begin...
"echo(gzinflate(base64_decode("
So three PHP functions:
base64_decode — Decodes data encoded with MIME base64
gzinflate — Inflate a deflated string
echo - well, prints it
So when our dear PHP runs this part of the infected code it gives the following output:
Now the guy is using JavaScript to do something funny:
document.createTextNode, well, creates a new text node, which can be added to any element of the document.
After that the clever author has used HTML entity encoding throughout, plus a loop that iterates to build up a string. What is that string?
Let's just change eval() to document.write() and bingo, here is what we get:
Simple JavaScript, which creates a hidden frame and opens the URL http:///forum.php?tp=9bc7b8fc6901cd02. I can't actually connect to that URL, but pinging it returns this IP:
And the IP address belongs to:
And the whois record says:
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
Traceroute runs for quite some time and says this:
What else? Yeah, who is this superpuperdomain.com? The whois record gives a clear-cut name and address, but I don't want to put it on my blog; if you are keen, just do a whois.
See, the guy wants to know how many sites he has infected and pat himself on the back! But every thief leaves a trail, and gets caught.
And as for you: keep a good anti-virus and firewall on your PC, or just be safe, be protected, get a Mac!
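As an added, defender-side example (not code from the original post): a small Python script that statically peels the echo(gzinflate(base64_decode(...))) wrapper described above, layer by layer, without executing any of it; the JavaScript stage still has to be read by hand, as the post does with eval() swapped for document.write(). The sample page, the marker payload and the helper names are constructed for this example.

```python
import base64
import re
import zlib

# Matches the wrapper the post shows: gzinflate(base64_decode("...")).
# Whatever surrounds it (echo(, eval() is irrelevant: nothing here is executed.
WRAPPER = re.compile(
    r"gzinflate\(\s*base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)"
)

def gzinflate(data: bytes) -> bytes:
    """Python equivalent of PHP gzinflate(): raw DEFLATE, no zlib/gzip header."""
    return zlib.decompress(data, -15)

def gzdeflate(text: str) -> bytes:
    """PHP gzdeflate() equivalent; used only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(text.encode()) + comp.flush()

def unpack_layers(source: str, max_layers: int = 10) -> list:
    """Statically peel nested gzinflate(base64_decode(...)) layers.

    Returns the decoded payloads outermost first. Each decoded layer is
    searched again for the same wrapper, because packers are often stacked;
    a blob that is not valid raw DEFLATE stops the walk instead of guessing.
    """
    layers = []
    current = source
    for _ in range(max_layers):
        match = WRAPPER.search(current)
        if match is None:
            break
        blob = base64.b64decode(re.sub(r"\s", "", match.group(1)))
        try:
            current = gzinflate(blob).decode("utf-8", errors="replace")
        except zlib.error:
            break
        layers.append(current)
    return layers

# Constructed two-layer sample of an "infected" page. The marker stands in
# for the injected script the post describes; it is not the real payload.
INNER = "<script>/* CONSTRUCTED_MARKER */</script>"
LAYER1 = 'echo(gzinflate(base64_decode("%s")));' % base64.b64encode(gzdeflate(INNER)).decode()
SAMPLE_PAGE = ('<html><body>clean page</body></html>\n<?php '
               'echo(gzinflate(base64_decode("%s"))); ?>'
               % base64.b64encode(gzdeflate(LAYER1)).decode())

if __name__ == "__main__":
    for depth, layer in enumerate(unpack_layers(SAMPLE_PAGE), 1):
        print("layer %d: %s" % (depth, layer[:72]))
```

Run it against a suspected file's contents instead of SAMPLE_PAGE to see each decoded layer without ever handing the blob to PHP.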
1 comments:
>> or just be safe, be protected,
>> get a Mac!
Or Ubuntu :). Not everybody has 70K :)