RSS
 

createCSS farligare än den ser ut

12 Apr

Jag upptäckte för några dagar sen en större malwareattack. Vanliga hemsidor hackas och html-kod som anropar extern javascriptkod läggs in på indexsidorna. Jag har lokaliserat 284 olika sidor som används för visa javascriptkoden, samtliga sidor har antagligen hackats.

http://213.175.200.227/js.php
http://213.175.200.233/js.php
http://4nicetime.com/search.php
http://70.86.154.56/js.php
http://abarquitectos.com.pe/search.php
http://abecasinsight.com/search.php
http://agmorganizasyon.com/search.php
http://aircodeac.com/search.php
http://air-link.ws/js.php
http://akyurtemlak.net/counter.php
http://akyurtemlak.net/js.php
http://albagrafica.com/counter.php
http://alcrealty.com/js.php
http://alomextrusions.com/js.php
http://alom.in/js.php
http://alqreenxp.com/js.php
http://aluminiumcasting.net/js.php
http://anekinox.comlu.com/search.php
http://animeshowtime.com/js.php
http://anvikur.tmweb.ru/js.php
http://anwarulquranonline.com/search.php
http://apicons.com.ar/search.php
http://apolomedicspa.com/search.php
http://arabnursing.org/search.php
http://arrowsoleight.com/search.php
http://art.milleniumstudio.pl/js.php
http://assca.fr/search.php
http://attackmediagroup.com/search.php
http://attakornw.comuv.com/search.php
http://autosjulios.com/js.php
http://babychicny.com/search.php
http://balticaniechorze.pl/search.php
http://batecho.eu/js.php
http://beninmarket.com/search.php
http://bestforexacademy.com/js.php
http://biegajski.pl/js.php
http://billrobinsonmusic.com/search.php
http://blogswho.com/search.php
http://bodyfashionperu.com/search.php
http://bodyhome.co.uk/js.php
http://briancampbell.co.uk/js.php
http://buygiftstoindia.com/search.php
http://bymixproduction.com/counter.php
http://callieandcompany.com/search.php
http://canas-bg.com/js.php
http://carreramaleconcampeche.com/js.php
http://casadown.herobo.com/search.php
http://catcumhuriyetyibo.k12.tr/js.php
http://catmuftulugu.gov.tr/js.php
http://cef.co.pt/js.php
http://cennetpansiyon.com/search.php
http://centurycfs.com/js.php
http://chicharito.pl/js.php
http://chipmaster.pt/counter.php
http://cihanbeylininsesigazetesi.com/search.php
http://cinkfranchise.com/search.php
http://clientzone.saturn.tj/js.php
http://cnslis.com/search.php
http://colincampbell.co.uk/js.php
http://comfortseatings.com/search.php
http://computerscienceandmedia.com/search.php
http://cyber-ink.com/search.php
http://dalyanhaber.com/js.php
http://dalyanhomes.net/js.php
http://dalyanrentacar.com/js.php
http://dalyantr.com/js.php
http://debianne.webd.pl/search.php
http://denturessheffield.co.uk/js.php
http://design-maniacs.com/search.php
http://diehlsorchard.com/search.php
http://dl.rap-melody.com/search.php
http://d-mubd3.com/search.php
http://donnamania.com/search.php
http://dreaklandmt2.com/js.php
http://duygusalforum.net/js.php
http://ecoalarm.org/js.php
http://ecofriendlyartists.com/search.php
http://eglen.biz/counter.php
http://ekudakov.ru/js.php
http://emma-bunton.net/search.php
http://energieressourcen.eu/js.php
http://equine-mortality.com/js.php
http://erenerdogan.com.tr/js.php
http://escortbayanla.com/search.php
http://escort-siteleri.net/search.php
http://estudio-zero.com/search.php
http://evelyncampbell.co.uk/js.php
http://extremoskateparkmovil.com/search.php
http://eynesil28.com/search.php
http://eyupliseliler.com/search.php
http://f-3.com.sg/search.php
http://fashionjolik.com/js.php
http://fatmagulunsucuneizle.in/js.php
http://fethiyecarrental.net/js.php
http://filoilkogretim.com/counter.php
http://forextradingglobal.com/js.php
http://fotosnimka.com/js.php
http://four-directions.org/search.php
http://fragata.com.ar/js.php
http://freestyles.xaa.pl/search.php
http://gamefountain.com/js.php
http://gencer.org/js.php
http://GERIH.ORG/search.php
http://girlsgames.me/js.php
http://godswithguns.site90.com/search.php
http://goldensilkscreening.com/search.php
http://gomezteam.ro/search.php
http://goodandbaddrivers.hostzi.com/search.php
http://gpz1357.pdnetworks.pl/js.php
http://grzenio.webd.pl/js.php
http://hairizate.com/search.php
http://harikatatil.com/search.php
http://haydikampa.com/search.php
http://herkimer.com/search.php
http://herocyn.com/search.php
http://highpoint-asia.com/js.php
http://hkorte.net/search.php
http://hkorte.nl/search.php
http://hospital-noticias.com/search.php
http://hosting0013924.az.pl/js.php
http://hsbilisim.net/search.php
http://ideascampechanas.com/js.php
http://ilanozel.com/search.php
http://immobilien-ml.com/search.php
http://influx-website-promotion.com/search.php
http://internetmarketing-tips.net/js.php
http://introplastik.ru/js.php
http://inversionesminerasartc.com/search.php
http://istanbulkulturdans.com/js.php
http://jkarquitectos.com/search.php
http://Kadiyadra.org/js.php
http://kastamonuhaber37.com/search.php
http://katolik4motion.hostoi.com/search.php
http://katosteelthai.com/search.php
http://keynetikfusion.com/search.php
http://khadijahtulquran.com/search.php
http://ki123web.info/search.php
http://konhaber.com/js.php
http://kumarscars.com/search.php
http://l2agony.site90.net/search.php
http://lafaramizda.com/counter.php
http://letfollow.us/js.php
http://limarbis.webd.pl/search.php
http://linkads.in/js.php
http://livezilla.802-x.com/search.php
http://lowcost-car-insurance.com/search.php
http://maciejweigel.pl/js.php
http://marketingnorg.nl/js.php
http://masozescort.com/counter.php
http://mbld.co.uk/search.php
http://mercancicekevi.com/search.php
http://miechowianka.krakow.pl/js.php
http://mijnbernerbende.nl/js.php
http://miloevents.com/js.php
http://mothabroon.com/search.php
http://mujeres-gratis.com/search.php
http://municipiodecampeche.gob.mx/js.php
http://my-garden.pl/js.php
http://nagalla.com/search.php
http://nass.nanolv.com/counter.php
http://navtrack.eu/js.php
http://neotravel.xaa.pl/search.php
http://neroli.com.pl/counter.php
http://neroli.com.pl/js.php
http://neroli.com.pl/search.php
http://networkfairy.com/search.php
http://newperformance.pt/search.php
http://obuwiewl.webd.pl/search.php
http://oceanpacifico.com/js.php
http://oh-geri.fanfusion.org/search.php
http://ohmysole.com/search.php
http://olayspor.net/search.php
http://omegasystems.eu/counter.php
http://optimistbenin.com/search.php
http://osiolkowo.xpag.pl/search.php
http://paintball35.com/js.php
http://pancampeche.org/js.php
http://passionostra.com/js.php
http://pawelmakowski.pl/js.php
http://perih.milleniumstudio.pl/js.php
http://perubrand.com/search.php
http://pesat11jakarta.co.cc/search.php
http://pharmtechsonly.com/search.php
http://pink2cake.com/js.php
http://pirci.com/counter.php
http://pixelwebware.com/js.php
http://pixelwebware.in/js.php
http://pixin.com/js.php
http://playguitarmusiclessons.com/search.php
http://policysimulator.org/counter.php
http://prosuregroup.com/js.php
http://przejrzystaoswiata.pl/js.php
http://psa.krakow.pl/counter.php
http://psa.krakow.pl/js.php
http://puertociudad.mx/js.php
http://pvp-forum.com/js.php
http://quadrapol.milleniumstudio.pl/js.php
http://radicalcosmetics.com/search.php
http://raswiedza.xaa.pl/search.php
http://rewards-palace.com/search.php
http://riarenterprises.com/search.php
http://rifatozkan.com.tr/search.php
http://ropaultra.uphero.com/search.php
http://rotaryklubpancevo.org/search.php
http://sagitta.cp5.win.pl/js.php
http://saglikalemi.com/js.php
http://salecyprus.com/js.php
http://scresurs.kz/js.php
http://secretsimages.com/js.php
http://sharpwebmarketing.com/search.php
http://shatrappz.com/search.php
http://shopriderphilippines.com/search.php
http://shsilver.com/search.php
http://skoopa.com/js.php
http://skracanie.pl/js.php
http://small-servers.com/js.php
http://soal.comuv.com/search.php
http://soscz.ru/js.php
http://starcevo.org.rs/search.php
http://steljanjazaj.host56.com/search.php
http://studiodada.biz/js.php
http://studiodada.biz/search.php
http://support.802-x.com/search.php
http://tanierodzinnezakupy.vot.pl/counter.php
http://targulbisericesc.eu/search.php
http://tazzandersonenterprises.com/search.php
http://tearapy-thailand.com/search.php
http://tekstlandschap.nl/search.php
http://telecomfoundation.com.pk/search.php
http://telemundial.tv/search.php
http://terkom.pl/search.php
http://testzone.saturn.tj/js.php
http://tinydl9.netau.net/search.php
http://tmeg.info/search.php
http://travelbymile.com/js.php
http://unicornteleservices.com/search.php
http://uniqueclassicvideo.com/search.php
http://up.milleniumstudio.pl/js.php
http://vacha.org.in/js.php
http://watorachacha.com/search.php
http://wmakler.star-kom.pl/js.php
http://woweb.biz/js.php
http://www.3doi.com/js.php
http://www.3doq.com/js.php
http://www.acnenomorev.info/js.php
http://www.adamsforwarding.com/js.php
http://www.advertisewithventure.com/js.php
http://www.agen-gamat.com/counter.php
http://www.agmorganizasyon.com/js.php
http://www.andhraruchi.com/search.php
http://www.ankarahavalari.net/counter.php
http://www.ankarahavalari.net/js.php
http://www.avv-roermond.nl/counter.php
http://www.bbwonlinedating.info/js.php
http://www.bestfullgames.com/js.php
http://www.bm69.com/js.php
http://www.broilmastergrills.org/js.php
http://www.butterflyfashion.eu/js.php
http://www.charliesheennews.info/js.php
http://www.floridagas.net/js.php
http://www.forextradingglobal.com/js.php
http://www.freemuslimpartner.com/search.php
http://www.gazetevan.com/js.php
http://www.gemininirman.com/js.php
http://www.geranges.info/js.php
http://www.immobilien-ml.com/search.php
http://www.internetmarketing-tips.net/js.php
http://www.mediapembelajaranonline.web.id/js.php
http://www.m-norte.net/js.php
http://www.mortgagecapped.com/js.php
http://www.myspice.ro/js.php
http://www.obatalami-2u.com/search.php
http://www.optikazoom.si/search.php
http://www.pfmfastdl.ptclans.info/js.php
http://www.protegeanalytics.com/search.php
http://www.ruyacafe.net/js.php
http://www.saglikalemi.com/js.php
http://www.therioclub.com/search.php
http://www.vallesmanteniments.com/js.php
http://www.vallesmanteniments.com/search.php
http://www.zintec.be/js.php
http://yalecontrols.com/search.php
http://zarabianiewnecie24.com.pl/js.php
http://zlinki.com/search.php

Javascriptet som anropas ser till en början oskyldig ut, namnet på funktionen är createCSS och scriptet kontrollerar user agent och kör en datumfunktion. Jag har inte gått genom de exakta funktionerna i scriptet men en trolig gissning är att user agenten kontrolleras för att se att det är en riktig webbläsare som körs och att även datumfunktionen kontrollerar detta.

Men efter dessa kommando blir scriptet mer uppenbart. Jag har lagt till radbrytningen för tydlighetens skull och bara tagit med början av den krypterade delen av scriptet.

Resultatet av javascriptkoden är att den via iframe anropar en ny sida. De 284 sidor jag hittat anropar någon av:

http://offers.daddycrafts.com/news/2010
http://builder.rockstargraphicdesign.com/news/2010
http://top.threejonline.com/news/last

Just nu lyckas jag dock endast få dessa sidor att ge 404-fel eller skicka vidare till Google. Men man kan se att något inte är som det ska vara. Testar jag att hämta http://offers.daddycrafts.com/news/2010 med wget rapporteras det att webbservern är lighthttpd.

Går jag in på sidan med Firefox får jag däremot felmeddelande som anger att det är webbservern nginx som körs.

 

Tags: , , ,

Lämna en kommentar