Sunday, September 27, 2009

Koobface on my Facebook II

Well, while I was starting to write up a post describing what the JavaScript file does, I found another link for Koobface on my Facebook! This time from a different domain: h t t p ://www.blackjackorchestra.eu/privaledwd/. This link does the exact same thing as the one in the previous post, except for a few differences in their PHP script quality :), as well as a few other minor changes. In my previous post, I described how the server-side script checked to see if you gave it a valid User-Agent before sending you the JavaScript in the content. This site does the same thing, but I guess some debug info was left in it! Here's the content that's sent back if you send it a request that does not contain a User-Agent header:
Request & Response (using netcat):
C:\>nc www.blackjackorchestra.eu 80
GET /privaledwd/ HTTP/1.1
HOST: www.blackjackorchestra.eu

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.1.1
X-Powered-By: ASP.NET
Date: Sun, 27 Sep 2009 15:32:28 GMT
Connection: close

<br />
<b>Notice</b>:  Undefined index:  HTTP_USER_AGENT in <b>d:\www\blackjackorchestra.eu\htdocs\privaledwd\index.php</b> on line <b>30</b><br />
<br />
<b>Notice</b>:  Undefined index:  HTTP_USER_AGENT in <b>d:\www\blackjackorchestra.eu\htdocs\privaledwd\index.php</b> on line <b>37</b><br />
<br />
<b>Notice</b>:  Undefined variable: rscript in <b>d:\www\blackjackorchestra.eu\htdocs\privaledwd\index.php</b> on line <b>42</b><br />
<title>Amazing Video</title>
ocwdtreifoyocrb egzcqgtcfx
<img src=afjo4blr.jpg>
ocecaahcqgeuzk qduzqsc
PHP Notice:  Undefined index:  HTTP_USER_AGENT in d:\www\blackjackorchestra.eu\htdocs\privaledwd\index.php on line 30
PHP Notice:  Undefined index:  HTTP_USER_AGENT in d:\www\blackjackorchestra.eu\htdocs\privaledwd\index.php on line 37
PHP Notice:  Undefined variable: rscript in d:\www\blackjackorchestra.eu\htdocs\privaledwd\index.php on line 42
Someone forgot to take out their debug info! Hahaha :) Well, if you do send a valid User-Agent, this is the content that gets sent back:
zzmjqoqvri byiktuysec
<script src="9r.js"></script> 
yadoemvy ilxnsxiilmsnqbb
Also, the JavaScript file is exactly the same, except for different random names for the variables, and two different IP addresses. The script in the last post had these two addresses: 59.93.80.251, 79.182.37.95. The script in this post doesn't have those two addresses, but has these two instead: 217.132.126.129, 90.17.65.193. Well, I think that covers it for this new Koobface URL. Now onto writing about that JavaScript...
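An added example, not part of the original post: a small Python triage script that takes the two response bodies quoted above (embedded here as trimmed, constructed samples), extracts the leaked PHP notices, and reports what only the User-Agent-bearing request receives. The function and variable names are this example's own.

```python
import re

# Constructed sample: the two response bodies quoted in the post, trimmed.
NO_UA_BODY = r"""<br />
<b>Notice</b>:  Undefined index:  HTTP_USER_AGENT in <b>d:\www\blackjackorchestra.eu\htdocs\privaledwd\index.php</b> on line <b>30</b><br />
<b>Notice</b>:  Undefined variable: rscript in <b>d:\www\blackjackorchestra.eu\htdocs\privaledwd\index.php</b> on line <b>42</b><br />
<title>Amazing Video</title>
<img src=afjo4blr.jpg>
PHP Notice:  Undefined index:  HTTP_USER_AGENT in d:\www\blackjackorchestra.eu\htdocs\privaledwd\index.php on line 30
"""
WITH_UA_BODY = 'zzmjqoqvri byiktuysec\n<script src="9r.js"></script>\nyadoemvy ilxnsxiilmsnqbb\n'

# Matches both the HTML-formatted notice and the plain "PHP Notice:" form.
NOTICE = re.compile(
    r"Notice(?:</b>)?:\s+Undefined (index|variable):\s+(\w+) in "
    r"(?:<b>)?(.+?)(?:</b>)? on line (?:<b>)?(\d+)")
REF = re.compile(r"<(script|img)\s+src=[\"']?([^\"'\s>]+)", re.I)


def leaked_notices(body):
    """De-duplicated (kind, name, path, line) records from PHP notices in a body."""
    records = []
    for kind, name, path, line in NOTICE.findall(body):
        rec = (kind, name, path, int(line))
        if rec not in records:
            records.append(rec)
    return records


def payload_refs(body):
    """(tag, src) pairs for script/img references, quoted or unquoted."""
    return [(tag.lower(), src) for tag, src in REF.findall(body)]


def summarize(no_ua, with_ua):
    """Compare the two variants: what leaked, and what only a UA-bearing request gets."""
    notices = leaked_notices(no_ua)
    scripts_no_ua = {s for t, s in payload_refs(no_ua) if t == "script"}
    scripts_ua = {s for t, s in payload_refs(with_ua) if t == "script"}
    return {
        "missing_request_keys": sorted({n for k, n, _, _ in notices if k == "index"}),
        "server_paths": sorted({p for _, _, p, _ in notices}),
        "source_lines": sorted({ln for _, _, _, ln in notices}),
        "script_only_with_ua": sorted(scripts_ua - scripts_no_ua),
    }


if __name__ == "__main__":
    print(summarize(NO_UA_BODY, WITH_UA_BODY))
```

The `missing_request_keys` field shows which request-derived array index the script read without checking it exists, which is how the notices confirm the User-Agent gate described in the post.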
