
Inetguards

A few minutes ago my ICQ password was hacked, and this was written on my behalf: "Look at what is going on with your system, I keep getting viruses from you. Scan your computer here, everything gets cleaned quickly: inetguards.com, and there you can also make it so that the account cannot be hacked."

I followed the link and looked at the source.
Yeah, the script decodes something.
Apparently that is not enough for it, and it decodes further: '/'+hex_md5('b2eb45d8838702e4f8483cb70a6d2f81')
which, once done, should take us to inetguards.com/f4e50176f7b4297adb3776ed25706ac8 .

I went there and got the same page... I refreshed it and got blocked by IP; the site no longer responds to requests.

The investigation is ongoing.
whois says that the domain is registered to Andrei Luchenko.
By the way, the IP for the domain has already changed; it was 78.140.152.146 (there is an assumption that it is still working).

Latest news:


We will look for other methods. While I am deciphering, the session time on the site is expiring; we don't have time... I will set up a sniffer and take the risk!

More recent news:


If you follow the link in a browser, the server returns a 403 error...

Well, let us consider in order what it does.

First

hstr is the string that the server generates.
It is decoded like this:
    for(i = 0;i < 358;i++)document.write(String.fromCharCode(hstr.charCodeAt(i) + 1));
Take the ASCII code of each character, add one, and turn it back into a character.
Second

The result is a new script that gets added to the document.
What is in it? More decoding, of course. This time everything is simpler: it is just urlencode. Run unescape on it and we get...
Third

We get another script that computes the md5 of some string
(for example, like this: hex_md5('b2eb45d8838702e4f8483cb70a6d2f81'))
and appends it through a slash to our current URL.
What awaits us at the other end, I don't know. If any of you got to the end after all, please write, I would be very grateful.

My guess: the server generates a pair of keys and sends one of them to the client in encoded form (first urlencode + javascript, then the charcode subtraction + javascript). The client decodes it fairly quickly, generates the md5 hash and follows the link. What is there, I don't know...
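To reproduce the three layers described above without executing the page's script in a browser, here is an added static decoder (my own example, not code from the post or the site). It assumes the innermost script has the shape quoted above (location redirect plus hex_md5 of a 32-hex-character seed); the sample hstr is constructed inline by applying the two outer layers in reverse, it is not a capture from the real page.

```python
import hashlib
import re
from urllib.parse import quote, unquote

# Layer 1: the page emitted hstr with every character shifted down by one;
# the inline loop shifted each one back up before document.write().
def undo_charcode_shift(hstr: str, offset: int = 1) -> str:
    return "".join(chr(ord(c) + offset) for c in hstr)

# Layer 2: the shifted output is a URL-encoded script, so unescape() it.
# Python's unquote does not handle JS-style %uXXXX escapes; this sample has none.
def undo_urlencode(payload: str) -> str:
    return unquote(payload)

# Layer 3: the final script hashes a seed with hex_md5 and appends it to the URL.
SEED_RE = re.compile(r"hex_md5\('([0-9a-f]{32})'\)")

def derive_redirect_path(script: str, base: str = "inetguards.com") -> str:
    m = SEED_RE.search(script)
    if m is None:
        raise ValueError("no hex_md5 seed found in decoded script")
    # md5 here only mirrors the scam's own URL derivation; it is not a security use.
    return base + "/" + hashlib.md5(m.group(1).encode("ascii")).hexdigest()

# Constructed sample (hypothetical, not captured from the real site): what the
# innermost script might have looked like, using the seed quoted in the post.
INNER = "<script>location.href+='/'+hex_md5('b2eb45d8838702e4f8483cb70a6d2f81');</script>"

def build_sample_hstr(inner: str = INNER) -> str:
    # Reverse of the decode order: URL-encode everything, then shift every char down by 1.
    return "".join(chr(ord(c) - 1) for c in quote(inner, safe=""))

def decode_all(hstr: str) -> tuple[str, str]:
    """Return (decoded inner script, redirect path it would compute)."""
    script = undo_urlencode(undo_charcode_shift(hstr))
    return script, derive_redirect_path(script)

if __name__ == "__main__":
    decoded, path = decode_all(build_sample_hstr())
    print(decoded)
    print(path)
```

The decoder uses the string length rather than the hard-coded 358 from the original loop, so it also works on a different-length capture.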

Well, the latest news


I got to the site.
Title: White PC, protect your computer.
Center: a Flash animation that pretends to be a virus scan. Clicking inside, we get a license agreement.

After the license agreement comes an offer to send an SMS to the number 3858 (the cost stated on the website is 2 rubles; the real cost is 300-360 rubles).

Whois data:


Administrative Contact:
Lucenko Andrey
Email: phonecontroller@bk.ru
Organization: Private person
Address: ul. Profsouznaya, 22, kv.340
City: Moscow
State: Moscow obl.
ZIP: 345768
Country: RU
Phone: +7.4345234567
Fax: +7.4934524567

And finally

I sent a letter to the company that registered this number.
As soon as I receive an answer, I will publish it immediately.

Thank you all very much for your patience, I go to bed.

Source: https://habr.com/ru/post/80979/

