Recently I came across some webpages that were referring to the Redkit malware. The page that I was directed to contained some javascript like the following:
!40!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72
!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e
!4e!69!2d!2c!76
Then I noticed in the javascript that it was subtracting 5 from the hex values after the !40 was converted to a hex value.
So I built this quick python script to convert the hex to decimal subtract 5 and then back to hex. (I also noticed another webpage variation that would subtract 7)
#!/usr/bin/env python
ins = open("temp", "r")
array = []
for line in ins:
print hex(int(line, 16) - 5)
Then I used the hex to ASCII converter to pull the websites out that I was interested in seeing that were being obfuscated.
Subscribe to:
Post Comments (Atom)
-
Here is a quick walk through of GetBoo. The first item that I found was you can harvest the usernames of the existing users that are regist... -
As I was glancing through the logs of my honeypots I spent some time to look at the following logs. In the past I have just overlooked them... -
I ran a Nikto scan and found the following vulnerability in the report that it produces: "OSVDB-637: Enumeration of users is possible...
-
I thought I would work through a few of these web applications provided by OWASP on their broken web applications VM. The first one I th... -
In the honeypot I found over 276 requests for cgi files that could be accessed to leverage the shellshock vulnerability documented as CVE-20...
No comments:
Post a Comment