Malware Domain List

Topic started by: cjeremy on May 27, 2008, 04:24:52 am

Title: chliyi.com sql injection
Post by: cjeremy on May 27, 2008, 04:24:52 am
Looks like another SQL injection occurred. Here are the URLs from my analysis:

Code:
www.chliyi.com/reg.js  (iframe injected)
     www.chliyi.com/img/info.htm (vbscript obfuscation)
            www.chliyi.com/img/real.htm  (exploit)
            www.chliyi.com/img/new.htm  (exploit)
            www.chliyi.com/img/help.htm  (exploit)
                    www.jj120.net/inc/fuckjp.exe  (bin from exploits)
                                www.hanme.cn/chs/faq/WLoader.exe  (gets this after above bin executes)
                                www.hanme.cn/chs/faq/FLoader.exe   (and then gets this)
                               

Virustotal results:
fuckjp.exe: http://www.virustotal.com/analisis/b886b982b374a082346c133c365415be
WLoader.exe: http://www.virustotal.com/analisis/5b3b142871a2c6e8d16dfad0eeebcc7d
FLoader.exe: http://www.virustotal.com/analisis/79157bf7e81c27b5d58eca72cbd24e28


Looks like ~10,000 sites have been hit by this.

Title: Re: chliyi.com sql injection
Post by: JohnC on May 27, 2008, 05:37:19 pm
Thank you.