Author Topic: jetdots.cn  (Read 3440 times)


December 10, 2008, 03:47:36 am

hhhobbit

I was considering removing this host because MVPHosts is removing it:

porno-traffic.biz

and then I followed your link,

wget porno-traffic.biz/movies/in.cgi\?2

That hops over and pulls down the index.html file from jetdots.cn.  If you look at some of the
downloads in the index.html file from jetdots.cn and get some of them, i.e.:

wget hxxp://jetdots.cn/view_video.php\?viewkey\=78bd83e0a727608b5db0
wget hxxp://jetdots.cn/view_video.php\?viewkey\=2f5d98d3c79b195f2b29

You end up with a file named ipod_mp4-windows-player.exe.  I finally learned to attach the viewkey number in front of each of them.  They
are all the same size for the ones I have looked at so far.  They are concatenating three sections to make up each file.  They are
(using hex the boundaries of the middle section may not be exact)

00000 - 0a1d4  :  Section one - always the same
0a1d5 - 0a21d  :  Different for each file (section two)
0a21e - 399F6  :  Section three - always the same

It is a NullSoft install package without copyright strings (7 bit), and the only 16 bit little endian strings are:

MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg

There are no 16 bit big-endian, 32 bit little-endian, or 32 bit big-endian strings.  So far no AntiVirus program
thinks it is bad (but my years of experience warn me to beware).  Well, I will check it again right now at
scanner.virus.org.

Avira AntiVir               :   DR/Zlob.Gen
Norman Virus Control  :   Zlob.DBCS

I think we have a winner.  All of them got skunked on it this morning at Jotti.  I don't know why.  But
guess what - my rule in my PAC filter?

BadDomains[i++] = ".cn";   // YOUR CHOICE - MalWare

Now you know why I have it.  If you never go to Chinese domains on your own, going to something like this one from the bounce / redirect may be the only way you will get there.  Oh yes, I am retaining the block of porno-traffic.biz and www.porno-traffic.biz in my hosts file despite yet another rule in my PAC filter stopping it.  Here are all of the files from jetdots.cn in order.

hxxp://jetdots.cn/view_video.php?viewkey=0a1841b3b3728321e708
hxxp://jetdots.cn/view_video.php?viewkey=0d4eacb9a3e6e53e5448
hxxp://jetdots.cn/view_video.php?viewkey=0d4eacb9a3e6e53e5448
hxxp://jetdots.cn/view_video.php?viewkey=1715466cd580a448cf82
hxxp://jetdots.cn/view_video.php?viewkey=1a3bb7a720b019f4f1a9
hxxp://jetdots.cn/view_video.php?viewkey=28b65688f14b84d61c61
hxxp://jetdots.cn/view_video.php?viewkey=2f5d98d3c79b195f2b29
hxxp://jetdots.cn/view_video.php?viewkey=2f5d98d3c79b195f2b29
hxxp://jetdots.cn/view_video.php?viewkey=4a3088a26bc2e6ecf760
hxxp://jetdots.cn/view_video.php?viewkey=4bd07f9bb215d59ef556
hxxp://jetdots.cn/view_video.php?viewkey=4bd07f9bb215d59ef556
hxxp://jetdots.cn/view_video.php?viewkey=50b25b4114e93a98f1eb
hxxp://jetdots.cn/view_video.php?viewkey=52123c40d2adba6a11d8
hxxp://jetdots.cn/view_video.php?viewkey=52b27eda3a12363109e8
hxxp://jetdots.cn/view_video.php?viewkey=57ab574cf005eb8a7676
hxxp://jetdots.cn/view_video.php?viewkey=5e77550897e25711e1d9
hxxp://jetdots.cn/view_video.php?viewkey=78bd83e0a727608b5db0
hxxp://jetdots.cn/view_video.php?viewkey=aa55373822c010763dd5
hxxp://jetdots.cn/view_video.php?viewkey=ab381e8be5f8318cc28a
hxxp://jetdots.cn/view_video.php?viewkey=ace2124a1a836d9fc4b6
hxxp://jetdots.cn/view_video.php?viewkey=ad1024ac95c3b208610d
hxxp://jetdots.cn/view_video.php?viewkey=add814d197af4f4bab3a
hxxp://jetdots.cn/view_video.php?viewkey=b94cb0f55994f679f595
hxxp://jetdots.cn/view_video.php?viewkey=c05c16873b05ec425cba
hxxp://jetdots.cn/view_video.php?viewkey=c05c16873b05ec425cba
hxxp://jetdots.cn/view_video.php?viewkey=c14a6e70a12f74560c02
hxxp://jetdots.cn/view_video.php?viewkey=f71b73125876103c8f6c
hxxp://jetdots.cn/view_video.php?viewkey=f7c5a0bf619f979c6cf3

I leave it up to you to replace all of those nasty "hxxp://" with either the real thing or nothing.  It has occurred to me that the difference (the section in the middle) may be that viewkey string.  But each of the viewkeys is only 20 bytes and the differences ran about 73 bytes on some of the files I did a hexcmp with.  Oh, hexcmp is a program I wrote to go with hexedit.  I got tired of translating octal starting at 1 to hexadecimal starting at 0 using cmp.  At least then I would have a lot of the files to hexcmp and look at the differences.
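The three-section analysis and the hexcmp-style byte diff described in the post above, as an added example; this is not hhhobbit's hexcmp and not code from the thread. The only thing it takes from the post is three of the viewkey strings. The sample binaries are constructed stand-ins (a fixed head, the ASCII viewkey plus four filler bytes, a fixed tail), not the real ipod_mp4-windows-player.exe, and all function names are mine.

```python
# Added example (not hhhobbit's hexcmp): compare several downloads of the
# same dropper, recover the fixed-head / variable-middle / fixed-tail layout
# with zero-based hex offsets, and test the guess that the per-download
# viewkey is what lives in the variable section.
# The samples built below are CONSTRUCTED; only the viewkeys come from the post.

from typing import Optional


def hexcmp(a: bytes, b: bytes) -> list:
    """Byte-wise diff of two buffers.

    Returns (offset, byte_in_a, byte_in_b) triples with ZERO-based offsets,
    which is what a hex editor shows (cmp prints 1-based octal offsets).
    Past the end of the shorter buffer the missing byte is None.
    """
    out = []
    for off in range(max(len(a), len(b))):
        x = a[off] if off < len(a) else None
        y = b[off] if off < len(b) else None
        if x != y:
            out.append((off, x, y))
    return out


def common_prefix_len(samples) -> int:
    """Length of the head shared by every sample."""
    n = min(len(s) for s in samples)
    for i in range(n):
        if any(s[i] != samples[0][i] for s in samples):
            return i
    return n


def common_suffix_len(samples) -> int:
    """Length of the tail shared by every sample."""
    n = min(len(s) for s in samples)
    for i in range(1, n + 1):
        if any(s[-i] != samples[0][-i] for s in samples):
            return i - 1
    return n


def section_map(samples) -> dict:
    """Split each sample into (fixed head, variable middle, fixed tail).

    Ranges are inclusive byte offsets, like the table in the post. If the
    shared head and tail overlap (no variable bytes at all, e.g. a single
    sample) the middle is reported as None.
    """
    p = common_prefix_len(samples)
    s = common_suffix_len(samples)
    per = []
    for smp in samples:
        n = len(smp)
        middle = None if p + s >= n else (p, n - s - 1)
        per.append(((0, p - 1), middle, (n - s, n - 1)))
    return {"head_len": p, "tail_len": s, "sections": per}


def locate_viewkey(sample: bytes, viewkey: str) -> Optional[tuple]:
    """Look for the viewkey as ASCII, as UTF-16LE, or as its raw 10 hex bytes.

    Returns (encoding, offset) for the first form found, else None, which is
    the quick way to test "is the middle section just the viewkey?".
    """
    forms = [("ascii", viewkey.encode("ascii")),
             ("utf-16le", viewkey.encode("utf-16-le"))]
    try:
        forms.append(("rawhex", bytes.fromhex(viewkey)))
    except ValueError:  # not a clean hex string; skip that form
        pass
    for name, needle in forms:
        off = sample.find(needle)
        if off != -1:
            return (name, off)
    return None


# ---- constructed sample data (stand-in for the real downloads) ----
KEYS = ["78bd83e0a727608b5db0", "2f5d98d3c79b195f2b29", "0a1841b3b3728321e708"]
HEAD = b"MZ\x90\x00" + b"S1" * 30      # 64 bytes, identical in every sample
TAIL = b"S3" * 40 + b"\x00\x00"        # 82 bytes, identical in every sample


def build_sample(i: int) -> bytes:
    # variable middle: the ASCII viewkey plus four per-download filler bytes
    return HEAD + KEYS[i].encode("ascii") + bytes([0x41 + i]) * 4 + TAIL


SAMPLES = [build_sample(i) for i in range(len(KEYS))]


def report(samples) -> str:
    """Human-readable section table in five-digit hex, like the post."""
    m = section_map(samples)
    lines = [f"fixed head: {m['head_len']} bytes, fixed tail: {m['tail_len']} bytes"]
    for i, (h, mid, t) in enumerate(m["sections"]):
        mid_txt = "none" if mid is None else f"{mid[0]:05x}-{mid[1]:05x}"
        lines.append(f"sample {i}: head {h[0]:05x}-{h[1]:05x}  "
                     f"middle {mid_txt}  tail {t[0]:05x}-{t[1]:05x}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLES))
    fmt = lambda v: "--" if v is None else f"{v:02x}"
    for off, x, y in hexcmp(SAMPLES[0], SAMPLES[1])[:5]:
        print(f"{off:05x}: {fmt(x)} {fmt(y)}")
    print(locate_viewkey(SAMPLES[0], KEYS[0]))
```

To run it on real downloads, replace SAMPLES with `[open(p, "rb").read() for p in paths]`. If `locate_viewkey` returns None for every sample, the viewkey is not stored verbatim in any of the three forms checked, and the ~73 variable bytes are something else; either way the `hexcmp` offsets are already zero-based hex, so they can be pasted straight into a hex editor without the octal-to-hex translation the post complains about.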