Author Topic: computershello  (Read 3354 times)

0 Members and 1 Guest are viewing this topic.

July 16, 2008, 02:55:38 pm
Read 3354 times

gonzornung

  • Newbie

  • Offline
  • *

  • 1
Does anyone have any information about http://computershello.cn.  It was in a SQL injection attempt.

July 16, 2008, 03:18:34 pm
Reply #1

sowhat-x

  • Guest
http://www.malwaredomainlist.com/mdl.php?search=computershello
It was added at some earlier moment from what I can see,during May...

July 16, 2008, 03:33:37 pm
Reply #2

philipp

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 218
Hi gonzornung,

if i recall correctly, computershello.cn was one of the hosts targeting worldofwarcraft players mainly, as described here:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080513

i found this host, in a javascript on 9i5t.cn (on May 13th, same day it was mentioned in the shadowserver article) :
Code: [Select]
hxxp://9i5t.cn/a.js
- hxxp://computershello.cn/g.js
  - hxxp://computershello.cn/6.gif
    - le.htm (MDAC exploit)
      -> downloads hxxp://computershello.cn/test.exe
    - tt1.htm (animated cursor)
      -> downloads hxxp://61.188.38.158/images/test.exe
    - vv.js (MDAC exploit)
      -> downloads hxxp://computershello.cn/test.exe
    - old.htm (RealPlayer exploit)
    - xin.htm (RealPlayer exploit)

the binary test.exe has the following md5sum:
5c9322a95aaafbfabfaf225277867f5b

i still have the javascripts and binary.

also, check http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514 to get a rough idea about the dimension of the injection.

regards,
philipp