Author Topic: Kinda funky...  (Read 8981 times)


September 04, 2009, 01:55:09 pm

RS-232

Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

September 04, 2009, 01:58:20 pm
Reply #1

RS-232

Semi-random results from the concept above...
Note that you might need to play a bit around with the numerical input/urls etc...

September 04, 2009, 02:21:46 pm
Reply #2

cleanmx

Out of these PTR records...
these are already blocked by Google Safe Browsing...


September 04, 2009, 02:31:36 pm
Reply #3

RS-232

Lol, was just checking PTR records and reports from Wepawet... :)
Most of them seem to have been used in WordPress injections...
http://www.google.com/search?hl=en&as_q=&as_epq=.ru%3A8080%2Findex.php
http://www.google.com/search?hl=en&as_q=&as_epq=.at%3A8080%2Findex.php

September 04, 2009, 02:36:16 pm
Reply #4

cleanmx


September 04, 2009, 03:00:48 pm
Reply #5

RS-232

Thanks ;-)
Found this while digging into the above... it's LuckySploit, but I'm not able to decode it though: :-\
Quote
hxxp://wareshield.cn/jst.js
hxxp://lingobest.com/vsetakoe/?21983bb0a2f5476c0c4aac31c7549f5b
hxxp://lingobest.com/vsetakoe/?vvJCQwBFyq9ufi9N5FerWbKma3LY6Q+eRB5x+N6K8A==
Wepawet also fails upon it...
http://wepawet.cs.ucsb.edu/view.php?hash=99e877390656f2eb3d595996be60d4f1&t=1252076371&type=js

September 04, 2009, 03:44:31 pm
Reply #6

SysAdMini

hxxp://3a2.ru:8080/index.php
hxxp://3ca.ru:8080/index.php
hxxp://3e0.ru:8080/index.php

I've seen a lot of those URLs in the last weeks, but whenever I have checked them, they have returned empty responses.
It doesn't matter what user agent or proxy server I use.
Can someone give me a hint how I can get any content from those sites?
Ruining the bad guy's day

September 04, 2009, 03:46:12 pm
Reply #7

RS-232

In most cases, adding ":8080/cache/readme.pdf" does the trick... (the IP must also be changed regularly between requests, etc. etc...)
Haven't tested much against "/ts/in.cgi?pepsixxx" to be honest, only a few random ones...
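A defender-side check for the URL shapes discussed in this thread (short throwaway host on port 8080 serving /index.php, /ts/in.cgi?pepsiNNN or /cache/readme.pdf), as an added example that is not code from the thread; the proxy log layout and the regexes are assumptions, and the sample log is constructed.

```python
import re
from urllib.parse import urlsplit

# Path signatures of the kit URLs quoted in this thread (regexes are assumptions).
PATH_SIGNATURES = {
    "landing": re.compile(r"^/index\.php$"),
    "tds_redirect": re.compile(r"^/ts/in\.cgi$"),   # only with a pepsiNNN query
    "pdf_exploit": re.compile(r"^/cache/readme\.pdf$"),
}
# Short throwaway hostnames like 3a2.ru, c6p.at, yiiw.in: 3-4 alphanumerics + cheap ccTLD.
SHORT_HOST = re.compile(r"^[a-z0-9]{3,4}\.(ru|at|in)$")

def classify_url(url):
    """Return the signature name if the URL matches the kit pattern, else None."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:          # malformed port in a log line: not a hit
        return None
    host = (parts.hostname or "").lower()
    if port != 8080 or not SHORT_HOST.match(host):
        return None
    for name, rx in PATH_SIGNATURES.items():
        if rx.match(parts.path):
            if name == "tds_redirect" and not re.match(r"^pepsi\d+$", parts.query):
                continue
            return name
    return None

def scan_proxy_log(lines):
    """Return [(line_no, host, signature)] for 'timestamp client url status' records."""
    hits = []
    for no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        sig = classify_url(fields[2])
        if sig:
            hits.append((no, urlsplit(fields[2]).hostname, sig))
    return hits

# Constructed sample log (assumed squid-like layout); hosts are the ones quoted in the thread.
SAMPLE_LOG = """\
1252076371 10.0.0.5 http://www.example.com/ 200
1252076372 10.0.0.5 http://3a2.ru:8080/index.php 200
1252076373 10.0.0.5 http://c6h.at:8080/ts/in.cgi?pepsi139 302
1252076374 10.0.0.5 http://xm0.ru:8080/cache/readme.pdf 200
1252076375 10.0.0.7 http://3a2.ru/index.php 200
1252076376 10.0.0.7 http://longhostname.ru:8080/index.php 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("line %d: %s -> %s" % hit)
```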

September 04, 2009, 04:41:34 pm
Reply #8

cleanmx

Someone should shut down these nameservers:

dig 3c8.ru any

; <<>> DiG 9.3.4-P1.2 <<>> 3c8.ru any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37873
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;3c8.ru.                            IN ANY

;; ANSWER SECTION:
3c8.ru.                 407     IN  A 94.102.208.74
3c8.ru.                 407     IN  A 81.209.164.65
3c8.ru.                 407     IN  A 85.17.237.5
3c8.ru.                 407     IN  A 89.200.170.230
3c8.ru.                 407     IN  A 94.75.216.155
3c8.ru.                 407     IN  NS ns1.3c8.ru.
3c8.ru.                 407     IN  NS ns2.3c8.ru.
3c8.ru.                 407     IN  NS ns3.3c8.ru.
3c8.ru.                 407     IN  NS ns4.3c8.ru.
3c8.ru.                 407     IN  SOA 3c8.ru. root.localhost. 2009090419 10800 3600 10800 3600

;; AUTHORITY SECTION:
3c8.ru.                 407     IN  NS ns4.3c8.ru.
3c8.ru.                 407     IN  NS ns1.3c8.ru.
3c8.ru.                 407     IN  NS ns2.3c8.ru.
3c8.ru.                 407     IN  NS ns3.3c8.ru.

;; ADDITIONAL SECTION:
ns1.3c8.ru.             407     IN  A 70.38.48.41
ns2.3c8.ru.             407     IN  A 202.65.134.102
ns3.3c8.ru.             407     IN  A 67.19.171.210
ns4.3c8.ru.             407     IN  A 216.24.153.206

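The dig output above shows one apex name with five A records in unrelated networks, four in-bailiwick nameservers that are scattered just as widely, and a placeholder SOA contact. As an added example that is not from the thread, this parses such dig output and scores those three traits with a simple heuristic (an assumption of this example, not a published standard); the record lines are copied from the post above.

```python
import re
from collections import defaultdict
# Matches record lines of `dig <name> any` output: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS|SOA)\s+(.+)$")

def parse_dig(text):
    """Return {(owner, type): [rdata, ...]}; lines starting with ';' are dig commentary."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            if rdata not in records[(owner, rtype)]:  # NS appear in both ANSWER and AUTHORITY
                records[(owner, rtype)].append(rdata)
    return records

def flux_indicators(records, apex, min_a=4, min_nets=3):
    """Heuristic (an assumption here): A records spread over unrelated /8s, in-bailiwick NS scattered the same way, placeholder SOA contact."""
    findings = []
    a_recs = records.get((apex, "A"), [])
    nets = {ip.split(".")[0] for ip in a_recs}
    if len(a_recs) >= min_a and len(nets) >= min_nets:
        findings.append("%d A records across %d /8 networks" % (len(a_recs), len(nets)))
    ns_hosts = [n for n in records.get((apex, "NS"), []) if n.endswith("." + apex)]
    ns_nets = {records[(n, "A")][0].split(".")[0] for n in ns_hosts if records.get((n, "A"))}
    if len(ns_nets) >= min_nets:
        findings.append("%d in-bailiwick NS across %d /8 networks" % (len(ns_hosts), len(ns_nets)))
    for soa in records.get((apex, "SOA"), []):
        if soa.split()[1].endswith("localhost."):  # SOA RNAME is the zone contact
            findings.append("placeholder SOA contact " + soa.split()[1])
    return findings

# Record lines copied from the dig output posted above (ANSWER and ADDITIONAL sections).
DIG_3C8 = """
3c8.ru.                 407     IN  A 94.102.208.74
3c8.ru.                 407     IN  A 81.209.164.65
3c8.ru.                 407     IN  A 85.17.237.5
3c8.ru.                 407     IN  A 89.200.170.230
3c8.ru.                 407     IN  A 94.75.216.155
3c8.ru.                 407     IN  NS ns1.3c8.ru.
3c8.ru.                 407     IN  NS ns2.3c8.ru.
3c8.ru.                 407     IN  NS ns3.3c8.ru.
3c8.ru.                 407     IN  NS ns4.3c8.ru.
3c8.ru.                 407     IN  SOA 3c8.ru. root.localhost. 2009090419 10800 3600 10800 3600
ns1.3c8.ru.             407     IN  A 70.38.48.41
ns2.3c8.ru.             407     IN  A 202.65.134.102
ns3.3c8.ru.             407     IN  A 67.19.171.210
ns4.3c8.ru.             407     IN  A 216.24.153.206
"""
FINDINGS_3C8 = flux_indicators(parse_dig(DIG_3C8), "3c8.ru.")
```

Running it on a normally hosted zone (a couple of A records in one network, registrar nameservers outside the zone) returns an empty list, which is the baseline to compare against.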

September 04, 2009, 05:06:24 pm
Reply #9

cleanmx

Slightly cross-posting... here are unique md5sums for PDF exploits:


September 07, 2009, 10:56:18 am
Reply #10

Serg

These domains are spreading Bredolab and some spam bots...