Author Topic: aervrfhu.ru - Bredolab/Oficla Check In Site  (Read 3593 times)

0 Members and 1 Guest are viewing this topic.

February 25, 2010, 05:23:40 pm
Read 3593 times

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Seeing infected hosts reach back out to aervrfhu.ru to check in:

Code: [Select]
GET /kjflth/bb.php?v=200&id=833711035&b=5541074310&tm=52 HTTP/1.1
User-Agent: Opera\9.64
Host: aervrfhu.ru

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Feb 2010 14:23:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.11
Vary: Accept-Encoding,User-Agent
Content-Length: 37
[info]delay:45|upd:0|backurls:[/info]

This trips several snort alerts. Additionally this IP is listed in the MDL with other host names for running the YES exploit kit and Bredolab:

http://www.malwaredomainlist.com/mdl.php?search=193.104.94.45

February 25, 2010, 05:31:00 pm
Reply #1

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Mal-Aware