Malware Domain List

Malware Related => Malicious Domains => Topic started by: xorrox on May 22, 2009, 08:18:58 pm

Title: 62.211.68.58
Post by: xorrox on May 22, 2009, 08:18:58 pm
This machine has been hacked. It's owned by the German ISP "Hansenet" which hosts several user-websites on that box. All their user-pages have some additional JavaScript-code attached, which opens popup-windows as soon as you click on anything, loading these popups from a domain whose name varies with time/date.

I looked at the JavaScript with Malzilla (using it for the first time), really cool tool!
Attached you find the disassembled JavaScript, I guess this is well-known malware, seems to have been written back in 2007.

Title: Re: 62.211.68.58
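The symptom described in the post, the same unwanted script block appended to every page of a hosted site, is easy to confirm mechanically when the owner keeps a known-good copy of their static HTML. The following is an added example, not code from this thread or from Malzilla: it parses the `<script>` elements out of a baseline and a live copy of a page, reports any block that is not in the baseline, and flags the ones containing constructs typical of obfuscated injections. The sample pages and the `SUSPICIOUS` pattern list are constructed for the example.

```python
"""Integrity check for static HTML pages: report <script> blocks that are
absent from a known-good copy. Added example; sample pages are constructed."""
import hashlib
import re
from html.parser import HTMLParser

# Heuristic only: constructs that often appear in obfuscated injected scripts.
SUSPICIOUS = re.compile(
    r"unescape\(|eval\(|String\.fromCharCode|document\.write\(|window\.open\("
)


class _ScriptCollector(HTMLParser):
    """Collects (src, inline body) for every <script> element in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def extract_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def script_id(src, body):
    """Stable identity for a script: hash of its src attribute and inline body."""
    return hashlib.sha256((src or "").encode() + b"\0" + body.encode()).hexdigest()


def find_injected_scripts(baseline_html, current_html):
    """Return the scripts in current_html that do not appear in baseline_html."""
    known = {script_id(s, b) for s, b in extract_scripts(baseline_html)}
    findings = []
    for src, body in extract_scripts(current_html):
        if script_id(src, body) in known:
            continue
        findings.append({
            "src": src,
            "length": len(body),
            "suspicious": bool(SUSPICIOUS.search(body)),
        })
    return findings


# Constructed sample: the owner's known-good page and a live copy with an
# extra inline script appended after the closing body tag.
BASELINE = (
    "<html><head><title>Home</title>"
    '<script src="menu.js"></script></head>'
    "<body><p>Welcome</p></body></html>"
)
INJECTED = BASELINE + (
    "<script>var d=new Date();"
    'document.write(unescape("%3Cp%3Eplaceholder%3C/p%3E"));</script>'
)

if __name__ == "__main__":
    for finding in find_injected_scripts(BASELINE, INJECTED):
        print(finding)
```

Run the same comparison over every page of an account (or every account on a shared host) to see whether the injection is confined to one user's files, which is the question the later posts in this thread turn on; a block that shows up only under one account points at that account's credentials or upload path rather than at the server as a whole.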
Post by: SysAdMini on May 22, 2009, 08:29:07 pm
Uhh, it's Mebroot.

Have you already notified Hansenet about the problem?

Title: Re: 62.211.68.58
Post by: SysAdMini on May 22, 2009, 09:47:30 pm
I still have found only a single infected site.

Here is the wepawet report for it.

http://wepawet.cs.ucsb.edu/view.php?hash=610f7108f016e8e1d5292c8e2900d02a&t=1243029129&type=js

Title: Re: 62.211.68.58
Post by: xorrox on May 23, 2009, 08:09:13 am
> I still have found only a single infected site.

Me too. There are hundreds of domains on that box, I checked something like 150 of them and found none of these infected. Only all the pages from that single user have Mebroot.

So the assumption of that user (that the server was hacked) might be wrong. He thinks so because he only uses static HTML and has not logged into that machine (via FTP) for a very long time.