Topic: Malicious Domains - eoin.miller

September 03, 2010, 05:26:26 pm
Reply #15

eoin.miller

borat-carrer.com/img/index.php - Phoenix Exploit Kit

September 03, 2010, 09:30:34 pm
Reply #16

eoin.miller

trade-yourauto.info/s/index.php - Phoenix Exploit Kit
trade-yourauto.info/s/tmp/des.jar - Java Exploit

September 07, 2010, 05:59:51 pm
Reply #17

eoin.miller

jazzstibbtm.com/aa/index.php - phoenix exploit kit
79.135.152.222/a/index.php - phoenix exploit kit
brittnom.com/038512946/news.php - phoenix exploit kit

http://193.169.235.225/?q=Z5249FKA1J61R99H14NWY1W0J6VOWW67ZECX0K1Y8N4DO010Y52DNG9D847NNN4TV4VL0Y9V79UU09XWZW8D9ZE50K0XEJISRkiJU06WW47XUUpVmsnMyVaMkk2Qj8iMitKBmlybWoCfB9uCGANdzMBTQElAU50d3BfdlkMACh%252BegVkbw1veFZgW28CXWFmVl09Nj9nATgIaH0GCH0GAQcGTSM4NQ%253D%253D - Fake Scanner Page

http://193.169.235.225/?q=asdf - payload (can be anything after the q= really)

September 07, 2010, 08:00:28 pm
Reply #18

eoin.miller


September 07, 2010, 08:34:44 pm
Reply #19

eoin.miller

http://stepanola.in:8080/axb/ - drive by (eleonore IIRC)

December 06, 2010, 04:16:34 pm
Reply #20

eoin.miller

Phoenix Exploit Kit:
68.68.20.113 - fun.anexelymoweq.in

Redirector (second stage):
78.46.75.144 - verystrangeone.com/in.cgi?13

Redirector (first stage):
174.137.146.174 - 174.137.146.174/?cbb=27867330230596

January 07, 2011, 11:32:15 pm
Reply #21

eoin.miller

Seeing this one being redirected to by hacked Drupal websites:

Phoenix Exploit Kit:
62.122.73.51 - http://besimorr.com/images/start.php?id=vlnd

Other hostnames via passive DNS:

Code:
cubbypa.com  A  62.122.73.51
ns1.cubbypa.com  A  62.122.73.51
ns2.cubbypa.com  A  62.122.73.51
chinapinkpig.com  A  62.122.73.51
ns1.chinapinkpig.com  A  62.122.73.51
ns2.chinapinkpig.com  A  62.122.73.51
boxberil.com  A  62.122.73.51
ns1.boxberil.com  A  62.122.73.51
ns2.boxberil.com  A  62.122.73.51
disreco.com  A  62.122.73.51
ns1.disreco.com  A  62.122.73.51
ns2.disreco.com  A  62.122.73.51
besimorr.com  A  62.122.73.51
ns1.besimorr.com  A  62.122.73.51
ns2.besimorr.com  A  62.122.73.51
delilit.com  A  62.122.73.51
ns1.delilit.com  A  62.122.73.51
ns2.delilit.com  A  62.122.73.51
ns1.youtubesxx.com  A  62.122.73.51
ns2.youtubesxx.com  A  62.122.73.51

62.122.73.52 seems to be bound to the same host as well:

Code:
boxberil.com  A  62.122.73.52
shoughbo.com  A  62.122.73.52
ns1.shoughbo.com  A  62.122.73.52
ns2.shoughbo.com  A  62.122.73.52
delilit.com  A  62.122.73.52
youtubesxx.com  A  62.122.73.52

heh:
/home/shayai/public_html/index.php

I <3 php error reporting
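The passive DNS pivot in the post above (seed IP, names sharing it, then a second IP that "seems to be bound to the same host") can be automated. The following is an added example written for this thread, not code from the original poster; it embeds the records quoted above, reduces ns1/ns2 glue names to their registrable domain, and reports which other addresses share those domains. The two-label apex() approximation is an assumption for brevity; real pivoting should consult the Public Suffix List.

```python
from collections import defaultdict

# Passive DNS records quoted from the thread above (hostname, record type, address).
# Embedded inline so the script runs offline; nothing is queried.
PDNS_RECORDS = """\
cubbypa.com  A  62.122.73.51
ns1.cubbypa.com  A  62.122.73.51
ns2.cubbypa.com  A  62.122.73.51
chinapinkpig.com  A  62.122.73.51
ns1.chinapinkpig.com  A  62.122.73.51
ns2.chinapinkpig.com  A  62.122.73.51
boxberil.com  A  62.122.73.51
ns1.boxberil.com  A  62.122.73.51
ns2.boxberil.com  A  62.122.73.51
disreco.com  A  62.122.73.51
ns1.disreco.com  A  62.122.73.51
ns2.disreco.com  A  62.122.73.51
besimorr.com  A  62.122.73.51
ns1.besimorr.com  A  62.122.73.51
ns2.besimorr.com  A  62.122.73.51
delilit.com  A  62.122.73.51
ns1.delilit.com  A  62.122.73.51
ns2.delilit.com  A  62.122.73.51
ns1.youtubesxx.com  A  62.122.73.51
ns2.youtubesxx.com  A  62.122.73.51
boxberil.com  A  62.122.73.52
shoughbo.com  A  62.122.73.52
ns1.shoughbo.com  A  62.122.73.52
ns2.shoughbo.com  A  62.122.73.52
delilit.com  A  62.122.73.52
youtubesxx.com  A  62.122.73.52
"""


def parse_pdns(text):
    """Parse 'name  A  address' lines into (name, address) pairs; other types are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "A":
            records.append((parts[0].lower().rstrip("."), parts[2]))
    return records


def apex(hostname):
    """Registrable domain, approximated as the last two labels (assumption).

    Real pivoting should use the Public Suffix List, otherwise names under
    suffixes such as cz.cc collapse to the suffix itself.
    """
    return ".".join(hostname.split(".")[-2:])


def apexes_on_ip(records, ip):
    """Distinct registrable domains whose A records (ns1/ns2 glue included) point at ip."""
    return sorted({apex(name) for name, addr in records if addr == ip})


def pivot_from_ip(records, seed_ip):
    """Find other addresses hosting registrable domains also seen on seed_ip.

    Returns {address: {"shared": [...], "new": [...]}} where "shared" are domains
    seen on both addresses and "new" are domains seen only on the other address.
    """
    seed = set(apexes_on_ip(records, seed_ip))
    by_ip = defaultdict(set)
    for name, addr in records:
        by_ip[addr].add(apex(name))
    related = {}
    for addr, domains in by_ip.items():
        shared = domains & seed
        if addr != seed_ip and shared:
            related[addr] = {"shared": sorted(shared), "new": sorted(domains - seed)}
    return related


def blocklist(records):
    """Every registrable domain in the data set, ready for a proxy or DNS blocklist."""
    return sorted({apex(name) for name, _ in records})


if __name__ == "__main__":
    recs = parse_pdns(PDNS_RECORDS)
    for addr, info in pivot_from_ip(recs, "62.122.73.51").items():
        print(addr, "shares", info["shared"], "adds", info["new"])
    print("blocklist:", blocklist(recs))
```

Run against the quoted records, the pivot from 62.122.73.51 returns 62.122.73.52 sharing boxberil.com, delilit.com and youtubesxx.com and contributes shoughbo.com as a new domain for the blocklist, which is the inference the post makes by eye.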

January 12, 2011, 08:46:11 am
Reply #22

eoin.miller

Another phoenix kit having traffic driven to it from exploited domains:

http://boxberil.com/images/start.php?id=vlnd

January 12, 2011, 07:34:44 pm
Reply #23

eoin.miller

More phoenix:

91.193.192.90 - http://7tokk.cz.cc/vo/ithsaoj.php

Uses SEO poisoning to drive users to it.

January 12, 2011, 09:25:16 pm
Reply #24

Seedler

A while back I configured DNS to not resolve any co.cc or cz.cc domains at all. I have not had any business impact after doing this, and this is for a Fortune 500 company. I recommend you do the same.

-Seedler

January 12, 2011, 11:27:23 pm
Reply #25

SysAdMini

> A while back I configured DNS to not resolve any co.cc or cz.cc domains at all. I have not had any business impact after doing this, and this is for a Fortune 500 company. I recommend you do the same.
>
> -Seedler

I blocked co.cc and cz.cc domains on proxy servers of a large company and haven't had any business impact. I can recommend that too.
Ruining the bad guy's day

January 14, 2011, 10:40:19 pm
Reply #26

eoin.miller

> > A while back I configured DNS to not resolve any co.cc or cz.cc domains at all. I have not had any business impact after doing this, and this is for a Fortune 500 company. I recommend you do the same.
> >
> > -Seedler
>
> I blocked co.cc and cz.cc domains on proxy servers of a large company and haven't had any business impact. I can recommend that too.

We do that as well for an 80k+ user network. I also wrote the Snort sigs that look for these domains in HTTP requests and alert on them as suspicious through the EmergingThreats snort users group ;)
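The three posts above describe the same control at three layers: refusing to resolve co.cc and cz.cc in DNS, blocking them on the proxy, and alerting on them in HTTP requests with Snort. The following is an added example, not code from the thread, from EmergingThreats or from any of the posters; it implements the suffix match correctly (so that co.cc.example.net and fooco.cc are not caught), runs it over a constructed proxy log, and emits BIND response-policy-zone records for the DNS layer. The log format and the RPZ usage are assumptions for the example.

```python
from urllib.parse import urlsplit

# Throwaway subdomain registries the thread recommends blocking outright.
BLOCKED_SUFFIXES = ("co.cc", "cz.cc")

# Constructed proxy log lines (epoch client method url status); the cz.cc host
# is the one reported in the thread, the rest are made up for the example.
SAMPLE_PROXY_LOG = """\
1294868400.101 10.0.0.5 GET http://7tokk.cz.cc/vo/ithsaoj.php 200
1294868400.205 10.0.0.5 GET http://www.example.com/index.html 200
1294868401.310 10.0.0.9 GET http://co.cc.example.net/ 200
1294868402.020 10.0.0.7 CONNECT login.co.cc:443 200
1294868403.500 10.0.0.7 GET http://fooco.cc/ 200
"""


def is_blocked_host(host, suffixes=BLOCKED_SUFFIXES):
    """True if host is a blocked suffix or a label under it; a naive substring
    or endswith("co.cc") check would also match fooco.cc, which is a different domain."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def host_of(url):
    """Hostname from an absolute URL or a CONNECT host:port target."""
    if "://" not in url:
        url = "//" + url          # let urlsplit parse host:port without a scheme
    return (urlsplit(url).hostname or "").lower()


def scan_proxy_log(text, suffixes=BLOCKED_SUFFIXES):
    """Return one dict per request whose host falls under a blocked suffix."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, method, url = parts[:4]
        host = host_of(url)
        if is_blocked_host(host, suffixes):
            hits.append({"ts": ts, "client": client, "method": method,
                         "host": host, "url": url})
    return hits


def rpz_nxdomain_records(suffixes=BLOCKED_SUFFIXES):
    """BIND RPZ records returning NXDOMAIN for each suffix and everything under it
    (CNAME to the root is the RPZ NXDOMAIN action). Assumed deployment: paste into
    the zone file of a response-policy zone the resolver is configured to use."""
    records = []
    for s in suffixes:
        records.append(f"{s} CNAME .")
        records.append(f"*.{s} CNAME .")
    return records


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("ALERT", hit["client"], hit["method"], hit["host"], hit["url"])
    print("\n".join(rpz_nxdomain_records()))
```

On the sample log only the cz.cc download and the CONNECT to a co.cc host are flagged; the two look-alike hosts pass, which is the property the suffix match must have before it is used for alerting across an 80k-user network.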

January 14, 2011, 10:41:46 pm
Reply #27

eoin.miller

More Phoenix:
thruleni.com/images/start.php?id=wag5 - 62.122.73.53

IP is already in the MDL with another hostname but is listed as "fake av".

February 02, 2011, 07:03:36 pm
Reply #28

eoin.miller

Phoenix Kits:

advancedwebanalytic.com/stats/fnktcnfza3.php
zlenbigret.com/03oofm059mw.php?s=IBCCL

February 14, 2011, 07:57:40 pm
Reply #29

eoin.miller

More phoenix:

web-statistics-css.ru/n3/xndobob.php

Anyone going to bible.com is getting redirected to this currently.