Malicious Domains - eoin.miller

[eoin.miller]

borat-carrer.com/img/index.php - Phoenix Exploit Kit

[eoin.miller]

trade-yourauto.info/s/index.php - Phoenix Exploit Kit
trade-yourauto.info/s/tmp/des.jar - Java Exploit

[eoin.miller]

jazzstibbtm.com/aa/index.php - phoenix exploit kit
79.135.152.222/a/index.php - phoenix exploit kit
brittnom.com/038512946/news.php - phoenix exploit kit

http://193.169.235.225/?q=Z5249FKA1J61R99H14NWY1W0J6VOWW67ZECX0K1Y8N4DO010Y52DNG9D847NNN4TV4VL0Y9V79UU09XWZW8D9ZE50K0XEJISRkiJU06WW47XUUpVmsnMyVaMkk2Qj8iMitKBmlybWoCfB9uCGANdzMBTQElAU50d3BfdlkMACh%252BegVkbw1veFZgW28CXWFmVl09Nj9nATgIaH0GCH0GAQcGTSM4NQ%253D%253D - Fake Scanner Page

http://193.169.235.225/?q=asdf - payload (can be anything after the q= really)

[eoin.miller]

http://h26heh1.co.cc/x6dmrk2/  - drive by

jsunpack results:
http://jsunpack.jeek.org/dec/go?report=8f812b03d3390d1476b1c4f112e62cd4c8496ae2

[eoin.miller]

http://stepanola.in:8080/axb/ - drive by (eleonore IIRC)

[eoin.miller]

Phoenix Exploit Kit:
68.68.20.113 - fun.anexelymoweq.in

Redirector (second stage):
78.46.75.144 - verystrangeone.com/in.cgi?13

Redirector (first stage):
174.137.146.174 - 174.137.146.174/?cbb=27867330230596

[eoin.miller]

Seeing this one being redirected to by hacked Drupal websites:

Phoenix Exploit Kit:
62.122.73.51 - http://besimorr.com/images/start.php?id=vlnd

Other hostnames via passive DNS:

Code: [Select]

cubbypa.com  A  62.122.73.51
ns1.cubbypa.com  A  62.122.73.51
ns2.cubbypa.com  A  62.122.73.51
chinapinkpig.com  A  62.122.73.51
ns1.chinapinkpig.com  A  62.122.73.51
ns2.chinapinkpig.com  A  62.122.73.51
boxberil.com  A  62.122.73.51
ns1.boxberil.com  A  62.122.73.51
ns2.boxberil.com  A  62.122.73.51
disreco.com  A  62.122.73.51
ns1.disreco.com  A  62.122.73.51
ns2.disreco.com  A  62.122.73.51
besimorr.com  A  62.122.73.51
ns1.besimorr.com  A  62.122.73.51
ns2.besimorr.com  A  62.122.73.51
delilit.com  A  62.122.73.51
ns1.delilit.com  A  62.122.73.51
ns2.delilit.com  A  62.122.73.51
ns1.youtubesxx.com  A  62.122.73.51
ns2.youtubesxx.com  A  62.122.73.51
62.122.73.52 seems to be bound to the same host as well:

Code: [Select]

boxberil.com  A  62.122.73.52
shoughbo.com  A  62.122.73.52
ns1.shoughbo.com  A  62.122.73.52
ns2.shoughbo.com  A  62.122.73.52
delilit.com  A  62.122.73.52
youtubesxx.com  A  62.122.73.52
heh:
/home/shayai/public_html/index.php

I <3 php error reporting

[eoin.miller]

Another phoenix kit having traffic driven to it from exploited domains:

http://boxberil.com/images/start.php?id=vlnd

[eoin.miller]

More phoenix:

91.193.192.90 - http://7tokk.cz.cc/vo/ithsaoj.php

Uses SEO poisoning to drive users to it.

[Seedler]

A while back I configured DNS to not resolve any co.cc or cz.cc domains at all.  I have not had any business impact after doing this and this and this is for a Fortune 500 company.  I recommend you do the same.

-Seedler

[SysAdMini]

A while back I configured DNS to not resolve any co.cc or cz.cc domains at all.  I have not had any business impact after doing this and this and this is for a Fortune 500 company.  I recommend you do the same.

-Seedler

I blocked co.cc and cz.cc domains on proxy servers of a large company and haven't had any business impact. I can recommend that too.

[eoin.miller]

A while back I configured DNS to not resolve any co.cc or cz.cc domains at all.  I have not had any business impact after doing this and this and this is for a Fortune 500 company.  I recommend you do the same.

-Seedler

I blocked co.cc and cz.cc domains on proxy servers of a large company and haven't had any business impact. I can recommend that too.

We do that as well for an 80k+ user network. I also wrote the Snort sigs that look for these domains in HTTP requests and alert on them as suspicious through the EmergingThreats snort users group

[eoin.miller]

More Phoenix:
thruleni.com/images/start.php?id=wag5 - 62.122.73.53

IP is already in theMDL with another hostname but is listed as "fake av".

[eoin.miller]

Phoenix Kits:

advancedwebanalytic.com/stats/fnktcnfza3.php
zlenbigret.com/03oofm059mw.php?s=IBCCL

[eoin.miller]

More phoenix:

web-statistics-css.ru/n3/xndobob.php

anyone going to bible.com is getting redirected to this currently.