Author Topic: I-frames serving Exploits/ 59.53.91.189  (Read 3008 times)


August 10, 2010, 08:44:06 pm

detro

Unfortunately I do not have a sandbox or netflow at my disposal, but I came across this outbound request on our network. The IP correlates to an older Zeus v2 server, though after running it through numerous online analyzers I found it to host some nasty iframes pointing to some known malicious Java and .pdf exploits.

http://oooooo1.ru - exploits being served.
Hidden iframes in the above point to
http://baymediagroup.com:8080/?pid=14
which had the following show up in URLvoid:

http://wepawet.cs.ucsb.edu/view.php?hash=affed39dae0585650a79aa1478d6f91f&t=1281121042&type=js

If I come across any new ones I'll throw them in this thread. Any further investigation to determine whether it is hosting a C&C or just the exploits I came across would be helpful. Thanks.