Author Topic: *stats.php - a tiny riddle (Read 8061 times)

michajp · January 13, 2014, 02:54:09 am

Something flying under the radar since at least December 2013 ...

Compromised legitimate websites containing inserted "*stats.php" links.
Details: http://michajp.blogspot.jp/2013/12/the-stats-which-arent.html

On _first_ access, user will be redirected to:
1.

Code: [Select]

hxxp://skriperstreet300.com/index.php

(Formerly also skriperstreet100 and skriperstreet200.)

From there, another URL is retrieved, sample:
2.

Code: [Select]

hxxp://skriperstreet300.com/1389580315/0ecca5400e5c2a0bcd6c01256de902fb.js

The .js contains another URL, leading to another set of URLs, example:
3.

Code: [Select]

zltxny.contractorchemist.pw/9-4fd5Y8-44f-f_17-2C186-d09U7Ge993b-af-d23Bc-aP.html
zltxny.contractorchemist.pw/418253043/1388286480.jar
zltxny.contractorchemist.pw/418253043/1388286480.pdf
zltxny.contractorchemist.pw/f/1388286480/418253043/6

The links in 2. and 3. seem to change with extreme speed. Only few minutes after grabbing code from "contractorchemist.pw", the domain was no more resolvable.