Author Topic: alternative-tv.atwebpages.com > philipsmp3cdpc.org > beststabilityscans.com  (Read 7458 times)

April 04, 2009, 05:09:58 pm

MysteryFCM

Decoding the script shows it takes you to;

hxxp://philipsmp3cdpc.org/in.php?s=korshun&p=hxxp://alternative-tv.atwebpages.com/FinalFourGameTimes.html

Which downloads;

hxxp://beststabilityscans.com/install.exe

.... and yep, a rogue it be .....

in.php contains the following lil snippet, which decodes to;

Code:
\x64\x69\x61\x6C\x6F\x67\x57\x69\x64\x74\x68\x3A\x31\x30\x32\x34\x70\x78\x3B\x20\x64\x69\x61\x6C\x6F\x67\x48\x65\x69\x67\x68\x74\x3A\x37\x36\x38\x70\x78\x3B\x20\x64\x69\x61\x6C\x6F\x67\x54\x6F\x70\x3A\x30\x70\x78\x3B\x20\x64\x69\x61\x6C\x6F\x67\x4C\x65\x66\x74\x3A\x30\x70\x78\x3B\x20\x65\x64\x67\x65\x3A\x52\x61\x69\x73\x65\x64\x3B\x20\x63\x65\x6E\x74\x65\x72\x3A\x30\x3B\x20\x68\x65\x6C\x70\x3A\x30\x3B\x20\x72\x65\x73\x69\x7A\x61\x62\x6C\x65\x3A\x31\x3B\x20\x73\x63\x72\x6F\x6C\x6C\x3A\x31\x3B\x20\x73\x74\x61\x74\x75\x73\x3A\x30","\x20\x73\x63\x72\x6F\x6C\x6C\x62\x61\x72\x73\x3D\x30\x2C\x6D\x65\x6E\x75\x62\x61\x72\x3D\x31\x2C\x74\x6F\x6F\x6C\x62\x61\x72\x3D\x31\x2C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x3D\x30\x2C\x70\x65\x72\x73\x6F\x6E\x61\x6C\x62\x61\x72\x3D\x31\x2C\x73\x74\x61\x74\x75\x73\x3D\x30\x2C\x72\x65\x73\x69\x7A\x61\x62\x6C\x65\x3D\x31","\x37\x66\x30\x39\x63\x39\x65\x31\x63\x35\x35\x66\x37\x64\x36\x33\x66\x30\x32\x39\x30\x39\x61\x31\x34\x63\x31\x61\x34\x35\x65\x30","\x36\x42\x46\x35\x32\x41\x35\x32\x2D\x33\x39\x34\x41\x2D\x31\x31\x44\x33\x2D\x42\x31\x35\x33\x2D\x30\x30\x43\x30\x34\x46\x37\x39\x46\x41\x41\x36

Escapes to;

Code:
dialogWidth:1024px; dialogHeight:768px; dialogTop:0px; dialogLeft:0px; edge:Raised; center:0; help:0; resizable:1; scroll:1; status:0"," scrollbars=0,menubar=1,toolbar=1,location=0,personalbar=1,status=0,resizable=1","7f09c9e1c55f7d63f02909a14c1a45e0","6BF52A52-394A-11D3-B153-00C04F79FAA6

Headers;

Code:
HTTP/1.1 302 Found
Date: Sat, 04 Apr 2009 16:58:59 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.8
X-Powered-By: PHP/5.2.8
Set-Cookie: alreadyvisited=1; expires=Sun, 05-Apr-2009 02:58:59 GMT
Location: http://beststabilityscans.com/hitin.php?land=20&affid=07100
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

HTTP/1.1 302 Found
Date: Sat, 04 Apr 2009 16:59:11 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.6
location: index.php?affid=07100
Content-Length: 0
Content-Type: text/html

HTTP/1.1 200 OK
Date: Sat, 04 Apr 2009 16:59:11 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.6
Transfer-Encoding: chunked
Content-Type: text/html

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
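The "decodes to / escapes to" step in the post is mechanical, so here is a small decoder for it, written for this thread and not taken from the post or from in.php itself. It feeds a constructed excerpt of the post's \x-escaped literal (first and last pieces only) through the decoder, splits on the '","' joiner between string arguments, and labels each argument so an analyst knows what to look up next; it also accepts \uHHHH and %HH escapes, which the post's sample does not use.

```python
import re

# Constructed excerpt: the first and last pieces of the \x-escaped literal
# quoted in the post above (the full literal is far longer).
ESCAPED = (
    r"\x64\x69\x61\x6C\x6F\x67\x57\x69\x64\x74\x68\x3A\x31\x30\x32\x34\x70\x78\x3B"
    r"\x20\x73\x74\x61\x74\x75\x73\x3A\x30"
    r'","'
    r"\x36\x42\x46\x35\x32\x41\x35\x32\x2D\x33\x39\x34\x41\x2D\x31\x31\x44\x33"
    r"\x2D\x42\x31\x35\x33\x2D\x30\x30\x43\x30\x34\x46\x37\x39\x46\x41\x41\x36"
)

# \xHH as in the post, plus \uHHHH and %HH; each collapses to the character it encodes.
_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")


def unescape(text):
    """Replace every hex escape with the character it stands for."""
    return _ESC.sub(lambda m: chr(int(m.group(m.lastindex), 16)), text)


def classify(token):
    """Rough label for a decoded argument, to direct the analyst's attention."""
    if GUID_RE.match(token):
        return "guid"       # CLSID-shaped: look up which control it instantiates
    if HEX32_RE.match(token):
        return "hex32"      # MD5-shaped: campaign/affiliate id or a key
    if ":" in token or "=" in token:
        return "options"    # showModalDialog / window.open feature strings
    return "other"


def analyse(escaped):
    """Decode the literal and label each '","'-separated argument."""
    decoded = unescape(escaped)
    return [(tok, classify(tok)) for tok in decoded.split('","')]


if __name__ == "__main__":
    for tok, kind in analyse(ESCAPED):
        print(f"{kind:8s} {tok}")
```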
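The header dump above shows the redirect chain only implicitly (one Location is relative, and one header name is lowercase). The following is an added example, not code from the post, that parses a constructed copy of those three responses, resolves each Location against the URL that produced it, and collects the cookies set along the way; the assumed starting URL is the in.php link the post gives, and the alreadyvisited cookie is worth keeping in mind when replaying such a chain, since the server can tell a second visit from a first.

```python
from urllib.parse import urljoin

# Constructed copy of the three responses quoted in the post, trimmed to the
# headers that matter for following the chain (no live fetch involved).
CAPTURE = """\
HTTP/1.1 302 Found
Server: Apache/1.3.41 (Unix) PHP/5.2.8
Set-Cookie: alreadyvisited=1; expires=Sun, 05-Apr-2009 02:58:59 GMT
Location: http://beststabilityscans.com/hitin.php?land=20&affid=07100
Content-Type: text/html

HTTP/1.1 302 Found
Server: Apache/2
location: index.php?affid=07100
Content-Length: 0

HTTP/1.1 200 OK
Server: Apache/2
Content-Type: text/html
"""

# The in.php URL from the post, assumed to be the request behind the first response.
START = ("http://philipsmp3cdpc.org/in.php?s=korshun"
         "&p=http://alternative-tv.atwebpages.com/FinalFourGameTimes.html")


def parse_responses(raw):
    """Split a raw capture into (status, headers) pairs; header names lowercased."""
    out = []
    for block in raw.strip().split("\n\n"):
        lines = block.splitlines()
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        out.append((status, headers))
    return out


def follow_chain(start, responses):
    """Resolve each Location against the URL that produced it; collect cookies."""
    hops, cookies, current = [start], [], start
    for status, headers in responses:
        cookies += [c.split(";", 1)[0] for c in headers.get("set-cookie", [])]
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            current = urljoin(current, headers["location"][0])  # handles relative
            hops.append(current)
        else:
            break
    return hops, cookies


if __name__ == "__main__":
    hops, cookies = follow_chain(START, parse_responses(CAPTURE))
    print("\n -> ".join(hops))
    print("cookies set:", cookies)
```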

April 04, 2009, 05:15:31 pm
Reply #1

MysteryFCM


April 04, 2009, 05:16:54 pm
Reply #2

sowhat-x
I noticed this IP earlier this morning (94.247.3.3 -> zlkon.lv, what a surprise, heh...), but some of the sites there hadn't even been configured yet...  ;)

April 04, 2009, 05:23:23 pm
Reply #3

MysteryFCM


April 04, 2009, 05:27:48 pm
Reply #4

SysAdMini

Quote
I noticed this IP earlier this morning (94.247.3.3 -> zlkon.lv, what a surprise, heh...), but some of the sites there hadn't even been configured yet...  ;)

I'm wondering why nobody pulls the plug on zlkon. I haven't seen any legitimate site from this net.
You have probably already noticed that I have started topics for each of their hosts to document the badness.

When I look at your signature, I think you agree. ;)
Ruining the bad guy's day

April 04, 2009, 05:30:00 pm
Reply #5

MysteryFCM


April 04, 2009, 06:28:50 pm
Reply #6

sowhat-x
Quote
When I look at your signature, I think you agree.  ;)
Changed my signature slightly to a somewhat less "politically correct" statement, in order to show my 100% agreement...  ;)

April 04, 2009, 06:31:59 pm
Reply #7

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
hehe should really be;

Code:
Scum of the earth: Zlkon.lv Domain List---> 94.247.0.0/22
;) (those lot and the IST are the two worst offenders atm)