- // #MalwareMustDie - Crusaders diary
- // @unixfreaxjp of MMD is 100% responsible for this check.
- // A guide to confirming a legit service hacked to serve the Blackhole Exploit Kit.
- //
- // Background:
- // While I was checking the malicious domain bilainkos.ru, I found out its DNS had just been renewed.
- // I remembered a fellow crusader's reminder asking me about a hacked IP in TW,
- // so let's use this opportunity to prove it:
- // Malicious host targeted
- bilainkos.ru A 91.224.135.20
- bilainkos.ru A 187.85.160.106
- bilainkos.ru A 210.71.250.131
- //SOA
- bilainkos.ru
- origin = ns1.bilainkos.ru
- mail addr = root.bilainkos.ru
- serial = 2012010101
- refresh = 604800
- retry = 1800
- expire = 1800
- minimum = 60
- //WHOIS
- domain: BILAINKOS.RU
- nserver: ns1.bilainkos.ru. 62.76.186.24
- nserver: ns2.bilainkos.ru. 110.164.58.250
- nserver: ns3.bilainkos.ru. 42.121.116.38
- nserver: ns4.bilainkos.ru. 41.168.5.140
- state: REGISTERED, DELEGATED, UNVERIFIED
- person: Private Person
- registrar: NAUNET-REG-RIPN
- admin-contact: https://client.naunet.ru/c/whoiscontact
- created: 2012.12.16
- paid-till: 2013.12.16
- free-date: 2014.01.16
- source: TCI
- Last updated on 2012.12.25 05:51:35 MSK <=========== HERE, JUST RENEWED
- // Let's check the infection of 210.71.250.131
- // URLQuery of 210.71.250.131 :
- // http://urlquery.net/search.php?q=210.71.250.131&type=string&start=2012-12-10&end=2012-12-25&max=50
- 2012-12-23 01:17:02 http://bilainkos.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
- 2012-12-22 01:18:03 http://bilainkos.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
- 2012-12-21 05:50:54 http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
- 2012-12-20 23:20:48 http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
- 2012-12-20 18:46:22 http://apendiksator.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
- 2012-12-20 04:21:25 http://akionokao.ru/forum/links/public_version.php [Taiwan] 210.71.250.131
- 2012-12-19 20:53:24 http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
- // A second-opinion check: DNS records pointing to 210.71.250.131
- bunakaranka.ru A 210.71.250.131
- afjdoospf.ru A 210.71.250.131
- angelaonfl.ru A 210.71.250.131
- akionokao.ru A 210.71.250.131
- apendiksator.ru A 210.71.250.131
- bilainkos.ru A 210.71.250.131
- // Realizing that 210.71.250.131 is bound to a legit Taiwanese business page:
- // http://www.tecom.com.tw/
- // What/where is 210.71.250.131?
- //Backbone:
- AS Number: AS3462
- inetnum: 210.71.128.0 - 210.71.255.255
- netname: HINET-TW
- descr: CHTD, Chunghwa Telecom Co.,Ltd.
- descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
- descr: Taipei Taiwan 100
- country: TW
- admin-c: HN27-AP
- tech-c: HN28-AP
- //IP Owner:
- inetnum: 210.71.250.131 - 210.71.250.131
- netname: TECOM-921-TW
- descr: Taipei Taiwan
- country: TW
- admin-c: JS1343-TW
- tech-c: JS1343-TW
- mnt-by: MAINT-TW-TWNIC
- ====================
- PoC is here...
- It is proven that the legit server can
- have a proxy implemented on it (in this case on port 8080)
- which serves the Blackhole Exploit Kit
- ====================
- // send normal http request to 210.71.250.131:80
- --2012-12-25 11:26:05-- http://210.71.250.131/
- Connecting to 210.71.250.131:80... connected.
- Created socket 3.
- GET / HTTP/1.1
- User-Agent: Mozilla 5.0 (WinNT 6.0; IE 6.0)
- Accept: */*
- Host: 210.71.250.131
- Connection: Keep-Alive
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.1 302 Found
- Date: Tue, 25 Dec 2012 02:24:57 GMT
- Server: Apache/2.2.3 (CentOS)
- X-Powered-By: PHP/5.2.10
- Location: http://www.tecom.com.tw/en/
- Content-Length: 0
- Connection: close
- Content-Type: text/html; charset=UTF-8 // A legit reply!
- // So let's send a debug request to port 8080 of the same IP:
- // I used the latest infection URL structure to make sure that
- // I aimed at a real page:
- --2012-12-25 11:21:47--
- h00p://210.71.250.131:8080/forum/links/column.php
- Connecting to 210.71.250.131:8080... connected.
- GET /forum/links/column.php HTTP/1.1
- User-Agent: Mozilla 5.0 (WinNT 6.0; IE 6.0)
- Accept: */*
- Host: 210.71.250.131:8080
- Connection: Keep-Alive
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.1 500 Internal Server Error
- Server: nginx/1.0.10
- Date: Tue, 25 Dec 2012 02:20:39 GMT
- Content-Type: text/html; charset=CP-1251
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- Content-Length: 0 // It is a Blackhole service!
- ---
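A defender's triage helper, added here as an example and not part of the MMD note: it parses the two response heads quoted above and lists the fingerprint fields (Server, X-Powered-By, charset) that differ between port 80 and port 8080 of the same IP, which is the mismatch the PoC rests on. The sample responses are constructed from the headers in this paste.

```python
# Constructed sample input: the two response heads quoted in the diary above,
# port 80 (the legit Apache site) and port 8080 (the nginx proxy).
PORT80_RESPONSE = """HTTP/1.1 302 Found
Date: Tue, 25 Dec 2012 02:24:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Location: http://www.tecom.com.tw/en/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8"""

PORT8080_RESPONSE = """HTTP/1.1 500 Internal Server Error
Server: nginx/1.0.10
Date: Tue, 25 Dec 2012 02:20:39 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 0"""

def parse_response_head(raw):
    """Split a raw HTTP response head into (status code, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers

def charset_of(headers):
    """Return the charset parameter of Content-Type, upper-cased, or '' if absent."""
    for part in headers.get("content-type", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "charset":
            return value.strip().upper()
    return ""

def fingerprint_diffs(raw_a, raw_b):
    """List (field, value_a, value_b) for each stack fingerprint that differs.
    A different Server banner on another port of one IP is the 'two stacks on one box' signal."""
    _, ha = parse_response_head(raw_a)
    _, hb = parse_response_head(raw_b)
    diffs = [(k, ha.get(k, "<absent>"), hb.get(k, "<absent>"))
             for k in ("server", "x-powered-by") if ha.get(k) != hb.get(k)]
    if charset_of(ha) != charset_of(hb):
        diffs.append(("charset", charset_of(ha), charset_of(hb)))
    return diffs
```

An empty list means both ports answer with the same stack; any "server" entry is the discrepancy worth escalating to the host owner.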
- #MalwareMustDie