PoC +Guide to confirm a legit service hacked by BHEK at 8080

MalwareMustDie, Dec 24th, 2012
// #MalwareMustDie - Crusaders' diary
// @unixfreaxjp of MMD is 100% responsible for this check.
// A guide to confirming a legit service hacked by Blackhole Exploit Kit.
//
// Background:
// While I was checking the malicious domain bilainkos.ru, I found out its DNS was renewed just now.
// I remembered a fellow crusader's reminder asking me about a hacked IP in TW,
// so let's use this opportunity to prove it:

// Malicious host targeted
bilainkos.ru     A      91.224.135.20
bilainkos.ru     A      187.85.160.106
bilainkos.ru     A      210.71.250.131

// SOA
bilainkos.ru
        origin = ns1.bilainkos.ru
        mail addr = root.bilainkos.ru
        serial = 2012010101
        refresh = 604800
        retry = 1800
        expire = 1800
        minimum = 60

// WHOIS
domain:        BILAINKOS.RU
nserver:       ns1.bilainkos.ru. 62.76.186.24
nserver:       ns2.bilainkos.ru. 110.164.58.250
nserver:       ns3.bilainkos.ru. 42.121.116.38
nserver:       ns4.bilainkos.ru. 41.168.5.140
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created:       2012.12.16
paid-till:     2013.12.16
free-date:     2014.01.16
source:        TCI
Last updated on 2012.12.25 05:51:35 MSK <===========  HERE, JUST RENEWED


// Let's check the infection of 210.71.250.131
// URLQuery of 210.71.250.131:
// http://urlquery.net/search.php?q=210.71.250.131&type=string&start=2012-12-10&end=2012-12-25&max=50

2012-12-23 01:17:02     http://bilainkos.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
2012-12-22 01:18:03     http://bilainkos.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
2012-12-21 05:50:54     http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
2012-12-20 23:20:48     http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
2012-12-20 18:46:22     http://apendiksator.ru:8080/forum/links/column.php      [Taiwan] 210.71.250.131
2012-12-20 04:21:25     http://akionokao.ru/forum/links/public_version.php      [Taiwan] 210.71.250.131
2012-12-19 20:53:24     http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131

// A second-opinion check: DNS requests aimed at 210.71.250.131

bunakaranka.ru   A      210.71.250.131
afjdoospf.ru     A      210.71.250.131
angelaonfl.ru    A      210.71.250.131
akionokao.ru     A      210.71.250.131
apendiksator.ru  A      210.71.250.131
bilainkos.ru     A      210.71.250.131

// Realizing that 210.71.250.131 is bound to a legit Taiwan business page:
// http://www.tecom.com.tw/

// What/where is 210.71.250.131?

// Backbone:
AS Number:      AS3462
inetnum:        210.71.128.0 - 210.71.255.255
netname:        HINET-TW
descr:          CHTD, Chunghwa Telecom Co.,Ltd.
descr:          Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr:          Taipei Taiwan 100
country:        TW
admin-c:        HN27-AP
tech-c:         HN28-AP

// IP Owner:
inetnum:        210.71.250.131 - 210.71.250.131
netname:        TECOM-921-TW
descr:          Taipei Taiwan
country:        TW
admin-c:        JS1343-TW
tech-c:         JS1343-TW
mnt-by:         MAINT-TW-TWNIC

====================
PoC is here...
It is proven that the legit server can
have a proxy implemented on it (in this case on port 8080)
which serves the Blackhole Exploit Kit
====================

// Send a normal HTTP request to 210.71.250.131:80

--2012-12-25 11:26:05--  http://210.71.250.131/
Connecting to 210.71.250.131:80... connected.
Created socket 3.
GET / HTTP/1.1
User-Agent: Mozilla 5.0 (WinNT 6.0; IE 6.0)
Accept: */*
Host: 210.71.250.131
Connection: Keep-Alive
HTTP request sent, awaiting response...

---response begin---
HTTP/1.1 302 Found
Date: Tue, 25 Dec 2012 02:24:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Location: http://www.tecom.com.tw/en/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8  // A legit reply!


// So let's send a debug request to port 8080 of the same IP:
// I used the latest infection URL structure to make sure that
// I aimed at a real page:

--2012-12-25 11:21:47--  
h00p://210.71.250.131:8080/forum/links/column.php
Connecting to 210.71.250.131:8080... connected.
GET /forum/links/column.php HTTP/1.1
User-Agent: Mozilla 5.0 (WinNT 6.0; IE 6.0)
Accept: */*
Host: 210.71.250.131:8080
Connection: Keep-Alive
HTTP request sent, awaiting response...

---response begin---
HTTP/1.1 500 Internal Server Error
Server: nginx/1.0.10
Date: Tue, 25 Dec 2012 02:20:39 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 0            // It is a Blackhole service!

---
#MalwareMustDie
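As an added example (not part of the paste), this Python helper automates the comparison the diary makes: it fingerprints the captured response heads for :80 and :8080 and reports the stack fields on which they disagree, and it pulls (port, path) pairs out of urlquery-style records so the same infection path is requested on the suspect port. Function names are my own; the response heads and records are constructed samples copied from the paste above.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: response heads and urlquery records copied from the diary above.
RESP_80 = """HTTP/1.1 302 Found
Date: Tue, 25 Dec 2012 02:24:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Location: http://www.tecom.com.tw/en/
Content-Type: text/html; charset=UTF-8"""
RESP_8080 = """HTTP/1.1 500 Internal Server Error
Server: nginx/1.0.10
Date: Tue, 25 Dec 2012 02:20:39 GMT
Content-Type: text/html; charset=CP-1251
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 0"""
URLQUERY = """2012-12-23 01:17:02 http://bilainkos.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
2012-12-21 05:50:54 http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
2012-12-20 04:21:25 http://akionokao.ru/forum/links/public_version.php [Taiwan] 210.71.250.131"""

def fingerprint(raw_head):
    """Reduce a raw HTTP response head to the fields that identify the serving stack."""
    lines = raw_head.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)   # split on the first colon only
            headers[name.strip().lower()] = value.strip()
    m = re.search(r"charset=([\w-]+)", headers.get("content-type", ""), re.I)
    return {"status": status, "server": headers.get("server", ""),
            "powered_by": headers.get("x-powered-by", ""),
            "charset": m.group(1).upper() if m else ""}

def stack_mismatch(fp_a, fp_b):
    """Fields on which two ports of one IP disagree; a non-empty list means an
    unrelated web stack answers on the second port (the diary's PoC condition)."""
    return [k for k in ("server", "powered_by", "charset") if fp_a[k] != fp_b[k]]

def probe_targets(urlquery_text, ip):
    """(port, path) pairs recorded for one IP, so the same infection path can be
    requested on that IP's suspect port instead of guessing a page."""
    targets = set()
    for rec in urlquery_text.splitlines():
        fields = rec.split()                   # date, time, url, [country], ip
        if len(fields) < 5 or fields[-1] != ip:
            continue
        u = urlsplit(fields[2])
        targets.add((u.port or 80, u.path))    # no explicit port means :80
    return sorted(targets)
```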