unixfreaxjp

RedKit Infector Domain : qaqipwel.ru

Sep 16th, 2012
Investigation Log #MalwareMustDie!!!!
URL: h00p://qaqipwel.ru/count22.php
---------------------------------take 1-------------------------------------
--15:35:30-- h00p://qaqipwel.ru/count22.php
=> `count22.php'
Resolving qaqipwel.ru... 77.38.198.12
Connecting to qaqipwel.ru|77.38.198.12|:80... connected.
HTTP request sent, awaiting response... 302
Location: h00p://sa-wan.com/93020006.html [following]
--15:35:33-- h00p://sa-wan.com/93020006.html
=> `93020006.html'
Resolving sa-wan.com... 72.167.232.75
Connecting to sa-wan.com|72.167.232.75|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
15:35:47 ERROR 404: Not Found.

-----------------------------------take 2-------------------------------------

--15:49:39-- h00p://qaqipwel.ru/count22.php
=> `count22.php.1'
Resolving qaqipwel.ru... 77.90.120.34
Connecting to qaqipwel.ru|77.90.120.34|:80... connected.
HTTP request sent, awaiting response... 200
Length: 146 []
15:49:40 (0.00 B/s) - `count22.php' saved [146/146]

GET /count22.php HTTP/1.0
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3
Accept: */*
Host: qaqipwel.ru
Connection: Keep-Alive

HTTP/1.1 200
Server: Apache
Content-Length: 142
Content-Type:
Last-Modified: .., 16 ... 2012 06:42:12 GMT
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Sun, 16 Sep 2012 06:42:15 GMT
X-Powered-By:PHP/5.3.2

<!DOCTYPE HTML><html><head>
<script type="text/javascript">parent.location.href = "h00p://goherdscan.com/";</script>
</head><body></body></html>


--15:52:40-- h00p://goherdscan.com/ <--- Canadian Pharmacy
=> `index.html'
Resolving goherdscan.com... 78.129.177.19
Connecting to goherdscan.com|78.129.177.19|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 53,472 165.25K/s
15:52:43 (165.07 KB/s) - `index.html' saved [53472]

GET / HTTP/1.0
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3
Accept: */*
Host: goherdscan.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.2.3
Date: Sun, 16 Sep 2012 06:50:29 GMT
Content-Type: text/html; charset=ISO-8859-1
Connection: close
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=jvo0smm5b6fapcif93v0bn67q4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent

--------------------------------take 3------------------------------------------


--2012-09-16 15:16:04-- h00p://qaqipwel.ru/count22.php
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 302
Location: h00p://cestasefloresluana.com.br/30400006.html [following]
--2012-09-16 15:16:12-- h00p://cestasefloresluana.com.br/30400006.html
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 404 Not Found
2012-09-16 15:16:23 ERROR 404: Not Found.

----------------------------------take 4-----------------------------------------

--2012-09-16 15:20:10-- h00p://qaqipwel.ru/count22.php
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 200
Length: 146 []
Saving to: `count22.php'
100%[=============>] 146 361B/s in 0.4s
Last-modified header invalid -- time-stamp ignored.
2012-09-16 15:20:12 (361 B/s) - `count22.php' saved [146/146]

$ cat count22.php

<!DOCTYPE HTML><html><head>
<script type="text/javascript">parent.location.href = "h00p://mytabletcialis.com/";</script>
</head><body></body></html>

Cialis? Drug Site...

---------------------------------------------------------------------------------
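The four takes above show the same count22.php URL producing two different kinds of hop: an HTTP 302 with a Location header whose target is already 404 by the time it is fetched (takes 1 and 3), and a 200 whose body is a one-line `parent.location.href` JavaScript redirect to a pharmacy site (takes 2 and 4), with the domain resolving to different IPs between takes. The script below is an added example, not the author's tooling or part of the original paste: it walks such a chain offline, extracting the next hop from each raw response (HTTP 3xx Location, or a JavaScript location assignment in a 200 body) without executing any script, and records every hop with its status code. The `fetch` callable is an assumption for illustration; the sample responses are constructed from the values visible in the log (the pharmacy page body is a stand-in), and URLs are kept defanged as h00p:// throughout.

```python
"""Offline redirect-chain walker for logs like the one above (added example).

Extracts the next hop from a raw HTTP response, whether it is a 3xx Location
header or a JavaScript location assignment in a 200 body, and walks the chain
without executing any script. Fixtures are constructed from the log's values.
"""
import re
from urllib.parse import urljoin

_DEFANGED = re.compile(r"^h00p(s?)://", re.IGNORECASE)
_LIVE = re.compile(r"^http(s?)://", re.IGNORECASE)


def refang(url):
    """h00p://x -> http://x so urljoin() treats it as an ordinary absolute URL."""
    return _DEFANGED.sub(r"http\1://", url)


def defang(url):
    """http://x -> h00p://x so nothing stored or printed is clickable."""
    return _LIVE.sub(r"h00p\1://", url)


# Client-side redirects of the form seen in count22.php:
#   parent.location.href = "h00p://goherdscan.com/";
# plus the usual variants (window/top/self.location, location.replace(...)).
_JS_REDIRECT = re.compile(
    r"""(?:(?:parent|top|window|self|document)\.)?\blocation(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|\blocation\.(?:replace|assign)\(\s*["']([^"']+)["']\s*\)""",
    re.IGNORECASE,
)


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body).

    Header names are lower-cased and values kept as lists: the take 2 response
    carries two Server: lines and values with no space after the colon.
    """
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    status_line, *header_lines = head.split("\n")
    code = int(status_line.split(None, 2)[1])  # "HTTP/1.1 200" has no reason phrase
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return code, headers, body


def next_hop(current_url, raw):
    """Return (status_code, kind, next_url); kind is 'http-redirect',
    'js-redirect' or 'end' when no further hop is found (e.g. a 404)."""
    code, headers, body = parse_response(raw)
    base = refang(current_url)
    if 300 <= code < 400 and headers.get("location"):
        return code, "http-redirect", defang(urljoin(base, refang(headers["location"][0])))
    if code == 200:
        m = _JS_REDIRECT.search(body)
        if m:
            return code, "js-redirect", defang(urljoin(base, refang(m.group(1) or m.group(2))))
    return code, "end", None


def walk_chain(start_url, fetch, max_hops=10):
    """Follow hops until the chain ends, loops, or max_hops is reached.

    fetch(url) -> raw response text or None. In a live run this is a real
    client with a browser User-Agent and auto-redirects disabled so every hop
    is recorded; here it is fed constructed responses. Returns
    [(url, status_code, kind), ...].
    """
    hops, seen, url = [], set(), start_url
    while url is not None and len(hops) < max_hops:
        key = refang(url)
        if key in seen:
            hops.append((url, None, "loop"))
            break
        seen.add(key)
        raw = fetch(url)
        if raw is None:
            hops.append((url, None, "no-response"))
            break
        code, kind, url_next = next_hop(url, raw)
        hops.append((url, code, kind))
        url = url_next
    return hops


# Constructed fixtures transcribed from the log (not captured by this script).
COUNT22_TAKE1 = (  # take 1: 302 to a landing page that answered 404
    "HTTP/1.1 302 Found\r\nServer: Apache\r\n"
    "Location: h00p://sa-wan.com/93020006.html\r\nContent-Length: 0\r\n\r\n"
)
LANDING_404 = "HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n<html>Not Found</html>"
COUNT22_TAKE2 = (  # take 2: headers and body as shown in the log
    "HTTP/1.1 200\r\nServer: Apache\r\nContent-Length: 142\r\nContent-Type:\r\n"
    "Accept-Ranges: bytes\r\nServer:nginx/0.8.34\r\n"
    "Date:Sun, 16 Sep 2012 06:42:15 GMT\r\nX-Powered-By:PHP/5.3.2\r\n\r\n"
    '<!DOCTYPE HTML><html><head>\n<script type="text/javascript">'
    'parent.location.href = "h00p://goherdscan.com/";</script>\n'
    "</head><body></body></html>\n"
)
PHARMA_PAGE = (  # stand-in body; the real page was 53,472 bytes of pharmacy spam
    "HTTP/1.1 200 OK\r\nServer: nginx/1.2.3\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n<html><body>pharmacy</body></html>"
)
TAKE1 = {"h00p://qaqipwel.ru/count22.php": COUNT22_TAKE1,
         "h00p://sa-wan.com/93020006.html": LANDING_404}
TAKE2 = {"h00p://qaqipwel.ru/count22.php": COUNT22_TAKE2,
         "h00p://goherdscan.com/": PHARMA_PAGE}

if __name__ == "__main__":
    for name, responses in (("take 1", TAKE1), ("take 2", TAKE2)):
        print(name)
        for url, code, kind in walk_chain("h00p://qaqipwel.ru/count22.php", responses.get):
            print(f"  {code}  {kind:14}  {url}")
```

Disabling auto-redirects in the real fetch is the point: wget's `[following]` collapses the 302 and its 404 target into one result, whereas recording each hop keeps the intermediate domain (sa-wan.com, cestasefloresluana.com.br) as an indicator even when its page is already gone. Relative Location values are resolved against the current URL, and a chain that revisits a URL is cut off as a loop rather than spinning until max_hops.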