- # MalwareMustDie - Malvertisement check
- # Jan 27th 2014 | @unifreaxjp
- # THE FAILED ATTEMPT LOG
- // The suspect:
- h00p://ftp.southernvac.com/bibliographic/index.html
- // Source = spam link from a spambot (template)
- pic: http://goo.gl/h1uKmf
- // FULL record of URLs accessed:
- http://ftp.southernvac.com/bibliographic/index.html
- http://img.sedoparking.com/js/jquery-1.4.2.min.js
- http://www.google.com/adsense/domains/caf.js
- http://www.google.com/ads/search/module/ads/1.0/e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82/n/domains.js
- http://www.google.com/adsense/domains/caf.js
- http://img.sedoparking.com/templates/brick_gfx/1/logo_white.png
- http://www.google.com/ads/search/module/ads/1.0/e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82/n/domains.js
- http://www.gstatic.com/domainads/tracking/caf.gif?ts=1390811702612&rid=6678328
- http://dp.g.doubleclick.net/static/caf/slave.html#slave-2-1
- http://dp.g.doubleclick.net/static/caf/slave.html#slave-1-1
- http://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=dp-sedo93&channel=auxa-control-1%2C406102&hl=ja&adtest=off&r=m&kw=southernvac&drid=as-drid-2799107389033096&oe=UTF-8&ie=UTF-8&fexp=21404&format=p5%7Cr10%7Cs&ad=a5&adrep=2&num=0&output=caf&domain_name=southernvac.com&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&u_his=5&u_tz=540&dt=1390811702634&u_w=1366&u_h=768&biw=769&bih=569&psw=769&psh=378&frm=0&ui=uv3aTsLsRcC-af3st24sd16sv16sa14lt28ld18lv18-st22sa14lt26-&rurl=http%3A%2F%2Fftp.southernvac.com%2Fbibliographic%2Findex.html#master-1
- http://ftp.southernvac.com/search/tsc.php?&ses=13908117012ad7f58e8d84f54b21bae1aa45bda581&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM=&681=MTM5MDgxMTcwMTJhZDdmNThlOGQ4NGY1NGIyMWJhZTFhYTQ1YmRhNTgx&682=&616=&crc=2b27b276b0262d28416c7cba9a4e5104b50a2a92&cv=1
- http://www.google.com/adsense/domains/caf.js
- http://www.google.com/ads/search/module/ads/1.0/e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82/n/domains.js
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=aD.1%3Aexists&cem=fsnbtGSB2&nc1390811702873
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.b%3Aexists&cem=fsnbtGSB2&nc1390811702875
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.aFS%3Aexists&cem=fsnbtGSB2&nc1390811702876
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.aDULT%3Aexists&cem=fsnbtGSB2&nc1390811702879
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.fL%3Aexists&cem=fsnbtGSB2&nc1390811702880
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.tM%3Aexists&cem=fsnbtGSB2&nc1390811702882
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.nR%3Aexists&cem=fsnbtGSB2&nc1390811702883
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.eC%3Aexists&cem=fsnbtGSB2&nc1390811702884
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702885
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702886
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702887
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702887
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702888
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702889
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702890
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702891
- http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702893
- // List of all GET requests (path only)
- GET /bibliographic/index.html
- GET /adsense/domains/caf.js
- GET /js/jquery-1.4.2.min.js
- GET /ads/search/module/ads/1.0/e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82/n/domains.js
- GET /templates/brick_gfx/1/logo_white.png
- GET /static/caf/slave.html
- GET /domainads/tracking/caf.gif?ts=1390811702612&rid=6678328
- GET /apps/domainpark/domainpark.cgi?client=dp-sedo93&channel=auxa-control-1%2C406102&hl=ja&adtest=off&r=m&kw=southernvac&drid=as-drid-2799107389033096&oe=UTF-8&ie=UTF-8&fexp=21404&format=p5%7Cr10%7Cs&ad=a5&adrep=2&num=0&output=caf&domain_name=southernvac.com&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&u_his=5&u_tz=540&dt=1390811702634&u_w=1366&u_h=768&biw=769&bih=569&psw=769&psh=378&frm=0&ui=uv3aTsLsRcC-af3st24sd16sv16sa14lt28ld18lv18-st22sa14lt26-&rurl=http%3A%2F%2Fftp.southernvac.com%2Fbibliographic%2Findex.html
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.b%3Aexists&cem=fsnbtGSB2&nc1390811702875
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=aD.1%3Aexists&cem=fsnbtGSB2&nc1390811702873
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.aFS%3Aexists&cem=fsnbtGSB2&nc1390811702876
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.aDULT%3Aexists&cem=fsnbtGSB2&nc1390811702879
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.fL%3Aexists&cem=fsnbtGSB2&nc1390811702880
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.tM%3Aexists&cem=fsnbtGSB2&nc1390811702882
- GET /search/tsc.php?&ses=13908117012ad7f58e8d84f54b21bae1aa45bda581&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM=&681=MTM5MDgxMTcwMTJhZDdmNThlOGQ4NGY1NGIyMWJhZTFhYTQ1YmRhNTgx&682=&616=&crc=2b27b276b0262d28416c7cba9a4e5104b50a2a92&cv=1
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.nR%3Aexists&cem=fsnbtGSB2&nc1390811702883
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702885
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.eC%3Aexists&cem=fsnbtGSB2&nc1390811702884
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702886
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702887
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702889
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702890
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702888
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702891
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702893
- GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702887
- // snapshot
- pic: http://goo.gl/muiaPb
- // dive..
- --2014-01-27 16:22:44-- http://ftp.southernvac.com/bibliographic/index.html
- Resolving ftp.southernvac.com... seconds 0.00, 82.98.86.179
- Caching ftp.southernvac.com => 82.98.86.179
- Connecting to ftp.southernvac.com|82.98.86.179|:80... seconds 0.00, connected.
- ---request begin---
- GET /bibliographic/index.html HTTP/1.0
- Host: ftp.southernvac.com
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.0 200 OK
- Date: Mon, 27 Jan 2014 07:22:45 GMT
- Server: Apache
- X-Powered-By: PHP/5.3.3-7+squeeze17
- Expires: Mon, 26 Jul 1997 05:00:00 GMT
- Last-Modified: Mon, 27 Jan 2014 07:22:45 GMT
- Cache-Control: no-store, no-cache, must-revalidate
- Cache-Control: post-check=0, pre-check=0
- Pragma: no-cache
- Set-Cookie: tu=e63e3b9270c5c09378346e8de69b277e; expires=Tue, 31-Dec-2019 23:00:00 GMT; path=/; domain=southernvac.com;httponly
- X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RPgiFxDqSFIiVdV/hBv9vivShzE309uojuvF5cPC92cJgi8bDuG8txTE+vVGcqOl/L1LcDru/dAut7Mrvq0lnA==
- Vary: User-Agent,Accept-Encoding
- Content-Type: text/html
- X-Cache: MISS from 220143
- Connection: close
- ---response end---
- 200 OK
- Stored cookie southernvac.com -1 (ANY) / <permanent> <insecure> [expiry 2020-01-01 08:00:00] tu e63e3b9270c5c09378346e8de69b277e
- Length: unspecified [text/html]
- Saving to: `index.html'
- 2014-01-27 16:22:46 (668 KB/s) - `index.html' saved [23506]
- // cookie:
- # HTTP cookie file.
- .southernvac.com TRUE / FALSE 1577833200 tu e63e3b9270c5c09378346e8de69b277e
- // at the end of the page there is a script that auto-executes, issuing a GET to:
- http://ftp.southernvac.com/search/tsc.php?&ses=1390807365f7d8fabb1efc200587f15a25c1e391cf&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM=&681=MTM5MDgwNzM2NWY3ZDhmYWJiMWVmYzIwMDU4N2YxNWEyNWMxZTM5MWNm&682=&616=&crc=5d59035def968c12d36c094c262f4f662ac13cb8&cv=1
- // checks:
- ---request begin---
- GET /search/tsc.php?&ses=1390807365f7d8fabb1efc200587f15a25c1e391cf&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM=&681=MTM5MDgwNzM2NWY3ZDhmYWJiMWVmYzIwMDU4N2YxNWEyNWMxZTM5MWNm&682=&616=&crc=5d59035def968c12d36c094c262f4f662ac13cb8&cv=1 HTTP/1.0
- Host: ftp.southernvac.com
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.0 200 OK
- Date: Mon, 27 Jan 2014 07:28:14 GMT
- Server: Apache
- X-Powered-By: PHP/5.3.3-7+squeeze17
- Vary: User-Agent,Accept-Encoding
- Content-Length: 0
- Content-Type: text/html
- X-Cache: MISS from 230350
- Connection: close
- ---response end---
- 200 OK
- Length: 0 [text/html] // DOH! (empty body)
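- // Added example (mine, not part of the original paste): pulling apart the tsc.php beacon parameters. The numbered fields are plain base64: 681 is the ses value again, 200 is a numeric id (192263771, meaning unknown), and 21 is an IPv4 address (123.198.94.143, identical in the browser run and the wget run; presumably the visiting client's own address, which is an assumption). The 10-digit prefix of ses is a unix timestamp: for the wget run it decodes to 07:22:45 UTC, the same second as the Date header of the index.html response above, and for the browser run to 08:35:01 UTC, about 1.6 s before the dt= and ts= values in the domainpark.cgi and caf.gif requests. The ses layout (time + 32 hex chars) is an observation from these two URLs, not documented behaviour, and the helper names below are my own.

```python
import base64
import binascii
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Copied verbatim from the log above: the beacon fired by the browser session
# and the one found in the page fetched with wget.
TSC_BROWSER = ("http://ftp.southernvac.com/search/tsc.php?&ses=13908117012ad7f58e8d84f54b21bae1aa45bda581"
               "&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM="
               "&681=MTM5MDgxMTcwMTJhZDdmNThlOGQ4NGY1NGIyMWJhZTFhYTQ1YmRhNTgx"
               "&682=&616=&crc=2b27b276b0262d28416c7cba9a4e5104b50a2a92&cv=1")
TSC_WGET = ("http://ftp.southernvac.com/search/tsc.php?&ses=1390807365f7d8fabb1efc200587f15a25c1e391cf"
            "&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM="
            "&681=MTM5MDgwNzM2NWY3ZDhmYWJiMWVmYzIwMDU4N2YxNWEyNWMxZTM5MWNm"
            "&682=&616=&crc=5d59035def968c12d36c094c262f4f662ac13cb8&cv=1")

HEX = set("0123456789abcdef")


def maybe_b64(value):
    """Decode value as base64 if it is well-formed and yields printable ASCII, else None."""
    if not value or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def decode_tsc(url):
    """Pull apart one tsc.php beacon URL.

    Returns the raw parameters, the base64-decodable ones decoded, and the
    ses value split into its unix-time prefix and the 32-hex-char token that
    follows it (observed layout from the two URLs in the log, not documented).
    """
    query = urlsplit(url).query.lstrip("&")  # the logged URLs start with "?&"
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    decoded = {k: d for k, d in ((k, maybe_b64(v)) for k, v in params.items()) if d is not None}
    result = {"raw": params, "decoded": decoded}
    ses = params.get("ses", "")
    if len(ses) == 42 and ses[:10].isdigit() and set(ses[10:]) <= HEX:
        result["ses_time"] = datetime.fromtimestamp(int(ses[:10]), tz=timezone.utc)
        result["ses_token"] = ses[10:]
    return result


def compare_beacons(a, b):
    """Which decoded fields stay constant across two beacons, and which change."""
    da, db = decode_tsc(a)["decoded"], decode_tsc(b)["decoded"]
    same = sorted(k for k in da if db.get(k) == da[k])
    changed = sorted(k for k in da if k in db and db[k] != da[k])
    return same, changed


if __name__ == "__main__":
    for url in (TSC_BROWSER, TSC_WGET):
        r = decode_tsc(url)
        print(r["ses_time"].isoformat(), r["ses_token"], r["decoded"])
    print(compare_beacons(TSC_BROWSER, TSC_WGET))
```

- // Since tsc.php answers with Content-Length: 0, the beacon is fire-and-forget: everything it records lives server-side, and this URL is the only client-visible part of it. Fields 682 and 616 were empty in both runs and crc/cv are not base64, so they are left as-is.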
- // PCAP: http://www.mediafire.com/download/yrqy80dj3dj7p8a/001(2).pcap
- // Verdict:
- A wtf suspicious TDS (traffic direction system)..
- ----
- #MalwareMustDie!