MalwareMustDie

How good sites also check HTTP params & redirect w/ frame

Nov 9th, 2012
===============================
#MalwareMustDie -
How good sites also use iframe
with checking reference &
params....(-.- );;
Sat Nov 10 02:03:25 JST 2012
===============================

// blacklisted URL was checked....looping in normal access..

--01:36:07-- h00p://centatu.com/count26.php
=> `count26.php'
Resolving centatu.com... 204.13.160.107
Connecting to centatu.com|204.13.160.107|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

--01:36:07-- http://centatu.com/count26.php
(try: 2) => `count26.php'
Connecting to centatu.com|204.13.160.107|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

--01:36:07-- http://centatu.com/count26.php
(try: 3) => `count26.php'
Connecting to centatu.com|204.13.160.107|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--01:36:08-- http://centatu.com/count26.php
(try: 4) => `count26.php'
Connecting to centatu.com|204.13.160.107|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--01:36:08-- http://centatu.com/count26.php
(try: 5) => `count26.php'
Connecting to centatu.com|204.13.160.107|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

// using myfetch + tor + full params.. 1st time effort grabbed

--01:39:27-- http://centatu.com/count26.php
=> `./sample'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 200 (OK)
Length: 1,888 (1.8K) [text/html]
01:39:32 (6.36 KB/s) - `./sample' saved [1888/1888]

// let's see what this file has....

$ cat sample | grep $strangecode..

<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA" name="centatu.com">
</frameset>
<noframes>
<body><a href="http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA">Click here to go to centatu.com</a>.</body>
</noframes>

// iframe with http://centatu.com?epl=SI1J... requests looks interesting...


--01:42:13-- http://centatu.com/?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA
=> `./sample'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 200 (OK)
Length: 97,718 (95K) [text/html]

35% [===========> ] 34,260 8.99K/s ETA 00:46

01:42:21 (8.98 KB/s) - Connection closed at byte 34260. Retrying.

--01:42:21-- http://centatu.com/?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA
(try: 2) => `./sample'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 200 (OK)
Length: 97,089 (95K) [text/html]
01:42:27 (53.61 KB/s) - `./sample' saved [97089/97089]



//making short...===> http://cdn.dsultra.com/js/main.js & www.google-analytics.com/ga.js


;; QUESTION SECTION:
;cdn.dsultra.com. IN ANY

;; ANSWER SECTION:
cdn.dsultra.com. 1372 IN CNAME oversee.vo.llnwd.net.

;; AUTHORITY SECTION:
dsultra.com. 1372 IN NS ns-1295.awsdns-33.org.
dsultra.com. 1372 IN NS ns-1606.awsdns-08.co.uk.
dsultra.com. 1372 IN NS ns-749.awsdns-29.net.
dsultra.com. 1372 IN NS ns-491.awsdns-61.com.

;; ADDITIONAL SECTION:
ns-491.awsdns-61.com. 1372 IN A 205.251.193.235
ns-749.awsdns-29.net. 1745 IN A 205.251.194.237
ns-1295.awsdns-33.org. 1372 IN A 205.251.197.15
ns-1606.awsdns-08.co.uk. 1406 IN A 205.251.198.70


// let's see what code that is....

--01:54:34-- http://cdn.dsultra.com/js/main.js
=> `main.js'
Resolving cdn.dsultra.com... 203.77.188.253, 203.77.188.254
Connecting to cdn.dsultra.com|203.77.188.253|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24,326 (24K) [application/x-javascript] <=====//clean ones....


//Just to be sure....simulate...

[HTTP] URL: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA (Status: 200, Referrer: None)
[HTTP] URL: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA (Content-type: text/html, MD5: 3f9a4d3490d486acd1878323980bc0bc)
<meta content="text/html;charset=utf-8" http-equiv="Content-Type"/>
<meta content="" http-equiv="keywords"/>
<meta content="" http-equiv="description"/>
<link href="http://cdn.dsultra.com/favicon/mi_favicon.ico" rel="shortcut icon" type="image/x-icon"/>
[HTTP] URL: http://cdn.dsultra.com/favicon/mi_favicon.ico (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://cdn.dsultra.com/favicon/mi_favicon.ico (Content-type: text/plain; charset=UTF-8, MD5: 1cdecc190b122a232e64945332de0546)
<link href="http://cdn.dsultra.com/css/11800/landing/ja.css" rel="stylesheet" type="text/css"/>
[HTTP] URL: http://cdn.dsultra.com/css/11800/landing/ja.css (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://cdn.dsultra.com/css/11800/landing/ja.css (Content-type: text/css, MD5: 703670399c78cbec350d4b8704b8da44)
[HTTP] URL: http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js (Content-type: text/javascript; charset=UTF-8, MD5: 5f4ccf13367a04a1678a8d2ef9c5d2ad)
[HTTP] URL: http://googleads.g.doubleclick.net/apps/domainpark/domainpark.cgi?callback=_google_json_callback&output=js&client=ca-dp-oversee-rs_js&domain_name=centatu.com&hl=en&channel=007390&adtest=off&s=centatu.com&kw=free%2520forex%2520signal&kw_type=broad&num_ads=0&num_radlinks=18&dt=1352480258529&u_tz=540&u_his=1&u_w=800&frm=0&ref=about%3Ablank (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://googleads.g.doubleclick.net/apps/domainpark/domainpark.cgi?callback=_google_json_callback&output=js&client=ca-dp-oversee-rs_js&domain_name=centatu.com&hl=en&channel=007390&adtest=off&s=centatu.com&kw=free%2520forex%2520signal&kw_type=broad&num_ads=0&num_radlinks=18&dt=1352480258529&u_tz=540&u_his=1&u_w=800&frm=0&ref=about%3Ablank (Content-type: application/javascript; charset=UTF-8, MD5: 8625b0e4b333765613e5b14bf64010fc)
[Navigator URL Translation] /?epl=G9UAB46BtH-n6Z_EhT81_ITsSoxAQuEUyV38IQZp1HWu1pYGSTmo9WI--FCEBcNIDCF1Li71nkBJpF6to7El8M3MSosC8w3NPoHA9kKyCXIdPC3iPMRoh1ZyT6QQiFahnoS9dlwAla31j0qJlXMO4mwh1YmCXYm1ECMFtBSe8r96bPMW5lhDRkmbSKhIa9DgTVz2fYAlQijkUGBBpc3AYH3aYHfxriJSZgXtXAHD4f7cYONp_Ru_Nn4_gRt0DamH9iCwRu7YyIQUIjCxORW9ktcRZwoOIA8Qqm5QdZQBiAIbdd1OGMJpPNsNOjsl1HffMwedbHPNGtEE4q8yKoqDXwgoGiJPFwYAxCBTTxoa9UQmU4MGAPUgpokeNaGfajI91aAG05DJ0ERPI5mapxraVINVDQEw4P_vvwCA8v8BQQBAgFscAAAhuxIjWVMmWUExNmhaQqABAADw --> http://centatu.com/?epl=G9UAB46BtH-n6Z_EhT81_ITsSoxAQuEUyV38IQZp1HWu1pYGSTmo9WI--FCEBcNIDCF1Li71nkBJpF6to7El8M3MSosC8w3NPoHA9kKyCXIdPC3iPMRoh1ZyT6QQiFahnoS9dlwAla31j0qJlXMO4mwh1YmCXYm1ECMFtBSe8r96bPMW5lhDRkmbSKhIa9DgTVz2fYAlQijkUGBBpc3AYH3aYHfxriJSZgXtXAHD4f7cYONp_Ru_Nn4_gRt0DamH9iCwRu7YyIQUIjCxORW9ktcRZwoOIA8Qqm5QdZQBiAIbdd1OGMJpPNsNOjsl1HffMwedbHPNGtEE4q8yKoqDXwgoGiJPFwYAxCBTTxoa9UQmU4MGAPUgpokeNaGfajI91aAG05DJ0ERPI5mapxraVINVDQEw4P_vvwCA8v8BQQBAgFscAAAhuxIjWVMmWUExNmhaQqABAADw
[HTTP] URL: http://centatu.com/?epl=G9UAB46BtH-n6Z_EhT81_ITsSoxAQuEUyV38IQZp1HWu1pYGSTmo9WI--FCEBcNIDCF1Li71nkBJpF6to7El8M3MSosC8w3NPoHA9kKyCXIdPC3iPMRoh1ZyT6QQiFahnoS9dlwAla31j0qJlXMO4mwh1YmCXYm1ECMFtBSe8r96bPMW5lhDRkmbSKhIa9DgTVz2fYAlQijkUGBBpc3AYH3aYHfxriJSZgXtXAHD4f7cYONp_Ru_Nn4_gRt0DamH9iCwRu7YyIQUIjCxORW9ktcRZwoOIA8Qqm5QdZQBiAIbdd1OGMJpPNsNOjsl1HffMwedbHPNGtEE4q8yKoqDXwgoGiJPFwYAxCBTTxoa9UQmU4MGAPUgpokeNaGfajI91aAG05DJ0ERPI5mapxraVINVDQEw4P_vvwCA8v8BQQBAgFscAAAhuxIjWVMmWUExNmhaQqABAADw (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://centatu.com/?epl=G9UAB46BtH-n6Z_EhT81_ITsSoxAQuEUyV38IQZp1HWu1pYGSTmo9WI--FCEBcNIDCF1Li71nkBJpF6to7El8M3MSosC8w3NPoHA9kKyCXIdPC3iPMRoh1ZyT6QQiFahnoS9dlwAla31j0qJlXMO4mwh1YmCXYm1ECMFtBSe8r96bPMW5lhDRkmbSKhIa9DgTVz2fYAlQijkUGBBpc3AYH3aYHfxriJSZgXtXAHD4f7cYONp_Ru_Nn4_gRt0DamH9iCwRu7YyIQUIjCxORW9ktcRZwoOIA8Qqm5QdZQBiAIbdd1OGMJpPNsNOjsl1HffMwedbHPNGtEE4q8yKoqDXwgoGiJPFwYAxCBTTxoa9UQmU4MGAPUgpokeNaGfajI91aAG05DJ0ERPI5mapxraVINVDQEw4P_vvwCA8v8BQQBAgFscAAAhuxIjWVMmWUExNmhaQqABAADw (Content-type: text/javascript, MD5: f2a0d8767d74481ffec29e69d7389105)
[HTTP] URL: http://cdn.dsultra.com/js/main.js (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://cdn.dsultra.com/js/main.js (Content-type: application/x-javascript, MD5: 73106b24a1eb9fc9fd35fa65b9f189e5)

//↑same result... no infection......

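Added example, not code from the original paste or from MalwareMustDie's tooling: a small Python helper that pulls the frame target and its epl token out of a fetched frameset page like the one grepped above, and rebuilds the hop chain (host, status, referrer host, content-type, MD5) from the simulator's "[HTTP] URL:" lines so the landing can be reviewed in one table. The function names, the sample HTML and the log lines (with fake token and hashes) are constructed for this example.

```python
# Added example, not code from the original paste: extract the "epl" frame target
# from a fetched frameset page and rebuild the hop chain from "[HTTP] URL:" log lines.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

class _Targets(HTMLParser):  # collects <frame src> and <noframes> <a href> destinations
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frame" and a.get("src"):
            self.targets.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.targets.append(a["href"])

def frame_epl_tokens(html):
    """(host, epl) for every frame/link target found in the page, in document order."""
    p = _Targets()
    p.feed(html)
    return [(urlsplit(t).hostname, parse_qs(urlsplit(t).query).get("epl", [None])[0])
            for t in p.targets]

# The two line shapes the simulator emits per URL: a status line, then a content line.
STATUS_RE = re.compile(r"^\[HTTP\] URL: (\S+) \(Status: (\d+), Referrer: (\S+)\)$")
CONTENT_RE = re.compile(r"^\[HTTP\] URL: (\S+) \(Content-type: ([^,]+), MD5: ([0-9a-f]{32})\)$")
def parse_http_log(lines):
    """One dict per fetched URL, in fetch order, merging its status and content lines."""
    hops, order = {}, []
    for line in lines:
        s, c = STATUS_RE.match(line.strip()), CONTENT_RE.match(line.strip())
        if s:
            url, status, ref = s.groups()
            order.append(url)
            hops[url] = {"host": urlsplit(url).hostname, "status": int(status),
                         "referrer_host": None if ref == "None" else urlsplit(ref).hostname,
                         "content_type": None, "md5": None}
        elif c and c.group(1) in hops:  # content line for a URL we already saw
            hops[c.group(1)].update(content_type=c.group(2), md5=c.group(3))
    return [hops[u] for u in order]

# Constructed sample input (token and hashes are fakes, not the paste's real values).
FRAMESET_HTML = ('<frameset rows="100%,*"><frame src="http://centatu.com?epl=TOKEN_A"></frameset>'
                 '<noframes><body><a href="http://centatu.com?epl=TOKEN_A">Click</a></body></noframes>')
LOG = ["[HTTP] URL: http://centatu.com?epl=TOKEN_A (Status: 200, Referrer: None)",
       "[HTTP] URL: http://centatu.com?epl=TOKEN_A (Content-type: text/html, MD5: " + "a" * 32 + ")",
       "[HTTP] URL: http://cdn.dsultra.com/js/main.js (Status: 200, Referrer: http://centatu.com?epl=TOKEN_A)",
       "[HTTP] URL: http://cdn.dsultra.com/js/main.js (Content-type: application/x-javascript, MD5: " + "b" * 32 + ")"]
```

Feed it the real frameset sample and the full simulator output to get the same hop table for the centatu.com chain; a hop whose host or content-type does not fit the ad-parking pattern seen above is the one to pull and inspect.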
------
#MalwareMustDie
@unixfreaxjp | Sat Nov 10 02:03:25 JST 2012