===============================
#MalwareMustDie -
How good sites also use iframe
with checking reference &
params....(-.- );;
Sat Nov 10 02:03:25 JST 2012
===============================
// blacklisted URL was checked....looping in normal access..
--01:36:07-- h00p://centatu.com/count26.php
=> `count26.php'
Resolving centatu.com... 204.13.160.107
Connecting to centatu.com|204.13.160.107|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.
--01:36:07-- http://centatu.com/count26.php
(try: 2) => `count26.php'
Connecting to centatu.com|204.13.160.107|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.
--01:36:07-- http://centatu.com/count26.php
(try: 3) => `count26.php'
Connecting to centatu.com|204.13.160.107|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--01:36:08-- http://centatu.com/count26.php
(try: 4) => `count26.php'
Connecting to centatu.com|204.13.160.107|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--01:36:08-- http://centatu.com/count26.php
(try: 5) => `count26.php'
Connecting to centatu.com|204.13.160.107|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
// using myfetch + tor + full params.. grabbed on the 1st try
--01:39:27-- http://centatu.com/count26.php
=> `./sample'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 200 (OK)
Length: 1,888 (1.8K) [text/html]
01:39:32 (6.36 KB/s) - `./sample' saved [1888/1888]
// let's see what this file has....
$ cat sample | grep $strangecode..
<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA" name="centatu.com">
</frameset>
<noframes>
<body><a href="http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA">Click here to go to centatu.com</a>.</body>
</noframes>
// iframe with http://centatu.com?epl=SI1J... requests looks interesting...
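Added example, not code from the paste or from MalwareMustDie: a small Python parser for the step above. It reads a saved landing page, pulls the frame/iframe/anchor targets out of it, and reports for each target whether it leaves the host the page was fetched from and which query parameters look like opaque tokens (the long epl value in the frameset). The frameset sample is the one captured above; the second sample, pointing at cdn.example.net, is constructed for contrast and is not from the paste.

```python
# Added example (not from the original paste): extract frame/iframe/anchor
# targets from a saved landing page and flag opaque query tokens such as
# the "epl" value seen in the captured frameset.
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Token copied from the captured frameset above.
EPL_TOKEN = (
    "SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorr"
    "O7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WK"
    "MnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZ"
    "QTE2aFpChwAAAPA"
)

# Sample 1: the frameset captured from count26.php above (trimmed to the tags
# that matter for the parser).
SAMPLE_FRAMESET = f"""
<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://centatu.com?epl={EPL_TOKEN}" name="centatu.com">
</frameset>
<noframes>
<body><a href="http://centatu.com?epl={EPL_TOKEN}">Click here to go to centatu.com</a>.</body>
</noframes>
"""

# Sample 2: constructed for contrast, an off-origin iframe with ordinary
# (short, readable) query parameters. cdn.example.net is a placeholder host.
SAMPLE_OFF_ORIGIN = """
<html><body>
<iframe src="http://cdn.example.net/landing?ref=home&kw=forex"></iframe>
</body></html>
"""


class FrameTargetParser(HTMLParser):
    """Collect (tag, url) for every <frame>/<iframe> src and <a> href."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("frame", "iframe") and attrs.get("src"):
            self.targets.append((tag, attrs["src"]))
        elif tag == "a" and attrs.get("href"):
            self.targets.append((tag, attrs["href"]))


def analyse_targets(html, fetched_host, opaque_min_len=64):
    """Return one record per target: the tag, the target host, whether the
    target leaves fetched_host, the query parameter names, and the names of
    parameters whose value is at least opaque_min_len characters (a heuristic
    for encoded tokens like the epl value)."""
    parser = FrameTargetParser()
    parser.feed(html)
    records = []
    for tag, url in parser.targets:
        parts = urlsplit(url)
        host = parts.hostname or fetched_host  # relative URL stays on origin
        query = parse_qs(parts.query, keep_blank_values=True)
        opaque = sorted(
            name for name, values in query.items()
            if any(len(v) >= opaque_min_len for v in values)
        )
        records.append({
            "tag": tag,
            "host": host,
            "off_origin": host != fetched_host,
            "params": sorted(query),
            "opaque_params": opaque,
        })
    return records


if __name__ == "__main__":
    for label, html in (("frameset", SAMPLE_FRAMESET),
                        ("off-origin", SAMPLE_OFF_ORIGIN)):
        print(f"== {label} ==")
        for rec in analyse_targets(html, "centatu.com"):
            print(rec)
```

Run against a page saved the way the paste does (`./sample`), the frameset case yields two same-origin targets that both carry one opaque parameter, epl; the constructed case yields one off-origin target with only short parameters. The length threshold is a heuristic for spotting encoded tokens, not a verdict on what the token is.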
--01:42:13-- http://centatu.com/?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA
=> `./sample'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 200 (OK)
Length: 97,718 (95K) [text/html]
35% [===========> ] 34,260 8.99K/s ETA 00:46
01:42:21 (8.98 KB/s) - Connection closed at byte 34260. Retrying.
--01:42:21-- http://centatu.com/?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA
(try: 2) => `./sample'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 200 (OK)
Length: 97,089 (95K) [text/html]
01:42:27 (53.61 KB/s) - `./sample' saved [97089/97089]
// making it short... the fetched page loads ===> http://cdn.dsultra.com/js/main.js & www.google-analytics.com/ga.js
;; QUESTION SECTION:
;cdn.dsultra.com. IN ANY
;; ANSWER SECTION:
cdn.dsultra.com. 1372 IN CNAME oversee.vo.llnwd.net.
;; AUTHORITY SECTION:
dsultra.com. 1372 IN NS ns-1295.awsdns-33.org.
dsultra.com. 1372 IN NS ns-1606.awsdns-08.co.uk.
dsultra.com. 1372 IN NS ns-749.awsdns-29.net.
dsultra.com. 1372 IN NS ns-491.awsdns-61.com.
;; ADDITIONAL SECTION:
ns-491.awsdns-61.com. 1372 IN A 205.251.193.235
ns-749.awsdns-29.net. 1745 IN A 205.251.194.237
ns-1295.awsdns-33.org. 1372 IN A 205.251.197.15
ns-1606.awsdns-08.co.uk. 1406 IN A 205.251.198.70
// let's see what code that is....
--01:54:34-- http://cdn.dsultra.com/js/main.js
=> `main.js'
Resolving cdn.dsultra.com... 203.77.188.253, 203.77.188.254
Connecting to cdn.dsultra.com|203.77.188.253|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24,326 (24K) [application/x-javascript] <===== // clean one....
// Just to be sure.... simulate...
[HTTP] URL: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA (Status: 200, Referrer: None)
[HTTP] URL: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA (Content-type: text/html, MD5: 3f9a4d3490d486acd1878323980bc0bc)
<meta content="text/html;charset=utf-8" http-equiv="Content-Type"/>
<meta content="" http-equiv="keywords"/>
<meta content="" http-equiv="description"/>
<link href="http://cdn.dsultra.com/favicon/mi_favicon.ico" rel="shortcut icon" type="image/x-icon"/>
[HTTP] URL: http://cdn.dsultra.com/favicon/mi_favicon.ico (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://cdn.dsultra.com/favicon/mi_favicon.ico (Content-type: text/plain; charset=UTF-8, MD5: 1cdecc190b122a232e64945332de0546)
<link href="http://cdn.dsultra.com/css/11800/landing/ja.css" rel="stylesheet" type="text/css"/>
[HTTP] URL: http://cdn.dsultra.com/css/11800/landing/ja.css (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://cdn.dsultra.com/css/11800/landing/ja.css (Content-type: text/css, MD5: 703670399c78cbec350d4b8704b8da44)
[HTTP] URL: http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js (Content-type: text/javascript; charset=UTF-8, MD5: 5f4ccf13367a04a1678a8d2ef9c5d2ad)
[HTTP] URL: http://googleads.g.doubleclick.net/apps/domainpark/domainpark.cgi?callback=_google_json_callback&output=js&client=ca-dp-oversee-rs_js&domain_name=centatu.com&hl=en&channel=007390&adtest=off&s=centatu.com&kw=free%2520forex%2520signal&kw_type=broad&num_ads=0&num_radlinks=18&dt=1352480258529&u_tz=540&u_his=1&u_w=800&frm=0&ref=about%3Ablank (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://googleads.g.doubleclick.net/apps/domainpark/domainpark.cgi?callback=_google_json_callback&output=js&client=ca-dp-oversee-rs_js&domain_name=centatu.com&hl=en&channel=007390&adtest=off&s=centatu.com&kw=free%2520forex%2520signal&kw_type=broad&num_ads=0&num_radlinks=18&dt=1352480258529&u_tz=540&u_his=1&u_w=800&frm=0&ref=about%3Ablank (Content-type: application/javascript; charset=UTF-8, MD5: 8625b0e4b333765613e5b14bf64010fc)
[Navigator URL Translation] /?epl=G9UAB46BtH-n6Z_EhT81_ITsSoxAQuEUyV38IQZp1HWu1pYGSTmo9WI--FCEBcNIDCF1Li71nkBJpF6to7El8M3MSosC8w3NPoHA9kKyCXIdPC3iPMRoh1ZyT6QQiFahnoS9dlwAla31j0qJlXMO4mwh1YmCXYm1ECMFtBSe8r96bPMW5lhDRkmbSKhIa9DgTVz2fYAlQijkUGBBpc3AYH3aYHfxriJSZgXtXAHD4f7cYONp_Ru_Nn4_gRt0DamH9iCwRu7YyIQUIjCxORW9ktcRZwoOIA8Qqm5QdZQBiAIbdd1OGMJpPNsNOjsl1HffMwedbHPNGtEE4q8yKoqDXwgoGiJPFwYAxCBTTxoa9UQmU4MGAPUgpokeNaGfajI91aAG05DJ0ERPI5mapxraVINVDQEw4P_vvwCA8v8BQQBAgFscAAAhuxIjWVMmWUExNmhaQqABAADw --> http://centatu.com/?epl=G9UAB46BtH-n6Z_EhT81_ITsSoxAQuEUyV38IQZp1HWu1pYGSTmo9WI--FCEBcNIDCF1Li71nkBJpF6to7El8M3MSosC8w3NPoHA9kKyCXIdPC3iPMRoh1ZyT6QQiFahnoS9dlwAla31j0qJlXMO4mwh1YmCXYm1ECMFtBSe8r96bPMW5lhDRkmbSKhIa9DgTVz2fYAlQijkUGBBpc3AYH3aYHfxriJSZgXtXAHD4f7cYONp_Ru_Nn4_gRt0DamH9iCwRu7YyIQUIjCxORW9ktcRZwoOIA8Qqm5QdZQBiAIbdd1OGMJpPNsNOjsl1HffMwedbHPNGtEE4q8yKoqDXwgoGiJPFwYAxCBTTxoa9UQmU4MGAPUgpokeNaGfajI91aAG05DJ0ERPI5mapxraVINVDQEw4P_vvwCA8v8BQQBAgFscAAAhuxIjWVMmWUExNmhaQqABAADw
[HTTP] URL: http://centatu.com/?epl=G9UAB46BtH-n6Z_EhT81_ITsSoxAQuEUyV38IQZp1HWu1pYGSTmo9WI--FCEBcNIDCF1Li71nkBJpF6to7El8M3MSosC8w3NPoHA9kKyCXIdPC3iPMRoh1ZyT6QQiFahnoS9dlwAla31j0qJlXMO4mwh1YmCXYm1ECMFtBSe8r96bPMW5lhDRkmbSKhIa9DgTVz2fYAlQijkUGBBpc3AYH3aYHfxriJSZgXtXAHD4f7cYONp_Ru_Nn4_gRt0DamH9iCwRu7YyIQUIjCxORW9ktcRZwoOIA8Qqm5QdZQBiAIbdd1OGMJpPNsNOjsl1HffMwedbHPNGtEE4q8yKoqDXwgoGiJPFwYAxCBTTxoa9UQmU4MGAPUgpokeNaGfajI91aAG05DJ0ERPI5mapxraVINVDQEw4P_vvwCA8v8BQQBAgFscAAAhuxIjWVMmWUExNmhaQqABAADw (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://centatu.com/?epl=G9UAB46BtH-n6Z_EhT81_ITsSoxAQuEUyV38IQZp1HWu1pYGSTmo9WI--FCEBcNIDCF1Li71nkBJpF6to7El8M3MSosC8w3NPoHA9kKyCXIdPC3iPMRoh1ZyT6QQiFahnoS9dlwAla31j0qJlXMO4mwh1YmCXYm1ECMFtBSe8r96bPMW5lhDRkmbSKhIa9DgTVz2fYAlQijkUGBBpc3AYH3aYHfxriJSZgXtXAHD4f7cYONp_Ru_Nn4_gRt0DamH9iCwRu7YyIQUIjCxORW9ktcRZwoOIA8Qqm5QdZQBiAIbdd1OGMJpPNsNOjsl1HffMwedbHPNGtEE4q8yKoqDXwgoGiJPFwYAxCBTTxoa9UQmU4MGAPUgpokeNaGfajI91aAG05DJ0ERPI5mapxraVINVDQEw4P_vvwCA8v8BQQBAgFscAAAhuxIjWVMmWUExNmhaQqABAADw (Content-type: text/javascript, MD5: f2a0d8767d74481ffec29e69d7389105)
[HTTP] URL: http://cdn.dsultra.com/js/main.js (Status: 200, Referrer: http://centatu.com?epl=SI1JFrfBZHQDnd_oLKackACw3T8ASCicIrmLP0WwtyLSGbLqY3OT4UZfoWEGGIMdA3iWiorrO7mUNMaai6RgpkCamAl07JKNuGmGmCDFqUesB0NFgmCDeCETEsWuFdzxQGcJ64qNW_VTE5WKMnogqOlHmp6QRtM8FaE2TaYBQNOk6amHRhF1ACCg_uevAIDy_wEAAECAWwkAAGC7fwBZUyZZQTE2aFpChwAAAPA)
[HTTP] URL: http://cdn.dsultra.com/js/main.js (Content-type: application/x-javascript, MD5: 73106b24a1eb9fc9fd35fa65b9f189e5)
// ↑ same result... no infection......
------
#MalwareMustDie
@unixfreaxjp | Sat Nov 10 02:03:25 JST 2012