MalwareMustDie

#MalwareMustDie! #RedKit Infection Campaign /[a-z]{7}.php

Jul 13th, 2013
// #MalwareMustDie! #RedKit Infected site/urls
//
// Searched by GooDork, Ref: http://code.google.com/p/malwaremustdie/wiki/MalwareMustDie_GooDork_Tips
// @unixfreaxjp ~]$ date
// Sat Jul 13 23:13:23 JST 2013
//
// Infection pattern (REGEX):
\/[a-z]{7}\.php
  ^^^^^^^^
  ↑IN RANDOM CHARS

// You can search in URLQuery by below regex (noted: FP also appears):
\.[a-z]{2,}\/[a-z]{7}\.php$
             ^^^^^^^^
             ↑IN RANDOM CHARS
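As an added example (not part of the paste), a small Python scanner that applies both regexes above to proxy log lines and separately flags the ordinary seven-letter ".php" names that produce the false positives the paste warns about. The log format, the allow-list and the example.test hosts are assumptions; the two real hostnames are taken from the paste's own list.

```python
import re
from urllib.parse import urlsplit
# Infection pattern from the paste: "/" + seven random lowercase letters + ".php".
# A capture group is added so the basename can be checked against the allow-list.
INFECTION_RE = re.compile(r"/([a-z]{7})\.php$")
# URLQuery search pattern from the paste: the 7-letter file sits directly under a
# domain whose TLD has 2+ letters, i.e. at the site root, as in every listed URL.
URLQUERY_RE = re.compile(r"\.[a-z]{2,}/[a-z]{7}\.php$")
# Constructed allow-list (an assumption, tune it per environment): ordinary
# seven-letter PHP names that satisfy the regex and cause the FPs the paste mentions.
BENIGN_NAMES = {"contact", "account", "profile", "gallery", "sitemap",
                "archive", "comment", "history", "privacy", "support"}

def classify_url(url):
    """Return 'hit', 'nested', 'possible_fp' or None for one URL."""
    parsed = urlsplit(url)  # drops scheme and query string from the path
    m = INFECTION_RE.search(parsed.path)
    if not m:
        return None
    if m.group(1) in BENIGN_NAMES:
        return "possible_fp"
    # A root-level file on a real domain is the campaign's shape; deeper paths are weaker.
    return "hit" if URLQUERY_RE.search(parsed.netloc + parsed.path) else "nested"

# Constructed proxy log sample: "<time> <client> <method> <url> <status>".
# Two lines reuse hostnames from the paste; the example.test lines are invented.
SAMPLE_LOG = """\
2013-07-13T13:41:00Z 10.0.0.5 GET http://juleta.ru/ajfxqpd.php 200
2013-07-13T13:41:07Z 10.0.0.7 GET http://example.test/contact.php 200
2013-07-13T13:41:15Z 10.0.0.5 GET http://example.test/index.php 200
2013-07-13T13:46:14Z 10.0.0.9 GET http://corydora.nl/qcubbfv.php 200
2013-07-13T13:47:02Z 10.0.0.9 GET http://example.test/img/abcdefg.php?x=1 200
"""

def scan_log(text):
    """Return (client, url, verdict) for every log line whose URL matches the pattern."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        verdict = classify_url(fields[3])
        if verdict:
            findings.append((fields[1], fields[3], verdict))
    return findings

if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:12} {client:10} {url}")
```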
  16.  
  17. // Latest URL...
  18. // these URL are UP and ALIVE
  19. // The below sites are infected.
  20. // Cleanup the ones related to your network..
  21.  
[...] there are more of these for sure... no time to check one by one

// UP & ALIVE PoC:

--2013-07-13 22:41:03-- h00p://juleta.ru/ajfxqpd.php
Resolving juleta.ru... seconds 0.00, 188.64.175.152
Caching juleta.ru => 188.64.175.152
Connecting to juleta.ru|188.64.175.152|:80... seconds 0.00, connected.
:
GET /ajfxqpd.php h00p/1.0
Referer: h00p://www.google.com/search?q=youtube
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: juleta.ru
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h00p request sent, awaiting response...
:
h00p/1.1 200 OK
Date: Sat, 13 Jul 2013 13:41:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
200 OK
Length: unspecified [text/html]
Saving to: `ajfxqpd.php'


--2013-07-13 22:43:58-- h00p://svoystyle.org/tunkebf.php
Resolving svoystyle.org... seconds 0.00, 78.108.86.79
Caching svoystyle.org => 78.108.86.79
Connecting to svoystyle.org|78.108.86.79|:80... seconds 0.00, connected.
:
GET /tunkebf.php h00p/1.0
Referer: h00p://www.google.com/search?q=youtube
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: svoystyle.org
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h00p request sent, awaiting response...
:
h00p/1.1 200 OK
Date: Sat, 13 Jul 2013 13:43:55 GMT
Server: Apache/2.2.22 (FreeBSD) PHP/5.2.17 mod_ssl/2.2.22 OpenSSL/0.9.8q DAV/2
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
200 OK
Length: unspecified [text/html]
Saving to: `tunkebf.php'

--2013-07-13 22:46:04-- h00p://corydora.nl/qcubbfv.php
Resolving corydora.nl... seconds 0.00, 178.251.28.24
Caching corydora.nl => 178.251.28.24
Connecting to corydora.nl|178.251.28.24|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x00a27488 (new refcount 1).
:
GET /qcubbfv.php h00p/1.0
Referer: h00p://www.google.com/search?q=youtube
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: corydora.nl
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h00p request sent, awaiting response...
:
h00p/1.1 200 OK
Date: Sat, 13 Jul 2013 13:46:14 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 2
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 2 [text/html]
Saving to: `qcubbfv.php'
:
etc etc..

----
#MalwareMustDie!