// #MalwareMustDie! #RedKit Infected site/urls
//
// Searched by GooDork. Ref: http://code.google.com/p/malwaremustdie/wiki/MalwareMustDie_GooDork_Tips
// @unixfreaxjp ~]$ date
// Sat Jul 13 23:13:23 JST 2013
//
// Infection pattern (REGEX):
\/[a-z]{7}\.php
  ^^^^^^^^
  ↑IN RANDOM CHARS
// You can search in URLQuery by the below regex (note: FPs also appear):
\.[a-z]{2,}\/[a-z]{7}\.php$
             ^^^^^^^^
             ↑IN RANDOM CHARS
// Latest URLs...
// these URLs are UP and ALIVE
// The below sites are infected.
// Clean up the ones related to your network..
h00p://www.masthotels.gr/hdwicao.php
h00p://ural.zz.mu/fplityv.php
h00p://ural.zz.mu/qbccdim.php
h00p://true-point.co.uk/ulqqwmt.php
h00p://true-point.co.uk/updcqfo.php
h00p://paschkemetal.com/jitfahd.php
h00p://natarelke.net/kuyspcu.php
h00p://msw67.cafe24.com/ehttfnt.php
h00p://dunakanyarse.hu/pkwgvoq.php
h00p://danovabud.net/rotxtrw.php
h00p://danovabud.net/ylxdvll.php
h00p://coitaoc.org/nlsnkvj.php
h00p://bgcarshop.com/ejtejrl.php
h00p://msw67.cafe24.com/fdcrgjb.php
h00p://bgcarshop.com/ybkndpa.php
h00p://a1144104.sites.myregisteredsite.com/eipkalp.php
h00p://danjayair.com/wuqiclh.php
h00p://maviceu.com/xeksbrw.php
h00p://shkolavokala-nn.ru/nxrvmfy.php
h00p://juleta.ru/ajfxqpd.php
h00p://svoystyle.org/tunkebf.php
h00p://corydora.nl/qcubbfv.php
h00p://sektorsolutions.com/gcikihm.php
h00p://nepcw.com/qhmnmdf.php
h00p://bitboyz.com/wcjofek.php
h00p://zs-pardubicky.cz/ajghuyr.php
h00p://www.masthotels.gr/ewnyvrw.php
h00p://takaradukakanban.ciao.jp/vcolrvf.php
h00p://sunatable.sunnyday.jp/nbwqrnw.php
h00p://8014d74c3f5c9f62.lolipop.jp/qqovfdp.php
h00p://324c888c03da2c5.lolipop.jp/rsarctj.php
h00p://mf3japan.jp/psikcqs.php
h00p://katagi-weblogs.lolipop.jp/oklkxlp.php
h00p://1224c888e2371310.lolipop.jp/yfsojxy.php
h00p://sekkousaisei.sakura.ne.jp/arcwqjl.php
h00p://4234fb991c1f110e.lolipop.jp/dpurctv.php
h00p://dp22165320.lolipop.jp/lpjbgkm.php
h00p://7344ee9a4ebb9132.lolipop.jp/nmtcehf.php
[...] there are more of these for sure... no time to check one by one
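A defender-side check built on the infection regex above, applied both to web-server access logs and to a document-root sweep, added here as an example that is not part of the original paste. It matches the seven-lowercase-letter `.php` naming pattern, drops an allowlist of legitimately named seven-letter files (`contact.php`, `account.php`, ...) that the bare regex also matches, which is the false-positive source the paste warns about, and reports the remaining candidates for review and cleanup. The log format, sample log lines, client addresses and allowlist are constructed for this example; the two landing-page names reused in the samples are taken from the list above.

```python
import re
from pathlib import Path

# Naming pattern of the RedKit landing pages listed in the paste:
# seven lowercase letters plus ".php" at the end of the path, in any directory.
REDKIT_RE = re.compile(r"/([a-z]{7})\.php$")

# Apache/nginx "combined" access-log format; only the fields used here are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Legitimate seven-letter PHP filenames that the bare regex also matches.
# Constructed starting list for this example; in practice use the site's own
# file inventory (deployment manifest or version control) instead.
KNOWN_GOOD = {"contact", "account", "archive", "profile", "install",
              "gallery", "history", "members", "privacy", "process"}


def redkit_stem(path, allowlist=KNOWN_GOOD):
    """Return the seven-letter stem when `path` matches the pattern and is not
    allowlisted; return None otherwise. Any query string is ignored."""
    path = path.split("?", 1)[0]
    m = REDKIT_RE.search(path)
    if m is None or m.group(1) in allowlist:
        return None
    return m.group(1)


def scan_log_lines(lines, allowlist=KNOWN_GOOD):
    """Return (client ip, request path, status, referer) for every parsable
    log line whose request path matches the pattern; other lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        if redkit_stem(m["path"], allowlist) is not None:
            hits.append((m["ip"], m["path"], int(m["status"]), m["referer"]))
    return hits


def sweep_paths(relative_paths, allowlist=KNOWN_GOOD):
    """Return the site-relative file paths that match the pattern and are not
    allowlisted, i.e. the files to review and remove during cleanup."""
    return [p for p in relative_paths
            if redkit_stem("/" + p.lstrip("/"), allowlist) is not None]


def sweep_webroot(root, allowlist=KNOWN_GOOD):
    """Filesystem wrapper around sweep_paths for a document root on disk."""
    root = Path(root)
    relative = (p.relative_to(root).as_posix()
                for p in root.rglob("*.php") if p.is_file())
    return sweep_paths(sorted(relative), allowlist)


# Constructed sample access-log lines (client addresses and timestamps invented);
# the two landing-page names are taken from the list in the paste.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jul/2013:22:41:03 +0900] "GET /ajfxqpd.php HTTP/1.0" 200 512 '
    '"http://www.google.com/search?q=youtube" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '10.0.0.6 - - [13/Jul/2013:22:41:09 +0900] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Jul/2013:22:41:15 +0900] "GET /index.php?page=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [13/Jul/2013:22:41:20 +0900] "GET /tunkebf.php?id=7 HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for ip, path, status, referer in scan_log_lines(SAMPLE_LOG):
        print(f"{ip} {status} {path} referer={referer}")
```

Running the block prints the two candidate requests from the sample log and ignores the allowlisted `contact.php` hit and the unparsable line. The allowlist is the part worth investing in: every unknown seven-letter `.php` that is not in the site's own inventory is a file to look at, and the regex alone will keep flagging ordinary names until that inventory exists.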
// UP & ALIVE PoC:
--2013-07-13 22:41:03-- h00p://juleta.ru/ajfxqpd.php
Resolving juleta.ru... seconds 0.00, 188.64.175.152
Caching juleta.ru => 188.64.175.152
Connecting to juleta.ru|188.64.175.152|:80... seconds 0.00, connected.
:
GET /ajfxqpd.php h00p/1.0
Referer: h00p://www.google.com/search?q=youtube
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: juleta.ru
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h00p request sent, awaiting response...
:
h00p/1.1 200 OK
Date: Sat, 13 Jul 2013 13:41:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
200 OK
Length: unspecified [text/html]
Saving to: `ajfxqpd.php'
--2013-07-13 22:43:58-- h00p://svoystyle.org/tunkebf.php
Resolving svoystyle.org... seconds 0.00, 78.108.86.79
Caching svoystyle.org => 78.108.86.79
Connecting to svoystyle.org|78.108.86.79|:80... seconds 0.00, connected.
:
GET /tunkebf.php h00p/1.0
Referer: h00p://www.google.com/search?q=youtube
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: svoystyle.org
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h00p request sent, awaiting response...
:
h00p/1.1 200 OK
Date: Sat, 13 Jul 2013 13:43:55 GMT
Server: Apache/2.2.22 (FreeBSD) PHP/5.2.17 mod_ssl/2.2.22 OpenSSL/0.9.8q DAV/2
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
200 OK
Length: unspecified [text/html]
Saving to: `tunkebf.php'
--2013-07-13 22:46:04-- h00p://corydora.nl/qcubbfv.php
Resolving corydora.nl... seconds 0.00, 178.251.28.24
Caching corydora.nl => 178.251.28.24
Connecting to corydora.nl|178.251.28.24|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x00a27488 (new refcount 1).
:
GET /qcubbfv.php h00p/1.0
Referer: h00p://www.google.com/search?q=youtube
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: corydora.nl
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h00p request sent, awaiting response...
:
h00p/1.1 200 OK
Date: Sat, 13 Jul 2013 13:46:14 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 2
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 2 [text/html]
Saving to: `qcubbfv.php'
:
etc etc..
----
#MalwareMustDie!