tsnse.cn/i.js « s3c-watch

tsnse.cn/i.js

This sql-injected script calls iframe www.gomne.cn/yh.htm

yh.htm has the same vulnerability exploits as the previous post. Most likely from the same kit.

The exploits download malicious executable from www.at820.cn/wins.exe [VT results]

CWSandbox analysis of wins.exe shows further download such as rootkit www.at820.cn/ie.exe [VT results]

Note that all 3 domains tsnse.cn, www.gomne.cn and www.at820.cn resolve to the same IP address 120.50.35.138.

This entry was posted on March 5, 2009 at 11:37 pm and is filed under sql injection . You can follow any responses to this entry through the RSS 2.0 feed You can leave a response, or trackback from your own site.

s3c-watch

tsnse.cn/i.js

Leave a Reply