Comments for s3c-watch

Comment on deabak.com/z.js by Tina

Tina — Fri, 27 Feb 2009 18:07:44 +0000

Thanks for your response. I have a question, is there any way the hacker can find out all files in the directory? I’ve put the code to prevent URL injection, but I have some hidden files which can only be accessed by registered user does not have the protection. So I wonder hacker might found those pages and attack it from there.

Comment on deabak.com/z.js by s3cu

s3cu — Fri, 27 Feb 2009 14:38:49 +0000

sanitize and validate all data passed through URL, cookies and post data.

Comment on deabak.com/z.js by Tina

Tina — Thu, 26 Feb 2009 19:28:43 +0000

Hi, I just got this SQL injection to my database today. Can you tell me how do they inject this script? I’ve put code in to all variables passing through URL. But I still got this. If you can help, that’ll be great!

Thanks in advance.

Tina

Comment on IE 0-day exploit by s3cu

s3cu — Thu, 18 Dec 2008 15:49:49 +0000

The patch to the IE vulnerability is already released – http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

If you are still procrastinating, maybe this report about IE exploit via Word doc may change your mind – http://www.avertlabs.com/research/blog/index.php/2008/12/17/ie-7-exploit-reloaded-the-new-face-of-drive-by-attacks-using-doc-files/

Comment on cbp7t.cn by Ilion

Ilion — Tue, 21 Oct 2008 08:35:07 +0000

Other domains:
batyu.cn
chshun.cn
dae3.cn
empty1.cn
empty52.cn
hap1.cn
kan31ni.cn
kao17.cn
log5it.cn
meto1.cn
pcca4.cn
sfz22.cn
showwo2.cn

Comment on www.ok2bstr8.com/index_13.html by s3cu

s3cu — Fri, 12 Sep 2008 17:20:00 +0000

first, strip html entities off the “index.cgi?script” content.

second, create a stub file, stub.js, with the following contents:
function eval(a) {print(a);}
location = new Object();
location.href = “http://92prt.ru/cgi-bin/index.cgi?script”;
document= new Object();
document = {write:print};
navigator = new Object();
navigator.appMinorVersion = “;SP2;”
navigator.systemLanguage = “en-us”

then issue command “js -f stub.js index.cgi\?script”

Comment on www.ok2bstr8.com/index_13.html by RS

RS — Fri, 12 Sep 2008 15:19:37 +0000

Hello, wondering if you’ve been able to decode the new script being used by asprox. Sample @ http://92prt.ru/cgi-bin/index.cgi?script

I have not been able to do so using spider monkey wondering if you’ve done some analysis on this before.

Thanks,

Comment on cdm1djeni.com/cgi-bin/index.cgi?dx by s3cu

s3cu — Mon, 08 Sep 2008 14:08:41 +0000

Based on robtex lookup, the following domains share the same IP address:
cdm1djeni.com
daadhevif.com
den2djeni.com
dtd1eni.com
etcyght.com
eue2eni.com
gvryehght.com
hiepdjeni.com
jjgyght.com

Comment on jjmaobuduo.3322.org/csrss/w.js by chris

chris — Sun, 24 Aug 2008 23:52:02 +0000

rondll32.exe will go out and grab ack.htm.
ack.htm downloads 4 executables:
beauty.exe
sss.exe
sl.exe
fengxiang.exe

Comment on additional domains with hhr2ehght.com by hmm

hmm — Fri, 22 Aug 2008 21:24:20 +0000

anyygfxes.com A 74.50.108.226