another sql-injected domain... this one works.
Iterating through the obfuscated JS, it finally exploits the typical set of vulnerabilities like IE7, flash, snapshot view etc.
u.winzxm.com
Posted in sql injection on January 21, 2009 by s3cu
allspaces.com/z.js
Posted in sql injection on January 19, 2009 by s3cu
This is another sql-injected URL. However, z.js does not seem to be accessible.
har5launo.com/cgi-bin/index.cgi?dx
Posted in Mebroot on January 8, 2009 by s3cu
URL contains malicious javascript which eventually links to the Mebroot trojan.
[VT results=4/38]
www.wmpd.ru/style.js and www.mtno.ru/style.js
Posted in sql injection on December 19, 2008 by s3cu
Style.js embeds an iframe to http://79.135.168.18
The index.html page of the iframe contains another obfuscation method.
vip.4s3w.cn/vip/I7.htm
Posted in sql injection on December 14, 2008 by s3cu
Another IE exploit, but this evasion technique is so cute, take a look:
IE 0-day exploit
Posted in sql injection on December 12, 2008 by s3cu
OK, so the supposed IE7 vulnerability is also applicable to other versions.
Check out MS advisory 961051
Other domains that are also exploiting this vulnerability are listed in shadowserver.
Notice that the shellcode of 17gamo.com IE7 exploit is encrypted.

[Image: ie7 exploit encrypted shellcode]
Disassembly of the shellcode shows that each byte is xored with 21h.
To decrypt the shellcode, a simple perl substitution can be applied to the unicode-escaped (%u) string:
s/\%u(..)(..)/(chr(hex($2))^chr(hex(21))).(chr(hex($1))^chr(hex(21)))/ge
A hexdump of the decrypted shellcode shows where it will retrieve the malware:
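The decoding step described above, as an added Python example (not the author's script): it unpacks %uXXXX escapes low byte first, XORs with a single-byte key, and goes beyond the post by trying all 256 keys to find the one that reveals a URL. The sample string and its placeholder URL are constructed for this example, and the function names are assumptions.

```python
import re

# Constructed sample (not the shellcode from the page): filler bytes and a
# placeholder URL, XORed with 0x21 and written as %uXXXX escapes.
PLAIN = b"\x01\x02http://download.example.invalid/sample.bin\x00\x00"
SAMPLE = "".join(
    "%u{:02x}{:02x}".format(PLAIN[i + 1] ^ 0x21, PLAIN[i] ^ 0x21)
    for i in range(0, len(PLAIN), 2)
)

def unescape_u(text):
    """Turn %uXXXX escapes into bytes, low byte first (same order as the Perl regex)."""
    out = bytearray()
    for hi, lo in re.findall(r"%u([0-9a-fA-F]{2})([0-9a-fA-F]{2})", text):
        out += bytes((int(lo, 16), int(hi, 16)))
    return bytes(out)

def xor_bytes(data, key):
    """XOR every byte with a single-byte key (0x21 in the post)."""
    return bytes(b ^ key for b in data)

def find_urls(data):
    """Return printable http(s) URLs found in a decoded buffer."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", data)]

def recover_keys(raw):
    """Generalization: try all 256 keys, keep those that reveal a URL."""
    hits = []
    for key in range(256):
        urls = find_urls(xor_bytes(raw, key))
        if urls:
            hits.append((key, urls))
    return hits

def hexdump(data, width=16):
    """Format a buffer as offset / hex / ASCII lines for manual review."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}{text}")
    return lines

if __name__ == "__main__":
    raw = unescape_u(SAMPLE)
    for key, urls in recover_keys(raw):
        print(f"key=0x{key:02x} urls={urls}")
    print("\n".join(hexdump(xor_bytes(raw, 0x21))))
```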

17gamo.com/1.js
Posted in sql injection on December 10, 2008 by s3cu
A new sql-injected URL.
1.js contains iframe src to http://www.17gamo.com/co/index.htm
The index.htm contains several exploits, one of which is the latest ie7 0-day exploit.
The ie7 exploit is at www.17gamo.com/co/ie7.htm
e.nuclear3.com/bbs/ad/
Posted in sql injection on November 26, 2008 by s3cu
Another injected domain that resolves to the same IP address as c.8e9.net
c.8e9.net/bbs/ad/
Posted in sql injection on November 25, 2008 by s3cu
Another sql-injected domain. So what’s new? The name of the JS file seems to be tied to the site language.
61.31.235.114
Posted in sql injection on November 20, 2008 by s3cu
Foolishness or desperation? A sql-injection attack which links to an IP address instead of a domain.
The injected script link is 61.31.235.114/i.swf
However, i.swf currently does not exist on the machine. What exists is 1.swf.