Archive for October, 2008

cbp7t.cn

Posted in Mebroot, sql injection on October 21, 2008 by s3cu

This SQL-injected domain loads an iframe from http://www.jmlrmg.com/index.htm.

The page loaded in that iframe serves exploits for a number of typical client-side vulnerabilities.

The VirusTotal analysis of the malicious file http://www.jmlrmg.com/chanm/yahoo.exe is here, and the ThreatExpert report is here.

Other domains sharing the same IP address are jsani.cn and woshow11.cn.

cookie sql-injection domains

Posted in sql injection on October 17, 2008 by s3cu

These two domains are used in the cookie-based SQL-injection attacks:

  • hanrou7.cn
  • me1me.cn

Both domains iframe to http://www.wow088.com/wang/index.htm, where the exploits are hosted.

The malicious executable is at http://www.wow088.com/wang/ms.exe; the VirusTotal analysis is here.
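Every post in this archive describes the same chain: an injected tag on a legitimate page pulls a script or iframe from one of these domains, which in turn frames the exploit page. The check below is an added example, not part of the original post: it pulls the src of every iframe and script tag out of a fetched page body and matches the host against the domains named in this month's posts. The sample HTML is constructed for the example, and the indicator list is simply the hosts mentioned on this page, not a complete blocklist.

```javascript
// Added example (not the blog's code): sweep an HTML body for injected
// <iframe>/<script> tags that point at the domains listed in these posts.

// Indicators taken from the October 2008 posts on this page.
const IOC_HOSTS = new Set([
  'cbp7t.cn', 'www.jmlrmg.com', 'jsani.cn', 'woshow11.cn',
  'hanrou7.cn', 'me1me.cn', 'www.wow088.com',
  'www2.s800qn.cn', 'bdydcketn.com', 'drmyy.cn', 'ytgw123.cn',
]);

// Extract the host from an absolute or protocol-relative URL; relative paths
// (the normal case for a site's own assets) return null.
function hostOf(src) {
  const m = /^(?:https?:)?\/\/([^\/:?#]+)/i.exec(src.trim());
  return m ? m[1].toLowerCase() : null;
}

// Pull every src= from <iframe> and <script> tags, tolerating the forms the
// injected snippets take: unquoted values, single or double quotes, mixed
// case and extra attributes such as width=0 height=0.
function extractSrcHosts(html) {
  const re = /<(?:iframe|script)\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hosts = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
    const host = hostOf(src);
    if (host) hosts.push(host);
  }
  return hosts;
}

// Hosts referenced by the page that are on the indicator list, in page order.
function findInjectedReferences(html) {
  return extractSrcHosts(html).filter(h => IOC_HOSTS.has(h));
}

// Constructed sample page: one legitimate local script, one legitimate
// third-party iframe, and two injected references in the styles seen in
// these campaigns (hidden 0x0 iframe, unquoted script src).
const SAMPLE_HTML = `<html><head>
<script src="/js/app.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://www.wow088.com/wang/index.htm" width=0 height=0 style="display:none"></iframe>
<script src=http://www2.s800qn.cn/csrss/w.js></script>
<IFRAME SRC='http://www.example.org/widget.htm'></IFRAME>
</body></html>`;

console.log('referenced hosts :', extractSrcHosts(SAMPLE_HTML));
console.log('matches IOC list :', findInjectedReferences(SAMPLE_HTML));
```

The regex deliberately works on raw markup rather than a DOM so it can be run over stored responses or proxy logs; it will also pick up attributes such as data-src, which is acceptable for a sweep that is meant to over-report.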

www2.s800qn.cn/csrss/w.js

Posted in sql injection on October 13, 2008 by s3cu

Another round of SQL injection.

bdydcketn.com/cgi-bin/index.cgi?mentat

Posted in sql injection on October 7, 2008 by s3cu

The obfuscation method has been improved to defeat eval() overloading (replacing eval() with a function that dumps the decoded script instead of running it).
See https://s3cwatch.wordpress.com/de-obfuscate-javascript-2/
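The trick being defeated, and what defeating it can look like, as an added JavaScript example. This is not the blog's code and it is not the actual logic of the injected script: the evasion shown (checking whether String(eval) still contains "[native code]" and otherwise falling back to the Function constructor) is one assumed technique chosen for illustration, and the payload and the example.invalid URL are constructed. It runs under Node; since document.write does not exist there, any payload that slips past the hooks fails instead of doing anything, which is the behaviour an analyst wants.

```javascript
// Added example (not the blog's code): a small model of eval() overloading as a
// de-obfuscation trick, an assumed way to evade it, and a hardened hook.

// Constructed payload standing in for the injected iframe loader.
const PAYLOAD = `document.write('<iframe src="http://example.invalid/index.htm" width=0 height=0></iframe>')`;

// Cheap obfuscation: rewrite a string as a String.fromCharCode(...) expression.
function obfuscate(s) {
  return 'String.fromCharCode(' + Array.from(s, c => c.charCodeAt(0)).join(',') + ')';
}

// Stage A: decode and hand the result straight to eval().
const STAGE_NAIVE = 'var d = ' + obfuscate(PAYLOAD) + '; eval(d);';

// Stage B (assumed evasion, not taken from the post): call eval() only if it
// still prints like a native function; otherwise use the Function constructor,
// which a plain eval() hook never sees.
const STAGE_EVASIVE = 'var d = ' + obfuscate(PAYLOAD) + ';' +
  'if (/native code/.test(String(eval))) { eval(d); } else { (new Function(d))(); }';

const realEval = globalThis.eval;
const RealFunction = Function;

// Run a stage as a sloppy-mode Function body, so its bare eval and Function
// identifiers resolve to whatever is on globalThis at that moment.
function runStage(stage) {
  try {
    new RealFunction(stage)();
  } catch (e) {
    // A payload that got past the hooks executed for real and hit the missing
    // browser DOM; treat that as "not captured".
  }
}

// Plain eval() overloading: log the decoded script instead of executing it.
function captureWithEvalHook(stage) {
  const captured = [];
  globalThis.eval = function (code) { captured.push(String(code)); };
  try { runStage(stage); } finally { globalThis.eval = realEval; }
  return captured;
}

// Hardened hook: cover Function as well, and make both hooks print like the
// native functions so a String(eval) check still sees "[native code]".
function captureWithHardenedHook(stage) {
  const captured = [];
  const evalHook = function (code) { captured.push(String(code)); };
  evalHook.toString = () => realEval.toString();
  const fnHook = function (...args) {
    captured.push(String(args[args.length - 1]));   // last argument is the body
    return function () {};                            // never run it
  };
  fnHook.toString = () => RealFunction.toString();
  globalThis.eval = evalHook;
  globalThis.Function = fnHook;
  try { runStage(stage); } finally {
    globalThis.eval = realEval;
    globalThis.Function = RealFunction;
  }
  return captured;
}

console.log('plain hook, naive stage   :', captureWithEvalHook(STAGE_NAIVE));
console.log('plain hook, evasive stage :', captureWithEvalHook(STAGE_EVASIVE));
console.log('hardened hook, evasive    :', captureWithHardenedHook(STAGE_EVASIVE));
```

The point of the hardened version is that a hook has to look like the thing it replaces: once the loader starts inspecting eval itself, the analyst has to spoof toString and cover every other route to code execution (Function, setTimeout with a string, document.write of a script tag), or move to a real browser sandbox instead of patching the interpreter.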

The final decoded JS is as follows:

drmyy.cn

Posted in sql injection on October 1, 2008 by s3cu

Hot on the heels of the new SQL-injected domain ytgw123.cn in the SANS report, here is another domain that iframes back to the same IP address.
