Archive for October, 2008

Posted in Mebroot, sql injection on October 21, 2008 by s3cu

this sql-injected domain retrieves iframe from

The malicious iframe exploits a number of typical vulnerabilities.

The VT analysis of the malicious file is here. ThreatExpert here.

Other domains sharing the same IP are,


cookie sql-injection domains

Posted in sql injection on October 17, 2008 by s3cu

these 2 domains are used in the cookie sql-injection attacks


The above 2 domains will iframe to where the exploits are located.

The malicious executable is at The VT analysis is here.

Posted in sql injection on October 13, 2008 by s3cu

another round of sql-injection

Posted in sql injection on October 7, 2008 by s3cu

the obfuscation method has been improved to defeat eval() overloading.
check out

The final decoded JS is as follows:

Posted in sql injection on October 1, 2008 by s3cu

Hot on the heels of the new sql-injected domain in the SANS report of
, there comes another domain that iframes back to the same IP address.
