3b3.org/c.js

Posted in sql injection on April 16, 2009 by s3cu

This sql-injected script src has been around for some time.

The interesting point of this script is that it behaves differently if the injected site is from “.gov.cn” or “.edu.cn”. Code as shown below: Continue reading

cn0093.cn/v.js

Posted in sql injection on March 9, 2009 by s3cu

following previous post, a new injected script has emerged that resolves to same IP.

v.js retrieves another iframe src http://www.vieio.cn/i.htm.

This exploitation kit tries to avoid detection by splitting each respective exploit into 2 files. One .htm and .js

tsnse.cn/i.js

Posted in sql injection on March 5, 2009 by s3cu

This sql-injected script calls iframe http://www.gomne.cn/yh.htm

Continue reading

deabak.com/z.js

Posted in sql injection on February 26, 2009 by s3cu

this is a new script that are being sql-injected.

z.js contains a iframe from http://www.893500.cn/2/index.htm

Continue reading

iwdown.com/inc/e.js

Posted in sql injection on January 22, 2009 by s3cu

this sql-injected URL contains iframes to http://www.advpoints.com.
Seems to be profiting thru referrals rather than injecting malware.

u.winzxm.com

Posted in sql injection on January 21, 2009 by s3cu

another sql-injected domain….this one works.
Iterating through the obfuscated JS, it finally exploits ├że typical set of vulnerabilities like IE7, flash, snapshot view etc.

allspaces.com/z.js

Posted in sql injection on January 19, 2009 by s3cu

this is another sql-injected URL. However z.js does not seem to be accessible.