Danmec/Asprox more or less ripped off the automated SQL injection attack idea,
but this one is not Asprox/Danmec. Appears to be one of the Chinese malware
sites. Successful exploit results in download of:

hxxp://www.ppexe.com/csrss/rondll32.exe [b2691d9b4f5e6cd89d14cd4511dbe003] -
which is a relatively old file now

We (mostly Mike with help from others) keep an updated list of the various SQL 
injected domains Asprox/Danmec or otherwise at this URL if you're interested:

http://www.shadowserver.org/wiki/uploads/Calendar/sql-inj-list.txt

Steven



On Fri, 29 Aug 2008 11:48:11 -0500, "Brack o'Malley" <[EMAIL PROTECTED]> wrote:
> I harvested > 1700 sql injection attempts by danmec related infectors.
> targets included >200 exposed honeypots (er, oops, I mean "client
> maintained servers") dispersed across widely varied address ranges.  In
> every case this URL was the download point:
> http://www0.douhunqn.cn/csrss/w.js
> 
> 
> 
> 
> brack
> 
> 

_______________________________________________
botnets@, the public's dumping ground for maliciousness
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
