SANS ISC InfoSec Forums

New sql injection site with fastflux hosting

One of our frequent contributors notified us of a new SQL injection site: hxxp://en-us18.com/b.js is being injected into websites via SQL injection.

When I googled for it I saw 560 injected web pages.

“b.js injects an iFrame which points to
hxxp://en-us18.com/cgi-bin/index.cgi?ad
which in turn embeds two Flash files:

advert.swf:
http://www.virustotal.com/analisis/d6ffe290e9938d3e646f82c536abd0c7
banner.swf:
http://www.virustotal.com/analisis/83be3d4d30eb60d92272625634a3babc”

This appears to be fast-fluxed, or at least set up to change rapidly, based on this dig output.

dig www.en-us18.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 1
;; QUERY SECTION:
;;      www.en-us18.com, type = A, class = IN
;; ANSWER SECTION:
www.en-us18.com.        10M IN A        156.17.227.218
www.en-us18.com.        10M IN A        84.121.210.189
www.en-us18.com.        10M IN A        99.194.80.27
www.en-us18.com.        10M IN A        69.65.91.5
www.en-us18.com.        10M IN A        83.27.126.102
www.en-us18.com.        10M IN A        99.225.66.211
www.en-us18.com.        10M IN A        82.159.61.76
www.en-us18.com.        10M IN A        85.53.64.13
www.en-us18.com.        10M IN A        148.81.132.211
www.en-us18.com.        10M IN A        83.23.188.93
www.en-us18.com.        10M IN A        216.170.109.251
www.en-us18.com.        10M IN A        62.21.81.188
www.en-us18.com.        10M IN A        83.242.74.153
www.en-us18.com.        10M IN A        87.205.33.92
;; AUTHORITY SECTION:
en-us18.com.            1d18h57m52s IN NS  ns3.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns2.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns4.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns1.en-us18.com.
;; ADDITIONAL SECTION:
ns1.en-us18.com.        1d21h10m38s IN A  75.110.190.181

A second dig a few minutes later produced similar but slightly different results, so this domain is changing. I guess they got tired of people blackholing their IP address.
In that case I would recommend that you DNS-blackhole the domain.

donald

206 Posts
Jun 2nd 2008
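The diary infers fast flux from the dig output by eye: fourteen A records, a 10-minute TTL, addresses in unrelated networks, and a different answer a few minutes later. The script below is an added example (not part of the ISC diary) that applies those same four checks to two captured dig answers; the thresholds, the /16 grouping and the sample answers are constructed for illustration.

```python
"""Fast-flux indicators from two dig(1) lookups of the same name (added
example, not from the ISC diary): many A records, a short TTL, addresses
spread over unrelated networks, and churn between lookups minutes apart."""
import re

# Answer lines look like "www.example.com.  10M IN A  192.0.2.1"; old dig
# prints TTLs as 10M or 1d18h57m52s, newer dig as plain seconds ("600").
A_RECORD = re.compile(r"^\S+\s+(\S+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)
UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def ttl_seconds(ttl: str) -> int:
    """Convert '600', '10M' or '1d18h57m52s' to seconds."""
    if ttl.isdigit():
        return int(ttl)
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", ttl.lower()))

def parse_a_records(dig_output: str):
    """Return (lowest TTL in seconds or None, set of every A-record address)."""
    found = A_RECORD.findall(dig_output)
    ttls = [ttl_seconds(t) for t, _ in found]
    return (min(ttls) if ttls else None), {ip for _, ip in found}

def flux_indicators(first: str, second: str, max_ttl=900, min_records=5, min_nets=3):
    """Compare two lookups of one name; each True flag is a fast-flux hint."""
    ttl1, ips1 = parse_a_records(first)
    ttl2, ips2 = parse_a_records(second)
    ttls = [t for t in (ttl1, ttl2) if t is not None]
    # Distinct /16 prefixes stand in for "unrelated networks" (constructed heuristic).
    nets = {".".join(ip.split(".")[:2]) for ip in ips1 | ips2}
    return {
        "short_ttl": bool(ttls) and min(ttls) <= max_ttl,
        "many_records": max(len(ips1), len(ips2)) >= min_records,
        "scattered": len(nets) >= min_nets,
        "churn": len(ips1 ^ ips2),  # addresses that appeared or vanished
    }

# Constructed sample answers in old-dig format, using documentation addresses.
FIRST = """;; ANSWER SECTION:
www.example.com.        10M IN A        192.0.2.10
www.example.com.        10M IN A        198.51.100.7
www.example.com.        10M IN A        203.0.113.45
www.example.com.        10M IN A        192.0.2.200
www.example.com.        10M IN A        198.51.100.99
"""
# "A few minutes later": two hosts rotated out, two rotated in.
SECOND = FIRST.replace("203.0.113.45", "203.0.113.46").replace("192.0.2.200", "198.51.100.3")

if __name__ == "__main__":
    print(flux_indicators(FIRST, SECOND))
```

A legitimate CDN can also return many short-TTL records, so treat a hit as a reason to look at the hosts (consumer ISP ranges, no consistent AS) rather than as proof on its own.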
