Monday, February 6, 2012

A "Gotcha!" moment, literally

Researching what appears to be a malicious injection, I wanted to poke at the bad site, piz[dot]de[dot]tf. Obviously this looks malicious to me, and I have still not identified where the injection is (I need to pull the .css files etc. from the cafecoronado page).

(This is related to the Sutra TDS. Thanks to Darren for the help on identifying the threat.)

I tried to wget in.cgi?2 at the above-mentioned domain, and here is the output:

$ wget hxxp://piz.de.tf/in.cgi?2
--2012-02-06 10:42:54--  hxxp://piz.de.tf/in.cgi?2
Resolving piz.de.tf (piz.de.tf)... 31.184.192.6
Connecting to piz.de.tf (piz.de.tf)|31.184.192.6|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: hxxp://188.72.213.185/c/bot.js [following]
--2012-02-06 10:42:55--  hxxp://188.72.213.185/c/bot.js
Connecting to 188.72.213.185:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `bot.js'

    [ <=>                                                                                                                    ] 7           --.-K/s   in 0s

2012-02-06 10:42:55 (273 KB/s) - `bot.js' saved [7]

$ cat bot.js
GOTCHA!$

Yes, I was found, and I have laughed a few times at this response.

Pretty funny stuff.
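The transcript above shows the two things a defender can actually key on in proxy logs: a request to an `in.cgi?N` entry script, followed by a 302 to a bare-IP host serving a .js file. The following is an added example (not part of the original post) that runs that check over a few constructed log lines in a hypothetical "client method url status location" format; the hosts and paths are the ones from the wget output above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed proxy log lines (hypothetical format: client, method, url, status, location).
# The piz.de.tf / 188.72.213.185 entries mirror the redirect chain in the wget transcript;
# the example.org entries are benign filler so the filter has something to ignore.
SAMPLE_LOG = """\
10.0.0.5 GET http://piz.de.tf/in.cgi?2 302 http://188.72.213.185/c/bot.js
10.0.0.5 GET http://188.72.213.185/c/bot.js 200 -
10.0.0.7 GET http://example.org/index.html 200 -
10.0.0.7 GET http://example.org/old 302 http://example.org/new
"""

# Entry-script pattern seen in the post (in.cgi followed by a numeric campaign id).
TDS_ENTRY = re.compile(r"/in\.cgi\?\d+$")


def is_bare_ip_host(url):
    """True when the URL's host is a literal IP address rather than a hostname."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def flag_line(line):
    """Return the reasons a log line looks like TDS traffic, or [] if it looks clean."""
    fields = line.split()
    if len(fields) != 5:
        return []  # malformed or unexpected format: ignore rather than guess
    _client, _method, url, status, location = fields
    reasons = []
    if TDS_ENTRY.search(url):
        reasons.append("request to in.cgi?N entry script")
    if status == "302" and location != "-" and is_bare_ip_host(location):
        reasons.append("302 redirect to bare-IP host")
    if url.endswith(".js") and is_bare_ip_host(url):
        reasons.append("script fetched from bare-IP host")
    return reasons


def scan_log(text):
    """Map each suspicious log line to its list of reasons; clean lines are omitted."""
    hits = {}
    for line in text.splitlines():
        reasons = flag_line(line)
        if reasons:
            hits[line] = reasons
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags only the two lines from the redirect chain; a 302 between ordinary hostnames is left alone.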

-Paul
@demon117