Researching what appears to be a malicious injection, I wanted to poke at the bad site, piz[dot]de[dot]tf. Obviously, this seems malicious to me, and I have still not identified where the injection is (I need to pull .css files, etc. from the cafecoronado page).
(This is related to the Sutra TDS. Thanks to Darren for the help on identifying the threat.)
I tried to wget the in.cgi?2 at the above-mentioned domain, and here is the output:
$ wget hxxp://piz.de.tf/in.cgi?2
--2012-02-06 10:42:54-- hxxp://piz.de.tf/in.cgi?2
Resolving piz.de.tf (piz.de.tf)... 31.184.192.6
Connecting to piz.de.tf (piz.de.tf)|31.184.192.6|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: hxxp://188.72.213.185/c/bot.js [following]
--2012-02-06 10:42:55-- hxxp://188.72.213.185/c/bot.js
Connecting to 188.72.213.185:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `bot.js'
[ <=> ] 7 --.-K/s in 0s
2012-02-06 10:42:55 (273 KB/s) - `bot.js' saved [7]
$ cat bot.js
GOTCHA!$
Yes, I was found and have laughed a few times at this response.
Pretty funny stuff.
-Paul
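The transcript above is the kind of artifact a triage analyst keeps: a TDS entry URL, a 302 to a script hosted on a bare IP, and a "script" that turns out to be a 7-byte text/html decoy. The following added example (my own code, not Paul's and not part of the original post) parses a wget transcript into its redirect hops and applies a few heuristics that flag exactly those oddities. The sample input is a constructed copy of the post's transcript with the URLs left defanged (hxxp); the heuristic labels and the 64-byte "tiny body" threshold are my assumptions, and nothing here touches the network.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the wget transcript from the post above, URLs kept
# defanged (hxxp). The parser only reads text; it never fetches anything.
SAMPLE_LOG = """\
--2012-02-06 10:42:54-- hxxp://piz.de.tf/in.cgi?2
Resolving piz.de.tf (piz.de.tf)... 31.184.192.6
Connecting to piz.de.tf (piz.de.tf)|31.184.192.6|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: hxxp://188.72.213.185/c/bot.js [following]
--2012-02-06 10:42:55-- hxxp://188.72.213.185/c/bot.js
Connecting to 188.72.213.185:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `bot.js'
2012-02-06 10:42:55 (273 KB/s) - `bot.js' saved [7]
"""


@dataclass
class Hop:
    url: str                           # request URL as wget printed it
    ip: Optional[str] = None           # resolved / connected IPv4 address
    status: Optional[int] = None       # HTTP status code for this hop
    location: Optional[str] = None     # redirect target, if the hop was a 3xx
    content_type: Optional[str] = None # media type from the Length: line
    saved_bytes: Optional[int] = None  # bytes wget actually wrote to disk


# One regex per wget line type we care about.
HOP_RE = re.compile(r"^--\S+ \S+--\s+(\S+)$")
RESOLVE_RE = re.compile(r"^Resolving .*?\.\.\. (.+)$")
CONNECT_RE = re.compile(r"^Connecting to (?:.*\|)?(\d{1,3}(?:\.\d{1,3}){3})\|?:\d+")
STATUS_RE = re.compile(r"^HTTP request sent, awaiting response\.\.\. (\d{3})")
LOCATION_RE = re.compile(r"^Location: (\S+)")
LENGTH_RE = re.compile(r"^Length: \S+(?: \(\S+\))? \[([^\]]+)\]")
SAVED_RE = re.compile(r"saved \[(\d+)(?:/\d+)?\]")
HOST_RE = re.compile(r"^[a-z]+://([^/:?#]+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_wget_log(text: str) -> List[Hop]:
    """Turn a wget transcript into the ordered list of hops it followed."""
    hops: List[Hop] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(url=m.group(1)))   # a new request starts here
            continue
        if not hops:
            continue                           # prompt/echo noise before the first hop
        cur = hops[-1]
        if m := RESOLVE_RE.match(line):
            cur.ip = m.group(1).split(",")[0].strip()   # first address if several
        elif m := CONNECT_RE.match(line):
            cur.ip = cur.ip or m.group(1)      # IP-literal hosts have no Resolving line
        elif m := STATUS_RE.match(line):
            cur.status = int(m.group(1))
        elif m := LOCATION_RE.match(line):
            cur.location = m.group(1)
        elif m := LENGTH_RE.match(line):
            cur.content_type = m.group(1)
        elif m := SAVED_RE.search(line):
            cur.saved_bytes = int(m.group(1))
    return hops


def host_of(url: str) -> str:
    m = HOST_RE.match(url)
    return m.group(1) if m else ""


def suspicious_signs(hops: List[Hop], tiny_body: int = 64) -> List[str]:
    """Triage heuristics (assumed, not from the post) applied to a hop chain."""
    signs: List[str] = []
    for h in hops:
        if h.status is not None and 300 <= h.status < 400 and h.location:
            src, dst = host_of(h.url), host_of(h.location)
            if not IPV4_RE.match(src) and IPV4_RE.match(dst):
                signs.append("redirect to bare-IP host")
    if hops:
        last = hops[-1]
        path = last.url.split("?", 1)[0]
        if path.endswith(".js") and last.content_type and "javascript" not in last.content_type:
            signs.append("script URL served with non-script content type")
        if last.saved_bytes is not None and last.saved_bytes < tiny_body:
            signs.append("tiny body (possible decoy/cloaked response)")
    return signs


def chain_summary(hops: List[Hop]) -> List[str]:
    """One line per hop: url [ip] status -> next."""
    out = []
    for h in hops:
        tail = f" -> {h.location}" if h.location else ""
        out.append(f"{h.url} [{h.ip or '?'}] {h.status or '?'}{tail}")
    return out


if __name__ == "__main__":
    chain = parse_wget_log(SAMPLE_LOG)
    for line in chain_summary(chain):
        print(line)
    print("signs:", suspicious_signs(chain))
```

Run against the sample, the chain reports both hops with their addresses and all three signs fire: a hostname redirecting to a bare IP, a `.js` path served as `text/html`, and a 7-byte body, which is the cloaked "GOTCHA!" rather than the payload a victim browser would get. Keeping the indicators (hosts, IPs, the Location target) as parsed fields rather than a blob of terminal text is what makes them easy to drop into a blocklist or a ticket.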
@demon117
Monday, February 6, 2012
A "Gotcha!" moment, literally
Labels: attack, cybercrime, Exploit Kit, Exploit Pack, infosec, malware, Sutra TDS, TDS, threat, webbased
Same for hxxp://188.72.213.183/c/bot.js

But there must be a way to get the real JavaScript.
This fucking code infected my computer with "Internet security Designed to protect".

Ha! Gotta love when the bad guy has a sense of humor!