Friday, January 22, 2010

CVE-2010-0249 in the wild - xx222.8866.org and others – part 0


(22/01/2010)

hxxxxxxxxxxtp://www.babooa562.com/xp/48/au.htm
(AS30058 FDCSERVERS AS for FDC Servers)

hxxxxxxxxxxtp://www.tsqzsb.cn/xp/13/au.htm
(AS4134 CHINA-TELECOM China Telecom)

hxxxxxxxxxp://www.fsus.cn:85/ss/au.htm
(AS35908 - VPLSNET)

hxxxxxxxxxp://googleie2.23sys23.cn/pz/au.htm
(AS4213 VPLSNET)

hxxxxxxxxxp://www.ms8.cc/MyM/Cache/Tpl/safe.htm?13
(AS38356 TimeNet BeiJing Sincerity)

hxxxxxxxxxp://malegebi251.21sys21.cn/pz/au.htm
(AS4213 VPLSNET)

hxxxxxxxxxp://news.21npc.com/meteor/ver/ver.htm?772
(AS4134 CHINA-TELECOM China Telecom)




(20/01/2010)
Using Google together with the information released on the McAfee Labs blog (http://bit.ly/69Pl4g), it may be trivial to find others.

In this case I've found this: hxxxxxxp://xx222.8866.org:2988/dz/ie.html


Wepawet doesn't detect it.

Other URLs implicated in the first spreading stage:

hxxxxxxp://xx222.8866.org:2988/dz/what.jpg    (shellcode)
hxxxxxxp://xx222.8866.org:2988/dz/Element
hxxxxxxp://xx222.8866.org:2988/dz/sdfasdfasdfafasdfafasdf.GIF

Other hosts:
hxxxxxxxp://tempxxp.3322.org:8277/log.css
hxxxxxxxxxp://201003.8866.org:2988/log/ie.html
hxxxxxxxxp://22cc.8866.org:2988/dz/ie.html
hxxxxxxxxp://201003.6600.org:2988/log/ie.html
hxxxxxxxxtp://201003.8800.org:2988/log/ie.html

(this post is being updated)
