
SANS ISC InfoSec Forums: New SQL injection site with fastflux hosting


New SQL injection site with fastflux hosting

One of our frequent contributors notified us of a new SQL injection site.
The script at hxxp://en-us18.com/b.js is being injected into websites via SQL injection.

When I googled for it, I saw 560 injected webpages.
“b.js injects an iFrame which points to
hxxp://en-us18.com/cgi-bin/index.cgi?ad
which in turn embeds two Flash files:

advert.swf:
http://www.virustotal.com/analisis/d6ffe290e9938d3e646f82c536abd0c7
banner.swf:
http://www.virustotal.com/analisis/83be3d4d30eb60d92272625634a3babc” 

Based on the dig output below, the domain appears to be fast-fluxed, or at least set up to change rapidly.

dig www.en-us18.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 1
;; QUERY SECTION:
;;      www.en-us18.com, type = A, class = IN
;; ANSWER SECTION:
www.en-us18.com.        10M IN A        156.17.227.218
www.en-us18.com.        10M IN A        84.121.210.189
www.en-us18.com.        10M IN A        99.194.80.27
www.en-us18.com.        10M IN A        69.65.91.5
www.en-us18.com.        10M IN A        83.27.126.102
www.en-us18.com.        10M IN A        99.225.66.211
www.en-us18.com.        10M IN A        82.159.61.76
www.en-us18.com.        10M IN A        85.53.64.13
www.en-us18.com.        10M IN A        148.81.132.211
www.en-us18.com.        10M IN A        83.23.188.93
www.en-us18.com.        10M IN A        216.170.109.251
www.en-us18.com.        10M IN A        62.21.81.188
www.en-us18.com.        10M IN A        83.242.74.153
www.en-us18.com.        10M IN A        87.205.33.92
;; AUTHORITY SECTION:
en-us18.com.            1d18h57m52s IN NS  ns3.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns2.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns4.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns1.en-us18.com.
;; ADDITIONAL SECTION:
ns1.en-us18.com.        1d21h10m38s IN A  75.110.190.181

A second dig a few minutes later produced similar but slightly different results.
So this domain is changing. I guess they got tired of people blackholing their IP address.
So in that case I would recommend you DNS blackhole that domain.

donald
ISC Handler
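The check the diary does by hand (dig twice, compare the answer sets, look at the TTL) can be scripted. The block below is an added example and is not code from the diary or from SANS ISC: it parses two dig snapshots for www.en-us18.com, scores the fast-flux indicators the diary points at, and emits the resolver entries that blackhole the whole domain rather than a single address. The first snapshot is the answer section printed above; the second snapshot, the heuristic thresholds and the 3-of-4 verdict rule are assumptions made for the example.

```python
"""Fast-flux triage for a suspected malware domain.

Added example, not code from the ISC diary: parse two dig snapshots for
www.en-us18.com, score the fast-flux signs the diary points at (short TTL,
many A records, churn between queries, hosts scattered over unrelated
networks) and emit resolver blackhole entries. Thresholds and the second
snapshot are assumptions; see the comments.
"""
import re

# One A record as dig prints it: "name.   TTL IN A   a.b.c.d"
A_RECORD = re.compile(r"^(\S+)\.\s+(\S+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

# SNAPSHOT_1 is the answer section of the dig output shown in the diary.
SNAPSHOT_1 = """\
;; ANSWER SECTION:
www.en-us18.com.        10M IN A        156.17.227.218
www.en-us18.com.        10M IN A        84.121.210.189
www.en-us18.com.        10M IN A        99.194.80.27
www.en-us18.com.        10M IN A        69.65.91.5
www.en-us18.com.        10M IN A        83.27.126.102
www.en-us18.com.        10M IN A        99.225.66.211
www.en-us18.com.        10M IN A        82.159.61.76
www.en-us18.com.        10M IN A        85.53.64.13
www.en-us18.com.        10M IN A        148.81.132.211
www.en-us18.com.        10M IN A        83.23.188.93
www.en-us18.com.        10M IN A        216.170.109.251
www.en-us18.com.        10M IN A        62.21.81.188
www.en-us18.com.        10M IN A        83.242.74.153
www.en-us18.com.        10M IN A        87.205.33.92
"""

# SNAPSHOT_2 is CONSTRUCTED to stand in for the diary's "similar but slightly
# different" second dig: five hosts remain, the rest dropped out and three
# new ones (TEST-NET addresses, so obviously made up) appeared.
SNAPSHOT_2 = """\
;; ANSWER SECTION:
www.en-us18.com.        10M IN A        156.17.227.218
www.en-us18.com.        10M IN A        84.121.210.189
www.en-us18.com.        10M IN A        69.65.91.5
www.en-us18.com.        10M IN A        82.159.61.76
www.en-us18.com.        10M IN A        87.205.33.92
www.en-us18.com.        10M IN A        192.0.2.45
www.en-us18.com.        10M IN A        198.51.100.77
www.en-us18.com.        10M IN A        203.0.113.9
"""


def parse_ttl(ttl):
    """dig prints TTLs as plain seconds or in the '10M' / '1d18h57m52s' form."""
    if ttl.isdigit():
        return int(ttl)
    units = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([wdhms])", ttl.lower()))


def parse_dig_a(output, name):
    """Return (ttl_seconds, set of addresses) for the A records of `name` only."""
    ttl, addrs = None, set()
    for line in output.splitlines():
        m = A_RECORD.match(line.strip())
        if m and m.group(1) == name:  # skips glue such as ns1.en-us18.com
            ttl = parse_ttl(m.group(2))
            addrs.add(m.group(3))
    return ttl, addrs


def flux_indicators(ttl, first, second, ttl_max=600, min_addrs=5, min_nets=5):
    """Fast-flux heuristics; the thresholds are assumptions, tune them locally."""
    nets = {".".join(a.split(".")[:2]) for a in first | second}  # distinct /16s
    return {
        "short_ttl": ttl is not None and ttl <= ttl_max,
        "many_addresses": len(first) >= min_addrs,
        "scattered_networks": len(nets) >= min_nets,
        "churn_between_queries": bool(first ^ second),
    }


def blackhole_entries(domain):
    """Resolver entries that return NXDOMAIN for the domain and every name under it."""
    return {
        "unbound": [f'local-zone: "{domain}" static'],
        "bind_rpz": [f"{domain} CNAME .", f"*.{domain} CNAME ."],
    }


def triage(name, snap1, snap2):
    """Run the whole check and return findings, a verdict and blackhole config."""
    ttl, first = parse_dig_a(snap1, name)
    _, second = parse_dig_a(snap2, name)
    findings = flux_indicators(ttl, first, second)
    domain = ".".join(name.split(".")[-2:])  # blackhole en-us18.com, not just www
    return {
        "ttl": ttl,
        "churned": sorted(first ^ second),
        "findings": findings,
        "likely_fast_flux": sum(findings.values()) >= 3,  # assumption: 3 of 4
        "blackhole": blackhole_entries(domain),
    }


if __name__ == "__main__":
    for key, value in triage("www.en-us18.com", SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"{key}: {value}")
```

Run it as a script to see the verdict for the diary's data. In practice you would feed it the output of two real `dig` runs a few minutes apart; the unbound `local-zone ... static` line and the RPZ `CNAME .` pair both answer NXDOMAIN for the registrable domain and all of its labels, which is why they keep working when the A records rotate.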
