水曜日, 9月 26, 2012

#OCJP-066: 「RAT Co.,Ltdネットワーク/27.96.16.176」ハッキングされたWPサイト(Plugin脆弱性あり)、ツイッター薬アカウントへ転送

脆弱性を早めに直して下さい。さっそく下記は証拠です↓
感染されたURL↓
hxxp://sekiyuhuanhita.ktbha.net/wp-content/plugins/zjhaemcrkom/google.html?qs=zfs.gio&fgw=gyh.jyg&fob=ogrh
調査のダウンロードログ↓
Resolving sekiyuhuanhita.ktbha.net... 27.96.16.176 (RAT Co.,Ltd/RAT-INFRA1/HW3966JP)
Connecting to sekiyuhuanhita.ktbha.net|27.96.16.176|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 226 [text/html]
下記のiframe発見↓
<iframe allowtransparency="true" frameborder="0" scrolling="no" 
src="hxxp://platform.twitter.com/widgets/follow_button.html?screen_name=foxnewshealth&show_screen_name=true&show_count=true" 
style="width:300px; height:20px; margin: 0 0 10px;"></iframe>
ブラウザーセッションのログ↓
[hxxp] URL: hxxp://sekiyuhuanhita.ktbha.net/wp-content/plugins/zjhaemcrkom/google.html?qs=zfs.gio&fgw=gyh.jyg&fob=ogrh (Status: 200, Referrer: None)
<meta content="0; url=hxxp://www.foxnews.com.happyhcgultracustomers.new.12newsclock.com" hxxp-equiv="refresh"/>
[hxxp] URL: hxxp://www.foxnews.com.happyhcgultracustomers.new.12newsclock.com (Status: 200, Referrer: hxxp://sekiyuhuanhita.ktbha.net/wp-content/plugins/zjhaemcrkom/google.html?qs=zfs.gio&fgw=gyh.jyg&fob=ogrh)
[hxxp] URL: hxxp://www.foxnews.com.happyhcgultracustomers.new.12newsclock.com (Status: 200, Referrer: hxxp://sekiyuhuanhita.ktbha.net/wp-content/plugins/zjhaemcrkom/google.html?qs=zfs.gio&fgw=gyh.jyg&fob=ogrh)
[hxxp] URL: hxxps://s-static.ak.fbcdn.net/rsrc.php/v2/yr/r/Q9960T8nf3v.js (Status: 200, Referrer: hxxp://sekiyuhuanhita.ktbha.net/wp-content/plugins/zjhaemcrkom/google.html?qs=zfs.gio&fgw=gyh.jyg&fob=ogrh)
<iframe allowtransparency="true" frameborder="0" scrolling="no" src="hxxp://platform.twitter.com/widgets/follow_button.html?screen_name=foxnewshealth&show_screen_name=true&show_count=true" style="width:300px; height:20px; margin: 0 0 10px;"></iframe>
[iframe redirection] hxxp://sekiyuhuanhita.ktbha.net/wp-content/plugins/zjhaemcrkom/google.html?qs=zfs.gio&fgw=gyh.jyg&fob=ogrh -> hxxp://platform.twitter.com/widgets/follow_button.html?screen_name=foxnewshealth&show_screen_name=true&show_count=true
[hxxp] URL: hxxp://platform.twitter.com/widgets/follow_button.html?screen_name=foxnewshealth&show_screen_name=true&show_count=true (Status: 200, Referrer: hxxp://sekiyuhuanhita.ktbha.net/wp-content/plugins/zjhaemcrkom/google.html?qs=zfs.gio&fgw=gyh.jyg&fob=ogrh)
Posted by unixfreaxjp at 6:45 午後

0 件のコメント:

コメントを投稿

登録: コメントの投稿 (Atom)