Thursday, May 23

Hunting iframe-injection malware on websites in Thailand

Checking for Redkit exploit kit iframe injection
++++++++++++++++++++++++++++++++++++++++++++++
Incident found
++++++++++++++++++++++++++++++++++++++++++++++
at http://www.cru.ac.th/cru_web/
Checking the hosting server from the network
++++++++++++++++++++++++++++++++++++++++++++++
Nmap scan report for 110.77.220.122
Host is up (0.31s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd (before 2.0.8) or WU-FTPD
|_banner: 220 Welcome to CRU FTP services.
22/tcp  open   ssh      OpenSSH 4.3 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_4.3
25/tcp  closed smtp
80/tcp  open   http     Apache httpd 2.2.3 ((CentOS))
| http-headers: 
|   Date: Tue, 23 Jul 2013 06:40:32 GMT
|   Server: Apache/2.2.3 (CentOS)
|   Last-Modified: Wed, 10 Jul 2013 07:45:56 GMT
|   ETag: "1426800c-1556e-4e12377bfb500"
|   Accept-Ranges: bytes
|   Content-Length: 87406
|   Connection: close
|   Content-Type: text/html
|   
|_  (Request type: GET)
| http-title: โรงเรียนชลราษฎรอำรุง ...   (decoded from the escaped UTF-8 bytes; title truncated by nmap)
|_Requested resource was http://110.77.220.122/cru_web/
110/tcp closed pop3
143/tcp closed imap
443/tcp open   ssl/http Apache httpd 2.2.3 ((CentOS))
| http-headers: 
|_  (Request type: GET)
| ssl-cert: Subject: commonName=Chon1/organizationName=Chonradsadornumrung School/stateOrProvinceName=Chonburi/countryName=TH/emailAddress=cru_school@hotmail.com/localityName=Chonburi/organizationalUnitName=Chonchai
| Issuer: commonName=Chon1/organizationName=Chonradsadornumrung School/stateOrProvinceName=Chonburi/countryName=TH/emailAddress=cru_school@hotmail.com/localityName=Chonburi/organizationalUnitName=Chonchai
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2012-05-14T14:37:18+00:00
| Not valid after:  2032-05-09T14:37:18+00:00
| MD5:   394a 5a16 1dfb f58a 3705 69dc 47a5 4908
| SHA-1: 57c1 542d 00cd 6554 b04d 3d54 13ff bec0 d3fd d194
| -----BEGIN CERTIFICATE-----
| MIICvTCCAiYCCQDdu+DGElp74DANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMC
| VEgxETAPBgNVBAgTCENob25idXJpMREwDwYDVQQHEwhDaG9uYnVyaTEjMCEGA1UE
| ChMaQ2hvbnJhZHNhZG9ybnVtcnVuZyBTY2hvb2wxETAPBgNVBAsTCENob25jaGFp
| MQ4wDAYDVQQDEwVDaG9uMTElMCMGCSqGSIb3DQEJARYWY3J1X3NjaG9vbEBob3Rt
| YWlsLmNvbTAeFw0xMjA1MTQxNDM3MThaFw0zMjA1MDkxNDM3MThaMIGiMQswCQYD
| VQQGEwJUSDERMA8GA1UECBMIQ2hvbmJ1cmkxETAPBgNVBAcTCENob25idXJpMSMw
| IQYDVQQKExpDaG9ucmFkc2Fkb3JudW1ydW5nIFNjaG9vbDERMA8GA1UECxMIQ2hv
| bmNoYWkxDjAMBgNVBAMTBUNob24xMSUwIwYJKoZIhvcNAQkBFhZjcnVfc2Nob29s
| QGhvdG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUNiDSmaZ3
| neIoKKaDubNIT3tKHx8y84L7bfs+xC319iNtgHFv/DsnaQS4tjPVrI3jorK8FDzV
| K9n5TNLIEarayHft7HOzToerNcwYshrArb8qpXrRD7SJoHfmMH5z+CE9TqFQEh22
| fDssKN0+/mA2/GMsxX7P1D5VbAm+BdM95QIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
| AG051xp8Q6hvcW+IhJRXAanVKtod7TXG4ZVQ0Elx8AxsnGdk4rD0mvPXE7vWf7bG
| onvP8eBQKv4SvHLDzee9qxRxwcZAGXsI80TagIG0ekI4q03Nk3RiaycWDgP7kR48
| BOhMR+pMi8RQfZTdjBK14GOD/wgpBVlA2ycvg+87ZOwg
|_-----END CERTIFICATE-----
Aggressive OS guesses: Linux 2.6.18 (92%), Linux 2.6.32 (92%), FreeBSD 6.2-RELEASE (91%), Linux 2.6.9 - 2.6.18 (91%), Cisco UC320W PBX (Linux 2.6) (90%), Linux 2.6.9 (90%), Linux 2.6.22.1-32.fc6 (x86, SMP) (89%), Linux 2.6.5 (89%), Linux 2.6.11 (89%), Linux 2.6.28 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: CRU

Host script results:
| asn-query: 
| BGP: 110.77.220.0/24 and 110.77.208.0/20 | Country: TH
|   Origin AS: 131090 - CAT-IDC-4BYTENET-AS-AP CAT TELECOM Public Company Ltd,CAT
|_    Peer AS: 4651
| dns-blacklist: 
|   SPAM
|_    l2.apews.org - SPAM
| hostmap-ip2hosts: 
|   hosts: 
|     cru.ac.th
|_    www.cru.ac.th

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Connections
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Abnormality found:
an iframe hiding a malware domain in the page
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(The blog renderer stripped the tag names from the fragments below; the pluginspage/type attributes belong to the site's own Flash <embed> elements written out by AC_RunActiveContent.js. The injected iframe markup itself is not reproduced on this page.)

<embed width="210" height="210" src="source/swf/clock.swf" quality="high"
 pluginspage="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash"
 type="application/x-shockwave-flash">

<embed width="864" height="354" src="source/swf/banner.swf" quality="high"
 pluginspage="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash"
 type="application/x-shockwave-flash">
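A static check for the kind of injected frame described above, added here as an example (editor's code, not from the original post). The sample HTML is constructed: the post does not reproduce the injected iframe markup, so the snippet pairs the site's own Flash embed with a hidden iframe whose src is the mybodybuildingjourney.com URL taken from the request log later on this page. The three heuristics (off-site src, 1x1 size, CSS hiding) are the editor's assumptions about how drive-by frames are hidden, not a Redkit signature.

```python
"""Flag iframes that look injected: off-site src, 1x1 size, or hidden by CSS."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# The compromised page from the post.
PAGE_URL = "http://www.cru.ac.th/cru_web/"

# Constructed sample (not the page's real markup): the site's own Flash embed
# next to a hidden iframe whose src is the URL seen in the post's request log,
# plus a harmless same-origin iframe that must not be flagged.
SAMPLE_HTML = """<html><body>
<embed width="210" height="210" src="source/swf/clock.swf" quality="high"
 type="application/x-shockwave-flash">
<iframe src="http://mybodybuildingjourney.com/oeef.html?j=3267321"
 width="1" height="1" style="visibility:hidden;position:absolute;left:-5000px"></iframe>
<iframe src="news.html" width="400" height="300"></iframe>
</body></html>"""

# CSS tricks commonly used to keep an injected frame out of sight (editor's heuristic).
_HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)


def _tiny(value):
    """True for a width/height of 0 or 1 px, the usual size of a drive-by frame."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects (resolved_src, [reasons]) for every suspicious <iframe>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        # Resolve relative src against the page so same-origin frames compare by host.
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlparse(src).hostname
        reasons = []
        if host and host != self.page_host:
            reasons.append("third-party src " + host)
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("1x1 or 0x0 frame")
        if _HIDDEN_CSS.search(a.get("style") or ""):
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit_iframes(html, page_url=PAGE_URL):
    """Return the suspicious iframes found in html, resolved relative to page_url."""
    auditor = IframeAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```

Run it over the HTML you fetched with curl (fetch with a browser-like User-Agent; kits often serve the injection only to real browsers). A single reason is enough to look closer; all three together, as in the sample, is a near-certain injection.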


+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Request log check (URL, HTTP status, content type)
++++++++++++++++++++++++++++++++++++++++++
URL                                                          Status  Content-Type
http://www.cru.ac.th/                                        302     text/html
http://www.cru.ac.th/cru_web/                                200     text/html
http://www.cru.ac.th/cru_web/js/jquery.js                    200     application/x-javascript
http://mybodybuildingjourney.com/oeef.html?j=3267321         301     text/html
http://mikeborge.com/oeef.html?j=3267321                     200     text/html
http://mikeborge.com/0o4.jar                                 200     application/zip
about:blank                                                  200     text/html
http://www.cru.ac.th/cru_web/js/easySlider1.7.js             200     application/x-javascript
http://www.cru.ac.th/cru_web/Scripts/AC_RunActiveContent.js  200     application/x-javascript
http://www.cru.ac.th/cru_web/source/swf/banner.swf           200     application/x-shockwave-flash
http://www.cru.ac.th/cru_web/source/swf/clock.swf            200     application/x-shockwave-flash
http://artisticgenepool.com/oaaf.html?j=3267321              301     text/html
http://mikeborge.com/oaaf.html?j=3267321                     404     (empty)
http://mybodybuildingjourney.com/oeef.html?i=3267321         301     text/html
http://mikeborge.com/oeef.html?i=3267321                     404     (empty)
http://www.cru.ac.th/cru_web/css/mainMenu.css                200     text/css
http://www.cru.ac.th/cru_web/css/screen.css                  404     text/html
http://www.cru.ac.th/cru_web/css/topMenu.css                 200     text/css
http://www.cru.ac.th/cru_web/css/personMenu.css              404     text/html

Redirects
From                                                   To
http://www.cru.ac.th/                                  http://www.cru.ac.th/cru_web/
http://mybodybuildingjourney.com/oeef.html?j=3267321   http://mikeborge.com/oeef.html?j=3267321
http://artisticgenepool.com/oaaf.html?j=3267321        http://mikeborge.com/oaaf.html?j=3267321
http://mybodybuildingjourney.com/oeef.html?i=3267321   http://mikeborge.com/oeef.html?i=3267321

ActiveX controls
  • D27CDB6E-AE6D-11CF-96B8-444553540000 (the Adobe Flash Player classid)
    Attributes:
    Name                  Value
    movie                 source/swf/clock.swf
    jQuery1366577423256   147.0, 1022.0
    quality               high
=================================
HTTP check
=================================
Loading the HTTP capture as proxy requests shows the connection out to the malware site mybodybuildingjourney.com. Read together with the request log, the chain is: the compromised page at http://www.cru.ac.th/cru_web/ pulls http://mybodybuildingjourney.com/oeef.html?j=3267321, which answers 301 to the landing page http://mikeborge.com/oeef.html?j=3267321 (200), and that page fetches http://mikeborge.com/0o4.jar, served as application/zip, i.e. a Java archive (.jar) as the exploit stage. The two later ?i= and oaaf.html attempts end in 301 then 404, consistent with the landing page being rotated or pulled.
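To turn a request log like the one above into findings rather than eyeballing it, here is an added triage script (editor's example, not from the post or from any tool it names). The request and redirect lists are transcribed, abridged, from the tables on this page; the landing-page regex is a heuristic taken from the shape of the URLs in this log (short .html name plus a ?i=/?j= numeric id) and is an assumption, not an authoritative Redkit signature.

```python
"""Triage a browser request log for an exploit-kit redirect chain."""
import re
from urllib.parse import urlparse

SITE_HOST = "www.cru.ac.th"   # the site under investigation

# Transcribed (abridged) from the request log on this page: (url, status, content_type).
REQUESTS = [
    ("http://www.cru.ac.th/", 302, "text/html"),
    ("http://www.cru.ac.th/cru_web/", 200, "text/html"),
    ("http://www.cru.ac.th/cru_web/js/jquery.js", 200, "application/x-javascript"),
    ("http://mybodybuildingjourney.com/oeef.html?j=3267321", 301, "text/html"),
    ("http://mikeborge.com/oeef.html?j=3267321", 200, "text/html"),
    ("http://mikeborge.com/0o4.jar", 200, "application/zip"),
    ("about:blank", 200, "text/html"),
    ("http://www.cru.ac.th/cru_web/source/swf/clock.swf", 200, "application/x-shockwave-flash"),
    ("http://artisticgenepool.com/oaaf.html?j=3267321", 301, "text/html"),
    ("http://mikeborge.com/oaaf.html?j=3267321", 404, "empty"),
    ("http://mybodybuildingjourney.com/oeef.html?i=3267321", 301, "text/html"),
    ("http://mikeborge.com/oeef.html?i=3267321", 404, "empty"),
    ("http://www.cru.ac.th/cru_web/css/screen.css", 404, "text/html"),
]

# Transcribed from the Redirects table: (from_url, to_url).
REDIRECTS = [
    ("http://www.cru.ac.th/", "http://www.cru.ac.th/cru_web/"),
    ("http://mybodybuildingjourney.com/oeef.html?j=3267321", "http://mikeborge.com/oeef.html?j=3267321"),
    ("http://artisticgenepool.com/oaaf.html?j=3267321", "http://mikeborge.com/oaaf.html?j=3267321"),
    ("http://mybodybuildingjourney.com/oeef.html?i=3267321", "http://mikeborge.com/oeef.html?i=3267321"),
]

# Shape of the landing URLs in this log: short .html name plus ?i=/?j= numeric id.
# Editor's heuristic derived from the page's data, not an authoritative kit signature.
LANDING_RE = re.compile(r"/[a-z0-9]{3,5}\.html\?[ijh]=\d+$")

# Content types and extensions that usually carry the exploit or dropper (assumption).
PAYLOAD_TYPES = {"application/zip", "application/java-archive", "application/x-msdownload"}
PAYLOAD_EXTS = (".jar", ".class", ".pdf", ".swf", ".exe")


def is_third_party(url):
    """True for an http(s) URL whose host is not the site under investigation."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname not in (None, SITE_HOST)


def build_chains(redirects):
    """Join From->To pairs into full chains, starting at URLs that are not themselves a To."""
    nxt = dict(redirects)
    targets = set(nxt.values())
    chains = []
    for start in nxt:
        if start in targets:
            continue
        chain, seen = [start], {start}
        while chain[-1] in nxt and nxt[chain[-1]] not in seen:   # guard against loops
            chain.append(nxt[chain[-1]])
            seen.add(chain[-1])
        chains.append(chain)
    return chains


def triage(requests=REQUESTS, redirects=REDIRECTS):
    """Summarise off-site hosts, landing pages, payload fetches and redirect chains."""
    hosts, landing, payloads = set(), [], []
    for url, status, ctype in requests:
        if not is_third_party(url):
            continue                      # the site's own resources are not the question here
        hosts.add(urlparse(url).hostname)
        if LANDING_RE.search(url):
            landing.append((url, status))
        path = urlparse(url).path.lower()
        if ctype in PAYLOAD_TYPES or path.endswith(PAYLOAD_EXTS):
            payloads.append((url, ctype))
    chains = [c for c in build_chains(redirects) if any(is_third_party(u) for u in c)]
    return {"hosts": sorted(hosts), "landing": landing, "payloads": payloads, "chains": chains}


if __name__ == "__main__":
    result = triage()
    print("off-site hosts:", ", ".join(result["hosts"]))
    for chain in result["chains"]:
        print("chain:", " -> ".join(chain))
    for url, ctype in result["payloads"]:
        print("payload:", url, ctype)
```

The content-type check matters: the kit served the .jar as application/zip, so filtering on a Java MIME type alone would have missed it, which is why both the extension and the type are tested. Every URL in the chain's hosts list is a candidate for the hosting provider's abuse contact (see the Whois below).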

==============================================================
Whois check
==============================================================
Domain name: mybodybuildingjourney.com
Registrant Contact:
Pete81
Petri Olsson ()
Fax:
Saarenvainionkatu 15 D 57
Tampere, FIN 33710
FI
Administrative Contact:
Pete81
Petri Olsson (holaluna81@yahoo.com)
+358.405079703
Fax: +1.5555555555
Saarenvainionkatu 15 D 57
Tampere, FIN 33710
FI
Technical Contact:
Pete81
Petri Olsson (holaluna81@yahoo.com)
+358.405079703
Fax: +1.5555555555
Saarenvainionkatu 15 D 57
Tampere, FIN 33710
FI
Status: Locked
Name Servers:
ns3321.hostgator.com
ns3322.hostgator.com
Creation date: 15 Oct 2009 16:41:05
Expiration date: 15 Oct 2013 16:41:05



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Link 
https://www.virustotal.com/th/url/e23ec6b60262684212b39c1751a04d5fe8c573beb91826b30c50684c257ee39f/analysis/
http://wepawet.iseclab.org/view.php?hash=66100e0d535a4c1119acb647613b4b70&t=1366577405&type=js
http://urlquery.net/report.php?id=2104305
http://checkip.me/whomap.php?domain=mybodybuildingjourney.com
