[nsp-sec] 130K+ Infected Ips on ~3600 ASNs

Carlos Fragoso Mariscal carlos at fragoso.eu
Fri Oct 2 08:02:36 EDT 2009


Hi there!

By the way, any request to ...

> http://lmageshack.org/img/*

... is redirected (HTTP redirection moved temporarily) to the same file:

> http://rapidshare.com/files/287132647/pic9879.pif



> $ wget http://lmageshack.org/img/whatthefuckareyoutalkingabout
> --2009-10-02 13:58:41--  http://lmageshack.org/img/whatthefuckareyoutalkingabout
> Resolviendo lmageshack.org... 76.73.37.250
> Connecting to lmageshack.org|76.73.37.250|:80... conectado.
> Petición HTTP enviada, esperando respuesta... 302 Found
> Localización: http://rapidshare.com/files/287132647/pic9879.pif [siguiendo]

> --2009-10-02 13:58:42--  http://rapidshare.com/files/287132647/pic9879.pif
> Resolviendo rapidshare.com... 195.122.131.9, 195.122.131.10, 195.122.131.11, ...
> Connecting to rapidshare.com|195.122.131.9|:80... conectado.
> Petición HTTP enviada, esperando respuesta... 302 Moved Temporarily
> Localización: http://rs478cg.rapidshare.com/files/287132647/pic9879.pif [siguiendo]

> --2009-10-02 13:58:42--  http://rs478cg.rapidshare.com/files/287132647/pic9879.pif
> Resolviendo rs478cg.rapidshare.com... 82.129.33.79
> Connecting to rs478cg.rapidshare.com|82.129.33.79|:80... conectado.
> Petición HTTP enviada, esperando respuesta... 200 OK
> Longitud: 151552 (148K) [application/octet-stream]
> Saving to: `pic9879.pif.6'
>
> 100%[======================================>] 151.552     67,5K/s    in 2,2s
>
> 2009-10-02 13:58:45 (67,5 KB/s) - `pic9879.pif.1' saved [151552/151552]

> $ file pic9879.pif.2
> pic9879.pif.2: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

> $ md5 pic9879.pif
> MD5 (pic9879.pif) = f504e5f7bdb4200f43e00ef7605e4c78

> $ md5 pic9879.pif.2
> MD5 (pic9879.pif.2) = f504e5f7bdb4200f43e00ef7605e4c78

Regards,

-- Carlos

On 02/10/2009, at 09:21, Scott A. McIntyre wrote:

> // lmageshack. org/img/imgxoor.jpg
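
The redirect chain in the transcript above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it parses a wget transcript regardless of locale and flags an image-style request that ends in an executable download. The host names in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample shaped like the transcript in the post (Spanish locale).
# Host names are placeholders, not values from the page.
SAMPLE = """\
> --2009-10-02 13:58:41--  http://img-lure.example/img/anything
> Petición HTTP enviada, esperando respuesta... 302 Found
> Localización: http://filehost.example/files/1/pic.pif [siguiendo]
> --2009-10-02 13:58:42--  http://filehost.example/files/1/pic.pif
> Petición HTTP enviada, esperando respuesta... 200 OK
> Longitud: 151552 (148K) [application/octet-stream]
"""

# These patterns avoid localized words, so they work for any wget locale.
REQ = re.compile(r"^--\d{4}-\d\d-\d\d \d\d:\d\d:\d\d--\s+(\S+)")
STATUS = re.compile(r"\.\.\. (\d{3})\s")
CTYPE = re.compile(r"\[([\w.+-]+/[\w.+-]+)\]\s*$")
EXEC_EXT = (".pif", ".exe", ".scr", ".com")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

def parse_hops(transcript):
    """Return one dict per request: url, status, content_type."""
    hops = []
    for raw in transcript.splitlines():
        line = raw.lstrip("> ").rstrip()      # tolerate mail-quoted output
        if m := REQ.match(line):
            hops.append({"url": m.group(1), "status": None, "content_type": None})
        elif hops:
            if m := STATUS.search(line + " "):
                hops[-1]["status"] = int(m.group(1))
            elif m := CTYPE.search(line):
                hops[-1]["content_type"] = m.group(1)
    return hops

def assess(hops):
    """List reasons the chain looks like an image lure for an executable."""
    if not hops:
        return []
    first, last = urlsplit(hops[0]["url"]), urlsplit(hops[-1]["url"])
    findings = []
    if "/img/" in first.path or first.path.lower().endswith(IMAGE_EXT):
        if last.path.lower().endswith(EXEC_EXT):
            findings.append("image-style URL ends at an executable extension")
        if hops[-1]["content_type"] == "application/octet-stream":
            findings.append("final response is application/octet-stream, not image/*")
    if first.hostname != last.hostname:
        findings.append(f"payload served from a different host: {last.hostname}")
    return findings
```

The extension and Content-Type are only hints; confirming the file type from the downloaded bytes, as the `file` command does in the post, remains the authoritative check.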









