I received a comment to the 2009 blog. This one houses a variation of the MO used that I outlined in part 1 (was not going to be a part 2, but it's got a few changes that warranted it).
The MO in this case, is;
1. Site A
There's no MITMs this time. There's also a slight change in the code used on the exploit page itself, though curiously, it's even easier to decode than the last one (only 3 lines needing commented out this time).
I've not got the headers for this one, but the e-mail apparently contains;
thefire.org lives at;
IP PTR: Resolution failed
ASN: 10532 22.214.171.124/18 RACKSPACE - Rackspace Hosting
This redirects to;
Which is living on Infium IP space;
IP PTR: ip-188-190-99-26.hosted-in.infiumhost.com
ASN: 197145 126.96.36.199/19 ASINFIUM Infium Ltd.
In the case of this variation, all you need to do is comment out the following lines;
From here it's the same as the last one - locate the line containing "?f=" to get the value you'll need for the payload (in this case, /w.php?f=17).
Blackhole exploit: For those wondering