Last visit was: Fri Jul 04, 2014 6:51 pm
It is currently Fri Jul 04, 2014 6:51 pm

Is this site dangerous?


All times are UTC - 5 hours [ DST ]


 [ 5 posts ] 
Author Message
 PostPosted: Sun Jun 19, 2011 1:17 pm   
Spam Investigator
User avatar

Joined: Fri Jan 23, 2009 12:28 pm
Posts: 300
I received spam from cardershop.cc. That domain is described as 'dangerous' at urlvoid.com/scan/cardershop.cc , which refers to a listing at hpHosts which indeed exists. The information on hp Hosts (AS41947) is meaningless to me. On http://vurldissect.co.uk/?url=1597541 I then see "hpHosts Status: Not listed". And submission to wepawet also shows nothing malicious. The pagesource of cardershop.cc is:
<HTML><HEAD><SCRIPT language="javascript" src="/sc_db873705ba52b51ac0e39e06e32b5613.js"></SCRIPT></HEAD><BODY onload="scf('3942'+'ccc6','/');"></BODY></HTML>. Can somebody (SIL maybe?) explain why this site is listed as dangerous, and what the JavaScript does?


Top
 Profile  
 PostPosted: Sun Jun 19, 2011 7:19 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
I also got spam on this.

I captured the load using CURL and got something similar in format but different in content
Code:
<HTML><HEAD><SCRIPT language="javascript" src="/sc_c6565a86baa172e45aff5d66b49c4b69.js"></SCRIPT></HEAD>
<BODY onload="scf('fe6a'+'1df7','/');"></BODY></HTML>


The javascript referenced above contains
Code:
function scf(hsh,uri) {document.cookie="sitechrx" + "=" + escape(hsh + "33046fc8c787b81fde12b1ed") + ";Path=/";window.location=uri;}


Krebs on Security featured the similar site carders.cc in May last year
http://krebsonsecurity.com/2010/05/frau ... cc-hacked/


Top
 Profile WWW  
 PostPosted: Sun Jun 19, 2011 9:24 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
I think it's a joe job.


Top
 Profile  
 PostPosted: Sun Jun 19, 2011 10:00 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
I agree that it is a joe-job. Unlike most joe-jobs, this looks like a particularly unpalatable site.
"Open VPN and Socks Service"

I am also intrigued by the javascript, but I can not determine that it has anything malicious.


Top
 Profile WWW  
 PostPosted: Mon Jun 20, 2011 12:14 am   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
The same peculiar code is used by another domain on the same IP 77.91.227.124

st0re.cc

And knuddels.me
Code:
<HTML><HEAD><SCRIPT language="javascript" src="/sc_861b7b6e2ac3659a1d8e7b7efb3da525.js"></SCRIPT></HEAD><BODY onload="scf('338c'+'7e68','/');"></BODY></HTML>

"Domain suspended"


Top
 Profile WWW  
 [ 5 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Wayback machine and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008