The Electronic Payments Association spam
Published: 2011/11/24
This is another variation of the ACH Payment family of spam.
The e-mail body looks like this (screenshot):
The attachment appears to be a .doc file, but it is actually a link to a site such as the one below:
http://vaatsalya.co.in/9ecdb1/index.html
Contents of the index.html file (screenshot):
Contents of the js.js file (screenshot):
Contents of the ajaxm.js file (screenshot):
Contents of the file that gets downloaded (screenshot):
The vulnerability used in the attack appears to be CVE-2010-1885.
The link extracted from it:
http://westarray.com/content/g43kb6j34kblq6jh34kb6j3kl4.jar
What g43kb6j34kblq6jh34kb6j3kl4.jar really is (detection 4/43, screenshot):
Examples of the URLs used in the e-mail bodies:
host | path |
---|---|
01644a4.netsolhost.com | /gbh4d6u/index.html |
01644a4.netsolhost.com | /oc78i9/index.html |
01644a4.netsolhost.com | /tok750x/index.html |
01644a4.netsolhost.com | /uq81jv/index.html |
01833b7.netsolhost.com | /e3cxwx/index.html |
01ee56c.netsolhost.com | /0mq1ilq/index.html |
01ee56c.netsolhost.com | /72g48d/index.html |
01f5928.netsolhost.com | /0m6slvp/index.html |
01f5928.netsolhost.com | /b1igabe/index.html |
01f5928.netsolhost.com | /gnrqqf/index.html |
029a017.netsolhost.com | /6pzw0f9/index.html |
029a017.netsolhost.com | /khubgqx/index.html |
029a017.netsolhost.com | /m2tpxa/index.html |
029a017.netsolhost.com | /whprsvs/index.html |
02b8d82.netsolhost.com | /be9q6zc/index.html |
02b8d82.netsolhost.com | /rycr38/index.html |
02c20c8.netsolhost.com | /47245dt/index.html |
02c20c8.netsolhost.com | /4pz6len/index.html |
02c20c8.netsolhost.com | /az9mr9/index.html |
02c20c8.netsolhost.com | /nil789/index.html |
222.242.196.216.DED-DSL.fuse.net | /bsju53/index.html |
222.242.196.216.DED-DSL.fuse.net | /okwnzi/index.html |
222.242.196.216.DED-DSL.fuse.net | /zuuvxq/index.html |
60gp.ovh.net | /~neonatcr/1vayp23/index.html |
alexreineck.com | /43xrbe/index.html |
alexreineck.com | /aylvx4p/index.html |
alexreineck.com | /s56ea9/index.html |
autoforum-portal.de | /6hfri9/index.html |
autoforum-portal.de | /ftkbai/index.html |
autoforum-portal.de | /w5uqph/index.html |
bhaktiamerica.com | /3teetv/index.html |
bhaktiamerica.com | /b34sptb/index.html |
bhaktiamerica.com | /nfd59hk/index.html |
bhaktiamerica.com | /zriretj/index.html |
bipolarhomebusiness.com | /9iet27/index.html |
bipolarhomebusiness.com | /q052ow/index.html |
bipolarhomebusiness.com | /vjsbtvd/index.html |
cbe360.com | /346x9ao/index.html |
cbe360.com | /6tslsp/index.html |
cbe360.com | /eguqsi/index.html |
cbe360.com | /y04qmq5/index.html |
cobblawfirm.com | /ike9t9/index.html |
cpanel03.blueyellow.nl | /~ocibvnl/uvmqz5/index.html |
dehesadeituero.com | /5sdla5w/index.html |
dehesadeituero.com | /mfpxssc/index.html |
dehesadeituero.com | /nwht4x/index.html |
die-schokoseite.de | /g4jyabz/index.html |
die-schokoseite.de | /kz5be9/index.html |
die-schokoseite.de | /py5y68/index.html |
die-schokoseite.de | /sxyfl1/index.html |
earnfreemoneyonline.co.uk | /1bjyhg1/index.html |
earnfreemoneyonline.co.uk | /6dkyh2q/index.html |
elektroauto-news.net | /v0syqd1/index.html |
elektroauto-news.net | /xvh9hq/index.html |
entdeckeschweden.de | /qw7lmy/index.html |
entdeckeschweden.de | /rqctvuz/index.html |
fastreplyers.net | /qwzmkq/index.html |
fastreplyers.net | /ztu08a/index.html |
filetest2.nuzoka.com | /eke5sl6/index.html |
filetest2.nuzoka.com | /gd375j/index.html |
filetest2.nuzoka.com | /zfdg0v/index.html |
forexitalia.net | /cr3ded/index.html |
forexitalia.net | /kk5bhd/index.html |
forexitalia.net | /ohgc02/index.html |
hasanbaba-kebabhaus.de | /8wvjvv/index.html |
hasanbaba-kebabhaus.de | /9j62cu/index.html |
hasanbaba-kebabhaus.de | /eu467cl/index.html |
hasanbaba-kebabhaus.de | /h85kkx4/index.html |
hasanbaba-kebabhaus.de | /l6q9h1/index.html |
hasanbaba-kebabhaus.de | /lwrt29v/index.html |
hasanbaba-kebabhaus.de | /rzo1ul/index.html |
howtobeholy.1unlimited.net | /9abwm1h/index.html |
howtobeholy.1unlimited.net | /9inq57/index.html |
ingenious-jewellery.co.uk | /elfg0ax/index.html |
ingenious-jewellery.co.uk | /lg0uwhh/index.html |
joelnapril.com | /5y8qz3/index.html |
joelnapril.com | /8qfu9zy/index.html |
joelnapril.com | /jwizmp/index.html |
joelnapril.com | /v878vj/index.html |
livinginternational.es | /7nyq83o/index.html |
maxundsunny.de | /0qupgr/index.html |
maxundsunny.de | /3n49s9w/index.html |
maxundsunny.de | /nvmaz2p/index.html |
maxundsunny.de | /q03844/index.html |
maxundsunny.de | /tf4zqg/index.html |
mikkavanilla.com | /0hf7hd/index.html |
mikkavanilla.com | /2ov6cp/index.html |
mikkavanilla.com | /eomqdp/index.html |
mikkavanilla.com | /hsuyty/index.html |
mmwluise.unlimitedhost.tk | /duccn2/index.html |
mmwluise.unlimitedhost.tk | /pycwwy/index.html |
mmwluise.unlimitedhost.tk | /xf4618i/index.html |
mtsmifa.net.tc | /fz1rdh/index.html |
mtsmifa.net.tc | /hca7al/index.html |
naomifox.com | /z3dwpk/index.html |
netramfoundation.org | /4318ip1/index.html |
netramfoundation.org | /48llx9/index.html |
networkmarketingmalaysia.biz | /sgpqthd/index.html |
nexalt.com | /rzgc7bf/index.html |
nextribu.com | /6phhb0/index.html |
nihadragab.com | /elif16/index.html |
nihadragab.com | /ozk761/index.html |
nintendorevolutionfan.com | /s6f2pfx/index.html |
nla.com.gh | /ad7g650/index.html |
nla.com.gh | /zxnaq2/index.html |
nphs.co.in | /3raovf/index.html |
nphs.co.in | /zyyc4es/index.html |
nriassetprotection.com | /pkke1jg/index.html |
nrkinfotech.com | /4en45zj/index.html |
nrkinfotech.com | /mphbmq/index.html |
nrkinfotech.com | /t9yy0c/index.html |
nsoftsolution.com | /gjmym60/index.html |
nsoftsolution.com | /sui6x6n/index.html |
ntf.thealliswell.com | /84unvd/index.html |
ntf.thealliswell.com | /e7lgyae/index.html |
ntf.thealliswell.com | /uuz46y/index.html |
nutrihealthsystems.co.in | /0bpxt5/index.html |
nwod.nw.funpic.de | /ct5ihe/index.html |
nwod.nw.funpic.de | /l7lykhp/index.html |
nwod.nw.funpic.de | /xsgzov/index.html |
oaklandyellowcab.com | /bk5cr9/index.html |
oaklandyellowcab.com | /mm9520y/index.html |
oaklandyellowcab.com | /wm8s0sl/index.html |
obcseu.nl.siteprotect.net | /51z4rlz/index.html |
obcseu.nl.siteprotect.net | /jvkqnj/index.html |
obcseu.nl.siteprotect.net | /pb29b2/index.html |
obitech.de | /jdjqdd0/index.html |
obitech.de | /m7w6x2/index.html |
obitech.de | /oykcqt/index.html |
obitech.eu | /5h9m9hm/index.html |
obitech.eu | /yewwn25/index.html |
objectif-plongee.gp | /ldt1dcj/index.html |
objectif-plongee.gp | /xs6ra5/index.html |
oc.aawebsolutions.com | /8i3qi3/index.html |
oc.aawebsolutions.com | /~ocaaweb/l7f961/index.html |
ocalmauritius.com | /sr43xl/index.html |
ocalmauritius.com | /w2xrjr/index.html |
ocalmauritius.com | /ynuyed/index.html |
odnokassniki.zxq.net | /9wc3bb/index.html |
odnokassniki.zxq.net | /pznr727/index.html |
officialempirecloset.com | /4u5gjgh/index.html |
offsports.com | /1g4gxv/index.html |
offsports.com | /taa7dq/index.html |
photo-bollengier.com | /5c09o6/index.html |
photo-bollengier.com | /duvynlw/index.html |
photo-bollengier.com | /gcjdjyb/index.html |
pumaracing.co.uk | /1ki6wg/index.html |
pumaracing.co.uk | /5z7zmzv/index.html |
pumaracing.co.uk | /cc81ddz/index.html |
pumaracing.co.uk | /nruae5e/index.html |
purepleasure-music.de | /~newstuff/jpy2l2o/index.html |
purepleasure-music.de | /~newstuff/sz4mck1/index.html |
s344134048.onlinehome.us | /av3vbn/index.html |
s344134048.onlinehome.us | /c7x6h2/index.html |
s344134048.onlinehome.us | /x0phqmg/index.html |
staging.njblog.nl | /rv7ime8/index.html |
ubertyindia.com | /b8npwq/index.html |
ubertyindia.com | /fjlha8/index.html |
ubertyindia.com | /jl1s6v/index.html |
ucrania.dattaweb.com | /~uc000724/kp3zawx/index.html |
ucrania.dattaweb.com | /~uc000724/uw233c/index.html |
ucrania.dattaweb.com | /~uc000724/wfh93l/index.html |
uefacupsl.ue.ohost.de | /5u8s5pu/index.html |
uefacupsl.ue.ohost.de | /r2zequ/index.html |
yolohagopor.com | /3g5qjij/index.html |
yolohagopor.com | /6blkjcr/index.html |
Summarizing the AS information for each of these domains gives the following.
host | IP | name | AS | AS name | country |
---|---|---|---|---|---|
01644a4.netsolhost.com | 206.188.193.214 | vux.netsolhost.com. | 6245 | NETWORK-SOLUTIONS_-_InterNIC_Registration_Services | UnitedStates |
01833b7.netsolhost.com | 206.188.192.1 | vux.netsolhost.com. | 6245 | NETWORK-SOLUTIONS_-_InterNIC_Registration_Services | UnitedStates |
01ee56c.netsolhost.com | 206.188.192.252 | vux.netsolhost.com. | 6245 | NETWORK-SOLUTIONS_-_InterNIC_Registration_Services | UnitedStates |
01f5928.netsolhost.com | 205.178.152.27 | w2k3-web27.prod.netsolhost.com. | 6245 | NETWORK-SOLUTIONS_-_InterNIC_Registration_Services | UnitedStates |
029a017.netsolhost.com | 206.188.192.178 | vux.netsolhost.com. | 6245 | NETWORK-SOLUTIONS_-_InterNIC_Registration_Services | UnitedStates |
02b8d82.netsolhost.com | 206.188.192.244 | vux.netsolhost.com. | 6245 | NETWORK-SOLUTIONS_-_InterNIC_Registration_Services | UnitedStates |
02c20c8.netsolhost.com | 205.178.152.48 | w2k3-web48.prod.netsolhost.com. | 6245 | NETWORK-SOLUTIONS_-_InterNIC_Registration_Services | UnitedStates |
222.242.196.216.DED-DSL.fuse.net | 216.196.242.222 | 222.242.196.216.DED-DSL.fuse.net. | 6181 | FUSE-NET_-_Cincinnati_Bell_Telephone | UnitedStates |
60gp.ovh.net | 213.186.33.19 | cluster010.ovh.net. | 16276 | OVH_OVH_Systems | France |
alexreineck.com | 97.74.144.112 | p3nlh112.shr.prod.phx3.secureserver.net. | 26496 | PAH-INC_-_GoDaddy.com_Inc. | UnitedStates |
autoforum-portal.de | 87.106.158.100 | hosting.web.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
bhaktiamerica.com | 74.208.249.56 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates |
bipolarhomebusiness.com | 97.74.49.202 | ip-97-74-49-202.ip.secureserver.net. | 26496 | PAH-INC_-_GoDaddy.com_Inc. | UnitedStates |
cbe360.com | 74.86.127.248 | 74.86.127.248-static.reverse.softlayer.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates |
cobblawfirm.com | 205.178.152.20 | w2k3-web20.prod.netsolhost.com. | 6245 | NETWORK-SOLUTIONS_-_InterNIC_Registration_Services | UnitedStates |
cpanel03.blueyellow.nl | 85.158.253.163 | cpanel03.blueyellow.nl. | 51949 | IT-ERNITY-AS_IT-Ernity_Internet_Services_BV | Netherlands |
dehesadeituero.com | 217.160.225.108 | clienteservidor.es. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Spain |
die-schokoseite.de | 87.238.192.83 | sh2083.evanzo-server.de. | 24989 | IXEUROPE-DE-FRANKFURT-ASN_Equinix_Germany_(Previously_IX_Europe_Germany_AS) | Germany |
earnfreemoneyonline.co.uk | 87.106.156.204 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
elektroauto-news.net | 87.106.158.74 | hosting.web.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
entdeckeschweden.de | 87.238.192.92 | sh2092.evanzo-server.de. | 24989 | IXEUROPE-DE-FRANKFURT-ASN_Equinix_Germany_(Previously_IX_Europe_Germany_AS) | Germany |
fastreplyers.net | 82.165.84.80 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
filetest2.nuzoka.com | 31.170.163.177 | 31-170-163-177.main-hosting.com. | 47583 | HOSTING-MEDIA_Aurimas_Rapalis_trading_as__II_Hosting_Media_ | UnitedStates |
forexitalia.net | 81.31.145.15 | da31.joomlahost.it. | 47242 | COLTENGINE_COLT_Engine_S.r.l. | Italy |
hasanbaba-kebabhaus.de | 82.165.204.243 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
howtobeholy.1unlimited.net | 31.170.163.204 | 31-170-163-204.main-hosting.com. | 47583 | HOSTING-MEDIA_Aurimas_Rapalis_trading_as__II_Hosting_Media_ | UnitedStates |
ingenious-jewellery.co.uk | 82.165.116.210 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
joelnapril.com | 50.21.189.219 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates |
livinginternational.es | 217.160.232.247 | clienteservidor.es. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Spain |
maxundsunny.de | 194.117.254.45 | ud05.udmedia.de. | 8495 | INTERNET_AG_INTERNET_AG_Global_Network | Germany |
mikkavanilla.com | 213.165.76.233 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
mmwluise.unlimitedhost.tk | 31.170.163.217 | 31-170-163-217.main-hosting.com. | 47583 | HOSTING-MEDIA_Aurimas_Rapalis_trading_as__II_Hosting_Media_ | UnitedStates |
mtsmifa.net.tc | NULL | 31-170-163-217.main-hosting.com. | NONE | HOSTING-MEDIA_Aurimas_Rapalis_trading_as__II_Hosting_Media_ | NONE |
naomifox.com | 80.82.124.23 | NONE | 41357 | UK-34SP-AS_34SP.com_Ltd. | UnitedKingdom |
netramfoundation.org | 64.71.131.88 | falcon.hrn9.com. | 6939 | HURRICANE_-_Hurricane_Electric_Inc. | UnitedStates |
networkmarketingmalaysia.biz | 110.4.45.135 | poseidon.mschosting.com. | 46015 | EXABYTES-AS-AP_Exa_Bytes_Network_Sdn.Bhd. | Malaysia |
nexalt.com | 208.76.82.235 | chicago.tchmachines.com. | 25767 | WAVEFORM_-_Waveform_Technology_LLC | UnitedStates |
nextribu.com | 89.188.129.90 | net.89.188.129.ip.90.ss.televideocom.com. | 39887 | TELEVIDEOCOM-AS_TELEVIDEOCOM_SRL | Italy |
nihadragab.com | 174.121.79.98 | r4-dallas.webserversystems.com. | 21844 | THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc. | UnitedStates |
nintendorevolutionfan.com | 194.28.84.41 | ct41.fastbighost.net. | 21219 | DATAGROUP_PRIVATE_JOINT_STOCK_COMPANY__DATAGROUP_ | Ukraine |
nla.com.gh | 76.12.166.136 | nla.com.gh. | 20021 | LNH-INC_-_HostMySite | UnitedStates |
nriassetprotection.com | 182.18.128.250 | mail.quick2host.org. | 18229 | CTRLS-AS-IN_CtrlS_Datacenters_Ltd. | India |
nrkinfotech.com | 173.193.200.240 | 173.193.200.240-static.reverse.softlayer.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates |
nsoftsolution.com | 209.25.195.86 | altar12.supremepanel12.com. | 11388 | MAXIM_-_Peer_1_Dedicated_Hosting | UnitedStates |
ntf.thealliswell.com | 74.220.207.190 | host190.hostmonster.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | UnitedStates |
nutrihealthsystems.co.in | 50.22.200.152 | mail.prelnx-u.securehostdns.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates |
nwod.nw.funpic.de | 213.202.225.75 | 213.202.225.75.rdns.funpic.de. | 13301 | UNITEDCOLO-AS_UNITED_COLO_GmbH | Germany |
oaklandyellowcab.com | 118.139.186.1 | sg2nlhg268c1268.shr.prod.sin2.secureserver.net. | 26496 | PAH-INC_-_GoDaddy.com_Inc. | Singapore |
obcseu.nl.siteprotect.net | 84.40.53.32 | lsh103.ams.nl.siteprotect.com. | 24679 | SSERV-AS_Hostway_Deutschland_GmbH | Germany |
obitech.de | 81.169.142.214 | kaleidoskop-sky.info. | 6724 | STRATO_STRATO_AG | Germany |
obitech.eu | 81.169.142.214 | kaleidoskop-sky.info. | 6724 | STRATO_STRATO_AG | Germany |
objectif-plongee.gp | 213.186.33.19 | cluster010.ovh.net. | 16276 | OVH_OVH_Systems | France |
oc.aawebsolutions.com | 206.51.237.182 | stewie.aawebsolutions.com. | 29802 | HVC-AS_-_HIVELOCITY_VENTURES_CORP | UnitedStates |
ocalmauritius.com | 204.93.174.143 | carrera11.mochahost.com. | 23352 | SERVERCENTRAL_-_Server_Central_Network | UnitedStates |
odnokassniki.zxq.net | 67.220.217.235 | 67-220-217-235.hosted.static.webnx.com. | 18450 | WEBNX_-_WebNX | UnitedStates |
officialempirecloset.com | 208.109.78.34 | linhostjava31.prod.mesa1.secureserver.net. | 26496 | PAH-INC_-_GoDaddy.com_Inc. | UnitedStates |
offsports.com | 217.76.132.146 | llgf842.servidoresdns.net. | 20718 | AS_ARSYS-EURO-1_arsys.es | Spain |
photo-bollengier.com | 82.165.117.245 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
pumaracing.co.uk | 82.165.102.105 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
purepleasure-music.de | 85.25.36.135 | static-ip-85-25-36-135.inaddr.ip-pool.com. | 8972 | PLUSSERVER-AS_PlusServer_AG_Germany | Germany |
s344134048.onlinehome.us | 74.208.131.56 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates |
staging.njblog.nl | 85.112.18.224 | host224.85-112-18.ixs.dedigate.com. | 23148 | TERREMARK_Terremark | Netherlands |
ubertyindia.com | 209.25.195.86 | altar12.supremepanel12.com. | 11388 | MAXIM_-_Peer_1_Dedicated_Hosting | UnitedStates |
ucrania.dattaweb.com | 200.58.119.71 | ucrania.dattaweb.com. | 27823 | Dattatec.com | Argentina |
uefacupsl.ue.ohost.de | 213.202.225.44 | 213.202.225.44.rdns.funpic.de. | 13301 | UNITEDCOLO-AS_UNITED_COLO_GmbH | Germany |
yolohagopor.com | 50.61.255.149 | stats.reindeer.arvixe.com. | 25653 | FORTRESSITX_-_FortressITX | UnitedStates |
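As an added example (not part of the original post), the following Python script works through the two tables above. It parses a handful of rows copied from them (embedded here as constructed sample input), checks each landing-page URL against the path shape every entry in the list shares (an optional `~user` directory on shared hosting, then a 6-7 character `[a-z0-9]` directory, then `/index.html`) so the pattern can be reused as a mail-gateway or proxy rule, and groups the hosts by ASN so abuse reports can be sent per network instead of per domain. The regular expression, the function names and the "unresolved" bucket for rows whose lookup failed are my own choices, not anything from the post.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample input: a few host/path rows copied from the URL table above.
URL_ROWS = """\
01644a4.netsolhost.com | /gbh4d6u/index.html |
01644a4.netsolhost.com | /oc78i9/index.html |
60gp.ovh.net | /~neonatcr/1vayp23/index.html |
hasanbaba-kebabhaus.de | /8wvjvv/index.html |
hasanbaba-kebabhaus.de | /rzo1ul/index.html |
ucrania.dattaweb.com | /~uc000724/kp3zawx/index.html |
"""

# Constructed sample input: a few host/IP/AS rows copied from the AS table above.
AS_ROWS = """\
01644a4.netsolhost.com | 206.188.193.214 | vux.netsolhost.com. | 6245 | NETWORK-SOLUTIONS_-_InterNIC_Registration_Services | UnitedStates |
60gp.ovh.net | 213.186.33.19 | cluster010.ovh.net. | 16276 | OVH_OVH_Systems | France |
hasanbaba-kebabhaus.de | 82.165.204.243 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
pumaracing.co.uk | 82.165.102.105 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
mtsmifa.net.tc | NULL | 31-170-163-217.main-hosting.com. | NONE | HOSTING-MEDIA_Aurimas_Rapalis_trading_as__II_Hosting_Media_ | NONE |
ucrania.dattaweb.com | 200.58.119.71 | ucrania.dattaweb.com. | 27823 | Dattatec.com | Argentina |
"""

# Every landing page in the list has this path shape (my generalisation of the table):
# an optional ~user directory, then a random 6-7 character [a-z0-9] directory, then /index.html.
LANDING_RE = re.compile(r"^(?:/~[A-Za-z0-9_.-]+)?/[a-z0-9]{6,7}/index\.html$")


def parse_pipe_rows(text):
    """Split 'a | b | c |' rows into lists of cells, skipping header and separator lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) <= set("-|") or line.split("|")[0].strip() == "host":
            continue
        rows.append([cell.strip() for cell in line.strip("|").split("|")])
    return rows


def is_campaign_url(url):
    """True when an http(s) URL's path matches the landing-page shape used by this spam run."""
    parts = urlsplit(url)
    return (parts.scheme in ("http", "https")
            and bool(parts.hostname)
            and LANDING_RE.match(parts.path) is not None)


def campaign_urls(url_rows):
    """Rebuild full URLs from the host/path table; rows that break the pattern are returned separately."""
    matched, rejected = [], []
    for host, path in parse_pipe_rows(url_rows):
        url = f"http://{host}{path}"
        (matched if is_campaign_url(url) else rejected).append(url)
    return matched, rejected


def urls_per_host(url_rows):
    """How many distinct landing directories each compromised host carries."""
    return Counter(host for host, _path in parse_pipe_rows(url_rows))


def hosts_by_asn(as_rows):
    """Group compromised hosts by the AS that announces their IP, for per-network abuse reports."""
    groups = defaultdict(list)
    for host, ip, _rdns, asn, asname, _country in parse_pipe_rows(as_rows):
        # Rows where the lookup failed (IP NULL / AS NONE) need manual follow-up, not a report.
        key = "unresolved" if asn == "NONE" or ip == "NULL" else f"AS{asn} {asname}"
        groups[key].append(host)
    return dict(groups)


if __name__ == "__main__":
    matched, rejected = campaign_urls(URL_ROWS)
    print(f"{len(matched)} URLs match the landing-page pattern, {len(rejected)} do not")
    for host, n in urls_per_host(URL_ROWS).most_common():
        print(f"  {host}: {n} landing directories")
    for asn, hosts in sorted(hosts_by_asn(AS_ROWS).items()):
        print(f"{asn}: {', '.join(hosts)}")
```

The regex is deliberately tight: a plain `/index.html` or a three-character directory does not match, so it can be dropped into a proxy or mail filter without flagging ordinary sites, while anything in the table that does not fit lands in the `rejected` list for a human to look at rather than being silently blocked.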
Domain Name: FATONAVDIU.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS27.DOMAINCONTROL.COM
Name Server: NS28.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 22-feb-2011
Creation Date: 07-dec-2010
Expiration Date: 07-dec-2011

173.201.216.72
NetRange: 173.201.0.0 - 173.201.255.255
CIDR: 173.201.0.0/16
OriginAS: AS26496
NetName: GO-DADDY-SOFTWARE-INC
NetHandle: NET-173-201-0-0-1
Parent: NET-173-0-0-0-0
NetType: Direct Allocation
Comment: Please send abuse complaints to abuse@godaddy.com
RegDate: 2009-09-18
Updated: 2009-09-18

dolinski.be
Domain: dolinski
Status: REGISTERED
Registered: Mon Jan 3 2011
Agent Technical Contacts:
Last Name: Gandi admin1
Company Name: Gandi SAS
Language: en
Country: FR

178.77.66.252
inetnum: 178.77.64.0 - 178.77.71.255
remarks: INFRA-AW
netname: DE-HE-LVPS-CGN3-NET
descr: Host Europe GmbH
descr: hostmaster@hosteurope.de
country: DE

clubtaurinogracurris.es
213.194.159.55
inetnum: 213.194.144.0 - 213.194.159.255
netname: ES-IBERCOM
descr: WWW Ibercom SL
descr: http://www.ibercom.com
country: ES

www.wellingtonyogacentre.co.nz
202.191.34.89
inetnum: 202.191.32.0 - 202.191.39.255
netname: ISERVE
descr: iSERVE Limited
descr: PO Box 47-020
descr: Wellington
descr: New Zealand
country: NZ
by jyake