Starting sometime around November 6th, many attacks were observed coming from strangely named domains such as us.bf9.info, us.bp0.info, us.bn3.info, etc. The attackers employed some code splitting techniques to make their scripts more stealthy by moving suspicious shellcode from inside the primary exploit script to a secondary script. The attacks were being delivered through advertisements which [...]
|
|||||
|
I’m a few days late for posting this but the HostExploit team has produced another report, this time on an attack dubbed “MalFI” for malicious file inclusion. This encompasses remote file inclusion (RFI), local file inclusion (LFI) and Cross Server Attack (XSA). The report had been in the works for quite some time and while [...] A couple of days ago I was investigating an attack that a reader submitted to me that was related to the recent nine ball attacks as reported by WebSense. (Part 1 | Part 2) As a follow up to my previous post, here is the next video depicting the second portion of the attack. For URLs, Virustotal results, etc refer back to Part 1. All analysis is conducted with Malzilla. To give you some additional insight into the attack, I am also able to share the contents of a hacked [...] A reader was gracious enough to share some information with me on the events surrounding the compromise of a website of his. The site was compromised via stolen FTP credentials which has been a technique employed by major Internet threats such as Gumblar and Nine-ball recently. This will be a two part post. In a previous post I discussed using the technique of watching for the transfer of executable files around the network as a method of intrusion detection. This is a great way of discovering machines that were attacked where IDS failed to detect the exploit(s) due to obfuscation. |
|||||
|
Copyright © 2010 Andrew Martin - All Rights Reserved |
|||||