List:       emerging-sigs
Subject:    [Emerging-Sigs] 51.la:82
From:       mcholste () gmail ! com (Martin Holste)
Date:       2011-04-27 14:16:16
Message-ID: BANLkTi=dWR5Q30QUGOoVtfrtrkHbmCSD4A () mail ! gmail ! com

Baidu.com, the Google of the Far East, is listed alongside 51.la and
cnzz.com on that malware report.  Baidu is a known "good" site (still
crappy compared to Google, but not overtly criminal in nature).  All
of this evidence is circumstantial and hearsay.  Can anyone
definitively find anything inherently malicious (not guilty by
association) for 51.la or cnzz.com?

On Wed, Apr 27, 2011 at 3:36 AM, Kevin Ross <kevross33 at googlemail.com> wrote:
> Another hit like was mentioned yesterday for a 51.la domain on port 82 as
> mentioned yesterday. Fired this sig: ET TROJAN RiskTool.Win32.WFPDisabler
> Reporting. Not sure yet if FP or not. The URL does appear here though for
> the MD5 8fd8340e9241c6af0695ed5bc1295d3b so I think it might be a genuine
> hit:
> http://www.malware-control.com/statics-pages/8fd8340e9241c6af0695ed5bc1295d3b.php
>
> 000 : 47 45 54 20 68 74 74 70 3A 2F 2F 77 65 62 31 2E   GET http://web1.
> 010 : 35 31 2E 6C 61 3A 38 32 2F 67 6F 2E 61 73 70 3F   51.la:82/go.asp?
> 020 : 73 76 69 64 3D 32 30 26 69 64 3D 34 31 31 35 33   svid=20&id=41153
> 030 : 33 39 26 74 70 61 67 65 73 3D 31 26 74 74 69 6D   39&tpages=1&ttim
> 040 : 65 73 3D 31 26 74 7A 6F 6E 65 3D 31 26 74 63 6F   es=1&tzone=1&tco
> 050 : 6C 6F 72 3D 33 32 26 73 53 69 7A 65 3D 31 32 38   lor=32&sSize=128
> 060 : 30 2C 39 36 30 26 72 65 66 65 72 72 65 72 3D 68   0,960&referrer=h
> 070 : 74 74 70 25 33 41 2F 2F 77 77 77 2E 67 6F 6F 67   ttp%3A//www.goog
> 080 : 6C 65 2E 63 6F 2E 75 6B 2F 73 65 61 72 63 68 25   le.co.uk/search%
> 090 : 33 46 71 25 33 44 74 61 6E 67 6C 65 77 6F 6F 64   3Fq%3Dtanglewood
> 0a0 : 54 57 31 34 35 2B 53 43 2B 62 75 7A 7A 69 6E 67   TW145+SC+buzzing
> 0b0 : 25 32 36 62 74 6E 47 25 33 44 53 65 61 72 63 68   %26btnG%3DSearch
> 0c0 : 25 32 36 68 6C 25 33 44 65 6E 25 32 36 73 6F 75   %26hl%3Den%26sou
> 0d0 : 72 63 65 25 33 44 68 70 25 32 36 73 61 66 65 25   rce%3Dhp%26safe%
> 0e0 : 33 44 61 63 74 69 76 65 25 32 36 61 71 25 33 44   3Dactive%26aq%3D
> 0f0 : 66 25 32 36 61 71 69 25 33 44 25 32 36 61 71 6C   f%26aqi%3D%26aql
> 100 : 25 33 44 25 32 36 6F 71 25 33 44 26 76 70 61 67   %3D%26oq%3D&vpag
> 110 : 65 3D 68 74 74 70 25 33 41 2F 2F 77 77 77 2E 75   e=http%3A//www.u
> 120 : 6C 74 69 6D 61 74 65 2D 67 75 69 74 61 72 2E 63   ltimate-guitar.c
> 130 : 6F 6D 2F 66 6F 72 75 6D 2F 73 68 6F 77 74 68 72   om/forum/showthr
> 140 : 65 61 64 2E 70 68 70 25 33 46 74 25 33 44 37 37   ead.php%3Ft%3D77
> 150 : 30 30 30 36 20 48 54 54 50 2F 31 2E 31 0D 0A 56   0006 HTTP/1.1..V
> 160 : 69 61 3A 20 31 2E 31 20 52 45 48 2D 49 53 41 31   ia: 1.1
> REMOVED-PROXY
> 170 : 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A   ..Referer: http:
> 180 : 2F 2F 77 77 77 2E 75 6C 74 69 6D 61 74 65 2D 67   //www.ultimate-g
> 190 : 75 69 74 61 72 2E 63 6F 6D 2F 66 6F 72 75 6D 2F   uitar.com/forum/
> 1a0 : 73 68 6F 77 74 68 72 65 61 64 2E 70 68 70 3F 74   showthread.php?t
> 1b0 : 3D 37 37 30 30 30 36 0D 0A 55 73 65 72 2D 41 67   =770006..User-Ag
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
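Whether a hit like the one quoted above is a web-analytics beacon or a trojan check-in is easiest to judge from the decoded request itself, and the hex column is the only trustworthy part of a dump once it has passed through a mailing-list archive (the quoted-printable step has already mangled several ASCII cells in the copy above). The Python below is an added example, not code from the post, from Emerging Threats or from any of the sites named; it embeds the hex column of the quoted dump as its sample input, except that the constructed line at offset 160 carries the placeholder "proxy-01" where the poster redacted the real proxy name, and the function names (parse_hexdump, parse_request, triage) are this example's own.

```python
"""Triage helper for the kind of hit quoted in this thread: rebuild the raw
bytes from the hex column of a pasted dump, then parse the HTTP request so the
"tracker beacon or trojan check-in?" call rests on decoded data."""
import re
from urllib.parse import parse_qsl, urlsplit

# Sample input. Offsets 000-150 and 170-1b0 are the hex column quoted in the
# thread; offset 160 is constructed for this example, with the placeholder
# "proxy-01" where the poster redacted the real proxy name.
HEXDUMP = """\
000 : 47 45 54 20 68 74 74 70 3A 2F 2F 77 65 62 31 2E   GET http://web1.
010 : 35 31 2E 6C 61 3A 38 32 2F 67 6F 2E 61 73 70 3F   51.la:82/go.asp?
020 : 73 76 69 64 3D 32 30 26 69 64 3D 34 31 31 35 33   svid=20&id=41153
030 : 33 39 26 74 70 61 67 65 73 3D 31 26 74 74 69 6D   39&tpages=1&ttim
040 : 65 73 3D 31 26 74 7A 6F 6E 65 3D 31 26 74 63 6F   es=1&tzone=1&tco
050 : 6C 6F 72 3D 33 32 26 73 53 69 7A 65 3D 31 32 38   lor=32&sSize=128
060 : 30 2C 39 36 30 26 72 65 66 65 72 72 65 72 3D 68   0,960&referrer=h
070 : 74 74 70 25 33 41 2F 2F 77 77 77 2E 67 6F 6F 67   ttp%3A//www.goog
080 : 6C 65 2E 63 6F 2E 75 6B 2F 73 65 61 72 63 68 25   le.co.uk/search%
090 : 33 46 71 25 33 44 74 61 6E 67 6C 65 77 6F 6F 64   3Fq%3Dtanglewood
0a0 : 54 57 31 34 35 2B 53 43 2B 62 75 7A 7A 69 6E 67   TW145+SC+buzzing
0b0 : 25 32 36 62 74 6E 47 25 33 44 53 65 61 72 63 68   %26btnG%3DSearch
0c0 : 25 32 36 68 6C 25 33 44 65 6E 25 32 36 73 6F 75   %26hl%3Den%26sou
0d0 : 72 63 65 25 33 44 68 70 25 32 36 73 61 66 65 25   rce%3Dhp%26safe%
0e0 : 33 44 61 63 74 69 76 65 25 32 36 61 71 25 33 44   3Dactive%26aq%3D
0f0 : 66 25 32 36 61 71 69 25 33 44 25 32 36 61 71 6C   f%26aqi%3D%26aql
100 : 25 33 44 25 32 36 6F 71 25 33 44 26 76 70 61 67   %3D%26oq%3D&vpag
110 : 65 3D 68 74 74 70 25 33 41 2F 2F 77 77 77 2E 75   e=http%3A//www.u
120 : 6C 74 69 6D 61 74 65 2D 67 75 69 74 61 72 2E 63   ltimate-guitar.c
130 : 6F 6D 2F 66 6F 72 75 6D 2F 73 68 6F 77 74 68 72   om/forum/showthr
140 : 65 61 64 2E 70 68 70 25 33 46 74 25 33 44 37 37   ead.php%3Ft%3D77
150 : 30 30 30 36 20 48 54 54 50 2F 31 2E 31 0D 0A 56   0006 HTTP/1.1..V
160 : 69 61 3A 20 31 2E 31 20 70 72 6F 78 79 2D 30 31   ia: 1.1 proxy-01
170 : 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A   ..Referer: http:
180 : 2F 2F 77 77 77 2E 75 6C 74 69 6D 61 74 65 2D 67   //www.ultimate-g
190 : 75 69 74 61 72 2E 63 6F 6D 2F 66 6F 72 75 6D 2F   uitar.com/forum/
1a0 : 73 68 6F 77 74 68 72 65 61 64 2E 70 68 70 3F 74   showthread.php?t
1b0 : 3D 37 37 30 30 30 36 0D 0A 55 73 65 72 2D 41 67   =770006..User-Ag
"""

_OFFSET = re.compile(r"^\s*[0-9a-fA-F]+\s*$")
_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

def parse_hexdump(text: str, width: int = 16) -> bytes:
    """Decode the hex column of an 'offset : hh hh ...   ascii' dump.
    Lines with no hex offset before the first ':' (e.g. a note the poster
    inserted) are skipped; at most `width` tokens are read per line and reading
    stops at the first non-hex token, so the ASCII column is never used."""
    out = bytearray()
    for line in text.splitlines():
        offset, sep, rest = line.partition(":")
        if not sep or not _OFFSET.match(offset):
            continue
        for tok in rest.split()[:width]:
            if not _BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_request(raw: bytes) -> dict:
    """Split a possibly truncated HTTP/1.x request into its parts. Only
    CRLF-terminated lines are trusted; a trailing fragment from a cut-off
    capture (here "User-Ag") is reported as such, not as a header."""
    lines = raw.decode("latin-1").split("\r\n")
    complete, fragment = lines[:-1], lines[-1]
    if not complete:
        raise ValueError("no complete request line in capture")
    method, target, version = complete[0].split(" ", 2)
    headers = {}
    for line in complete[1:]:
        if line == "":          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = urlsplit(target)      # proxy-style absolute URI: host and port are in the target
    return {"method": method, "version": version, "host": url.hostname,
            "port": url.port, "path": url.path,
            "params": dict(parse_qsl(url.query, keep_blank_values=True)),
            "headers": headers, "fragment": fragment}

def triage(text: str) -> dict:
    """Facts a reviewer wants before calling the hit a false positive: where the
    beacon went, which page it reports, whether that page agrees with the
    Referer header, and what search brought the user to that page."""
    req = parse_request(parse_hexdump(text))
    p = req["params"]
    referrer = urlsplit(p.get("referrer", ""))
    search = dict(parse_qsl(referrer.query, keep_blank_values=True))
    return {"endpoint": f"{req['host']}:{req['port']}{req['path']}",
            "fields": sorted(p),
            "vpage_matches_referer": p.get("vpage") == req["headers"].get("Referer"),
            "referrer_host": referrer.hostname,
            "search_terms": search.get("q"),
            "truncated_at": req["fragment"]}

if __name__ == "__main__":
    for key, value in triage(HEXDUMP).items():
        print(f"{key:>22}: {value}")
```

Run stand-alone it prints the decoded endpoint (web1.51.la:82/go.asp), the parameter names (svid, id, tpages, ttimes, tzone, tcolor, sSize, referrer, vpage), that the `vpage` parameter agrees with the Referer header, and that the `referrer` parameter is a google.co.uk search. Those are page-view analytics fields, which is consistent with the false-positive suspicion in the thread, but the decode only characterises this one request; it says nothing about what the host does with the data or what else that MD5 was seen doing, which is the evidence Martin is asking for.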
