[Dshield] need help decoding.

Skyler.Bingham at londen-insurance.com Skyler.Bingham at londen-insurance.com
Thu Sep 20 16:18:37 GMT 2007


If you use wget (or curl, etc.) to retrieve the page, make sure to change
the user-agent (-U for wget, -A for curl) header to a real browser's
user-agent string or the web server won't serve you the real payload (I
overlooked this at first as well).  The server appears to be checking the
user-agent header and if it sees that it is not a "real" browser, it will
tell you the page does not exist.


Skyler Bingham
skyler.bingham at londen-insurance.com
(602) 957-1650 x1139

             Sent by:                                                   To 
             list-bounces at list         <list at lists.dshield.org>            
             s.dshield.org                                              cc 
             09/19/2007 06:21          Re: [Dshield] need help decoding.   
             Please respond to                                             
              General DShield                                              
              Discussion List                                              
             <list at lists.dshie                                             

Hi Dan,


The script decodes to an IFRAME leading to:


The page is _still_ empty though... (Good thing you saw this. Nipped in
the bud perhaps.)

whois query for marcobernardoni.com...

Results returned from whois.internic.net:

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Registrar: ONLINENIC, INC.
   Whois Server: whois.35.com
   Referral URL: http://www.OnlineNIC.com
   Name Server: NS1.NAMESELF.COM
   Name Server: NS2.NAMESELF.COM
   Status: clientTransferProhibited
   Updated Date: 08-jul-2007
   Creation Date: 28-may-2007
   Expiration Date: 28-may-2008


Ivan Macalintal
Senior Threat Analyst
Trend Micro Inc.

The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail
or telephone and delete the original message from your mail system.

SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
SANS top instructors.  http://www.sans.org/info/9346

This e-mail and files transmitted with it are confidential, and are
intended solely for the use of the individual or entity to whom this e-mail
is addressed.  If you are not the intended recipient, or the employee or
agent responsible to deliver it to the intended recipient, you are hereby
notified that any dissemination, distribution or copying of this
communication is strictly prohibited.  If you are not one of the named
recipient(s) or otherwise have reason to believe that you received this
message in error, please immediately notify security at londen-insurance.com
 by e-mail, and destroy the original message.  Thank You.

More information about the list mailing list