Slight change in Flashpack URI

— Update 8.10 —

These have changed yet again…

The date tags now look like:

/work300713/
/120713/
/060713/
/040713/
/210613/
/200613/
/150613/

Some of the exploits include:

*/rhino.php*
*/javadb.php*
*/javabyte.php*
*/msie8.php*
*/msie6.php*
*/cgenericelement.php*

Flashpack has been active on 192.95.53.232, 192.95.46.244 and 192.95.46.245 over the past few days.

See examples of Flashpack URIs on Urlquery.net

Flashpack has made some changes…

Examples:

http://792bd051d38cbe978ad8aea2.is-a-libertarian.com/flashpack/ba0306utred/output.php?hash=I3QxI1lZU0E1I3MjOTE5RDkjI3M1OVk5UzlZcjVzIyM5MTkxREQ5WURZc1kjMXJBJkQjREE=
http://792bd051d38cbe978ad8aea2.is-a-libertarian.com/flashpack/ba0306utred/js/deployJava.js

http://lapachka.info/flashpack/krik0906uytre/rotat.php?hash=312e362e302e33393a392e352e352e303a31312e372e3730302e3232343a31333731303332323935
http://lapachka.info/flashpack/krik0906uytre/rotat.php?hash=312e362e302e33393a31312e302e332e33373a31312e372e3730302e3230323a31333731313039373637
http://lapachka.info/flashpack/krik0906uytre/rotat.php?hash=312e362e302e33373a31312e302e302e303a31312e372e3730302e3230323a31333731303730373435
http://lapachka.info/flashpack/ba0306utred/rotat.php?hash=312e372e302e31313a382e322e342e3236383a31312e372e3730302e3230323a31333731323234363234

The last hash is plain hex and decodes to…

1.7.0.11:8.2.4.268:11.7.700.202:1371224624

which is just…

Java_Version:Reader_Version:Flash_Version:ID_Probably

(The last field is probably an ID, but note that 1371224624 also parses as a Unix timestamp, 14 June 2013 UTC, which fits the mid-June date tags in these paths; it may be a check-in time rather than a victim identifier. The other three fields are the plugin versions the landing page fingerprinted, which is why the same path shows different hashes per visitor.)

Looking for these phrases in your logs should find some good things:

/rotat.php?hash=
/output.php?hash=
/flashpack/

A decent regex should be \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/[a-z]+\.php\?hash=[A-Za-z0-9=]{60,}$

Two caveats: the trailing $ assumes the URL is the last thing on the line, so drop it when grepping proxy logs that append status and size fields after the URL; and the [a-z]{2,5}[0-9]{4}[a-z]{2,5} directory segment matches the June-style tags (ba0306utred, krik0906uytre) but not the newer date-only tags from the 8.10 update above (/120713/, /work300713/), so pair it with the plain /flashpack/ and /rotat.php?hash= searches.
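The hex decode of the rotat.php hash above and the log search with the regex, put together as a small Python scanner. This is an added example, not code from the original post or from the Flashpack kit: it runs the post's regex (with the trailing $ dropped) over a constructed Squid-style proxy log built from two of the URLs above plus a benign line, hex-decodes any hash that decodes to four colon-separated ASCII fields, and labels the fields in the order the post gives (Java:Reader:Flash:ID). The function names, the log format and the rendering of the last field as a UTC time are assumptions for illustration.

```python
import re
import binascii
from datetime import datetime, timezone

# The post's regex with the trailing "$" dropped so it can run against whole
# proxy log lines (where the URL is followed by more fields), plus named groups.
FLASHPACK_RE = re.compile(
    r"/[a-z]{2,5}[0-9]{4}[a-z]{2,5}/(?P<script>[a-z]+)\.php\?hash=(?P<hash>[A-Za-z0-9=]{60,})"
)

# Field order observed in the post: Java:Reader:Flash:ID (the last one is the post's guess).
FIELDS = ("java_version", "reader_version", "flash_version", "id_field")


def decode_rotat_hash(hash_value):
    """Hex-decode a rotat.php hash into its four colon-separated fields.

    Returns None when the value is not hex-encoded ASCII with four fields
    (e.g. the base64-looking output.php hashes), so a caller can tell an
    undecodable hash apart from a decoded one.
    """
    try:
        text = binascii.unhexlify(hash_value).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = text.split(":")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def id_as_utc(id_field):
    """Assumption: if the last field is all digits in a plausible epoch range, show it as UTC."""
    if not id_field.isdigit():
        return None
    value = int(id_field)
    if not 1_000_000_000 <= value < 2_000_000_000:  # roughly 2001..2033, a sanity bound
        return None
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def scan_log(lines):
    """Return one record per log line whose URL matches the Flashpack pattern."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = FLASHPACK_RE.search(line)
        if not m:
            continue
        rec = {
            "line": lineno,
            "script": m.group("script"),   # rotat / output
            "hash": m.group("hash"),
            "decoded": decode_rotat_hash(m.group("hash")),
        }
        if rec["decoded"]:
            rec["decoded"]["id_as_utc"] = id_as_utc(rec["decoded"]["id_field"])
        hits.append(rec)
    return hits


# Constructed sample proxy log (Squid-style), not real captured traffic: two of the
# post's URLs plus a benign line that must not match.
SAMPLE_LOG = [
    "1371032300.123 10.0.0.5 GET http://lapachka.info/flashpack/krik0906uytre/rotat.php?hash=312e362e302e33393a392e352e352e303a31312e372e3730302e3232343a31333731303332323935 - 200",
    "1371032301.456 10.0.0.5 GET http://792bd051d38cbe978ad8aea2.is-a-libertarian.com/flashpack/ba0306utred/output.php?hash=I3QxI1lZU0E1I3MjOTE5RDkjI3M1OVk5UzlZcjVzIyM5MTkxREQ5WURZc1kjMXJBJkQjREE= - 200",
    "1371032302.789 10.0.0.6 GET http://example.com/reports/view.php?hash=abcdef0123 - 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The output.php hash is not hex, so it is reported as a hit with decoded set to None rather than being forced through the decoder; the version triple from a decoded rotat.php hit tells you which plugin the kit was about to target on that host.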

Activity has been seen recently on the following IPs:

62.76.179.182
109.236.81.142
62.76.176.67

Thanks to @Set_Abominae for continuing to check up on these!
