
ET TROJAN MWI Maldoc Stats Callout Aug 18

 Also Related: ET TROJAN Malicious Office Doc CnC Beacon

 

                IP Address                        Port        Hostname
Source (local)                                    64155
Destination     205.134.241.107 (United States)   http (80)   sellercore.com

 

Description:

  • These signatures detect a particular URL pattern (php?id=) in a request issued by the browser component embedded in an Office document.

 

More Info:

url              http://sellercore.com/image.php?id=17262
Host             sellercore.com
Accept           */*
Connection       Keep-Alive
User-Agent       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.2; MSOffice 12)
query_string     id=17262
Accept-Encoding  gzip, deflate
req_or_response  GET /image.php?id=17262 HTTP/1.1

 

False Positive:

  • YES
  • sellercore.com sells templates for auction postings. This is likely a word template which calls out to the triggering URL.
  • curl against the URL with the same User-Agent returns identical content.
  • The associated picture/business has an ebay presence.
  • Many other businesses have similar images on sellercore.com.
  • Against the 'yes': this is shared hosting on what looks like an old WordPress version, and this shared hosting site has clearly been compromised before.
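An added example (not part of the alert page or the Emerging Threats rule set) that ties the signature description above to the false-positive check: it parses a raw request like the one in "More Info", applies a rule approximating the described match criteria, and builds the same-User-Agent curl command an analyst would use to reproduce the response. The match criteria (a `.php` path with an `id` query parameter, User-Agent carrying the `MSOffice` token) are assumptions based on the description, not the actual ET rule text; the two request strings are constructed, the first copied from this alert and the second a plain-browser control.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request recorded in this alert, as the Office
# embedded browser sent it (User-Agent ends with "MSOffice 12").
OFFICE_REQUEST = "\r\n".join([
    "GET /image.php?id=17262 HTTP/1.1",
    "Host: sellercore.com",
    "Accept: */*",
    "Connection: Keep-Alive",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; "
    "Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
    ".NET CLR 3.5.30729; InfoPath.2; MSOffice 12)",
    "Accept-Encoding: gzip, deflate",
    "", "",
])

# Constructed control: the same URL fetched by an ordinary browser.
BROWSER_REQUEST = "\r\n".join([
    "GET /image.php?id=17262 HTTP/1.1",
    "Host: sellercore.com",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/91.0",
    "", "",
])


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into method, target, path, query and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "target": target,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "headers": headers,
    }


def matches_maldoc_callout(req):
    """Assumed approximation of the signature: PHP URL with an id= parameter,
    requested by the browser component inside an Office document."""
    from_office = "MSOffice" in req["headers"].get("user-agent", "")
    php_with_id = req["path"].endswith(".php") and "id" in req["query"]
    return from_office and php_with_id


def reproduction_curl(req):
    """Build the curl command used for the false-positive check: same URL,
    same User-Agent, so the response can be compared with what the document fetched."""
    host = req["headers"].get("host", "")
    ua = req["headers"].get("user-agent", "")
    return 'curl -sS -A "%s" "http://%s%s"' % (ua, host, req["target"])


if __name__ == "__main__":
    for raw in (OFFICE_REQUEST, BROWSER_REQUEST):
        req = parse_request(raw)
        print(req["headers"].get("user-agent", "")[:40], "->", matches_maldoc_callout(req))
    print(reproduction_curl(parse_request(OFFICE_REQUEST)))
```

The control request shows why the rule is narrow on purpose: the URL alone (`image.php?id=`) is a common pattern on legitimate hosting, so the Office-specific User-Agent token is what carries the signal, and the curl comparison is the cheap way to confirm that the content returned is the same benign image rather than a document-only payload.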

 

Action:

  • None
