Also Related: ET TROJAN Malicious Office Doc CnC Beacon
| IP Address | Port | Hostname | |
|---|---|---|---|
| Source | (local) | 64155 | |
| Destination | 205.134.241.107 (United States) | http (80) | sellercore.com |
Description:
- These signatures detect a particular URL pattern (php?id=) issued from the browser in an Office Document.
More Info:
| url | http://sellercore.com/image.php?id=17262 | ||||
| Host | sellercore.com | ||||
| Accept | */* | ||||
| Connection | Keep-Alive | ||||
| User-Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.2; MSOffice 12) | ||||
| query_string |
|
||||
| Accept-Encoding | gzip, deflate | ||||
| req_or_response | GET /image.php?id=17262 HTTP/1.1 |
False Positive:
- YES
- sellercore.com sells templates for auction postings. This is likely a word template which calls out to the triggering URL.
- curl against the URL with the same User-Agent returns identical content.
- The associated picture/business has an ebay presence.
- Many other business have similar images on sellercore.com.
- Against the 'yes' - this is shared hosting and what looks like an old WP version. Also, this shared hosting site has clearly been compromised before.
Action:
- None
Comments