No surprise at all here...
Today I found a strange behaviour on a Sakura EK:
http://sakura_host_on.co.cc/iniframe/e9cabf10dd[.......]
http://sakura_host_on.co.cc/?b=1
http://sakura_host_on.co.cc/forum/detect/mm.js
http://sakura_host_on.co.cc/forum/gotit.php?i=1&key=a58ba56a2d655e30366fd62f173595d0
http://sakura_host_on.co.cc/forum/New.class
http://sakura_host_on.co.cc/forum/Ini.class
http://sakura_host_on.co.cc/forum/Ini/class.class
http://sakura_host_on.co.cc/forum/New/class.class
New what? Let's guess...
http://sakura_host_on.co.cc/forum/spl/Expression.jar
a893f42b0884d58c6c481e0f23fc014b
CVE-2012-4681 piece of code almost identical to the PoC, in a jar file found on a Sakura EK
What else could we expect... CVE-2012-4681
Note that I was not able to trigger it, so I am not sure it's already fully operational. Sure, we can make a post like this one for each Exploit Kit.
"Competitors - catch up" - Paunch