Friday 13 June 2008

One to watch: js.users.51.la

What the heck is js.users.51.la? In fact, where the heck is .la anyway? And why am I asking?

As I've mentioned before, there are possibly two gangs carrying out the current round of SQL Injection attacks, one possibly based in China and one based in Russia. Their techniques are very similar, but they seem to have distinct differences.

js.users.51.la appears in many of the "Chinese" exploits - 51.la itself appears to be a legitimate web counter site. Presumably as part of the bad guys' statistical tracking system, the js.users.51.la domain is combined with what appears to be a randomly named .js file.

This doesn't appear to be a malware site in itself, but it could be a useful thing to look for in your proxy logs as it may well help track down machines that have visited infected sites. Either search for js.users.51.la or perhaps just 51.la as part of your normal audit process.
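As an added example (not code from the original post), here is a small audit script for a Squid-style proxy access.log that reports which client machines requested anything under 51.la; the log lines, client IPs and URLs are constructed for illustration. It matches on the host's domain labels rather than grepping for the substring "51.la", so unrelated hosts that merely contain that text are not flagged.

```python
# Added example (not from the original post): audit a Squid-style proxy
# access.log for requests to 51.la hosts. The sample lines, client IPs and
# URLs below are constructed for illustration.
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator from the post: 51.la and any subdomain such as js.users.51.la
INDICATOR_DOMAINS = ("51.la",)

# Constructed lines in Squid native format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1213344000.123    120 10.0.0.15 TCP_MISS/200 4120 GET http://www.example.com/index.asp - DIRECT/203.0.113.9 text/html
1213344000.456     80 10.0.0.15 TCP_MISS/200  812 GET http://js.users.51.la/1234567.js - DIRECT/198.51.100.7 application/javascript
1213344001.001     95 10.0.0.22 TCP_MISS/200  640 GET http://www.51.la/ - DIRECT/198.51.100.8 text/html
1213344002.200     30 10.0.0.31 TCP_MISS/200 2048 GET http://cdn.51.last-example.com/lib.js - DIRECT/203.0.113.40 application/javascript
1213344003.750    200 10.0.0.15 TCP_MISS/200 9001 CONNECT js.users.51.la:443 - DIRECT/198.51.100.7 -
"""


def host_matches(host, domains=INDICATOR_DOMAINS):
    """True if host equals an indicator domain or is a subdomain of one.

    Label-wise comparison avoids the false positives a plain grep for the
    substring "51.la" would give, e.g. 51.last-example.com.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def request_host(url):
    """Host of a proxied URL, or of a CONNECT host:port target (no scheme)."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""


def find_indicator_hits(log_text, domains=INDICATOR_DOMAINS):
    """Map client IP -> sorted list of URLs that hit an indicator domain."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line, skip it
        client, url = fields[2], fields[6]
        if host_matches(request_host(url), domains):
            hits[client].add(url)
    return {client: sorted(urls) for client, urls in hits.items()}
```

Running `find_indicator_hits(SAMPLE_LOG)` on the constructed log flags 10.0.0.15 and 10.0.0.22 but not 10.0.0.31, whose request only resembles the indicator as a substring.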

Where is .la? Officially it is Laos, but the TLD is also being punted as "Los Angeles" by www.la. No clue there, but the fact that all the signups for 51.la are in Chinese really does indicate that there's a Chinese connection here.


Unknown said...

how can we clean this malware?

Do you have any existing solution?

Conrad Longmore said...

@Pavan - wow, this blog post is from five years ago! I didn't know it was still going on. This isn't malware itself, but it is a marker for potentially compromised web pages. It is something useful to audit.

Arseny Levin said...

This domain is still very much alive and still does malicious redirects. Personally I've seen it do so on and off for the past 3 years. It's 2015 now. wtf.

Rakesh said...

"web.51.la" is looking the same. Is this malware?

Lucas said...

I have got the malware anti-virus app on my computer and every so often a malicious website thing keeps popping up and the IP is: js.users.51.la and I'm trying to get rid of it.