Have noticed Sakura active on waw.pl root domain.

As @kafeine notes, this is a TDS in front of a particular instance of Sakura.

Examples

adscarl.liabufa.waw. pl/?joke=9
a6johns.omegdia.waw .pl/?joke=9
a2publi.foscidir.waw. pl/?joke=9
99calva.lofnala.waw .pl/?foll=2
7bqjis.triptenlu.waw. pl/?foll=2

Tags seen include joke, poke, moon, foll, good, hera, key, etc.

IPs

50.7.177.254 (fdcservers nl)
50.7.177.253 (fdcservers nl)
50.7.178.13 (fdcservers nl)
85.17.122.119 (leaseweb nl)

Regex for TDS domains

^[a-z0-9]{6,7}\.[a-z]+\.waw\.pl$

Alternate Regex for TDS URI

\.waw\.pl\/\?[a-z]+=[0-9]+?$

Some things that have been useful in catching Sakura lately.

Landing – hq5jj.grantsfork12schools.net:88/forum/he.php
PDF – hq5jj.grantsfork12schools.net:88/forum/late_between.php (application/pdf)
JAR – hq5jj.grantsfork12schools.net:88/forum/late_between.php (application/x-java-archive)
EXE – hq5jj.grantsfork12schools.net:88/forum/8632.htm (application/octet-stream) – likey from pdf

Landing

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/ OR /pages/ OR /docs/ OR /blog/ OR /wiki/
Regex HTTP URI for :((8|9)[0-9]|443|9090)\/(forum|articles|pages?|docs|blog|wiki)\/[a-z-_]+\.php$

PDF

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/ OR /pages/ OR /docs/ OR /blog/ OR /wiki/
Content type = application/pdf
Regex HTTP URI for :((8|9)[0-9]|443|9090)\/(forum|articles|pages?|docs|wiki)\/[a-z_-]+\.php$

JAR

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/ OR /docs/ OR /pages/ OR /blog/ OR /wiki/
Content type = application/x-java-archive
Regex HTTP URI for :((8|9)[0-9]|443|9090)\/(forum|articles|pages?|docs|wiki)\/[a-z-_]+\.php$

EXE

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/ OR /pages/ OR /docs/ OR /blog/ OR /wiki/
Content type = application/octet-stream
Regex HTTP URI for :((8|9)[0-9]|443|9090)\/(forum|articles|pages?|docs|blog|wiki)\/

See more examples of Sakura Exploit Kit on URLquery.net

Thanks to @Set_Abominae for helping to keep this up to date!

HTTP Request Method = GET
HTTP URI Strings = “/logstat/forum/” OR “/forum/ldr.php” OR “/forum/vida.php” OR “/forum/bamml.php” OR “/forum/zonyx.php” OR “/forum/dare.php” OR “/forum/viob.php”

See Examples on UrlQuery.com

References:

http://blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html
http://malware.dontneedcoffee.com/2012/08/cve-2012-4681-on-its-way-to-sakura.html
http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html

Here’s a small listing of some kits and what tcp ports they have been using lately. Consider them to be a snapshot of the past 30 days as these are likely to change.

Neutrino EK

:8000/andhbdthgqofr?qdirmw=5283539
:8000/agqfhdo?qlpqjbjvlmud=8201532
:8000/atmjrsds?qgtkrdmghtro=403906

Cool/Styx

@Kafeine has a great in-depth look at this activity at http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html

:754/grateful_partly-panic.html
:754/dissipate-favourite_timing_breath.jar
:754/tshirt_spot.htm

Sakura EK

:38/mark-two_learn.php
:38/weather-begin.php

:443/pages/see.php
:443/pages/its.php
:443/pages/see.php

:52/against.php
:52/produce.php
:52/gone.php

:90/docs/sky.php
:90/docs/space.php

:9090/nothing.php
:9090/nothing.php

:96/docs/at.php
:96/docs/land.php

Sweet Orange EK

:6091/full/contrib/foodsites.php?amazon=82
:6091/profiles/foodsites.php?amazon=82
:6091/bbadmin/acct_login/clickheat/foodsites.php?amazon=82

:3811/vadmind/install.php?virus=221&demos=82&changes=745&pages=379&bugs=798&mapa=203
:3811/stores/competition/ladder/tramadol.php?plugins=33&promos=246&about_us=135&email=499&chapters=82&vote=336&export=225
:3811/upload/loginflat/partners.php?navbar=350&faculty=613&ports=82&training=627&generic=975&experts=19&giftsjob=865

:7149/ajax/internal/campaign.php?readme=454&story=384&voip=831&fonts=82&top_left=610

Glazunov EK

:8080/4856827694/8385.zip
:8080/3819449304/8.zip
:8080/3335683362/2295.zip

Sibhost EK

:85/ipy2nCAsCEymbrnYg0TC2V6lVgn4
:85/I26mpxrs5r0L8XLTyxJXIAHI6J1XyPtjEpLY1.zip

Appears to be redirecting to Sakura Exploit Kit

HTTP Request Method = GET
HTTP URI = */iniframe/*

Regex the referer field

\/iniframe\/[a-f0-9]{32}\/[0-9]+?\/[a-f0-9]{32}\/[a-f0-9]{32}$

Examples:

hxxp://799294ed7a.reokranz.be/iniframe/f56e61c52371689966a6bce3fe6f6e3c/81/bb225f4a2afbb9715f0a959f4639e5f2/7516fd43adaa5e0b8a65a672c39845d2
hxxp://b74ed095f1.reokranz.be/iniframe/ba5bfdbf5874f0863873a17a8caaad8f/83/baf0d61ea2763c1d29e00d12c6b68216/7516fd43adaa5e0b8a65a672c39845d2
hxxp://bddab46581.reokranz.be/iniframe/f56e61c52371689966a6bce3fe6f6e3c/81/0c1bbb4ea4fa82971ac28e1f3e119cac/7516fd43adaa5e0b8a65a672c39845d2
hxxp://799294ed7a.reokranz.be/iniframe/f56e61c52371689966a6bce3fe6f6e3c/81/bb225f4a2afbb9715f0a959f4639e5f2/7516fd43adaa5e0b8a65a672c39845d2
hxxp://654f9f419a.kmadre.info/iniframe/f56e61c52371689966a6bce3fe6f6e3c/81/57e48cfcc3c02ff269ed966fb8397b92/7516fd43adaa5e0b8a65a672c39845d2
hxxp://654f9f419a.kmadre.info/iniframe/f56e61c52371689966a6bce3fe6f6e3c/81/57e48cfcc3c02ff269ed966fb8397b92/7516fd43adaa5e0b8a65a672c39845d2
hxxp://e7ff634389.reokranz.be/iniframe/f56e61c52371689966a6bce3fe6f6e3c/81/81c53e3f8c8bf6b2aaabb22c9390fbe0/7516fd43adaa5e0b8a65a672c39845d2
hxxp://e7ff634389.reokranz.be/iniframe/f56e61c52371689966a6bce3fe6f6e3c/81/81c53e3f8c8bf6b2aaabb22c