Sponsored by..

Friday 24 October 2008

Asprox: 47mode.name, berjke.ru, 81dns.ru

There has been a shift overnight in the domains used in the Asprox SQL injection attack, the ones to look for are:

  • 47mode.name
  • berjke.ru
  • 81dns.ru
Registration for the .ru domains looks like this:

domain: 81DNS.RU
type: CORPORATE
nserver: ns1.81dns.ru. 76.240.151.177
nserver: ns2.81dns.ru. 76.182.187.206
nserver: ns3.81dns.ru. 69.62.229.141
state: REGISTERED, DELEGATED
person: Private Person
phone: +3 212 7721130
fax-no: +3 212 7721130
e-mail: igorlsoloti@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.10.23
paid-till: 2009.10.23
source: TC-RIPN
47mode.name is different:

Registration Service Provided By: RESELL.BIZ
Contact: +1.3124476810
Website: http://Resell.biz

Domain Name: 47MODE.NAME

Registrant:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Creation Date: 21-Oct-2008
Expiration Date: 21-Oct-2009

Domain servers in listed order:
ns3.47mode.name
ns2.47mode.name
ns1.47mode.name

Administrative Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Technical Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Billing Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Status:ACTIVE
It looks like "Kimberly Maupin" might well be a real person living in Sneads Ferry, who's identity has been "borrowed". However, the ZIP code is incorrect and the telephone number appears to be in Bolivia.

Anyway, block these domains or check your logs for them.

3 comments:

Piyush said...

I am a site owner and my site has been hacked by berjke.ru. When someone visits my site, Firefox says "Reported attack site". berjke.ru has a script that is being downloaded upon visiting my site. Do you have any idea what I can do about it? Thanks.

Jan Boom said...

Seems I have the same problem - inserts scripts after my sql entries, tried to clean db, but soon new script was inserted, this time it calls the 81dns.ru link. Would really like to stop this, thanks.

Conrad Longmore said...

It's not a straightforward fix. Have a look on Google for preventing sql injection attacks. Basically you need a code rewrite to clean up queries coming in the the web.. how you do that will vary. It might be a good idea to get back to the developer and see if they can add some additional code.