Sponsored by..

Sunday, 26 June 2011

yahoolink.php / DreamHost hack

It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:

67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8

Given that the hacked pages all contain the string yahoolink.php then it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for  "yahoolink.php" in your favourite search engine to see the scope of the problem.

People who click on the link get redirected through several steps:

vedrozhuk7.com
63.226.210.102
NETPOINT, Utah

(no domain)
188.229.90.71
Securvera SRL, Romania

www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania

The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.

With Romanians hosts I recommend a one-strike policy.. i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, then any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.

No comments: