Thursday, 8 November 2012
getyourbet.org injection attack
Registrant Postal Code:519000
Registrant Phone Ext.:
Registrant FAX Ext.:
The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).
This is a two stage attack, if getyourbet.org is called with the correct referrer parameters then the victim ends up at another server at 220.127.116.11 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.
I've seen this sort of abuse of GoDaddy domains before, the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.
Anyway, block 18.104.22.168 and 22.214.171.124 if you can to prevent further attacks.