Sponsored by..

Monday 21 September 2015

Tainted Network: "kfc.i.illuminationes.com/snitch" and VPS Hosting of Latvia (91.226.32.0/23)

I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one [URLquery] which sends traffic to:

[donotclick]kfc.i.illuminationes.com/snitch

This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.


The injected script sends the keywords and referring site upstream, for example:

[donotcliick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.se
Although the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock [pastebin] shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish this range from your network.

UPDATE:
ZScaler are also tracking their infection, an analysis of what it does can be found here.

6 comments:

nelsinchi said...

Hi there, one of my sites was affected with attack, so, I blocked this ip address in my hosting like you recommended. Please keep us informed about this attack.
Thanks a lot.

Unknown said...

I would recommend reading https://wordpress.org/support/topic/js-injection-after-wp

cjcblogger said...

This is on my website too! I am on Wordpress 4.3.1 with Zerif Pro theme. Looking forward to a solution.

Unknown said...

As he managed to solve this problem?

By wordfence block IP range. 91.226.32.0/23, but the problem continues. (Wordpress 4.3.1)

Img

Jack Taylor said...

I do not have WordPress on this computer.
Getting from F-Secure "Security Suite" provided by ISP (Charter Cable/TV/Internet)

Harmful web site http://b6d5x.i.illuminationes.com/jsnitch?default_keyword=Campaign%20News&se_referrer=http%3A%2F%2Fwww.clyburnforcongress.com%2Fcontact.html&source=www.clyburnforcongress.com blocked

Is www.clyburnforcongress.com a target
and I have entered that URL in my Navigation Bar

UnklAdM said...

I used the following commands to locate and remove
malware from our wordpress multisite server. Your
milage may vary but this worked for me. Be sure to
look for malware in the very first line of PHP files
(Turn wordwrap ON this malware conceals itself by
inserting spaces in front of it). Also check any
'theme' files for malware inserted immediately
before the 'close head' html tag. Always suspect
any file named '404.php'. Good luck!

- UnklAdM

grep -R .1.=.......0.=.......3.=.......2.=.......5.= ~/*
egrep -Rl function.*for.*strlen.*isset ~/
egrep -Rl '\$GLOBALS.*\\x' ~/
find ~/public_html/wp-content -name \*php
find ~/ -name \*suspected
ls -Rl ~/ | grep "rw\- "
find ~/ -name \*php -exec grep -Hn \#\#\#\: {} \;
find ~/ -perm -2 ! -type l -ls
find ~/ -nouser -o -nogroup -print
find ~/ -name \*php -exec grep -l cb5a4300 {} \;
find ~/ -name \*php -exec grep -l systemeprod {} \;
find ~/ -name \*php -exec grep -l snt2014 {} \;
find ~/ -name \*php -exec grep -l s52c67fe5 {} \;
find ~/ -name \*php -exec grep -l q7445d11b {} \;
find ~/ -name \*php -exec grep -l i9a93871 {} \;
find ~/ -name \*php -exec grep -l j7acd {} \;
find ~/ -name \*php -exec grep -l z8fea2 {} \;
find ~/ -name \*php -exec grep -l ff4ee7 {} \;
find ~/ -name \*php -exec grep -l r085355 {} \;
find ~/ -name \*php -exec grep -l qe7e2714e {} \;
find ~/ -name \*php -exec grep -l r93c9cd9 {} \;
find ~/ -name \*php -exec grep -l e019d {} \;
find ~/ -name \*php -exec grep -l w8356921 {} \;