Sponsored by..

Showing posts with label .htaccess. Show all posts
Showing posts with label .htaccess. Show all posts

Tuesday, 29 July 2014

Something evil on 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 (31.210.96.152/29)

[Note, an update to this can be found here]

I don't know quite what the exploit kit of the month is here, but the IP addresses 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 are currently serving up malware using hijacked GoDaddy domains, and are targeting victim websites by altering their .htaccess files to intercept traffic coming from search engines such as Google.

These IP addresses have been used for malware for some time and certainly historically they have been used for Ponmocup. I can't confirm that this is still the case, but given the bad IP and the obvious .htaccess hijack then it passed the Duck Test.

These IPs are allocated to Radore Veri Merkezi Hizmetleri A.S. in Turkey who control 31.210.64.0/18 which is a large block, so these IPs are probably a customer or even a customer of a customer.

VirusTotal reports for these IPs are pretty poor [1] [2] [3] [4]. I assume that they form part of an allocation 31.210.96.152/29 which I would very strongly recommend blocking that range, or indeed the entire /24 looks pretty worth

These domains all use the GoDaddy domaincontrol.com nameservers, which naturally means most of them are GoDaddy domains.. but not all of them, some are from other registrars. This list [pastebin] includes a selection of active subdomains that I can find.

I recommend permablocking the following IP range and temporarily blocking the following domains:

31.210.96.152/29
12stepdates.com
2cuonline.com
4runnerliftkits.com
8jutawan.com
advertisementdevil.com
allknowingpsychic.com
alloyfurnacerolls.com
alloymuffles.com
alloyradianttubes.com
allprodelta.com
alternateolympics.com
alternativeolympics.com
ancestorworshippublishing.com
antonzuponcic.com
aredietsok.com
assistlist.com
atvguidebooks.com
atvtrailguides.com
autoeventregistration.com
automotiveeventregistration.com
automotiveservicesavings.com
autoserviceevent.com
aylesburyironing.com
bahenasteel.com
barbeveragesla.com
basicmechanical.net
be3ne.com
be3ni.com
be3ny.com
benahavisrealestate.com
bestsilvercufflinks.com
blurlight.com
boeckman.net
bristolblog.com
buynewaz.com
bvvk.com
caninecolorgenetics.com
castlelawpa.com
charlesawells.com
chrisvessey.com
concept-kw.com
connectmetv.com
coreywasley.com
craigslistpads.com
cruzeonover.com
custom-chocolate-favors.com
customerdevil.com
dealerholidayevent.com
deliveredbythedevil.com
devilforacause.com
devilwithacause.com
djbobbyktoronto.com
drinkbluphoria.com
drinkcalories.net
dunstablekitchens.com
egunt.com
ellagphotography.com
encepha.net
enhancementlasers.com
enhancementlasers.net
e-squares.com
exceltoner.com
fantasyintro.com
fathersnsons.com
fatlosstoolkit.com
fortheloveofgadgets.com
gamezalot.com
gaybeefcake.com
gaybromance.com
gayconspiracy.com
gillspools.com
girlsgoneglamis.com
gliscastings.net
gliscentrifugal.com
glisfabrications.com
glisinc.com
golfironworks.com
golfnewsarkansas.com
golfnewscolorado.com
golfnewsconnecticut.com
golfnewsdelaware.com
golfnewsgeorgia.com
golfnewsindiana.com
golfnewsiowa.com
golfnewskansas.com
golfnewslouisiana.com
golfnewsmississippi.com
golfnewsmontana.com
golfnewsnebraska.com
golfnewsnewengland.com
golfnewsnewhampshire.com
golfnewsnewjersey.com
golfnewsnewyork.com
golfnewsohio.com
golfnewsoklahoma.com
golfnewssouthcarolina.com
golfnewstennessee.com
golfnewsutah.com
golfnewsvermont.com
golfnewswestvirginia.com
golfnewswisconsin.com
grafikcase.com
grafik-devils.com
gravittyproductions.com
greatserviceforless.com
gregorylknox.net
gryphonaz.com
gryphonus.com
gssportspics.com
hartford-capital.com
heattreatalloy.com
historyhobbybooks.com
hockeydoneright.com
hugesavingsevent.com
imfamousontheinternet.com
inboccaproductions.com
ingressgamer.com
inkandtonersale.com
italy-in-bocca.com
javaemulator.com
jaysonkrausenetwork.com
joannheilman.com
joeamericashow.com
joechenphoto.com
joeywilliamsdrums.com
jordandowney.com
jordandowney.net
juddnelsonstudio.com
kaitlinsplayground.com
killpoet.com
kokobon.com
ksupridewrestling.com
ksuwrestling.net
lakehousetimberranch.com
laser-enhancements.com
letseatinitaly.com
lifestylology.com
lindseytoothman.com
lionizetheworld.com
lions-mark.com
lsclinks.com
magicalmoods.com
makingwaves-salon.com
matthewstarner.com
memorialdaysavingsevent.com
menbeingsexy.com
middlefieldma.net
midnightastronomy.com
momsagainstmercury.com
mrsstyleseeker.com
musicjester.com
mwhiteman.com
myabadi.com
mycameraleash.com
myfuturephysique.com
mygaycrush.com
mystagingbox.com
myteacuppiggies.com
nacprint.com
newcarsat.com
newlogiq.com
newyorkjester.com
newyorkmascot.com
ngage-games.com
nutritionbydesign.com
oharvest.net
omobia.net
onlybetterdeal.com
organixharvest.com
panochevalleysolar.net
pascocountyhitmen.com
paxamericanaspirits.com
peekaboopumpkin.com
prestigehonda.net
propertiespain.com
realdealpsychic.com
reikisolar.com
renzograciemexico.com
restoremystuff.com
rled.net
roaringlion.com
room-depot.com
savedalyfield.com
schonbjj.com
sciencehunk.com
searchengineverified.com
secretmanclub.com
sellitandforgetittoday.com
snuffbottleworld.net
softmn.com
southvalleyrugby.com
sportdoneright.com
springcleaningevent.com
stainlessfabrications.com
strongpsychic.com
sullivan-county.com
tagdeed-translation.com
techsupportauction.com
telecomchicago.com
telecomillinois.com
telecomindiana.com
telecommichigan.com
thecinema6.com
thecollegeaddressshop.com
theeveningjoker.com
theknowledgekingdom.com
thenightlyjoker.com
thinkadmit.com
thisishowthisworks.com
thruellaseyes.com
timkennywebdesign.com
timsicecreamtruck.com
timsroadtrip.com
tri-swelding.com
uksportbook.com
usedcarsat.com
usedmobi.com
valentinesalesevent.com
vehicleexchangeprogram.com
vehicleservicediscount.com
vipoverload.com
virtualsofts.com
webrunchhard.com
wenerdhard.com
whhholdingusainc.com
whhusainc.net
whichcameratookthis.com
whybuyanewhome.com
workoutebook.com
worldblogsite.com
wrightdunbar.com
xn--80afcbdab0arg8e4c.com
xn--h1adlaje.net
yourcakedecoratingclass.com
yourcrystalball.com
yourspartanmovers.com
zoomtoner.com
zoopoints.com
z-sat.com

Note that the following domains have been cleaned up and are probably now safe.
apossibletruth.com
arrozconbeans.com
brads-test-site.com
casabodamia.com
catclinicgreensboro.com
charlestonremembered.com
chelseyfatula.com
creepyninja.com
ditchwindows.com
drdekloet.com
ebookleads.com
electhillary2016.com
evergentleonmymind.com
fasttwitterfollowers.com
foreverlivingon.com
gaycharacter.com
goldenpridewrestling.com
greensboroveterinarian.net
jcbsunglasses.com
jpcolton.com
kalkaneventfactory.com
newskase.com
pitstopmotorclub.com
registerforautoevent.com
remembercharleston.com
ridchinacne.com
saving53k.com
southernwakeautomotive.com
theneighborhoodaddressshop.com
ux-designer.com
williespage.com
windmuff.com

Tuesday, 2 August 2011

virtualmapping.org redirect

The domain name virtualmapping.org sounds legitimate, but isn't.. it's a redirector used on hacked websites. The first time you visit one of these hacked sites via a Google search, you get redirected to a URL at virtualmapping.org/cgi-bin/r.cgi. Subsequent visits don't seem to trigger this, nor does visiting the site directly. It could be an altered .htaccess file.

virtualmapping.org is hosted on 94.63.149.246 which is unsurprisingly enough in Romania, in a Cobalt IT SRL block suballocated to SC Coral IT Office SRL / xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire 94.60.0.0/14 range.. at the very least, block 94.63.149.0/24, 94.63.244.0/24 and 94.60.123.0/24 which are especially toxic.

After hitting virtualmapping.org, visitors are then redirected to one of the following sites on 95.168.178.206, hosted at Netdirekt in Frankfurt but actually allocated to a host called inferno.name (Sogreev Anton, Serbia). 95.168.178.0/24 is full of Russian porn sites, so probably a good thing to block in any case.

Some of the domains that are loading the malware are:
could0.nc-9.com
gets1.nc-9.com
realized2.nc-9.com
summer3.nc-9.com
principle4.nc-9.com
watching4.nc-9.com
and5.nc-9.com
electric6.nc-9.com
plane6.nc-9.com
show7.nc-9.com
fig8.nc-9.com
ever8.nc-9.com
feet8.nc-9.com
league9.nc-9.com
event9.nc-9.com
became0.nc-9.com
sense4.nc-9.com

Basically, anything in the nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.

The payload is a nasty trojan according to various analysis tools (ThreatExpert, Comodo, Anubis). Detection rates are very low. The analysis tools might help you to clean up your PC if you have somehow become infected.

Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains, assistancebeside.com (78.159.100.32) and imagehut4.cn which was actually deleted last year, but was registered to the scumbags at Real Host Ltd.

There's quite a lot to block here, the highest priorities are:
94.63.149.246
95.168.178.206
78.159.100.32
*.nc-9.com
assistancebeside.com
virtualmapping.org

I see no harm in blocking the following /24s:
94.63.149.0/24
95.168.178.0/24

And if you're not afraid to block really quite large address ranges:
94.60.0.0/14

Friday, 15 July 2011

Christwire.org hacked with sokoloperkovuske.com redirect

Update: this site is now clean :)

Christwire.org is a satirical site about religion, not a million miles away from The Onion in terms of content. It's quite a popular site in the US.

Unfortunately, the site has been hacked and the .htaccess file has been altered. Visitors Googling from "Christwire" (I suggest that you don't try this!) get redirected to a URL at sokoloperkovuske.com/in.php?pp=138 .. but if you visit the site directly, then you don't see anything. This type of trickery is quite common as it make it harder for the site owner to detect the problem.



sokoloperkovuske.com is registered with fake registration details and is hosted on 91.220.0.19 which is SIA Business Aviation Service in Latvia (Latvia is a common place for the bad guys to hang out). I would recommend blocking the entire 91.220.0.0/24 range to be on the safe side.. the SiteVet report shows a sharp uptick in malicious activity for this AS.

Visitors are then redirected to a fake anti-virus site at www2.bestaholder.co.cc which is multihomed on 112.175.243.24, 112.175.243.21, 112.175.243.22 and 112.175.243.23 in Korea. Those servers have a lot of .co.cc sites.. it's worth blocking access to ALL .co.cc sites if you can.


Other potentially malicious sites on the Korean cluster are:
3adalat.co.cc
440amg.co.cc
4ggw.com
9movies.co.cc
alldir.co.cc
alynwap.co.cc
anjatan.co.cc
arai.owner.linuxmaster.co.cc
araup.co.cc
articleinfo.co.cc
asiancatchy.co.cc
astrazeneca.co.cc
baby.d0ll.co.cc
bacha.chutiya.co.cc
baithuctap.co.cc
bangkokmusic.co.cc
bayer-ah.co.cc
bayerhealthcare.co.cc
bayeryoungenvoy.co.cc
bestmusic4u.co.cc
bharwa.ghashti.ka.bacha.chutiya.co.cc
bokepmurah.co.cc
cafeislam.co.cc
campingalhassan.co.cc
cardio-bayer.co.cc
cardplanet.co.cc
carolebayersager.co.cc
cbm64.co.cc
cclmail.co.cc
chitthumyar.co.cc
chutiya.co.cc
cialislevitrasalesviagra.co.cc
cimahi.co.cc
cuimu.com
cyberwhitestar.co.cc
d0ll.co.cc
danielm2.co.cc
davidsaw.co.cc
dc-fansite.co.cc
deafdating.co.cc
desidigg.co.cc
diane.co.cc
dianearbus.co.cc
dianebishtv.co.cc
dianekruger.co.cc
dianelanenude.co.cc
dianestanley.co.cc
dianeturton.co.cc
dnf2683.com
dogs4u.co.cc
ebookprovider.co.cc
ecstechnologies.net
evanj8.co.cc
exicorp.co.cc
exs-ti.co.cc
faceboox.co.cc
femalelife.co.cc
filmesgratis.co.cc
forward.lookup.co.cc
free-mature-pics.co.cc
fullmusick.co.cc
funadult.co.cc
gamebazaar.co.cc
gameslowd.com
getarticles.co.cc
ghashti.ka.bacha.chutiya.co.cc
gocthethao.co.cc
gombel.co.cc
guapunye.nick.arai.owner.linuxmaster.co.cc
hdytaufik.co.cc
hesitate.with.malaysian-hackers.co.cc
hk.co.cc
hot.k1ss.co.cc
igratatin.co.cc
ilman-media.co.cc
intercambiosvirtuales.co.cc
iosdiy.com
jawamark.co.cc
jeff-dunham.co.cc
jilnul.co.cc
k1ss.co.cc
ka.bacha.chutiya.co.cc
kecoakwap.co.cc
kn4h.co.cc
kutopersada.co.cc
lanxess-europe.co.cc
la-videoteca.co.cc
law4u.co.cc
leechouse.co.cc
lenadianejennings-blogspot.co.cc
levitravardenafilhcl.co.cc
limsadiane.co.cc
linuxmaster.co.cc
look.sexy.with.baby.d0ll.co.cc
mail.chitthumyar.co.cc
mail.co.cc
mail.kecoakwap.co.cc
mail.pvpdestiny.co.cc
malaysian-hackers.co.cc
malekmaktabi.co.cc
marshadianearnold.co.cc
mastineedz-com.co.cc
maturecunt.veronichka.co.cc
mdacom.co.cc
me.hot.k1ss.co.cc
microchip123.co.cc
misiondejesus.com
mobitech-forums.co.cc
moccainside.co.cc
moneysukh.co.cc
my-exploit.co.cc
name-server.co.cc
navanblog.co.cc
nestle.co.cc
nestle-gifts.co.cc
nestle-icecream.co.cc
neswangy.co.cc
nick.arai.owner.linuxmaster.co.cc
nutricys.com
outerxcircle.co.cc
owner.linuxmaster.co.cc
pacar.yang.sangat.perhatian.co.cc
paltak-vip.co.cc
paullzn.com
perely.co.cc
perhatian.co.cc
picallo.co.cc
pkfc.co.cc
pprox.co.cc
proxy999.co.cc
purwokerto-allnet.co.cc
pvpdestiny.co.cc
radiowahrheit.co.cc
rafaelius.co.cc
rapiddown.co.cc
rawbeen.co.cc
realoiltd.co.cc
richardwalean.co.cc
rodrigoecheverry.co.cc
r-o-o-t.co.cc
rumbayan.co.cc
sangat.perhatian.co.cc
sawa7.co.cc
sawomanis.co.cc
sexy.with.baby.d0ll.co.cc
shibukg.co.cc
smabugil.co.cc
smppanderman.co.cc
sweetlady.co.cc
tablat.co.cc
techcenter-lanxess.co.cc
tintob.co.cc
tjssr.com
torrentmovies.co.cc
traviansoftware.co.cc
uatu.co.cc
veronichka.co.cc
viancom.co.cc
vipfashiononline.com
viuu.co.cc
vobase.com
webkontes.co.cc
wiredtree.co.cc
with.baby.d0ll.co.cc
with.malaysian-hackers.co.cc
woman-fucking-animals.veronichka.co.cc
woshiyezhu.net
xuanye.tw
yahgoo.co.cc
yang.sangat.perhatian.co.cc
yasmindavidds.co.cc
ycmi-med.co.cc
zipwaves.co.cc