this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.
It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.
In this case, the spammed link directs to krokodilius8.com/gosem11.php which is hosted on 18.104.22.168 which appears to be iomart Hosting Ltd in the UK. All the sites on that server appear to have fake registrant details, so you can assume that they are bogus:
Users are then directed to another host in Romania, 22.214.171.124 which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 126.96.36.199/17 range and you can safely block access to the entire lot.
The final step is to a host called drugstorehealthrisks.net hosted on 188.8.131.52 which looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:
Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:
...although blocking access to the Romanian 184.108.40.206/17 block would also pretty much achieve the same thing without blocking access to any legitimate sites that might be on Dreamhost.
Thursday, 14 July 2011
Sunday, 26 June 2011
Given that the hacked pages all contain the string yahoolink.php, it is possible that these attacks are exploiting a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for "yahoolink.php" in your favourite search engine to see the scope of the problem.
People who click on the link get redirected through several steps:
Securvera SRL, Romania
Cover Sun Design SRL, Romania
The endpoint appears to be a standard fake pharmacy site; I couldn't see any malicious code, but that could always change.
With Romanian hosts I recommend a one-strike policy, i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 220.127.116.11/23 and 18.104.22.168/22 will probably do no harm.
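Two checks follow from the post above: a site owner wants to know whether their own host is serving one of the spam landing pages (the yahoolink.php / yahlink.php names), and an administrator applying the netblock advice wants to know which hops of a redirect chain land inside the ranges they block. The script below is an added example, not code from the original post; it parses a few constructed "combined" format access log lines for requests to the indicator file names, and checks a constructed redirect chain of (hostname, IP) pairs against a CIDR blocklist. The blocklist uses RFC 5737 documentation ranges and the hostnames are placeholders; substitute the netblocks and hops you actually observe.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# File names of the spam landing page named in the post (yahoolink.php was later renamed yahlink.php).
SPAM_PAGE_INDICATORS = ("yahoolink.php", "yahlink.php")

# Constructed blocklist using RFC 5737 documentation ranges; replace with the
# netblocks from your own observations (the post lists the ones it saw).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Minimal parser for the Apache/nginx "combined" log format: client IP, method,
# request path, status and referer. The user agent at the end is ignored.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def parse_access_log_line(line):
    """Return a dict of the parsed fields, or None if the line is not combined format."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def is_indicator_path(path):
    """True if the requested file name is one of the spam landing-page names."""
    name = urlsplit(path).path.rsplit("/", 1)[-1].lower()
    return name in SPAM_PAGE_INDICATORS


def find_spam_page_hits(lines):
    """Return (client_ip, path, status) for every request to an indicator page.

    A 200 means the file really exists on your host, i.e. the site is serving the
    spam page; a 404 still shows that the link is being spammed with your domain.
    """
    hits = []
    for line in lines:
        rec = parse_access_log_line(line)
        if rec and is_indicator_path(rec["path"]):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def blocked_hops(chain, nets=BLOCKED_NETS):
    """Given a redirect chain as (hostname, ip) pairs, return the hops whose IP
    falls inside one of the blocked networks, with the matching network."""
    out = []
    for host, ip in chain:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                out.append((host, ip, str(net)))
                break
    return out


# Constructed sample log lines (documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jun/2011:10:15:01 +0000] "GET /yahoolink.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [26/Jun/2011:10:15:09 +0000] "GET /blog/yahlink.php?x=1 HTTP/1.1" 404 210 "http://mail.example/" "Mozilla/4.0"',
    '203.0.113.9 - - [26/Jun/2011:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "curl/7.21"',
    "this line is not in combined format and is skipped",
]

# Constructed redirect chain with placeholder hostnames; hop2 and hop3 sit in blocked ranges.
SAMPLE_CHAIN = [
    ("hop1.example", "203.0.113.5"),
    ("hop2.example", "192.0.2.44"),
    ("hop3.example", "198.51.100.9"),
    ("hop4.example", "203.0.113.200"),
]

if __name__ == "__main__":
    for ip, path, status in find_spam_page_hits(SAMPLE_LOG):
        print(f"indicator request from {ip}: {path} -> {status}")
    for host, ip, net in blocked_hops(SAMPLE_CHAIN):
        print(f"hop {host} ({ip}) is inside blocked net {net}")
```

Feed the log function your real access logs (e.g. `find_spam_page_hits(open("access.log"))`) and treat any 200 result as confirmation that the indicator file is present in your document root and should be removed; for the chain check, record each hop's hostname and resolved IP as you follow the redirects and pass the list in.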