Despite all the combinations (a list is at the bottom of the post if you want to paste it in somewhere), there are only a small number of IP addresses involved.
All of those IPs belong to C I Host; some seem to have legitimate sites hosted on them.
Only one domain (mybar.us) is not anonymised:
Registrar URL (registration services): www.publicdomainregistry.com
Domain Status: clientTransferProhibited
Registrant ID: DI_11638984
Registrant Name: Andrew Black
Registrant Organization: N/A
Registrant Address1: 555 Taylor Rd.
Registrant City: Enfield
Registrant State/Province: Connecticut
Registrant Postal Code: 06082
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +860.7492291
Registrant Email: dday.rabbit@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Although the address and phone number are no doubt fake, the email address of dday.rabbit@gmail.com is known.
The next hop uses a subdomain of a legitimate domain registered at GoDaddy that appears to have been phished: out.outdoorkitchendistributors.com. This site is hosted on 94.75.243.31. It is worth pausing to note that the legitimate domain specchart.com also appears to have been hijacked via a GoDaddy phish and moved to this server.
The endpoint is a Java exploit on a server at 79.135.152.194 belonging to microlines.lv (AS2588 / 79.135.128.0/19) which appears to be a pretty evil network. How the hell they got a /19 is a mystery when I can't see any verifiably legitimate sites.
If you want to block the intermediate domains, they are the four-letter subdomains of adsnet.biz, toolbarcom.org, mybar.us and freead.name listed below.
Thanks for posting this, it helped me find some injected code in one of our mootools js files.
I think I have it on my site, okdork.com, but I have NO idea how to find it... any help? help [at] okdork.com
HKagan, I'm in the same boat. I have no idea how to find the injected code. Anyone out there have any ideas?
Thanks in advance.
To find the code search each of your Javascript files on your site for the following code (only an edit so is not dangerous):
unescape("%6e%67%74%68")
which is the word ngth encoded. I also used the JSUNPACK site to decode any suspicious looking files I found - it is very good
http://jsunpack.jeek.org/
We used JSUNPACK http://jsunpack.jeek.org/ to decode each of our sites' Javascript files to see if any of the files contained domains like those mentioned above, and then deleted/replaced the infected file with a new one.
You can also search for the string
unescape("%43%6f%64%65%41%74")
which is the word CodeAt and can identify the obfuscated Javascript
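The two commenters above grep for the percent-encoded `unescape()` literals by hand. The following script is an added example (not from the post or any commenter) that automates the same check: it decodes every `unescape("%xx...")` literal in a JavaScript file and flags the ones that hide the fragments `ngth` and `CodeAt` or any of the intermediate domains listed in the post. The sample JavaScript embedded in it is constructed for the demonstration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Fragments the commenters found: "length" and "charCodeAt" are split and
# percent-encoded so a plain grep for those words misses them.
SUSPECT_FRAGMENTS = ("ngth", "CodeAt")
# Parent domains of the intermediate hosts listed in the post.
SUSPECT_DOMAINS = ("adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name")

# Matches unescape("%6e%67...") or unescape('%6e...'); only %XX pairs are
# handled, which is all the injected code in the post uses.
UNESCAPE_RE = re.compile(r"""unescape\(\s*(["'])((?:%[0-9a-fA-F]{2})+)\1\s*\)""")


def decode_unescape_literals(js):
    """Return [(literal, decoded_text)] for every percent-encoded unescape() call."""
    return [(m.group(0), unquote(m.group(2))) for m in UNESCAPE_RE.finditer(js)]


def scan_js(js):
    """Return a list of human-readable findings for one JavaScript source string."""
    findings = []
    for literal, decoded in decode_unescape_literals(js):
        if any(frag in decoded for frag in SUSPECT_FRAGMENTS):
            findings.append(f"obfuscated fragment {decoded!r} in {literal}")
        for dom in SUSPECT_DOMAINS:
            if dom in decoded:
                findings.append(f"known domain {dom} hidden in {literal}")
    for dom in SUSPECT_DOMAINS:
        if dom in js:  # domain present in clear text, no decoding needed
            findings.append(f"known domain {dom} in clear text")
    return findings


def scan_tree(root):
    """Scan every *.js file under root; return {path: findings} for files with hits."""
    hits = {}
    for path in Path(root).rglob("*.js"):
        found = scan_js(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits


# Constructed sample: one benign line, then three injected-style lines.
SAMPLE_JS = (
    "var len = arr.length;\n"
    'var s = "le" + unescape("%6e%67%74%68");\n'
    'var c = "char" + unescape("%43%6f%64%65%41%74");\n'
    'var h = unescape("%76%75%6c%6e%2e%61%64%73%6e%65%74%2e%62%69%7a");\n'
)
```

Run `scan_tree("/path/to/site")` against a copy of the web root to list the files that need to be restored from a clean backup.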