Sponsored by..

Friday 23 September 2011

dfrgcc.com injection attack in progress

Thousands of sites are currently being hit by an injection attack pointing to dfrgcc.com/ur.php a domain registered to someone using the infamous hotmailbox.com domain for email.

   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The site is hosted on 188.229.88.103 which is the equally infamous Netserv Consult SRL in Romania. 188.229.88.103 hosts the following sites:

bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
booknunu.com
bookvila.com
bookzula.com
dfrgcc.com
file-dl.com
xxxtubes8.com


These domains are pretty familiar, having previously been hosted in Lithuania. This marks them out as the same people behind the infamous LizaMoon attack.

Netserv Consult SRL host a wide variety of bad sites. Blocking 188.229.0.0/17 (188.229.0.0 - 188.229.127.255) will probably do you no harm.

4 comments:

jekung said...
This comment has been removed by the author.
jekung said...

is this url used by analytics?

Conrad Longmore said...

No, it is not analytics. The payload is some sort of virus.

David Hall said...

nbnjki.com/urchin.js has also been noticed with this whois