
Wednesday 12 October 2011

Something evil on 66.197.235.245 (Exp/20100840-B)

There is currently a poorly detected (VirusTotal reports 1/43) Java exploit being distributed by 66.197.235.245 via injection attacks. One example is injected, obfuscated code pointing to tualette.ce.ms/content/field.jar, but there are probably lots of these. Currently only Sophos detects this, as Exp/20100840-B.

Blocking all traffic to 66.197.235.245 is the quickest way to protect against this particular attack; it may also be worth blocking the surrounding 66.197.235.240/28 range in case the whole block is bad.
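Blocking is the quick fix; the other thing a defender wants to know is whether any client already fetched from that host. The following is an added example, not code from the original post: a small Python checker that runs over proxy log lines in a constructed, simplified format (timestamp, client IP, destination IP, method, URL, status) and flags any request whose destination falls inside 66.197.235.240/28 or whose hostname is on a block list, calling out a .jar fetch from such a host as the likely exploit download. The log lines are constructed samples, not real traffic.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the post: the wider /28 it suggests blocking, and the
# one hostname it names. Extend BAD_HOSTS with the other domains the post lists.
BAD_NET = ipaddress.ip_network("66.197.235.240/28")
BAD_HOSTS = {"tualette.ce.ms"}

def check_line(line):
    """Classify one proxy log line. Assumed (constructed) format:
    '<timestamp> <client_ip> <dest_ip> <method> <url> <status>'.
    Returns a list of reasons the line matters, empty if nothing matched."""
    fields = line.split()
    if len(fields) < 6:
        return ["unparsable line"]
    ts, client, dest, method, url, status = fields[:6]
    reasons = []
    try:
        if ipaddress.ip_address(dest) in BAD_NET:
            reasons.append(f"dest {dest} in {BAD_NET}")
    except ValueError:
        reasons.append(f"bad dest field {dest!r}")
    # Tolerate URLs logged without a scheme so urlsplit still finds the host.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host in BAD_HOSTS:
        reasons.append(f"known bad host {host}")
    # A Java archive pulled from a flagged host is the payload the post describes.
    if reasons and parts.path.lower().endswith(".jar"):
        reasons.append("Java archive fetched from flagged host: likely exploit payload")
    return reasons

def scan(lines):
    """Return {line_number: reasons} for every line matching at least one indicator."""
    return {n: r for n, l in enumerate(lines, 1) if (r := check_line(l))}

# Constructed sample log: an exploit fetch, a hit on a neighbouring IP in the /28
# (hostname invented for the sample), and a clean request.
SAMPLE_LOG = [
    "2011-10-12T10:01:02Z 10.0.0.5 66.197.235.245 GET http://tualette.ce.ms/content/field.jar 200",
    "2011-10-12T10:01:09Z 10.0.0.7 66.197.235.243 GET http://sample-host.invalid/ 200",
    "2011-10-12T10:02:00Z 10.0.0.5 93.184.216.34 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(f"line {n}: " + "; ".join(reasons))
```

Any hit on line 1 of a real log like this means the client needs the Java exploit checked for, not just the block put in place.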

The domains on 66.197.235.245 are a mix of crappy free domains, hijacked GoDaddy domains and a few others. I have identified the following sites, although I suspect there are many more:

