Thursday 8 November 2012

getyourbet.org injection attack

There seems to be an injection attack doing the rounds. The injected domain is getyourbet.org, hosted on . The domain registration details are:

Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains@yahoo.com

The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).

This is a two-stage attack: if getyourbet.org is called with the correct referrer parameters, the victim ends up at another server at (Hostforweb, US) that tries to serve up a malicious payload. This server hosts a bunch of subdomains from a hacked GoDaddy account.


I've seen this sort of abuse of GoDaddy domains before: the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.

Anyway, block and if you can to prevent further attacks.
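To act on the "block" advice, a defender needs two sweeps: one over their own web pages to find where the injected reference to getyourbet.org sits (script or iframe tags, meta refreshes, or a domain string buried in inline script), and one over outbound proxy logs to find clients that were already sent there. The script below is an added example written for this post, not code from the original; the HTML and the proxy log lines are constructed, and the only real indicator in it is the domain getyourbet.org named above. The log format (timestamp, client, method, URL, status) is an assumption, not any particular proxy's format.

```python
"""Sweep web content and proxy logs for references to an injected domain.

Added example for this post; the sample HTML and log lines are constructed.
The indicator domain getyourbet.org is the one named in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

INJECTED_DOMAIN = "getyourbet.org"

# Tag attributes that load or redirect to remote content.
URL_ATTRS = {"src", "href", "action", "data"}


def matches_domain(host, domain=INJECTED_DOMAIN):
    """True if host is the indicator domain or one of its subdomains.

    Suffix matching is anchored on a dot, so getyourbet.org.evil.example
    does not match while cdn.getyourbet.org does.
    """
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class InjectedRefFinder(HTMLParser):
    """Collect (tag, attribute, value) triples that point at the indicator."""

    def __init__(self, domain=INJECTED_DOMAIN):
        super().__init__()
        self.domain = domain
        self.hits = []
        self._script_buf = None  # collects inline <script> text

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script_buf = []
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS and matches_domain(urlsplit(value).hostname, self.domain):
                self.hits.append((tag, name, value))
            # <meta http-equiv="refresh" content="0;url=http://..."> redirects
            if tag == "meta" and name == "content":
                idx = value.lower().find("url=")
                if idx != -1:
                    target = value[idx + 4:].strip().strip("'\"")
                    if matches_domain(urlsplit(target).hostname, self.domain):
                        self.hits.append(("meta", "refresh", target))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            # Injected loaders often build the tag with string concatenation,
            # so look for the bare domain string in the script body.
            body = "".join(self._script_buf)
            if self.domain in body.lower():
                self.hits.append(("script", "inline", body.strip()[:80]))
            self._script_buf = None


def find_injected_refs(html, domain=INJECTED_DOMAIN):
    """Return every reference to the indicator domain found in an HTML document."""
    finder = InjectedRefFinder(domain)
    finder.feed(html)
    finder.close()
    return finder.hits


def scan_proxy_log(lines, domain=INJECTED_DOMAIN):
    """Return (client, url) pairs whose requested host matches the indicator.

    Assumed (constructed) line format: timestamp client method url status.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        if matches_domain(urlsplit(url).hostname, domain):
            hits.append((client, url))
    return hits


# Constructed sample page: three injected references and one look-alike that
# must not match (the domain appears only in the path, not the host).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://cdn.getyourbet.org/go.php">
<script src="/js/site.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://getyourbet.org/count.php?ref=x" width="1" height="1"></iframe>
<script>document.write('<ifr'+'ame src="http://www.getyourbet.org/x"></iframe>');</script>
<a href="http://example.com/getyourbet.org.html">not a match</a>
</body></html>"""

# Constructed proxy log; client addresses are private-range placeholders.
SAMPLE_LOG = """\
1352371200.123 10.0.0.15 GET http://www.example.com/index.html 200
1352371201.456 10.0.0.15 GET http://getyourbet.org/count.php?ref=x 302
1352371202.789 10.0.0.22 GET http://static.example.com/logo.png 200
1352371203.001 10.0.0.31 GET http://getyourbet.org.evil.example/ 200
1352371204.500 10.0.0.15 GET http://cdn.getyourbet.org/go.php 200
"""

if __name__ == "__main__":
    for hit in find_injected_refs(SAMPLE_HTML):
        print("page:", hit)
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print("log:", hit)
```

Run against real content, the first sweep tells you which files to clean; the second tells you which hosts to look at for the second-stage payload. The anchored suffix match matters in both: a plain substring test would also flag hosts that merely embed the string, as the look-alike lines in the samples show.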


Unknown said...

How is the injection done?

Conrad Longmore said...

@Ben, I'm not sure how the injection is being done, sorry.