There seems to be an injection attack doing the rounds, the injected domain is getyourbet.org hosted on 31.184.192.237. The domain registration details are:
Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains@yahoo.com
The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).
This is a two stage attack, if getyourbet.org is called with the correct referrer parameters then the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.
pin.panacheswimwear.co.uk
physical.oneandonlykanuhura.com
pig.onmailorder.com
picture.onlyplussizes.com
person.nypersonaltrainers.com
pipe.payday-loanstoday.com
I've seen this sort of abuse of GoDaddy domains before, the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.
Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks.
3 comments:
Ḧow is the injection done?
@Ben, I'm not sure how the injection is being done, sorry.
Post a Comment