
Tuesday 14 May 2013

Something evil on 94.242.198.16

I'm not entirely sure what this is. I think it's an injection attack leading to a malware server on 94.242.198.16 (Root SA, Luxembourg) which is using various stealth techniques to avoid detection.

This is what I'm seeing: code referring to [donotclick]fryzjer.me/hpoxqnj.php (report) or [donotclick]stempelxpress.nl/vechoix.php (report) is getting injected into sites, and (if called in the correct way) it tries to forward the victim to [donotclick]ice.zoloni-kemis.info/lyxtp?ftqvixid=94764 or [donotclick]ice.zoloni-kemis.info/lifym?ftypyok=947645, hosted on 94.242.198.16.

VirusTotal reports this as a bad IP, and of the several domains associated with it, almost all are red-flagged by Google for malware. The server hosts several subdomains of the domains below, so I would recommend the following blocklist:
94.242.198.16
integrate-koleiko.com
integrate-koleiko.org
integrate-koleiko.net
muroi-uroi-loi.info
muroi-uroi-loi.org
muroi-uroi-loi.net
zoloni-kemis.info

Subdomains spotted include:
dde.integrate-koleiko.com
drom.muroi-uroi-loi.info
helm.muroi-uroi-loi.org
ice.zoloni-kemis.info
lopre.integrate-koleiko.org
maj.muroi-uroi-loi.net
nop.integrate-koleiko.org
oi.integrate-koleiko.net
vyo.integrate-koleiko.net
xs.integrate-koleiko.com
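As an added example (not code from the original post), here is one way to turn the blocklist above into a check over proxy logs. It matches the blocked IP and the listed domains label by label, so any subdomain of a listed domain is caught while a look-alike such as notzoloni-kemis.info is not, and it separately flags the two injected-script URLs named in the post. The squid-format log lines are constructed for illustration; only the IP, domains and URLs in them come from the post.

```python
"""Match proxy-log URLs against the blocklist from the post.

Added example, not code from the original post. The sample log lines are
constructed; the IP, domains and URLs they contain are those named above.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Blocklist as published in the post. Listing a domain covers all of its subdomains.
BLOCKED_IPS = {"94.242.198.16"}
BLOCKED_DOMAINS = {
    "integrate-koleiko.com", "integrate-koleiko.org", "integrate-koleiko.net",
    "muroi-uroi-loi.info", "muroi-uroi-loi.org", "muroi-uroi-loi.net",
    "zoloni-kemis.info",
}
# Injected-script URLs seen on compromised sites (host and path from the post).
INJECTED_SCRIPTS = {
    ("fryzjer.me", "/hpoxqnj.php"),
    ("stempelxpress.nl", "/vechoix.php"),
}


def host_is_blocked(host: str) -> bool:
    """True if host is the blocked IP, a blocked domain, or a subdomain of one.

    Matching is done on whole DNS labels, so 'ice.zoloni-kemis.info' matches
    but the look-alike 'notzoloni-kemis.info' does not.
    """
    host = host.lower().rstrip(".")
    try:
        # Literal IP in the URL: compare the normalised address only.
        return str(ipaddress.ip_address(host)) in BLOCKED_IPS
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def classify_url(url: str) -> Optional[str]:
    """Return 'c2' for a blocklisted host, 'injector' for a known injected-script
    URL, or None when the URL matches nothing."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host_is_blocked(host):
        return "c2"
    if (host.lower(), parts.path) in INJECTED_SCRIPTS:
        return "injector"
    return None


def scan_log(lines):
    """Return (line_number, verdict, url) for every hit in squid native-format
    log lines, where the URL is the 7th whitespace-separated field."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        verdict = classify_url(fields[6])
        if verdict:
            hits.append((n, verdict, fields[6]))
    return hits


# Constructed sample log lines (squid native format); the URLs are from the post.
SAMPLE_LOG = """\
1368532000.123    245 10.0.0.12 TCP_MISS/200 4123 GET http://www.example.com/index.html - DIRECT/203.0.113.5 text/html
1368532001.456     98 10.0.0.12 TCP_MISS/200 812 GET http://fryzjer.me/hpoxqnj.php - DIRECT/203.0.113.9 text/html
1368532002.789    150 10.0.0.12 TCP_MISS/302 377 GET http://ice.zoloni-kemis.info/lyxtp?ftqvixid=94764 - DIRECT/94.242.198.16 text/html
1368532003.012     60 10.0.0.12 TCP_MISS/200 220 GET http://notzoloni-kemis.info/ - DIRECT/203.0.113.7 text/html
1368532004.345     70 10.0.0.12 TCP_MISS/200 990 GET http://94.242.198.16/lifym?ftypyok=947645 - DIRECT/94.242.198.16 text/html
""".splitlines()

if __name__ == "__main__":
    for n, verdict, url in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict:8s} {url}")
```

Run against the constructed sample it reports lines 2, 3 and 5 (the injector script, the ice.zoloni-kemis.info redirect and the raw-IP request) and leaves the example.com and notzoloni-kemis.info lines alone. Feeding it a real squid access.log is a matter of passing the file's lines to scan_log; for other log formats only the field index in scan_log needs changing.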
