Thursday, 16 January 2014

Cushion Redirect sites using hijacked GoDaddy domains to block

A very quick write-up about some suspect activity on 194.28.175.129 (BESTHOSTING-AS ON-LINE Ltd, Ukraine), which appears to be hosting several Cushion Redirect domains (explained here) that are being injected into certain sites, such as the one in this URLquery report.

A brief examination of the server shows several subdomains of hijacked GoDaddy domains being used for malicious redirects:

d6ld9uir6jgsgasgtfpoff7.yourchicagohummerlimo.com
ht6u1tyyljcketu4b938smf50395383e2197583fa67bd84d474af039.yourbestpartybus.com
770pa3hd21uo1q7wqa5thgh.amateurloginfree.com
d6ld9uir6jgsgasgtfpoff74159538404f0858918145d34c8200d5a7.yourchicagohummerlimo.com
xxctp7yqtwncubsewi6t7pp.yourchicagocarservice.com
63t31l30mdhlep1d0kx82tn70845384049a336c6dc8d7ede92b1d341.yourchicagogranite.com
qxwnnzei6redpxlwbfz1cxg.amateurloginfree.com
ht6u1tyyljcketu4b938smf.amateurloginfree.com
ht6u1tyyljcketu4b938smf50395383e20f64a2782cfdac4ee94285a.yourbestpartybus.com
y1ji3w0l1teth2ydh2k0epj.allgaysitespassfree.com

The hijacked GoDaddy domains in question are:
allgaysitespassfree.com
amateurloginfree.com
yourchicagocarservice.com
yourchicagogranite.com
yourchicagohummerlimo.com
yourbestpartybus.com

A quick look at the Google stats for AS42655 indicates to me personally that blocking 194.28.172.0/22 might be a prudent idea if you don't have any reason to send traffic to Ukrainian sites.
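To turn the indicators above into something you can run against proxy or DNS logs, here is an added example (not code from the original post). It collapses each hostname to its registered domain so that the throwaway subdomain labels don't matter, flags the long pseudo-random first label seen in the list above as a weak secondary signal, and checks the destination IP against the 194.28.172.0/22 range the post suggests blocking. The log format (timestamp, client, destination host, destination IP) and the sample lines are constructed for this example; only the domains and the IP range come from the post.

```python
import ipaddress
import re

# Indicators taken from the post: the hijacked registered domains and the
# AS42655 range suggested for blocking.
HIJACKED_DOMAINS = {
    "allgaysitespassfree.com",
    "amateurloginfree.com",
    "yourchicagocarservice.com",
    "yourchicagogranite.com",
    "yourchicagohummerlimo.com",
    "yourbestpartybus.com",
}
BLOCKED_NETS = [ipaddress.ip_network("194.28.172.0/22")]


def registered_domain(hostname):
    """Collapse a hostname to its last two labels.

    Sufficient for .com as used here; a public-suffix list would be needed
    to handle registries such as .co.uk correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_cushion_label(label):
    """Weak heuristic: the subdomains in the post are 23- or 56-character
    lowercase alphanumeric strings. Treat any lowercase alphanumeric label
    of 20+ characters as suspicious; CDN hash-style hostnames can also match,
    so use this only as a secondary signal."""
    return re.fullmatch(r"[a-z0-9]{20,}", label) is not None


def classify_host(hostname, ip=None):
    """Return the list of reasons a destination is suspect (empty if none)."""
    reasons = []
    labels = hostname.lower().rstrip(".").split(".")
    if registered_domain(hostname) in HIJACKED_DOMAINS:
        reasons.append("hijacked-domain")
    # Only consider the first label if there is a subdomain in front of the
    # registered domain (i.e. at least three labels).
    if len(labels) >= 3 and is_cushion_label(labels[0]):
        reasons.append("random-label")
    if ip:
        addr = ipaddress.ip_address(ip)
        # IPv6 addresses never match an IPv4 network, so this is safe for both.
        if any(addr in net for net in BLOCKED_NETS):
            reasons.append("blocked-net")
    return reasons


# Constructed sample log: "<timestamp> <client> <dest host> <dest ip>" per line.
SAMPLE_LOG = """\
2014-01-16T10:01:02Z 10.0.0.5 d6ld9uir6jgsgasgtfpoff7.yourchicagohummerlimo.com 194.28.175.129
2014-01-16T10:01:05Z 10.0.0.7 www.example.com 203.0.113.10
2014-01-16T10:02:11Z 10.0.0.9 cdn.example.net 194.28.174.10
"""


def scan_log(text):
    """Parse the constructed log format and return flagged entries as
    (client, host, ip, reasons) tuples, skipping malformed lines."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, host, ip = parts
        try:
            reasons = classify_host(host, ip)
        except ValueError:
            # Unparseable IP field; classify on hostname alone.
            reasons = classify_host(host)
        if reasons:
            hits.append((client, host, ip, reasons))
    return hits


if __name__ == "__main__":
    for client, host, ip, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host} [{ip}]: {', '.join(reasons)}")
```

In the sample run the first line is flagged on all three signals and the third only on the network range; the "random-label" signal alone is not worth acting on, but combined with either of the other two it is a strong indicator that the client was served a Cushion Redirect.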

1 comment:

PC.Tech said...

Still pumping malware...
- https://www.virustotal.com/en-gb/ip-address/194.28.175.129/information/
2014.01.17