It looks like the Nuclear exploit kit is active on 178.79.182.106 (Linode, UK), served from hijacked subdomains of legitimate domains that use AFRAID.ORG nameservers. I can see the following sites active on that IP:
fuhloizle.tryzub-it.co.uk
fuhloizle.pgaof39.com
fuhloizle.cusssa.org
"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea.
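As an added illustration (not part of the original post), the check below scans proxy and DNS log lines for the three indicators given above: the "fuhloizle" hostname label, the three listed hostnames, and the IP 178.79.182.106. The log lines it runs over are constructed samples in a Squid-style and a BIND-style query-log layout; the hostnames in the non-matching lines and the DNS sample (www.example.com, something.pgaof39.com, fuhloizle.newdomain.example) are made up for the test and are not indicators from the post.

```python
import re
from ipaddress import ip_address

# Indicators taken from the post.
INDICATOR_LABEL = "fuhloizle"
INDICATOR_IP = "178.79.182.106"
INDICATOR_HOSTS = {
    "fuhloizle.tryzub-it.co.uk",
    "fuhloizle.pgaof39.com",
    "fuhloizle.cusssa.org",
}

# Constructed sample lines: four Squid-style access.log records and one
# BIND-style query-log record. Only the indicators above come from the post.
SAMPLE_LOG = """\
1398000001.123 45 10.0.0.21 TCP_MISS/200 1532 GET http://fuhloizle.tryzub-it.co.uk/abc/ - DIRECT/178.79.182.106 text/html
1398000002.456 12 10.0.0.22 TCP_MISS/200 812 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1398000003.789 33 10.0.0.23 TCP_MISS/200 4021 GET http://something.pgaof39.com/x - DIRECT/178.79.182.106 text/html
1398000004.001 10 10.0.0.24 TCP_MISS/200 300 GET http://fuhloizle.cusssa.org/ - DIRECT/178.79.182.106 text/html
client 10.0.0.25#5353: query: fuhloizle.newdomain.example IN A + (10.0.0.1)
"""

# Hostnames appear after a URL scheme (proxy logs) or after "query: " (DNS logs).
HOST_RE = re.compile(r"(?:https?://|query: )([a-z0-9.-]+)", re.IGNORECASE)
# Any dotted-quad; validity is checked with ipaddress below.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_line(line):
    """Return the list of reasons a log line matches the indicators (empty if clean)."""
    reasons = []
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        if host in INDICATOR_HOSTS:
            reasons.append(f"known host {host}")
        elif host.split(".")[0] == INDICATOR_LABEL:
            # The label is the distinctive part: catch it on domains not yet listed.
            reasons.append(f"label {INDICATOR_LABEL} on {host}")
    for ip in IP_RE.findall(line):
        try:
            if ip_address(ip) == ip_address(INDICATOR_IP):
                reasons.append(f"ip {ip}")
        except ValueError:
            # Dotted-quad-looking text that is not a valid address (e.g. 999.1.1.1).
            pass
    return reasons


def scan_log(text):
    """Return [(line_number, line, reasons)] for every line that matches."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        reasons = scan_line(line)
        if reasons:
            hits.append((number, line, reasons))
    return hits


if __name__ == "__main__":
    for number, line, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
        print(f"  {line}")
```

Matching on the hostname label as well as on the full hostnames is what makes the search useful: the third sample line reaches the IP through a subdomain that is not in the list, and the DNS line shows the label on a new domain, and both are still flagged.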