Wednesday 1 October 2014

Something evil on 87.118.127.230

Quite what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth blocking this IP. The source looks like some sort of malvertising, but I have incomplete data.

The domains I have seen being abused are:
aacregistry.org
agostjoe.com
apprizse.com
association-connect.com
barnesvillechiro.com
bwclinic.com
chiro-connect.com
ctkblockparty.org
holyhoops.net
josephrobidoux.com
lifeatctk.org
mca-connect.com
midwestartists.org
missouritheater.com
missouritheater.net
missouritheater.org
missouritheatre.com
missouritheatre.net
missouritheatre.org
moveonedegree.com
mvsummerhoops.com
premiermortgagenetwork.info
rapidpricecomparison.com
robidouxrow.com
smallbiz-connect.com
staffing-connect.com
stjoarts.org
stjoearts.com
trailswest.org
tumainiag.com
tumainiag.org
vpmspecialists.com

A list of all the subdomains I have seen can be found here [pastebin]
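As an added example (not part of the original post), here is a small Python scanner that checks proxy-log URLs against the indicators above: the IP 87.118.127.230 and any subdomain of the listed parent domains. The log line format, the `scan_log` helper and the sample lines are constructed assumptions; matching is done on DNS labels so that look-alike names such as `notmissouritheatre.org` are not flagged, while a hijacked subdomain such as `avecat.missouritheatre.org` is.

```python
"""Flag proxy-log requests that touch the indicators from this post.

Added example, not code from the original post. The indicator list is the
post's own domain list and IP; the log format and log lines are constructed.
"""
from urllib.parse import urlsplit

BAD_IP = "87.118.127.230"

# Parent domains reported as abused via hijacked subdomains (from the post).
ABUSED_DOMAINS = {
    "aacregistry.org", "agostjoe.com", "apprizse.com", "association-connect.com",
    "barnesvillechiro.com", "bwclinic.com", "chiro-connect.com", "ctkblockparty.org",
    "holyhoops.net", "josephrobidoux.com", "lifeatctk.org", "mca-connect.com",
    "midwestartists.org", "missouritheater.com", "missouritheater.net",
    "missouritheater.org", "missouritheatre.com", "missouritheatre.net",
    "missouritheatre.org", "moveonedegree.com", "mvsummerhoops.com",
    "premiermortgagenetwork.info", "rapidpricecomparison.com", "robidouxrow.com",
    "smallbiz-connect.com", "staffing-connect.com", "stjoarts.org", "stjoearts.com",
    "trailswest.org", "tumainiag.com", "tumainiag.org", "vpmspecialists.com",
}


def hostname_matches(host: str) -> bool:
    """True if host is the bad IP, an abused domain, or any subdomain of one.

    Matching is done on whole DNS labels: 'notmissouritheatre.org' does not
    match 'missouritheatre.org', but 'avecat.missouritheatre.org' does.
    """
    host = host.lower().rstrip(".")
    if host == BAD_IP:
        return True
    labels = host.split(".")
    # Try every suffix of at least two labels (never the bare TLD).
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in ABUSED_DOMAINS:
            return True
    return False


def host_from_url(url: str) -> str:
    """Extract the hostname from a URL.

    Accepts defanged 'hxxp'/'hxxps' schemes and host:port forms such as
    avecat.missouritheatre.org:15106; the port is dropped before matching.
    """
    url = url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def scan_log(lines):
    """Return (line_number, host) for every line whose URL hits an indicator.

    Assumed (constructed) format: '<timestamp> <client_ip> <method> <url> <status>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        host = host_from_url(parts[3])
        if hostname_matches(host):
            hits.append((n, host))
    return hits


# Constructed sample proxy log: one clean request, one hijacked subdomain
# with the non-standard port seen in the comments, one look-alike domain
# that must not match, and one direct request to the bad IP.
SAMPLE_LOG = [
    "2014-10-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2014-10-01T10:00:02Z 10.0.0.5 GET hxxp://avecat.missouritheatre.org:15106/full/ 200",
    "2014-10-01T10:00:03Z 10.0.0.7 GET http://notmissouritheatre.org/ 200",
    "2014-10-01T10:00:04Z 10.0.0.9 GET http://87.118.127.230/landing 302",
]

if __name__ == "__main__":
    for line_no, host in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: request to indicator host {host}")
```

Because the post reports the subdomains as hijacked rather than the parent sites being compromised, matching on the parent domain catches whatever subdomain label the attackers rotate to next, without needing the full subdomain list from the pastebin.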

3 comments:

Arseny Levin said...

Any chance of sharing a full redirection chain?
That would be super helpful.

Zahni said...

look at

https://www.virustotal.com/de/file/3820747f707d3879d343b580ba46b59d3a4deb71ee4deae14448561cff9cce94/analysis/

(comment section)

and

https://www.virustotal.com/de/file/2cfce19d887de169aeec56fe18d358e5acd1507489a6709df9a8bf95fb42b5e0/analysis/

Conrad Longmore said...

Looks something like this: hxxp://avecat.missouritheatre.org:15106/full/cnstats/clients/stories.php?wink=322