Sponsored by..

Monday, 24 August 2015

Popular German wesite dwdl.de hacked, serving malware via 94.142.140.222

Popular German media website dwdl.de has been hacked and is serving up malware, according to this URLquery report.

URLquery's IDS function detects what looks like the RIG Exploit kit:


The exploit is in injected code pointing to a server at 94.142.140.222 (Marosnet Telecommunication Company, Russia) which in the example is using filter.michiganbeerhops.com which is a hijacked GoDaddy domain.

The exploit only appears to work if the site is accessed via a search engine, which looks like a classic .htaccess hack. URLquery's script relationship chart shows this in action:




VirusTotal gives an overview of other malicious domains on this server. It indicates that the following domains have been hijacked and malicious subdomains set up:

123goled.com
123gooled.com
123homeautomation.com
123oled.com
135warranty.com
1drones.com
4ktechsupport.com
audiovideoalternatives.com
audiovideoinsight.com
autonomouscontrolsystem.com
autonomouscontrolsystems.com
autonomousinterface.com
avioav.com
birminghamaudiovideo.com
birminghamtheatercompany.com
birminghamtheatersystems.com
cleanlittleengine.com
cleanpowercell.com
cleansunpower.com
clearviewelectronic.com
clearviewelectronic.net
clearviewelectronics.info
clearviewelectronics.me
clearviewelectronics.net
clearviewelectronics.org
crazyoled.com
daddybeer.com
devilscrotchhotsauce.com
dreamybikini.com
educationdrone.com
efgled.com
energeticled.com
ferndalebar.com
hometheaterlogistics.com
hopsmichigan.com
imagerled.com
inwallsoundbar.com
ledgest.com
ledimager.com
ledisme.com
ledrefill.com
ledrequired.com
ledstuf.com
lightsusingled.com
michiganbeerhops.com
timeandplacephotos.com
torredelpainelandscapes.com
travelersvisions.com
travelerviews.net
travelervisions.com
travelervisions.net
triadthinking.com
turkeylight.com
turkishlandscapes.com
tuscanycolor.com
understandinglight.com
urbanchina.info
veniciancolor.com
venicianlight.com
viewartsandsciences.com
viewevolution.com
viewevolution.net
viewevolution.org
viewhumanities.com
viewliberalarts.com
viewnaturalsciences.com
viewprocess.org
viewsocialsciences.com
visionandthought.com
visioningmind.com
visioningmind.net
visioningplace.com
visioningplace.net
visionofchina.net
visionofchina.org
visquest.info
visualcreativethinking.com
visualcreativethinking.net
visualcreativity.info
visualizationfuture.com
visualizationthinking.com
visualizingmaps.net
visualknowledge.org
visualmexico.net
vizmodeling.com
vizmodels.com
vizsee.com
vizthought.com
volgadeutsch.com
wallartbycountry.com
wayfindingadventure.com
wayfindingtravel.com
waysofthinking.com
waysofthinking.net
waystosee.net
webviews.info
westerneuropelandscapes.com
wilkiephotos.com
worldwallart.com
worldwallart.net
xianspirit.com
yunnanlandscapes.com
yunnanlight.com
zocaloscenes.com

3 comments:

Unknown said...

Thanks for your report. We've cleaned up our htaccess-file, so the problem should not appear any more

Conrad Longmore said...

Excellent, thank you :) I suspect many other sites will have been hit in the same way..

Conrad Longmore said...

@Uwe.. although you need to address whatever the actually security flaw is too. Nobody external should be able to access the .htaccess file.