Monday 21 September 2015

Tainted Network: "kfc.i.illuminationes.com/snitch" and VPS Hosting of Latvia (91.226.32.0/23)

I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one [URLquery] which sends traffic to:

[donotclick]kfc.i.illuminationes.com/snitch

This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.

The injected script sends the keywords and referring site upstream, for example:

[donotclick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.se

Although the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock [pastebin] shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish this range from your network.
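As an added example (not part of the original post), here is a small Python script that applies the two indicators above to a proxy or web log: it flags requests to the beacon hostname or any of its subdomains, flags destinations inside 91.226.32.0/23, and decodes the default_keyword / referrer / source parameters so an analyst can see which site the injected script was reporting from. The log format (client IP, destination IP, URL per line) and the log lines themselves are constructed for the example; the indicators come from the post.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Indicators from the post: beacon hostname suffix and the Latvian netblock.
BAD_DOMAIN_SUFFIX = "illuminationes.com"
BAD_NETBLOCK = ipaddress.ip_network("91.226.32.0/23")

# Constructed sample log: "client_ip dest_ip URL" per line (hypothetical format).
# 93.184.216.34 is just a non-matching control address here.
SAMPLE_LOG = [
    "10.0.0.5 91.226.33.54 http://kfc.i.illuminationes.com/snitch"
    "?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian"
    "%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.se",
    "10.0.0.7 93.184.216.34 http://example.com/index.html",
    "10.0.0.9 91.226.32.200 http://some-other-host.example/path",
]


def is_bad_ip(ip: str) -> bool:
    """True if the address falls inside the netblock the post recommends blocking."""
    try:
        return ipaddress.ip_address(ip) in BAD_NETBLOCK
    except ValueError:
        return False  # not a parseable address (hostname, garbage, etc.)


def is_bad_host(host: str) -> bool:
    """True if the hostname is the beacon domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == BAD_DOMAIN_SUFFIX or host.endswith("." + BAD_DOMAIN_SUFFIX)


def describe_beacon(url: str) -> dict:
    """Decode the parameters the injected script sends upstream (parse_qs un-escapes them)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    return {
        "host": parts.hostname or "",
        "path": parts.path,
        "keyword": qs.get("default_keyword", [""])[0],
        "referrer": qs.get("referrer", [""])[0] or qs.get("se_referrer", [""])[0],
        "source": qs.get("source", [""])[0],
    }


def scan_proxy_log(lines):
    """Return one finding per log line that matches either indicator."""
    findings = []
    for line in lines:
        try:
            client, dest, url = line.split(None, 2)
        except ValueError:
            continue  # malformed line, skip it
        reasons = []
        if is_bad_host(urlsplit(url).hostname or ""):
            reasons.append("beacon domain")
        if is_bad_ip(dest):
            reasons.append("destination in 91.226.32.0/23")
        if reasons:
            findings.append({"client": client, "dest": dest, "reasons": reasons,
                             **describe_beacon(url)})
    return findings


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['dest']} ({', '.join(hit['reasons'])}); "
              f"source={hit['source']!r} keyword={hit['keyword']!r}")
```

Matching on the hostname suffix rather than the single `kfc.i.` label matters here: comment 5 below shows the same beacon being served from a different subdomain (b6d5x.i.illuminationes.com), so a hostname-level block would already have missed it.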

UPDATE:
Zscaler are also tracking this infection; an analysis of what it does can be found here.

6 comments:

  1. Hi there, one of my sites was affected by this attack, so I blocked this IP address in my hosting like you recommended. Please keep us informed about this attack.
    Thanks a lot.
  2. I would recommend reading https://wordpress.org/support/topic/js-injection-after-wp

  3. This is on my website too! I am on WordPress 4.3.1 with the Zerif Pro theme. Looking forward to a solution.
  4. Has he managed to solve this problem?

    I blocked the IP range 91.226.32.0/23 with Wordfence, but the problem continues. (WordPress 4.3.1)
  5. I do not have WordPress on this computer.
    I am getting this from the F-Secure "Security Suite" provided by my ISP (Charter Cable/TV/Internet):

    Harmful web site http://b6d5x.i.illuminationes.com/jsnitch?default_keyword=Campaign%20News&se_referrer=http%3A%2F%2Fwww.clyburnforcongress.com%2Fcontact.html&source=www.clyburnforcongress.com blocked

    Is www.clyburnforcongress.com a target? I have entered that URL in my Navigation Bar.
  6. I used the following commands to locate and remove malware from our WordPress multisite server. Your mileage may vary but this worked for me. Be sure to look for malware in the very first line of PHP files (turn word wrap ON; this malware conceals itself by inserting spaces in front of it). Also check any 'theme' files for malware inserted immediately before the 'close head' HTML tag. Always suspect any file named '404.php'. Good luck!

    - UnklAdM

    # Obfuscated variable-reassignment pattern seen on the first line of infected PHP files
    grep -R '.1.=.......0.=.......3.=.......2.=.......5.=' ~/*
    # Decoder-loop and $GLOBALS hex-escape patterns typical of the injected code
    egrep -Rl 'function.*for.*strlen.*isset' ~/
    egrep -Rl '\$GLOBALS.*\\x' ~/
    # Every PHP file under wp-content: review anything unexpected
    find ~/public_html/wp-content -name '*php'
    # Files the host's scanner has already quarantined
    find ~/ -name '*suspected'
    # World-writable files (two ways), excluding symlinks
    ls -Rl ~/ | grep 'rw- '
    find ~/ -perm -2 ! -type l -ls
    # Files with no matching user or group (parentheses so -print applies to both tests)
    find ~/ \( -nouser -o -nogroup \) -print
    # PHP files containing the '###:' marker, with line numbers
    find ~/ -name '*php' -exec grep -Hn '###:' {} \;
    # PHP files containing any of the marker strings found in the injected code
    find ~/ -name '*php' -exec grep -lE 'cb5a4300|systemeprod|snt2014|s52c67fe5|q7445d11b|i9a93871|j7acd|z8fea2|ff4ee7|r085355|qe7e2714e|r93c9cd9|e019d|w8356921' {} \;