[donotclick]kfc.i.illuminationes.com/snitch
This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.
The injected script sends the keywords and referring site upstream, for example:
[donotcliick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.seAlthough the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock [pastebin] shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish this range from your network.
UPDATE:
ZScaler are also tracking their infection, an analysis of what it does can be found here.
6 comments:
Hi there, one of my sites was affected with attack, so, I blocked this ip address in my hosting like you recommended. Please keep us informed about this attack.
Thanks a lot.
I would recommend reading https://wordpress.org/support/topic/js-injection-after-wp
This is on my website too! I am on Wordpress 4.3.1 with Zerif Pro theme. Looking forward to a solution.
As he managed to solve this problem?
By wordfence block IP range. 91.226.32.0/23, but the problem continues. (Wordpress 4.3.1)
Img
I do not have WordPress on this computer.
Getting from F-Secure "Security Suite" provided by ISP (Charter Cable/TV/Internet)
Harmful web site http://b6d5x.i.illuminationes.com/jsnitch?default_keyword=Campaign%20News&se_referrer=http%3A%2F%2Fwww.clyburnforcongress.com%2Fcontact.html&source=www.clyburnforcongress.com blocked
Is www.clyburnforcongress.com a target
and I have entered that URL in my Navigation Bar
I used the following commands to locate and remove
malware from our wordpress multisite server. Your
milage may vary but this worked for me. Be sure to
look for malware in the very first line of PHP files
(Turn wordwrap ON this malware conceals itself by
inserting spaces in front of it). Also check any
'theme' files for malware inserted immediately
before the 'close head' html tag. Always suspect
any file named '404.php'. Good luck!
- UnklAdM
grep -R .1.=.......0.=.......3.=.......2.=.......5.= ~/*
egrep -Rl function.*for.*strlen.*isset ~/
egrep -Rl '\$GLOBALS.*\\x' ~/
find ~/public_html/wp-content -name \*php
find ~/ -name \*suspected
ls -Rl ~/ | grep "rw\- "
find ~/ -name \*php -exec grep -Hn \#\#\#\: {} \;
find ~/ -perm -2 ! -type l -ls
find ~/ -nouser -o -nogroup -print
find ~/ -name \*php -exec grep -l cb5a4300 {} \;
find ~/ -name \*php -exec grep -l systemeprod {} \;
find ~/ -name \*php -exec grep -l snt2014 {} \;
find ~/ -name \*php -exec grep -l s52c67fe5 {} \;
find ~/ -name \*php -exec grep -l q7445d11b {} \;
find ~/ -name \*php -exec grep -l i9a93871 {} \;
find ~/ -name \*php -exec grep -l j7acd {} \;
find ~/ -name \*php -exec grep -l z8fea2 {} \;
find ~/ -name \*php -exec grep -l ff4ee7 {} \;
find ~/ -name \*php -exec grep -l r085355 {} \;
find ~/ -name \*php -exec grep -l qe7e2714e {} \;
find ~/ -name \*php -exec grep -l r93c9cd9 {} \;
find ~/ -name \*php -exec grep -l e019d {} \;
find ~/ -name \*php -exec grep -l w8356921 {} \;
Post a Comment