Showing posts with label Injection Attacks.

Tuesday 7 May 2013

Something evil on 151.248.123.170, Part III

I've covered 151.248.123.170 (Reg.ru, Russia) a couple of times in the past month [1] [2], and it is still actively pushing out malware via dynamic DNS domains, most of them reached through injection attacks on hacked sites.

There are hundreds or possibly thousands of malicious hostnames on this IP. Blocking them individually is likely to be impractical; the better approach is to block all traffic to 151.248.123.170 or to the dynamic DNS parent domains involved, although this might also block access to some legitimate sites that use those services.

These are the Dynamic DNS domains being abused (you should consider blocking them in my opinion):
3utilities.com
4mydomain.com
4pu.com
changeip.org
ddns.ms
ddns.us
dns04.com
dsmtp.com
dynamicdns.biz
dynamic-dns.net
freeddns.com
ftpserver.biz
ikwb.com
itemdb.com
jetos.com
lflinkup.net
mefound.com
myddns.com
myftp.org
myfw.us
mypicture.info
mysecondarydns.com
myvnc.com
ninth.biz
no-ip.biz
no-ip.info
no-ip.org
ns01.biz
ns01.info
ns02.us
ns3.name
ocry.com
organiccrap.com
otzo.com
port25.biz
redirectme.net
servebeer.com
serveblog.net
servecounterstrike.com
serveftp.com
servegame.com
servehalflife.com
servehttp.com
servemp3.com
servepics.com
servequake.com
serveusers.com
xxuz.com
youdontcare.com
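
Blocking at the parent-zone level is straightforward to automate. The script below is an added example (it is not part of the original post): it takes a subset of the dynamic DNS zones listed above plus the IP, maps observed hostnames onto the zone that covers them using whole-label matching (so a look-alike such as `xno-ip.org` is not swept up by a naive suffix check), and emits a response policy zone that returns NXDOMAIN for the zones, everything beneath them, and any answer resolving to the blocked IP. The RPZ record syntax and the `rpz.local.` origin are assumptions in the common BIND/Unbound style; the hostnames marked as constructed are not from the post. Remember the caveat from the text: a wildcard rule on `no-ip.org` also blocks every legitimate No-IP user.

```python
"""Build a DNS-level blocklist for abused dynamic-DNS parent zones.

Added example, not code from the original post. Maps observed hostnames
to the parent zone that covers them and emits RPZ records that block the
zone, all of its subdomains, and answers pointing at the blocked IP.
"""
from collections import Counter

# Parent zones named in the post (subset; extend with the full list).
DDNS_ZONES = [
    "3utilities.com", "4mydomain.com", "myfw.us", "myftp.org",
    "no-ip.biz", "no-ip.info", "no-ip.org", "servehttp.com",
]
BLOCKED_IPS = ["151.248.123.170"]

# First four hostnames copied from the post; last two are constructed.
OBSERVED = [
    "0j6nlxx1.myftp.org",
    "3lejjwtbog.no-ip.info",
    "acqdpoqlhtlt.myfw.us",
    "162u8ugl.servehttp.com",
    "www.example.com",          # constructed: not under any listed zone
    "evil.xno-ip.org",          # constructed: substring of a zone, not under it
]


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def match_zone(hostname, zones=DDNS_ZONES):
    """Return the most specific parent zone covering `hostname`, or None.

    Comparison is per label, so 'evil.xno-ip.org' does not match
    'no-ip.org' the way a plain endswith() check would.
    """
    host = _labels(hostname)
    best = None
    for zone in zones:
        z = _labels(zone)
        if len(host) >= len(z) and host[-len(z):] == z:
            if best is None or len(z) > len(_labels(best)):
                best = zone
    return best


def summarize(hostnames, zones=DDNS_ZONES):
    """Count observed hostnames per parent zone; key None = not covered."""
    return Counter(match_zone(h, zones) for h in hostnames)


def build_rpz(zones=DDNS_ZONES, ips=BLOCKED_IPS, origin="rpz.local."):
    """Emit RPZ records (CNAME . == NXDOMAIN) for zones, wildcards and IPs.

    SOA/NS records that a real zone file needs are omitted for brevity.
    """
    lines = [f"$ORIGIN {origin}", "$TTL 60"]
    for zone in zones:
        lines.append(f"{zone}\tCNAME\t.")
        lines.append(f"*.{zone}\tCNAME\t.")
    for ip in ips:
        # rpz-ip triggers: <prefixlen>.<octets reversed>.rpz-ip
        rev = ".".join(reversed(ip.split(".")))
        lines.append(f"32.{rev}.rpz-ip\tCNAME\t.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for host in OBSERVED:
        print(f"{host:30} -> {match_zone(host)}")
    print(summarize(OBSERVED))
    print(build_rpz())
```

Load the generated zone into your resolver as a policy zone; hosts that `summarize()` reports under `None` are the ones the zone list does not yet cover and need an explicit rule or a new parent zone.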

These are the domains that I can detect on the IP, but there are probably many, many more.
0j6nlxx1.myftp.org
0x0ipb74i.myvnc.com
162u8ugl.servehttp.com
1wupkdyz.no-ip.org
2fwujpyj78.servehttp.com
2j9smce4.myvnc.com
3b51lly0.serveftp.com
3lejjwtbog.no-ip.info
3s5c4v.no-ip.org
3xdt4ejh6.servegame.com
4ur8266w.servebeer.com
6a3wfiznv.servepics.com
6lb311je7.servegame.com
6r69m9b5.serveftp.com
6vdsce2.myvnc.com
7rhw1bpqw.redirectme.net
8dcfv6ba.servepics.com
8f3rkuz.servehttp.com
8k4y6s14g.servequake.com
8kli99kzom.servehalflife.com
8vf9eijal.servehttp.com
9jss9fkfz.servebeer.com
9t2ok1w.servehttp.com
9trcul.3utilities.com
acqdpoqlhtlt.myfw.us
acydtk.itemdb.com
ae6s7iq.servemp3.com
aeqxvegity.changeip.org
agbrtjbdmn.dsmtp.com
ah8d1itwz4.servehalflife.com
ahbedbxyo.myfw.us
aivcdizhr.myfw.us
alspyjnx.serveusers.com
anghootuveg.myfw.us
aqbpswfpj.myfw.us
aqmcuaegy.mefound.com
aqydiv.mefound.com
arziphhrov.dsmtp.com
ass6j8glsg.servehalflife.com
astvrbbad.4pu.com
ataiyhhx.xxuz.com
attxrhs.ns3.name
auhjlwn.ftpserver.biz
aupmbeutcbr.myfw.us
awuddyedd.myfw.us
awxtfktz.youdontcare.com
ayfmlz.changeip.org
aywejlbwn.4pu.com
azxbxx.organiccrap.com
bamwkq.ikwb.com
bawhla.otzo.com
bemtknoufs.4pu.com
bfatsqv.organiccrap.com
bfvidbvewl.mypicture.info
bgmya4t.no-ip.biz
biwqqkzcsa.dynamic-dns.net
bkgeepguwu.youdontcare.com
bnnpvmf.4pu.com
bofapqngse.ddns.us
briirddzbn.myfw.us
btpqyb1p7a.servebeer.com
bzyphcsjcrhs.myfw.us
chlcsqnh.myddns.com
ckbqvlouqe.serveusers.com
cnsycrdv.organiccrap.com
cqunky.xxuz.com
csggbzz.ikwb.com
cttjhki.dynamicdns.biz
cuhadjcnyl.myfw.us
cuimcgv.dns04.com
cundqzpc.youdontcare.com
cuupggih.4pu.com
cvgjzgjabfzz.myfw.us
cwabkfjsh.organiccrap.com
cwfbslqwj.organiccrap.com
cymkwqz.ftpserver.biz
cysbagz.mysecondarydns.com
czbzcx.jetos.com
czjgxkcbf.freeddns.com
czyllsokwi.dynamic-dns.net
ddamrkgie.mypicture.info
ddmvubybx.myfw.us
ddzcvtvglpgb.myfw.us
detnqgkbjahg.myfw.us
dgdgfs.dynamicdns.biz
djgoaf.mysecondarydns.com
dkpdfe.port25.biz
dmfqtxoqvmbe.myfw.us
dnvkizwemfmy.myfw.us
dpwmvwqa.ftpserver.biz
dqmbhghc.itemdb.com
drxjqr.serveusers.com
drzvmd.ns3.name
dtjkin.ns01.info
dukr7abe6.serveftp.com
dumqgfkodvko.myfw.us
dxexzx.port25.biz
eajwozhkn.myfw.us
ecqhffsix.youdontcare.com
edbjaepjg.myfw.us
edefwbh.ftpserver.biz
eeerrtnzii.ftpserver.biz
ehaxoe.mysecondarydns.com
eifmydan.organiccrap.com
ekmlvqvc.dns04.com
emhkyc.ns3.name
encrtggml.youdontcare.com
eogxekpdtcvb.myfw.us
epllsmxckoo.myfw.us
erygtbkshcz.myfw.us
esmiqsq.mysecondarydns.com
eufdldv.mypicture.info
evbntlv.dynamicdns.biz
evkhegeue.myftp.org
exrjzleph.myfw.us
ezbbhtfo.freeddns.com
ezrzmcnmwkl.myfw.us
ezzbnjwtz.changeip.org
fbwlwfnboll.myfw.us
ferzds.ns01.info
fhlswqcai.4pu.com
fitiioenutsp.myfw.us
fjbcsk.otzo.com
fkvqztwwitsm.myfw.us
fmdetqh.dsmtp.com
fntqexnwhjdz.myfw.us
fqbiankg.ikwb.com
fqguhzwcasmj.myfw.us
fqzbwstxyypa.myfw.us
fryjpao.myddns.com
frzfhndxw.itemdb.com
fum22fhpi.servegame.com
fxkooknk.itemdb.com
fxxpnp.itemdb.com
fyuccxbvon.jetos.com
fzeypa.ns3.name
g5fm891.3utilities.com
gaaemoaa.itemdb.com
gaolppjyq.myfw.us
gblfhdwbegow.myfw.us
gdlvqfak.4pu.com
getbwoedccls.myfw.us
gexurmmntx.changeip.org
gfdwowolvt.myfw.us
gfwmxzpvnp.myfw.us
ggpmov.ddns.us
gidnmygaum.ddns.us
gjsqbsqawb.myfw.us
gnbaamarlyit.myfw.us
gpqfskqe.lflinkup.net
gtvqed.organiccrap.com
gtyvjhvw.port25.biz
gumyfsjo.itemdb.com
gwgz8nz7bu.servepics.com
gwhwyvf.ocry.com
gxdcjg.dynamic-dns.net
gzfbhckcddl.myfw.us
h898k9wo.serveftp.com
hbvqaddxz.myfw.us
hdbbzvxejqn.myfw.us
hdowbe.servehttp.com
hdskfrel.ninth.biz
hdwuuvr.ddns.us
hdzfbnlenp.ninth.biz
hefqgipiv.myfw.us
hfltusb.ocry.com
hgibkcayvxc.myfw.us
hgqsiruxft.myfw.us
hgykiuwwh.organiccrap.com
hopucovetkbn.myfw.us
hpnfoqes.ftpserver.biz
hqvjpdsqa.organiccrap.com
hrwouxktkt.ftpserver.biz
hszdvlv.mefound.com
htensj.xxuz.com
hvdqroibk.port25.biz
hvjmsvfdmeab.myfw.us
hvmkidxvr.dynamic-dns.net
hvywhncmn.itemdb.com
hxqvvy.changeip.org
i74hiyo2y.no-ip.org
iappjftw.itemdb.com
iavvgjkk.ftpserver.biz
idjwfvk.dynamicdns.biz
iftewoyvwpob.myfw.us
ijccqljgr.myfw.us
ilugmefnc.freeddns.com
iqyqszqf.lflinkup.net
iriqvotyaz.ns01.biz
irszbliskh.myddns.com
iskiyiha.ninth.biz
iszibayuer.myddns.com
ithnqo.4pu.com
ituevs.xxuz.com
iub483p4.servegame.com
ivkpydtby.no-ip.org
iwhabdyn.serveusers.com
iypjnpcqw.myfw.us
izdzccr.xxuz.com
jacqvk.lflinkup.net
jaiftyxs.mysecondarydns.com
jaqmastga.itemdb.com
jbtcinyjv.4pu.com
jdfoggkzh.serveusers.com
jeaalexymm.myfw.us
jeldtld.organiccrap.com
jenzxchy.ns01.biz
jflhcqv.ikwb.com
jgbkbtyz.freeddns.com
jirshkrgu.youdontcare.com
jjjpbhx.4pu.com
jlbabnosva.otzo.com
jmiqcslfum.ns01.info
jnpknqp.lflinkup.net
jonaybvvy.itemdb.com
jpqtaqvaln.myfw.us
jpvjaujch.myfw.us
jqkaywyy.myddns.com
jupdsuhoh.youdontcare.com
jw5w8658z.redirectme.net
jxxemgpdyqk.myfw.us
kaavrqisc.myfw.us
kamxaip.mypicture.info
kchergnrxp.myfw.us
kcjbeu.ocry.com
kdeftpvpng.dynamic-dns.net
kejzxgh.4pu.com
knmbrnexxh.mysecondarydns.com
knvspjvyz.itemdb.com
koqlwnbku.serveusers.com
kplfuxjzy.myfw.us
kpvshgdss.ns3.name
krnwhhhtwvh.myfw.us
krwwhoehyl.myfw.us
kukxizdui.4mydomain.com
kycwuhgvc.serveusers.com
kyfmidqmh.4pu.com
kzklrwv.serveusers.com
l1y3o4o.serveblog.net
l2z0i6s1.servehttp.com
lajbbeqj.jetos.com
laqsaui.ns01.info
lclcnkhccdl.myfw.us
ldvdfx.ikwb.com
lhbqxfuvy.ocry.com
ljnanlpatrwd.myfw.us
llbguuda.ikwb.com
llotmdufz.dns04.com
lozbalothmc.myfw.us
lrnqgxgoa.ikwb.com
lsjqlbo.port25.biz
lusvrj.dsmtp.com
luyyyd.mysecondarydns.com
lwnplgpton.dsmtp.com
lwtujojereoi.myfw.us
lxpilprs.myddns.com
lyleqfeq.4pu.com
meuquma.ddns.us
mfdteohcrc.youdontcare.com
mfksblicgi.ocry.com
mfyxqutszl.otzo.com
mikxwsfmj.changeip.org
mkgwgjgwci.ddns.us
mrfltmzyeseg.myfw.us
mrnmqdsxfyze.myfw.us
muqvwvf.freeddns.com
mvdqmecbf.myfw.us
mvjlxlyjp.myfw.us
mvuqao.myddns.com
mwqgxlttg.ns01.biz
mx0t2z.servecounterstrike.com
myhnzszkoe.myfw.us
myijyjux.organiccrap.com
mzikrrzf.jetos.com
mzxkmjmquo.myfw.us
naxfpmhw.ninth.biz
ncywhwofn.dsmtp.com
nczgqdlrys.myfw.us
negkht.changeip.org
nhzgjm.dynamic-dns.net
nmwikbwrxia.myfw.us
nnufbc.dynamicdns.biz
npfhqlsm.dynamic-dns.net
npphmnxy.ddns.us
nqusbcphiby.myfw.us
nrpfyekqlk.dynamic-dns.net
nrqmusuueb.serveusers.com
ntbdeedkj.dsmtp.com
nuzmis.itemdb.com
nxcgynyedfs.myfw.us
oatg31.servehalflife.com
ocrrwieqzlha.myfw.us
ohustyl.mysecondarydns.com
okbriapkfb.mefound.com
okeqqnzcge.myfw.us
oliwkndvyxw.myfw.us
omuiekhqjg.myfw.us
oonfrqcocu.myfw.us
oonqydmt.ikwb.com
opaalghwxqlt.myfw.us
opsypzduo.myfw.us
oqccjqk.ikwb.com
oreywhh.serveusers.com
otcdaq.ns02.us
otnblbzjo.serveusers.com
otrshugxco.dynamic-dns.net
otsgcgz.servehttp.com
outwlswin.4mydomain.com
ouurcv.4mydomain.com
ovamujvhsa.dsmtp.com
owljtjpwb.myfw.us
ownowavbfj.ns01.info
oykqbk5bqf.servemp3.com
oywwrii.organiccrap.com
ozgaoshpd.mefound.com
ozxvjdyz.changeip.org
p9kc1ha4.servemp3.com
panvscen.ddns.us
pcafwnm.ikwb.com
pddcmcvof.mysecondarydns.com
peusfapdz.myfw.us
pjhzlriy.ninth.biz
pjrkvghqg.ocry.com
pjvcoazluq.dsmtp.com
pkyowjrjycw.myfw.us
pluowrgpl.myfw.us
pmkihqq.mypicture.info
ppakfotxhpy.myfw.us
ppmdbwqxcrv.myfw.us
ppsjpvzmjg.serveusers.com
prdjva.otzo.com
ptyxbmzkz.itemdb.com
pwkbuuor.xxuz.com
pwkwxztpaj.myfw.us
pyyxiapoxv.myfw.us
qcwkznq.dsmtp.com
qdfjptc.ns01.info
qfawknwtl.myfw.us
qfvrlt.4pu.com
qhfxww.dns04.com
qiwxwwy.dns04.com
qjhdnvjrn.changeip.org
qmnouatnlelp.myfw.us
qmnrup.mysecondarydns.com
qnljeztgg.changeip.org
qnwycifjfl.myfw.us
qplgaurnspl.myfw.us
qtbxjkot.ocry.com
qvvefzzj.ocry.com
qwwxtgojc.ninth.biz
qxp9xez9.3utilities.com
qzlkluald.myfw.us
qzsoegkp.dsmtp.com
r4g6m2.servehttp.com
ramtaky.4pu.com
rbnumsmbygqb.myfw.us
rcezlgb.ns3.name
rclmhzj.mefound.com
rdhrrxlyu.port25.biz
rebcdbgzic.ftpserver.biz
reoenqybu.myfw.us
rgtyavgys.freeddns.com
rhxiepm.ns3.name
ricznb.port25.biz
rjolnrlnpn.serveusers.com
rkaseooypl.myfw.us
rnordfancw.mefound.com
rnrbdynkblyb.myfw.us
rpbdqzdemsu.myfw.us
rtxektc.xxuz.com
rujaafdzwq.xxuz.com
rutqjnsex.myfw.us
rwscdhnhn.4mydomain.com
rxnirgmhsgwv.myfw.us
rxuvkq.mefound.com
rygsjmlss.dsmtp.com
rzreau.myddns.com
sb0y2h.myftp.org
sbjbuclp.dns04.com
seronwzic.myfw.us
serszgynbi.mysecondarydns.com
sgcdujudgzm.myfw.us
simiawbsilu.myfw.us
sjjcmisyd.mysecondarydns.com
skfynaq.serveusers.com
slcnxx.dynamic-dns.net
slcvzheogxph.myfw.us
smjyq1vm.serveftp.com
snediezzlsq.myfw.us
snozgi.organiccrap.com
sopnxhpyjb.port25.biz
sozsybvook.myfw.us
sozuzt.ddns.us
sqdgixmrki.dynamicdns.biz
sqqttryu.itemdb.com
swvgvgldodz.myfw.us
swxxruj.dynamicdns.biz
szsitxy.4pu.com
taokofzze.dynamic-dns.net
tbpsuzdk.port25.biz
tbrfrz.lflinkup.net
tcdcyjxit.ddns.ms
tcutixej.ikwb.com
tfqvhdg.otzo.com
tfywivnfc.myfw.us
tlasuq.itemdb.com
tlggqcgx.ftpserver.biz
tmipoitnfj.myfw.us
tq5wmetanb.servecounterstrike.com
tqzhbfaoy.ns02.us
tsxkxilw.ikwb.com
tufslzazbs.mypicture.info
tuvyov.changeip.org
uegnytqslcm.myfw.us
uelrmywt.ddns.us
uftmrikaydi.myfw.us
ugrhad.dynamic-dns.net
umogoraqz.myfw.us
unkcwjcrmh.otzo.com
utcdmox.dynamic-dns.net
uttptbyvgr.organiccrap.com
uucnwdbptssb.myfw.us
uufqumjr.youdontcare.com
uw35u18.servemp3.com
uwivsj.mefound.com
uwoyvvwvz.myfw.us
uyblrr.dsmtp.com
uyubmke.ns02.us
uzaqlbvvw.ninth.biz
vajoznzefrpt.myfw.us
vawhnrazl.organiccrap.com
vbgbbbjkr.mefound.com
vbhxqbwpt.myfw.us
vdbcdlmwie.port25.biz
ve57fs4.no-ip.org
vgyxuawyxb.myfw.us
vhfemrmovaiq.myfw.us
viptao.ddns.us
viqvti.ns01.info
vktlhllldxz.myfw.us
vpogbb.ns01.info
vpxnbn.organiccrap.com
vtzetcj.ftpserver.biz
vyjhuhol.ftpserver.biz
vysanjugba.changeip.org
wbgavjt.port25.biz
wbhglzsnqe.mypicture.info
wbjnmudcekl.myfw.us
wcxqvknrd.myfw.us
wenrtsjzbc.myfw.us
wfgjxiai.jetos.com
wfjktwnlfx.4mydomain.com
wgolucqns.myfw.us
whaumhrm.organiccrap.com
whpiiimwpodx.myfw.us
whsdoygqm.myfw.us
wilompgsaf.myfw.us
wjdakob.serveusers.com
wkbmaebigy.xxuz.com
wlrdvucbw.myfw.us
wmfqnjimufe.myfw.us
wmhvxsyex.dynamic-dns.net
wmjjdhqfev.myfw.us
wmnrrskry.myfw.us
wnxran.itemdb.com
wpjbcs.ns3.name
wtaumavodr.mysecondarydns.com
wthsard.dsmtp.com
wtriylabiccu.myfw.us
wuamrecon.myfw.us
wzjaaohoigzj.myfw.us
wzkjljfhfx.myfw.us
xcltzwbpmf.4mydomain.com
xfhhefpp.ns01.info
xicrkcb.dynamic-dns.net
xjtkbawsfc.ninth.biz
xkfrazfa.changeip.org
xkxbhbnc.organiccrap.com
xlhppgpktfrq.myfw.us
xosjtax.itemdb.com
xrjwwo.dsmtp.com
xtjypuoa.ftpserver.biz
xtkwuntrv.organiccrap.com
xufntdrj.ns01.info
xujepnjhas.dns04.com
xvsfuixww.organiccrap.com
xwnnmn.ns01.info
xygvilyksie.myfw.us
xzbqujbaj.ocry.com
xzphozmjxqsd.myfw.us
ybcpncmnea.ddns.ms
ydadyu.serveusers.com
yffrfdbkaq.myfw.us
yirlmqgnl.ns3.name
yjrpzzveovi.myfw.us
ynoljubnwos.myfw.us
ynskejsvl.myfw.us
ypccsuwr.ns3.name
yqkdkhqlei.ns01.info
yrtbvvytij.myfw.us
ys9hh20i.servehttp.com
yupbgt.4pu.com
yvwyrbgaji.serveusers.com
yxkudyzfnuv.myfw.us
yywgvpqrpeym.myfw.us
yzmgroem.changeip.org
yzytnygb.ftpserver.biz
yzzihzpo.mysecondarydns.com
zbauqs.ns01.info
zbirjhbbwb.ocry.com
zc287xl.servepics.com
zcauzvzqm.ftpserver.biz
zenxdduid.myfw.us
zhdlzrwzlw.myfw.us
zhudyeczk.myfw.us
zixxjxpc.mefound.com
zjbihpktdn.myfw.us
zkaowad.ddns.ms
zklseo.ddns.us
zmrycmomb.jetos.com
znfrriscgl.myfw.us
zphazatgvuob.myfw.us
zqt4wnw.myftp.org
zrizzrhxcmy.myfw.us
zrqkczmec.dynamic-dns.net
ztvbimxeq.myddns.com
zviwqprs.dynamic-dns.net
zwnovqmrquml.myfw.us
zxjczhjvq.otzo.com
zyttqhhvc.ns3.name
zzifxrfob.dynamicdns.biz
zznbfpbjpqpm.myfw.us

Wednesday 24 April 2013

Something evil on 151.248.123.170

151.248.123.170 (Reg.ru, Russia) is currently hosting a number of malicious sites being used in injection attacks (example 1, example 2). Almost all of these are dynamic DNS domains, which I would recommend blocking, and I also recommend blocking the IP address. Trying to block the individual hostnames would probably be ineffective.

Recommended blocklist:
151.248.123.170
ns3.name
zapto.org
hopto.org
no-ip.org
changeip.org
myftp.org
servemp3.com
dns04.com
itemdb.com
ikwb.com
myvnc.com
mefound.com
servehalflife.com
servequake.com
servecounterstrike.com
servegame.com
youdontcare.com
4mydomain.com
otzo.com
organiccrap.com
serveftp.com
dsmtp.com
servehttp.com
servebeer.com
servepics.com
3utilities.com
freeddns.com
mysecondarydns.com
jetos.com
serveusers.com
4pu.com
ocry.com
xxuz.com
ns01.info
mypicture.info
no-ip.info
ddns.ms
ns02.us
ddns.us
myfw.us
redirectme.net
serveblog.net
lflinkup.net
sytes.net
dynamic-dns.net
no-ip.biz

Detected domains (almost all of these are marked as unsafe by Google)
1aj1l2.redirectme.net
2l9cy2.myftp.org
3lejjwtbog.no-ip.info
4g8v7cg.no-ip.org
598l7qdz.3utilities.com
71dalp61hx.servequake.com
78mudv.redirectme.net
7fht7r.redirectme.net
81jtjlit.3utilities.com
8bqve7sn.servebeer.com
8mau1o8kl7.servepics.com
93rpglw.servequake.com
agapcpaa.ns01.info
ahbedbxyo.myfw.us
aivcdizhr.myfw.us
akkly1t.servemp3.com
aqbpswfpj.myfw.us
arhecexdij.mypicture.info
aturlejd.dns04.com
aupmbeutcbr.myfw.us
azxbxx.organiccrap.com
bdkvtjss.mysecondarydns.com
bdtrehpi.dsmtp.com
bfmkeke.servebeer.com
bgmya4t.no-ip.biz
bietzhsh.mefound.com
biirnrxhz.mypicture.info
bksthi5.servegame.com
briirddzbn.myfw.us
bzyphcsjcrhs.myfw.us
ckbqvlouqe.serveusers.com
ckowva.mypicture.info
clwjaqmz.ocry.com
ctgqrapvt.4pu.com
cxubqrtqv.dynamic-dns.net
cybaqwzoai.jetos.com
cyt4n83.zapto.org
djrarpcpp.organiccrap.com
dousvpd.mysecondarydns.com
dwsfdgem.mysecondarydns.com
ecrbtc.mefound.com
efterbiwkc.freeddns.com
ehvrwxyev.ns3.name
elxvpf6prq.myvnc.com
eojriwvpt.serveusers.com
esmiqsq.mysecondarydns.com
exrjzleph.myfw.us
fgcnxamjp.ddns.us
fm7vxw.serveblog.net
fmdetqh.dsmtp.com
fqguhzwcasmj.myfw.us
fxbjpg.itemdb.com
fyuccxbvon.jetos.com
fz1a9crr7i.no-ip.info
gbeonh.servehttp.com
gclpzkt.mefound.com
gcojpbiwb.mefound.com
getbwoedccls.myfw.us
gipjuqnyp.mysecondarydns.com
gpbqicpq.ns01.info
gpqhomgo.ocry.com
gtpjrnkte.itemdb.com
gwhwyvf.ocry.com
gykobwnn.ddns.ms
gyxjclzy.dsmtp.com
hbjadoipd.mefound.com
hdbbzvxejqn.myfw.us
hdygywog.youdontcare.com
hidzgz.otzo.com
hiweya.lflinkup.net
hmkdmjn.ikwb.com
hsqyvzz.ddns.ms
iolwnr.freeddns.com
iuvrmzszjx.ns02.us
j7h9c34fip.servehalflife.com
jayrkypqxx.ns02.us
jkjehvt4k6.servegame.com
jnsvbykd.ns02.us
joukprhng.ocry.com
jpwhgfrc.dynamic-dns.net
jwufzame.youdontcare.com
jxrxuuqs.ddns.ms
jxxaoeufjs.serveusers.com
k05c1jx3lm.sytes.net
k23901iiv.no-ip.org
k40q5bx.servemp3.com
k6fgu8.hopto.org
klmgaqrtem.jetos.com
kmxxvdey.dsmtp.com
krnwhhhtwvh.myfw.us
kuebyfoh.ddns.us
kukxizdui.4mydomain.com
kunwxont.ikwb.com
kzbeyyvkl.jetos.com
kzfxvrz.ns02.us
ladmbbwxmm.no-ip.info
lrymhkrah.dsmtp.com
m938c18.no-ip.info
meaymayetx.organiccrap.com
meuquma.ddns.us
mfbovxps.serveftp.com
mgz0bf6g46.servehttp.com
mpqeydocoiq.myfw.us
mpwtwer.ns01.info
mrnmqdsxfyze.myfw.us
mvdqmecbf.myfw.us
mztlzbd.dynamic-dns.net
ncopbisrmn.xxuz.com
ndmvpgslci.itemdb.com
ngyuwfpaa.dsmtp.com
nmwikbwrxia.myfw.us
nngbpjevv.mefound.com
nuzmis.itemdb.com
nxcgynyedfs.myfw.us
odybreg.ikwb.com
ojew5yj.servecounterstrike.com
okbriapkfb.mefound.com
opxphpg.dns04.com
oqpslwchym.ns3.name
ortqptto.organiccrap.com
ou5hiad9.redirectme.net
owljtjpwb.myfw.us
ozyiivww.youdontcare.com
pbsezsidc.ns01.info
peifdnc.4pu.com
pmjqkxgxz.ddns.us
pmkihqq.mypicture.info
ppmdbwqxcrv.myfw.us
pwemctzvq.ns02.us
pwkwxztpaj.myfw.us
pzcbqmnxv.ddns.ms
qfnisv1h.servehttp.com
qgfs3q0.redirectme.net
qntfwt.changeip.org
qnwycifjfl.myfw.us
qsbmgof.ns3.name
qtbxjkot.ocry.com
quludwdcaq.mypicture.info
qzlkluald.myfw.us
r6x4yz.no-ip.org
rbnumsmbygqb.myfw.us
rcezlgb.ns3.name
rcumgx.jetos.com
rkaseooypl.myfw.us
rkhcyhk4o3.servecounterstrike.com
rnrbdynkblyb.myfw.us
rpbdqzdemsu.myfw.us
seronwzic.myfw.us
sgcdujudgzm.myfw.us
sglrpbgnvl.freeddns.com
sjsw9ne.servecounterstrike.com
slcvzheogxph.myfw.us
sozsybvook.myfw.us
sppbfcemw.jetos.com
synvmclp.dynamic-dns.net
tfqvhdg.otzo.com
tgckjiq.mysecondarydns.com
tin57d1.sytes.net
tlq8aw7lxc.servequake.com
tlvayh.4mydomain.com
tmipoitnfj.myfw.us
tnfzfdd.mypicture.info
trgcrumzlo.xxuz.com
tuewfxrwos.xxuz.com
uegnytqslcm.myfw.us
uftmrikaydi.myfw.us
umhlefsfo.dynamic-dns.net
uniomlciyi.otzo.com
uttptbyvgr.organiccrap.com
uucnwdbptssb.myfw.us
uureflcf.lflinkup.net
vbhxqbwpt.myfw.us
vesooyzw.serveusers.com
vewvfb.ikwb.com
vgyxuawyxb.myfw.us
voskghrg.ns3.name
vpogbb.ns01.info
vpxnbn.organiccrap.com
wdpyffpv.dsmtp.com
whaumhrm.organiccrap.com
whpiiimwpodx.myfw.us
wmnrrskry.myfw.us
wobxsdlv5r.no-ip.info
wrnkzkxjea.servemp3.com
wtriylabiccu.myfw.us
wucsutja.servecounterstrike.com
wwrhxrrvx2.serveftp.com
wywiapwvh.dns04.com
xkfrazfa.changeip.org
xlumergew.ns02.us
xugjnwfw.dsmtp.com
xxyneb.4pu.com
xygvilyksie.myfw.us
xzbqujbaj.ocry.com
ybdrgilms.4pu.com
ybywobw.mysecondarydns.com
yywgvpqrpeym.myfw.us
zakiie.ocry.com
zhudyeczk.myfw.us
zihoqd.ns3.name
zkgctmm4h.myftp.org
znhkad.xxuz.com
zqieuqgwt.ns3.name
zylzvbn.ns02.us
zyzniusdlq.ns01.info

Wednesday 3 April 2013

Something evil on 151.248.123.170

151.248.123.170 (Reg.ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain.com/jquery/get.php?ver=jquery.latest.js, which then leads to a landing page on [donotclick]db0umfdoap.servegame.com/xlawr/next/requirements_anonymous_ordinary.php (report here, but it times out), which from the URL looks very much like a Blackhole exploit kit.

This server hosts a lot of sites using various dynamic DNS domains. I would recommend blocking the dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, dynamic DNS services are being abused to such an extent that pre-emptive blocking is probably the safest approach.
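
The first stage of an attack like this is a script reference injected into a legitimate page, so site owners can look for it themselves. The following is an added example, not code from the original post: it parses an HTML document, collects the elements that pull remote content, and flags any whose host falls under an abused dynamic DNS zone or is the blocked IP. The sample page is constructed; the injected URL in it is the one reported above, defanged and never fetched. The zone list is a short subset of the ones named in this post.

```python
"""Scan HTML for injected script/iframe references to suspicious hosts.

Added example, not code from the original post. The sample page is
constructed; the injected loader URL is the one the post reports. Do not
fetch it. Point this at saved copies of your own pages instead.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

DDNS_ZONES = {"4mydomain.com", "servegame.com", "no-ip.org", "myfw.us"}
BLOCKED_IPS = {"151.248.123.170"}

# Constructed page: one legitimate jQuery include, one injected loader
# dressed up as a jQuery file, one injected 1x1 iframe pointing at the IP.
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-1.9.1.min.js"></script>
<script src="http://fdozwnqdb.4mydomain.com/jquery/get.php?ver=jquery.latest.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://151.248.123.170/xlawr/next/" width="1" height="1"></iframe>
</body></html>
"""


def under_zone(host, zones):
    """Label-wise suffix match: host equals the zone or is a subdomain of it."""
    h = host.lower().rstrip(".").split(".")
    for zone in zones:
        z = zone.lower().split(".")
        if len(h) >= len(z) and h[-len(z):] == z:
            return zone
    return None


class RefCollector(HTMLParser):
    """Collect (tag, url) for elements that load remote content."""
    WATCH = {"script": "src", "iframe": "src", "embed": "src",
             "object": "data", "link": "href"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        want = self.WATCH.get(tag)
        if not want:
            return
        for name, value in attrs:
            if name == want and value:
                self.refs.append((tag, value))


def find_suspicious_refs(html, zones=DDNS_ZONES, ips=BLOCKED_IPS):
    """Return [(tag, url, reason)] for references worth investigating."""
    parser = RefCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.refs:
        host = urlsplit(url).hostname
        if not host:
            continue                       # relative URL, same origin
        zone = under_zone(host, zones)
        if zone:
            findings.append((tag, url, f"host under abused DDNS zone {zone}"))
        elif host in ips:
            findings.append((tag, url, f"host is blocked IP {host}"))
    return findings


if __name__ == "__main__":
    for tag, url, reason in find_suspicious_refs(SAMPLE_HTML):
        print(f"[{tag}] {url}\n    {reason}")
```

Note that the injected loader borrows a jQuery-looking filename; matching on the host rather than the path is what catches it.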

These are the domains I can see:
41y7kr.servehttp.com
96ztorwy89.serveblog.net
aehwmcqgx.myddns.com
ahbedbxyo.myfw.us
aivcdizhr.myfw.us
b57idtwn.servehalflife.com
bjtujinsl.changeip.org
bu3l0d4s.serveftp.com
bunahyfba.dns04.com
c9c7gldpp.serveblog.net
cigtdye.changeip.org
cuhadjcnyl.myfw.us
d15txn.servepics.com
db0umfdoap.servegame.com
dzrdmz.youdontcare.com
fapqdfckws.serveusers.com
fdozwnqdb.4mydomain.com
fdqeeo.freeddns.com
fxtloji.serveusers.com
geiuut.itemdb.com
grtyxl.xxuz.com
gxodzugrgq.mypicture.info
hgibkcayvxc.myfw.us
hrxivk.ddns.us
hyjantahjuc.myfw.us
hzfkim.ns01.info
idapjl.port25.biz
igwvypnsne.ftpserver.biz
jghdbtvxgj.ns3.name
jjjpbhx.4pu.com
jziirhsxi.dns04.com
keuiawjhbb.itemdb.com
kptslcbrbg.dsmtp.com
lgjkvp.ddns.us
motxke.dns04.com
mzfpmox.mysecondarydns.com
ngt5lcgnp.3utilities.com
objdjjhjpw.port25.biz
ozcffpa.jetos.com
ppmvfcrlw.youdontcare.com
ptdvlxyn.dsmtp.com
qcoidxrbod.ns02.us
rpsbccts.jetos.com
simiawbsilu.myfw.us
smysfr.ddns.ms
sufgrgzpj.ns3.name
swsdsr.mypicture.info
tbrfrz.lflinkup.net
toqmibzken.dynamicdns.biz
uouxhr.serveusers.com
uv985f.no-ip.info
vnlvrwkat.port25.biz
voc0cjieh.servehttp.com
vvecozzd.ns3.name
w5zik4js.sytes.net
wenrtsjzbc.myfw.us
yupbgt.4pu.com
zenj6u.no-ip.org
zjbihpktdn.myfw.us

This is what I recommend that you block:
151.248.123.170
3utilities.com
4mydomain.com
4pu.com
changeip.org
ddns.ms
ddns.us
dns04.com
dsmtp.com
dynamicdns.biz
freeddns.com
ftpserver.biz
itemdb.com
jetos.com
lflinkup.net
myddns.com
myfw.us
mypicture.info
mysecondarydns.com
no-ip.info
no-ip.org
ns01.info
ns02.us
ns3.name
port25.biz
serveblog.net
serveftp.com
servegame.com
servehalflife.com
servehttp.com
servepics.com
serveusers.com
sytes.net
xxuz.com
youdontcare.com

Tuesday 5 March 2013

Something evil on 5.9.196.3 and 5.9.196.6

Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama.nl/relay.php) leading to two identified malware landing pages:

[donotclick]kisielius.surfwing.me/world/explode_conscious-scandal.jar (report here)
[donotclick]alkalichlorideasenteeseen.oyunhan.net/world/romance-apparatus_clinical_repay.php (report here)

Domains visible on 5.9.196.3 include:
alkalichlorideasenteeseen.oyunhan.net
kisielius.surfwing.me
dificilmentekvelijitten.surfwing.me
befool-immatriculation.nanovit.me
locoburgemeester.toys2bsold.com
ratiocination-wselig.smithsisters.us

A few addresses along is 5.9.196.6, which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb.com

Blocking these domains completely is probably a good idea:
oyunhan.net
surfwing.me
nanovit.me
toys2bsold.com
smithsisters.us
creatinaweb.com

5.9.196.0/28 is a Hetzner IP allocated to:

inetnum:        5.9.196.0 - 5.9.196.15
netname:        PQCSERVICE-LLC
descr:          pqcservice llc
country:        DE
admin-c:        VS4214-RIPE
tech-c:         VS4214-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Vadim Sheyin
address:        pqcservice llc
address:        Universitetskaya 2a
address:        61091 Kharkov
address:        UKRAINE
phone:          +380506268399
nic-hdl:        VS4214-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered


I haven't seen anything of value in this /28, blocking it may be prudent.

Wednesday 20 February 2013

famagatra.ru injection attack in progress

There seems to be an injection attack in progress, leading visitors to hacked websites to a malicious page on the server famagatra.ru.

The payload is at [donotclick]famagatra.ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here), which is basically a nasty dose of Blackhole.

84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chunghwa Telecom, Taiwan)

The following domains and IPs are all part of the same evil circus:
84.23.66.74
195.210.47.208
210.71.250.131
efjjdopkam.ru
eiiiioovvv.ru
eipuonam.ru
ejiposhhgio.ru
ejjiipprr.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
emmmhhh.ru
enakinukia.ru
epilarikko.ru
epionkalom.ru
errriiiijjjj.ru
esigbsoahd.ru
estipaindo.ru
ewinhdutik.ru
exiansik.ru
exibonapa.ru
famagatra.ru
finalions.ru

Monday 11 February 2013

Something evil on 46.165.206.16

This is a little group of fake analytics sites containing malware (for example), hosted on 46.165.206.16 (Leaseweb, Germany). Some of these sites (marked in red in the original post) have already been tagged by Google Safe Browsing diagnostics; presumably the others have stayed below the radar.

adstat150.com
cexstat20.com
katestat77.us
kmstat505.us
kmstat515.us
kmstat530.com
lmstat450.com
mptraf11.info
mptraf2.info
mxstat205.us
mxstat570.com
mxstat740.com
mxstat760.com
rxtraf25.ru
rxtraf26.ru
skeltds.us
vmstat100.com
vmstat120.com
vmstat140.com

vmstat210.com
vmstat230.com
vmstat320.com

Friday 8 February 2013

radarsky.biz and something evil on 5.135.67.160/28

There is currently an injection attack redirecting visitors to the domain radarsky.biz (for example), hosted on 5.135.67.173 (OVH) and suballocated to:

inetnum:        5.135.67.160 - 5.135.67.175
netname:        MMuskatov-FI
descr:          MMuskatov
country:        FI
org:            ORG-OH6-RIPE
admin-c:        OTC15-RIPE
tech-c:         OTC15-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered

"MMuskatov" was involved in this attack too, and a quick inspection of 5.135.67.160/28 doesn't look promising; you might want to block it, and 5.135.67.144/28 and 5.135.67.192/28 as well. A deeper analysis is in progress.

Thursday 8 November 2012

getyourbet.org injection attack

There seems to be an injection attack doing the rounds; the injected domain is getyourbet.org, hosted on 31.184.192.237. The domain registration details are:

Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains@yahoo.com

The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).

This is a two-stage attack: if getyourbet.org is called with the correct referrer parameters, the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.

pin.panacheswimwear.co.uk
physical.oneandonlykanuhura.com
pig.onmailorder.com
picture.onlyplussizes.com
person.nypersonaltrainers.com
pipe.payday-loanstoday.com

I've seen this sort of abuse of GoDaddy domains before: the main "www" hostname resolves correctly, but the subdomains get pointed elsewhere. There's either a problem at GoDaddy or this is done through a phish.

Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks.

Sunday 7 October 2012

Something evil on 5.9.188.54

Here's a nasty bunch of sites being used in injection attacks, all hosted on 5.9.188.54:

nfexfkloawuqlaahsyqrxo.qlvyeviexqzrukyo.waw.pl
nqvzrpyoossmr.qlvyeviexqzrukyo.waw.pl
xfynhovgofzsqueuuprplvv.qlvyeviexqzrukyo.waw.pl
lgrfuqfwz.qlvyeviexqzrukyo.waw.pl
zlqfrypzqyubsedrzugeaf.urblvhnfxzrozzlz.waw.pl
qxggipnnfmnihkic.ru
mvuvchtcxxibeubd.ru

5.9.188.54 is a Hetzner IP address (no surprise there) suballocated to:

inetnum:         5.9.188.32 - 5.9.188.63
netname:         LLC-CYBERTECH
descr:           LLC "CyberTech"
country:         DE
admin-c:         AG6373-RIPE
tech-c:          AG6373-RIPE
status:          ASSIGNED PA
mnt-by:          HOS-GUN
source:          RIPE # Filtered

person:          Alexey Galaev
address:         LLC "CyberTech"
address:         Grizodubova street 4 , build.2
address:         125252 Moscow
address:         RUSSIAN FEDERATION
phone:           +660812703752
nic-hdl:         AG6373-RIPE
remarks:         -------------------------
remarks:         Vpsville.ru working 24x7
remarks:         -------------------------
remarks:         For abuse use admin@vpsville.ru
abuse-mailbox:   admin@vpsville.ru
mnt-by:          HOS-GUN
source:          RIPE # Filtered

You might want to block the whole 5.9.188.32/27 range; you should certainly block 5.9.188.54 if you can.
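
Several of these posts (this one and the 5.9.196.0/28 one above) end by turning a RIPE `inetnum:` range into a prefix to block. That conversion is easy to get wrong by hand when the range is not prefix-aligned, so here is an added example, not code from the original post, that parses the record text quoted above, computes the minimal set of CIDR blocks covering the range, and prints nftables drop rules for them. The second range is constructed to show the split for the case where only the two observed hosts of a /28 are blocked rather than the whole allocation; the `inet filter output` chain name is an assumption.

```python
"""Turn RIPE-style inetnum records into CIDR prefixes and firewall rules.

Added example, not code from the original post. The record below is copied
from the post's WHOIS output for 5.9.188.54 (trimmed). The nftables chain
name is an assumption; adjust it for your ruleset.
"""
import ipaddress
import re

# Copied from the post (RIPE output for the 5.9.188.54 allocation, trimmed).
INETNUM_5_9_188 = """
inetnum:         5.9.188.32 - 5.9.188.63
netname:         LLC-CYBERTECH
descr:           LLC "CyberTech"
country:         DE
status:          ASSIGNED PA
source:          RIPE # Filtered
"""

RANGE_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", re.M)


def parse_inetnum(record):
    """Return (first, last) IPv4 addresses from the inetnum: line."""
    m = RANGE_RE.search(record)
    if not m:
        raise ValueError("no inetnum line found")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def range_to_cidrs(first, last):
    """Minimal list of CIDR prefixes that exactly covers first..last."""
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def netname(record):
    """The netname: value, used to label the rule; 'unknown' if absent."""
    m = re.search(r"^netname:\s*(\S+)", record, re.M)
    return m.group(1) if m else "unknown"


def nft_rules(record, chain="inet filter output"):
    """nftables drop rules, one per prefix of the allocation."""
    first, last = parse_inetnum(record)
    name = netname(record)
    return [f'nft add rule {chain} ip daddr {cidr} counter drop comment "{name}"'
            for cidr in range_to_cidrs(first, last)]


if __name__ == "__main__":
    print(range_to_cidrs(*parse_inetnum(INETNUM_5_9_188)))  # ['5.9.188.32/27']
    # Constructed: block only the two observed hosts .3 and .6 of the /28
    # from the 5.9.196.x post rather than the whole allocation.
    print(range_to_cidrs(*parse_inetnum("inetnum: 5.9.196.3 - 5.9.196.6")))
    # ['5.9.196.3/32', '5.9.196.4/31', '5.9.196.6/32']
    for rule in nft_rules(INETNUM_5_9_188):
        print(rule)
```

The aligned 32-address range collapses to a single /27, as the post says; the unaligned .3 to .6 range needs three prefixes, which is the kind of detail that gets dropped when rules are typed from a WHOIS printout.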

Wednesday 1 August 2012

xinthesidersdown.com injection attack in progress

There is currently an injection attack using a script pointing to [donotclick]xinthesidersdown.com/sl.php doing the rounds. The malicious code is hosted on 194.28.115.150, the same IP address as was used in this attack yesterday.

Tuesday 12 June 2012

partyysoon.info injection attack in progress

I haven't had much time to analyse this yet, but there seems to be some sort of injection attack using the domain partyysoon.info. It may be targeting sites in Sweden.

Malicious URLs (don't click these, obviously):
hxxp:||partyysoon.info/index.php
hxxp:||partyysoon.info/js_pa/F.class
hxxp:||partyysoon.info/Set.jar
hxxp:||gotchasworkspaces.in/duquduqu1/font.php
hxxp:||beards.christianmomsgetaways.com/index.php?p=b2e04035f7b91e43

These IPs and domains are all related to the attack:

5.10.65.142 (Spinor J Ltd / Ulrik Sjafalander, Sweden)
partyysoon.info
(Part of a small block of 5.10.65.136 - 5.10.65.143)

141.101.239.97 (Leadertelecom, Russia)
beards.christianmomsgetaways.com
volumea.offerscrate.com
wagea.hcop.com
sexof2a0b5.serveusers.com
sexo41e92f.serveusers.com
beds.fivedollarprogram.info
visitora.legitimatepaidsurveystips.info

69.65.42.35 (Gigenet, US)
gotchasworkspaces.in
kopachrats.info

Blocking access to these IPs might be prudent.

Wednesday 9 May 2012

Something evil on 50.30.47.81

There are a bunch of sites on 50.30.47.81 (Hosting Solutions International, Inc., US) being used to serve Java exploits via injection attacks. Probably worth blocking this one (and obviously, don't visit these sites):

www.gredsa.in
www.bbadkf.in
www.bernitto.in
www.hfsless.in
www.burness.in

Wednesday 25 April 2012

Something evil on 85.17.222.80, lpicture.info and ghjvodka.info

Some sites appear to have been hit by a sophisticated multi-part injection attack that triggers only once per IP (so difficult to track down).

There are two injected elements. One is a .in site hosted on 85.17.222.80 (Leaseweb, Netherlands), which could be one of the following:

sds.vaselisa.in
dds.kiriloid.in
drf.yerevano.in
sddr.margarit.in
cd.fancyclu.in

There's a pretty inconclusive Wepawet report here but be assured that these domains have a malicious payload.

The second injection is a reference to lpicture.info, which is hosted on 95.168.173.151, a Leaseweb Germany IP address suballocated to inferno.name, who appear to be a Serbian firm fronted in the UK. I strongly recommend blocking all their IP ranges (listed here) if you can. lpicture.info merely forwards to a malicious payload on ghjvodka.info (report here), and that in turn is hosted on 37.59.198.55 (OVH, France) along with some other suspect-looking sites that lead me to conclude that this IP address is worth blocking too:

ns2.deftheory.org
abcvodka.info
defvodka.info
ghjvodka.info
abcfree.info
ns1.abcfree.info
deffree.info
ghjfree.info
ns1.ghjfree.info
klmfree.info
opqfree.info
ns1.opqfree.info
rstfree.info
uvwfree.info
ns1.uvwfree.info
xyzfree.info
ns1.xyzfree.info
deflocal.info
ns1.deflocal.info
ghjlocal.info
klmlocal.info
noplocal.info
ghjseat.info
klmseat.info
ns1.klmseat.info

This malware seems to be quite good at avoiding analysis, but if you can block these IPs then I strongly recommend that you do.

Tuesday 24 April 2012

nikjju.com injection attack in progress

The ISC is warning of an injection attack using the domain nikjju.com. The WHOIS details of this domain are very familiar:

Registrant Contact:
   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The hotmailbox.com domain is a sign of evil, and these are likely to be the "LizaMoon" crew who have been very active over the past couple of years. nikjju.com is hosted on 31.210.100.242 (INTER NET BILGISAYAR LTD STI, Turkey), although blocking the domain will help as well because these malicious sites tend to be highly mobile.

Thursday 12 April 2012

Something evil on 91.230.147.204 / Aldevir Invest

There are a bunch of domains on 91.230.147.204 being used in injection attacks:

entra78ting1.rr.nu
kickp43erryba.rr.nu
ngem44entca.rr.nu
ecei45veda.rr.nu
pingyo18ungmea.rr.nu
lls83sea.rr.nu
ipsre94marka.rr.nu
ownsca11ncerdra.rr.nu
ipme54ntsa.rr.nu
pora96tionb.rr.nu
rhol48dingc.rr.nu
anyco35mmunic.rr.nu
ddispl59ayingad.rr.nu
duni54xdled.rr.nu
ate62bid.rr.nu
losin31gsind.rr.nu
eted47place.rr.nu
stem59lice.rr.nu
ense21sgene.rr.nu
prepa36repre.rr.nu
sbrill22iantte.rr.nu
repres92enteve.rr.nu
stiga68tedef.rr.nu
taxv93italf.rr.nu
ivisi07onbeg.rr.nu
les23leg.rr.nu
citati35onpreg.rr.nu
who97mhig.rr.nu
nit25ionh.rr.nu
long63edhi.rr.nu
gypt73iani.rr.nu
unde52sbank.rr.nu
tank95ersfl.rr.nu
supe54radol.rr.nu
opria79teprol.rr.nu
egulat49ionspl.rr.nu
partia68llyearl.rr.nu
asketb75allmul.rr.nu
ent69aryl.rr.nu
sswhyp63rogramm.rr.nu
otin51gform.rr.nu
tern37etban.rr.nu
asi59ain.rr.nu
conce87ptfin.rr.nu
ing85erin.rr.nu
sadjus10tmentin.rr.nu
yworld22widecon.rr.nu
mpti08ngcon.rr.nu
tril70lion.rr.nu
ini66ngco.rr.nu
meant86lakefo.rr.nu
epopu02latio.rr.nu
ieved92lebano.rr.nu
egis13lato.rr.nu
esa70cto.rr.nu
urdr08eamp.rr.nu
anie49sdar.rr.nu
rical10ibrar.rr.nu
ngnyb99omber.rr.nu
tlongt08ermwer.rr.nu
ggest37power.rr.nu
rswa90rbur.rr.nu
ari90ores.rr.nu
rece69ives.rr.nu
ment54leaks.rr.nu
earal02ltwos.rr.nu
tsp15ers.rr.nu
speakf56eelingt.rr.nu
iesst77atepot.rr.nu
hurric76anereu.rr.nu
elba98nkru.rr.nu
greedc57upelev.rr.nu
duc15edov.rr.nu
ens62how.rr.nu
dustry52dontow.rr.nu
nta17ctex.rr.nu
kelly44array.rr.nu
ns1.hoperjoper.ru
ns2.hoperjoper.ru

This is a dodgy looking /24 allocated to:

inetnum:         91.230.147.0 - 91.230.147.255
netname:         zuzu-net
descr:           OOO "Aldevir Invest"
country:         RU
org:             ORG-OI19-RIPE
admin-c:         KY241-RIPE
tech-c:          KY241-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          zuzu-mnt
mnt-routes:      zuzu-mnt
mnt-domains:     zuzu-mnt
source:          RIPE # Filtered

organisation:    ORG-OI19-RIPE
org-name:        OOO "Aldevir Invest"
org-type:        other
address:         192012, St.-Petersburg, Chernova ul., 25, office 12
mnt-ref:         zuzu-mnt
mnt-by:          zuzu-mnt
source:          RIPE # Filtered

person:          Krutko Evgeni Yurevich
address:         192012, St.-Petersburg, Chernova ul., 25, office 12
phone:           +7812850202
nic-hdl:         KY241-RIPE
mnt-by:          zuzu-mnt
source:          RIPE # Filtered

route:           91.230.147.0/24
descr:           Route for DC
origin:          AS5508
mnt-by:          zuzu-mnt
source:          RIPE # Filtered

Some of these domains were previously hosted on Specialist ISP, one of the blackest-hat hosting providers that I know of. I would suggest blocking the entire /24 to be on the safe side.

For info, the following sites are also in that /24 block:

kleostor.com
prillipapa.biz
prillipapa.com
prillipapa.info
prillipapa.net
prillipapa.org
zeraniko.biz
zeraniko.com
zeraniko.info
zeraniko.net
zeraniko.org
zex-tezx.com
argobuilding.in
mybackdomain888.in
besthostnets.com
firstnethosting.com
highesthostnets.com
tophostnetworks.org
lockandkeyeventsparty.com
thisdomainsmakemetired.info
hashs.ru
allyrboom.com
trisstan-express.org
tropicana-tour.org

Wednesday 4 April 2012

playbill.com hacked

playbill.com covers listings and tickets for theatre events in New York and London. It's a popular site in the US, ranked 3350 according to Alexa.

Unfortunately, the site has been hacked with exploit code for the Java AtomicReferenceArray unsafe typing (CVE-2012-0507) vulnerability (report here), apparently loading malicious components from dezbvu.dyndns-server.com/forum/s1 (62.76.180.69 - ClodoCloud / IT House Ltd, Russia).

Remember to keep your Java up to date to avoid this sort of drive-by attack.

Monday 26 March 2012

gbfhju.com/r.php injection attack in progress

I haven't seen much buzz about this injection attack yet, but several hundred thousand pages have been infected with an injection attack pointing to gbfhju.com/r.php.

According to this Google search there are 236,000 hits for the search string "gbfhju.com/r.php". The sites seem to be randomly distributed through the web, although I couldn't spot any infected UK or US Government or University sites.

The domain gbfhju.com is registered with a set of details that should be familiar to IT security researchers:

Domain name: gbfhju.com

Registrant Contact:
   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Administrative Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Technical Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Billing Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

DNS:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com

Created: 2012-03-17
Expires: 2013-03-17


These details are connected to the LizaMoon gang. The site is hosted on 91.226.78.148, which is Komplit Plyus in Russia. 91.226.78.0/24 is a real sewer of malware sites, money mule and phishing sites and fake pharma outlets, and is well worth blocking.
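The pivot used in this post and in the nikjju.com post above is the same: two domains registered with identical contact details, and a contact e-mail at hotmailbox.com, which the posts treat as a marker for this gang. The following is an added example, not the blog's or anyone else's tooling, that pulls e-mail addresses and phone numbers out of raw WHOIS text and compares records. The two WHOIS blocks are quoted from the posts; the `CLEAN` record is a constructed control, and the `SUSPECT_EMAIL_DOMAINS` set is simply the one domain the posts call out.

```python
import re

# Loose patterns for the free-form WHOIS output quoted in the posts.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+\d[\d.]{5,}\d")

# E-mail domains the posts treat as a marker for this registrant (assumption: only hotmailbox.com).
SUSPECT_EMAIL_DOMAINS = {"hotmailbox.com"}


def registrant_fingerprint(whois_text):
    """Return (emails, phones) found anywhere in a WHOIS dump, each a sorted
    tuple with duplicates removed, so two records can be compared directly."""
    emails = sorted({m.group(0).lower() for m in EMAIL_RE.finditer(whois_text)})
    phones = sorted({m.group(0) for m in PHONE_RE.finditer(whois_text)})
    return tuple(emails), tuple(phones)


def suspicious_reasons(whois_text):
    """List the reasons a record looks linked to the known-bad registrant."""
    emails, _ = registrant_fingerprint(whois_text)
    reasons = []
    for e in emails:
        domain = e.rsplit("@", 1)[1]
        if domain in SUSPECT_EMAIL_DOMAINS:
            reasons.append(f"contact e-mail at {domain}")
    return reasons


def shares_contact(whois_a, whois_b):
    """True when the two records share at least one e-mail address or phone number."""
    ea, pa = registrant_fingerprint(whois_a)
    eb, pb = registrant_fingerprint(whois_b)
    return bool(set(ea) & set(eb) or set(pa) & set(pb))


# WHOIS text quoted from the posts.
NIKJJU = """Registrant Contact:
   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us
"""

GBFHJU = """Domain name: gbfhju.com

Registrant Contact:
   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

DNS:
ns1.dnsexit.com
ns2.dnsexit.com

Created: 2012-03-17
Expires: 2013-03-17
"""

# Constructed control record, not from the post.
CLEAN = """Registrant Contact:
   Example Registrant registrar@example.org
   +44.2079460000 fax: +44.2079460001
"""

if __name__ == "__main__":
    print("gbfhju.com:", registrant_fingerprint(GBFHJU), suspicious_reasons(GBFHJU))
    print("same registrant as nikjju.com:", shares_contact(NIKJJU, GBFHJU))
```

Matching on phone number as well as e-mail matters because the same crew can rotate free-mail addresses while reusing the rest of the contact block; the fingerprint is a tuple so it can be stored and diffed against future registrations.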

The following domains are hosted on 91.226.78.148 and they can all be assumed to be dangerous:

fgthyj.com
gbfhju.com
hjfghj.com
statsmy.com
stmyst.com
yourpagestat.com
yourpagestats.com
These other domains are also being used in injection attacks (usually overlapping each other). Blocking the IP range will stop any other attacks coming from this hosting provider.
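Site owners who want to know whether their own pages are among the several hundred thousand carrying the gbfhju.com/r.php (or earlier nikjju.com/r.php) reference can check locally rather than via a search engine. The following is an added example, not the blog's code, that scans rendered HTML for external `<script>` tags pointing at any of the domains named in this post, and separately scans raw text such as a database export, where an injected tag is often stored entity-encoded and never parses as a tag. The sample page and SQL fragment are constructed, and the `<script src=http://gbfhju.com/r.php>` form is an assumption about how the injected reference appears.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the posts above as injection endpoints or their neighbours.
BAD_DOMAINS = {
    "gbfhju.com", "fgthyj.com", "hjfghj.com", "statsmy.com", "stmyst.com",
    "yourpagestat.com", "yourpagestats.com", "nikjju.com",
}


def is_bad_host(host):
    """Exact or subdomain match against BAD_DOMAINS on label boundaries only,
    so 'xgbfhju.com' is not a match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def host_of(url):
    """Hostname of an absolute or protocol-relative URL ('' for relative paths)."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlsplit(url).hostname or "").lower()


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, quoted or not."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_injected_scripts(html):
    """Return the src of every external script on the page that points at a bad domain."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.srcs if is_bad_host(host_of(s))]


# Raw-text search for database dumps and templates: the lookbehind rejects
# look-alikes such as 'xgbfhju.com' while still allowing 'www.gbfhju.com'.
_BAD_RE = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(d) for d in sorted(BAD_DOMAINS)) + r")(?![\w.-])",
    re.IGNORECASE,
)


def find_bad_references(text):
    """Set of bad domains mentioned anywhere in text (subdomains count)."""
    return {m.group(1).lower() for m in _BAD_RE.finditer(text)}


# Constructed sample page (not a capture); the last script tag is the injected one.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
</head><body><p>Welcome</p>
<script src=http://gbfhju.com/r.php></script>
</body></html>"""

# Constructed sample of a SQL export where the injected tag is stored entity-encoded.
SAMPLE_DUMP = ("INSERT INTO posts VALUES (7,'Hi &lt;script src=http://www.nikjju.com/r.php&gt;"
               "&lt;/script&gt; see http://xgbfhju.com/');")

if __name__ == "__main__":
    print("injected scripts:", find_injected_scripts(SAMPLE_PAGE))
    print("bad references in dump:", find_bad_references(SAMPLE_DUMP))
```

Run `find_injected_scripts` over rendered pages and `find_bad_references` over the database export, because a SQL injection of this kind lands in table contents, and a page-level check alone will miss rows that are not currently rendered.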

Wednesday 14 March 2012

nu.nl compromised with svitart.in attack

Popular Netherlands news site nu.nl (Global rank 544, NL rank 4 according to Alexa) has been compromised in an injection attack of some sort, leading to an exploit kit hosted on svitart.in.

More here (in Dutch, or via Google Translate).

Thursday 16 February 2012

Something evil on 212.95.54.22 (inferno.name)

Something evil is lurking on 212.95.54.22, a server belonging to black hat host inferno.name (mentioned here before).

I've never seen a legitimate site hosted by inferno.name, and I recommend that you block their IP ranges. I identified the following list last August; I haven't had the chance to go back and check it again.

46.22.211.0/25
80.79.124.128/26
92.48.122.32/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
188.143.232.0/23
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

These are some of the malicious sites hosted on that server. It appears to be some sort of injection attack, although it is still being analysed.

*.1905188000.1959caddylimousine.com
*.1959caddylimousine.com
*.2358552833.59caddylimousine.com
*.2851874892.elegantdesign-dfw.org
*.3278164984.elegantdesign-dfw.info
*.59caddylimousine.com
*.alvolo.co.uk.process.1905188000.1959caddylimousine.com
*.ca.redirect.3278164984.elegantdesign-dfw.info
*.co.uk.process.1905188000.1959caddylimousine.com
*.com.process.2851874892.elegantdesign-dfw.org
*.elegantdesign-dfw.info
*.elegantdesign-dfw.org
*.google.ca.redirect.3278164984.elegantdesign-dfw.info
*.google.com.process.2851874892.elegantdesign-dfw.org
*.google.it.process.2358552833.59caddylimousine.com
*.it.process.2358552833.59caddylimousine.com
*.process.1905188000.1959caddylimousine.com
*.process.2358552833.59caddylimousine.com
*.process.2851874892.elegantdesign-dfw.org
*.redirect.3278164984.elegantdesign-dfw.info
*.uk.process.1905188000.1959caddylimousine.com
1905188000.1959caddylimousine.com
212-95-54-22.local
2358552833.59caddylimousine.com
2851874892.elegantdesign-dfw.org
3278164984.elegantdesign-dfw.info
alvolo.co.uk.process.1905188000.1959caddylimousine.com
ca.redirect.3278164984.elegantdesign-dfw.info
co.uk.process.1905188000.1959caddylimousine.com
com.process.2851874892.elegantdesign-dfw.org
europschool.net.url.2523133614.elegantdesign-dfw.net
flyksa.com.redirect.465141941.59caddylimo.com
google.ca.redirect.3278164984.elegantdesign-dfw.info
google.com.process.2851874892.elegantdesign-dfw.org
google.it.process.2358552833.59caddylimousine.com
it.process.2358552833.59caddylimousine.com
oekb36.at.process.340120129.1959caddylimo.com
oekb36.at.redirect.411115172.59cadillaclimousine.com
process.1905188000.1959caddylimousine.com
process.2358552833.59caddylimousine.com
process.2851874892.elegantdesign-dfw.org
redirect.3278164984.elegantdesign-dfw.info
suche.aol.de.search.410468745.elegantdesign-dfw.org
uk.process.1905188000.1959caddylimousine.com
www.alvolo.co.uk.process.1905188000.1959caddylimousine.com
www.berrywestra.nl.search.43565349.1959caddylimousine.com
www.dianaamft.de.search.413644068.59caddylimo.com
www.feuerwehr-schweiz.ch.redirect.461037769.1959caddylimousine.com
www.frnd.de.query.333082952.1959caddylimo.com
www.frnd.de.url.318686353.elegantdesign-dfw.org
www.gaestehaus-schuett-niendorf.de.redirect.411264880.jennyspecialoffer.info
www.google.at.url.4079944488.59caddylimousine.com
www.google.ca.redirect.3278164984.elegantdesign-dfw.info
www.google.com.process.2851874892.elegantdesign-dfw.org
www.google.com.query.3384746824.elegantdesign-dfw.info
www.google.de.process.314184094.1959cadillaclimo.com
www.google.de.process.3384063282.59caddylimo.com
www.google.de.process.3464400104.elegantdesign-dfw.org
www.google.de.process.36453841.59cadillaclimo.com
www.google.de.process.412658054.59cadillaclimousine.com
www.google.de.query.15292270.elegantdesign-dfw.net
www.google.de.query.332541317.59cadillaclimousine.com
www.google.de.query.335211808.elegantdesign-dfw.org
www.google.de.query.3384406282.jennyspecialoffer.info
www.google.de.query.3464386393.59caddylimousine.com
www.google.de.query.464367892.1959caddylimo.com
www.google.de.redirect.3384265678.elegantdesign-dfw.info
www.google.de.redirect.3384350356.1959cadillaclimousine.com
www.google.de.redirect.3464464836.1959cadillaclimo.com
www.google.de.redirect.464534470.1959cadillaclimo.com
www.google.de.search.3384394923.1959cadillaclimo.com
www.google.de.search.3384492708.elegantdesign-dfw.com
www.google.de.search.382410083.1959cadillaclimousine.com
www.google.de.search.393679898.59caddylimousine.com
www.google.de.search.4082654881.1959caddylimousine.com
www.google.de.search.412756816.59caddylimousine.com
www.google.de.search.462774118.elegantdesign-dfw.info
www.google.de.search.463016893.59cadillaclimousine.com
www.google.de.url.15149077.59caddylimo.com
www.google.de.url.2523853156.elegantdesign-dfw.net
www.google.de.url.2531191013.1959cadillaclimousine.com
www.google.de.url.314298327.1959cadillaclimo.com
www.google.de.url.337083412.1959cadillaclimousine.com
www.google.de.url.3375711067.elegantdesign-dfw.net
www.google.es.process.3254798273.1959cadillaclimo.com
www.google.gr.process.11965077.1959cadillaclimousine.com
www.google.it.process.2358552833.59caddylimousine.com
www.google.nl.redirect.455319947.59caddylimo.com
www.google.nl.search.4251017144.1959cadillaclimousine.com
www.kefalonia-animal-trust.de.url.397020850.59cadillaclimousine.com
www.kgse.de.process.465129127.elegantdesign-dfw.info
www.klassik-in-berlin.de.search.464418679.59cadillaclimo.com
www.landwarenshop.de.search.463324361.59cadillaclimo.com
www.losan.de.redirect.318546405.1959cadillaclimousine.com
www.mein-unterrichtsmaterial.de.query.3254956884.1959cadillaclimousine.com
www.rafoeg.de.process.463558035.59caddylimo.com
www.sportfoto-vogler.de.process.337602454.elegantdesign-dfw.com
www.sportfoto-vogler.de.url.337492263.jennyspecialoffer.info
www.torleute.de.redirect.341391517.59caddylimo.com
www.welte.de.search.397762316.1959cadillaclimo.com

Update 15/11/12:
94.100.17.128/26 (94.100.17.128 - 94.100.17.191) is another inferno.name range that you should probably block.
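The recommendation in this post and in the Aldevir Invest post above is to block whole CIDR ranges rather than chase individual hosts. The following is an added example, not the blog's code, that loads those ranges, answers "is this IP inside a blocked range?", flags blocked addresses found in log lines, and renders egress firewall rules for review. The ranges are the ones quoted in the posts; the proxy-log lines and the `dst=` field format are constructed for the example.

```python
import ipaddress
import re

# CIDR ranges quoted from the posts: the inferno.name list and its 15/11/12
# update, plus the OOO "Aldevir Invest" /24.
BLOCKED_RANGES = [
    "46.22.211.0/25", "80.79.124.128/26", "92.48.122.32/28",
    "95.168.165.0/24", "95.168.173.0/24", "95.168.177.0/24",
    "95.168.178.0/24", "95.168.191.0/24", "188.72.204.0/24",
    "188.72.213.0/24", "188.143.232.0/23", "212.95.54.0/24",
    "212.95.58.0/24", "212.95.63.0/24",
    "94.100.17.128/26",   # inferno.name, from the 15/11/12 update
    "91.230.147.0/24",    # OOO "Aldevir Invest"
]
NETWORKS = [ipaddress.ip_network(r) for r in BLOCKED_RANGES]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matching_range(ip):
    """Return the blocked CIDR (as a string) containing ip, or None.
    Raises ValueError for strings that are not IP addresses."""
    addr = ipaddress.ip_address(ip)
    for net in NETWORKS:
        if addr in net:
            return str(net)
    return None


def scan_log(lines):
    """Flag every blocked IPv4 address appearing anywhere in each line, so the
    same function works on access logs (client IP first) and on proxy or
    firewall logs (destination IP later on the line).
    Returns a list of (line_number, ip, range) tuples."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            try:
                rng = matching_range(ip)
            except ValueError:      # e.g. "999.1.1.1" satisfies the regex but is not an address
                continue
            if rng:
                hits.append((n, ip, rng))
    return hits


def iptables_rules(chain="OUTPUT"):
    """Render one egress DROP rule per range. Output is for review, not applied."""
    return [f"iptables -A {chain} -d {net} -j DROP" for net in NETWORKS]


# Constructed sample proxy log lines (not real traffic): client, method, URL, destination.
SAMPLE_LOG = [
    "10.0.0.5 GET http://lpicture.info/ dst=95.168.173.151 status=302",
    "10.0.0.7 GET http://www.example.test/ dst=203.0.113.10 status=200",
    "10.0.0.9 GET http://example.test/x dst=212.95.54.22 status=200",
    "10.0.0.9 GET http://example.test/y dst=94.100.17.200 status=200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("blocked range hit:", hit)
    print("\n".join(iptables_rules()))
```

Note that the fourth sample line is not flagged: 94.100.17.128/26 ends at 94.100.17.191, and using `ipaddress` rather than string prefix matching is what gets that boundary right.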

Tuesday 8 November 2011

Something evil on 193.106.174.220 and 91.194.214.66

193.106.174.220 and 91.194.214.66 are a pair of IP addresses that appear to be involved in injection attacks, possibly distributing the Blackhole exploit kit.

Blocking these two IPs as a precaution is probably a good idea. A full list of the known domains on those two servers is at the bottom of the post, but blocking access to the following domains is an easy shortcut to block most of them:

cu.cc
ddns.me.uk
orge.pl
dyndns-office.com
mrface.com
ns01.us
ns02.us
myftp.name
ddns.name
itsaol.com
port25.biz

Full list:

91.194.214.66
pikapika.cu.cc
adsense-google.cu.cc
mariocart.cu.cc
79574.mynumber.org
ghjgh.ddns.me.uk
rotterdam.osa.pl
1asd-patricia.orge.pl
1benz-pizza.orge.pl
1napoleon-wizard.orge.pl
3mercury-joyce.orge.pl
1pad-george.orge.pl
2melissa-file.orge.pl
1develop-profile.orge.pl
2tomato-june.orge.pl
3fourier-steph.orge.pl
2nagel-earth.orge.pl
1patty-traci.orge.pl
2berliner-mark.orge.pl
3banks-pork.orge.pl
2professor-criminal.orge.pl
1pencil-reagan.orge.pl
3beauty-noreen.orge.pl
3academic-caren.orge.pl
2shuttle-berlin.orge.pl
1gnu-nutrition.orge.pl
1ingrid-eiderdown.orge.pl
1beethoven-uucp.orge.pl
3field-summer.orge.pl
2signature-commrades.orge.pl
3daemon-sharks.orge.pl
1discovery-simpsons.orge.pl
2inna-elephant.orge.pl
3banks-elephant.orge.pl
3surfer-stuttgart.orge.pl
1tammy-nyquist.orge.pl
3memory-new.orge.pl
3kristin-andy.orge.pl
1pork-larry.orge.pl
1arlene-symmetry.orge.pl
1lori-symmetry.orge.pl
1phone-ersatz.orge.pl
zxczxcz.mrface.com
googl933.dyndns-office.com
tested23.acmetoy.com
zelenij.mypicture.info
mobiliti.ns01.us
cxqweq.ns02.us

193.106.174.220
andre12.myftp.name
aswaz.ddns.name
google2.itsaol.com
sw2sa.port25.biz
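The post says the eleven shortcut domains block "most" of the full list; the following added example (not the blog's code) makes that measurable. It matches hostnames against base domains on label boundaries, reports which hosts a block misses, derives base domains from a hostname list with a small heuristic, and renders the result as dnsmasq sinkhole lines. The hostnames are a subset of the list above, chosen to include every entry the shortcut misses; the two-label-TLD set in `minimal_bases` is an assumption sufficient for this data, not a public-suffix list.

```python
# The "easy shortcut" domains listed in the post above.
SHORTCUT_DOMAINS = [
    "cu.cc", "ddns.me.uk", "orge.pl", "dyndns-office.com", "mrface.com",
    "ns01.us", "ns02.us", "myftp.name", "ddns.name", "itsaol.com", "port25.biz",
]

# A subset of the post's full hostname list, including every entry that the
# shortcut domains do not cover.
FULL_LIST_SUBSET = [
    "pikapika.cu.cc", "adsense-google.cu.cc", "79574.mynumber.org",
    "ghjgh.ddns.me.uk", "rotterdam.osa.pl", "1asd-patricia.orge.pl",
    "3academic-caren.orge.pl", "zxczxcz.mrface.com", "googl933.dyndns-office.com",
    "tested23.acmetoy.com", "zelenij.mypicture.info", "mobiliti.ns01.us",
    "cxqweq.ns02.us", "andre12.myftp.name", "aswaz.ddns.name",
    "google2.itsaol.com", "sw2sa.port25.biz",
]


def covered_by(host, bases):
    """Return the base domain that covers host, matching on label boundaries
    (so 'xcu.cc' is not covered by 'cu.cc'), or None."""
    host = host.lower().rstrip(".")
    for base in bases:
        b = base.lower()
        if host == b or host.endswith("." + b):
            return b
    return None


def coverage(hosts, bases):
    """Split hosts into those a base-domain block catches and those it misses."""
    covered, missed = [], []
    for h in hosts:
        (covered if covered_by(h, bases) else missed).append(h)
    return covered, missed


def minimal_bases(hosts):
    """Derive the base domains that would cover hosts: the last two labels, or
    the last three under two-letter country TLDs with a second-level label such
    as me.uk or co.uk. Heuristic only (assumption), no public-suffix list."""
    bases = []
    for h in hosts:
        labels = h.lower().rstrip(".").split(".")
        two_level_tld = (len(labels) >= 3 and len(labels[-1]) == 2
                         and labels[-2] in {"co", "me", "org", "ac"})
        base = ".".join(labels[-3:] if two_level_tld else labels[-2:])
        if base not in bases:
            bases.append(base)
    return bases


def dnsmasq_block_lines(bases):
    """Render dnsmasq 'address=/domain/0.0.0.0' lines, which sinkhole the
    domain and every name beneath it."""
    return [f"address=/{b}/0.0.0.0" for b in bases]


if __name__ == "__main__":
    covered, missed = coverage(FULL_LIST_SUBSET, SHORTCUT_DOMAINS)
    print(f"covered {len(covered)}, missed {len(missed)}: {missed}")
    print("\n".join(dnsmasq_block_lines(minimal_bases(FULL_LIST_SUBSET))))
```

The four misses are the hosts on mynumber.org, osa.pl, acmetoy.com and mypicture.info; `minimal_bases` adds exactly those four to the shortcut list, which is the trade-off the post describes between a short block list and complete coverage.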