Sponsored by..

Showing posts with label LizaMoon. Show all posts
Showing posts with label LizaMoon. Show all posts

Tuesday 24 April 2012

nikjju.com injection attack in progress

The ISC is warning of an injection attack using the domain nikjju.com. The WHOIS details of this domain are very familiar:

Registrant Contact:
   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The hotmailbox.com domain is a sign of evil, and these are likely to be the "LizaMoon" crew who have been very active over the past couple of years. nikjju.com is hosted on 31.210.100.242 (INTER NET BILGISAYAR LTD STI, Turkey although blocking the domain will help as well because these malicious sites tend to be highly mobile.

Monday 26 March 2012

gbfhju.com/r.php injection attack in progress

I haven't seen much buzz about this injection attack yet, but several hundred thousand pages have been infected with an injection attack pointing to gbfhju.com/r.php.

According to this Google search there are 236,000 hits for the search string "gbfhju.com/r.php". The sites seem to be randomly distributed through the web, although I couldn't spot any infected UK or US Government or University sites.

The domain gbfhju.com is registered with a set of details that should be familiar to IT security researchers:

Domain name: gbfhju.com

Registrant Contact:
   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Administrative Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Technical Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Billing Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

DNS:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com

Created: 2012-03-17
Expires: 2013-03-17


These details are connected to the LizaMoon gang. The site is hosted on 91.226.78.148 which is Komplit Plyus in Russia.91.226.78.0/24 is a real sewer of malware sites, money mule and phishing sites and fake pharma outlets and is well worth blocking.

The following domains are hosted on 91.226.78.148 and they can all be assumed to be dangerous:

fgthyj.com
gbfhju.com
hjfghj.com
statsmy.com
stmyst.com
yourpagestat.com
yourpagestats.com


These other domains are also being used in injection attacks (usually overlapping each other). Blocking the IP range will stop any other attacks coming from this hosting provider.

Friday 23 September 2011

dfrgcc.com injection attack in progress

Thousands of sites are currently being hit by an injection attack pointing to dfrgcc.com/ur.php a domain registered to someone using the infamous hotmailbox.com domain for email.

   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The site is hosted on 188.229.88.103 which is the equally infamous Netserv Consult SRL in Romania. 188.229.88.103 hosts the following sites:

bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
booknunu.com
bookvila.com
bookzula.com
dfrgcc.com
file-dl.com
xxxtubes8.com


These domains are pretty familiar, having previously been hosted in Lithuania. This marks them out as the same people behind the infamous LizaMoon attack.

Netserv Consult SRL host a wide variety of bad sites. Blocking 188.229.0.0/17 (188.229.0.0 - 188.229.127.255) will probably do you no harm.

Wednesday 8 June 2011

94.244.80.7 / bookpolo.com / booksolo.com / bookgusa.com injection attacks

The crew responsible for the LizaMoon and Worid-Of-Books.com are back with a new set of injection attacks, this time hosted on 94.244.80.7 in Lithuania.

The following domains are currently in use:
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com


Registrant details are familiar and fake:

JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 1180
us

Injection attacks seem to be either trying to insert an anchor with the word "book" pointing to one of the bad sites, presumably as a "Worid of Books"-type SEO campaign, or alternatively they are using the ur.php approach the LizaMoon used.

The whole 94.244.64.0/18 block looks toxic and is worth blocking. I'll post more details on that when I get the time.