
Thursday 14 July 2011

yahlink.php / DreamHost hack

Almost identical in every way to this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.

It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.

In this case, the spammed link directs to krokodilius8.com/gosem11.php, which is hosted on what appears to be an iomart Hosting Ltd server in the UK. All the sites on that server appear to have fake registrant details, so you can assume that they are bogus:


Users are then directed to another host in Romania, which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire range and you can safely block access to the entire lot.

The final step is to a host called drugstorehealthrisks.net, hosted on what looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:


Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:

..although blocking access to the Romanian block would also pretty much achieve the same thing without blocking access to any legitimate sites that might be on Dreamhost.

Sunday 26 June 2011

yahoolink.php / DreamHost hack

It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:

Given that the hacked pages all contain the string yahoolink.php, it is possible that these attacks are using a PHP vulnerability, although a .php file name on its own only shows that the attacker was able to write a file into the web root; stolen FTP credentials or a hole in a web application would leave exactly the same trace. The pages are then promoted through spam email. You can simply (carefully) search for "yahoolink.php" in your favourite search engine to see the scope of the problem.
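The search-engine check above tells you whether a site is already in the index; on a server you control you can look directly for requests to the dropper names in the web-server access log. The script below is an added example, not code from the original post: it parses a constructed combined-format log (RFC 5737 documentation addresses, not real DreamHost traffic) and reports, per path, how many requests hit yahoolink.php or yahlink.php, from which source addresses, and how many were answered with a 200, which is the sign that the file really exists on disk rather than merely being probed for.

```python
"""Flag web-server requests for the dropper pages named in this campaign.

Added example, not code from the original post.  Log lines are Apache/nginx
"combined" format; the sample below is constructed, not a real DreamHost log.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# File names seen in the spammed URLs (from the post); extend as needed.
SUSPECT_NAMES = ("yahoolink.php", "yahlink.php")

# Enough of the combined log format to get source IP, timestamp, request
# target and status.  The trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Constructed sample using documentation-range addresses (RFC 5737).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2011:10:02:11 +0000] "GET /yahlink.php HTTP/1.1" 200 3112 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2011:10:02:13 +0000] "GET /images/logo.png HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jul/2011:10:05:40 +0000] "GET /blog/yahoolink.php?x=1 HTTP/1.1" 200 3090 "-" "Mozilla/5.0"
198.51.100.77 - - [14/Jul/2011:10:07:02 +0000] "GET /YahLink.php HTTP/1.0" 404 512 "-" "-"
192.0.2.9 - - [14/Jul/2011:10:09:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not a valid log record
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspect(target, names=SUSPECT_NAMES):
    """True if the request path's last component is one of the dropper names.
    The query string is dropped and the comparison is case-insensitive, since
    a spammer can vary both without changing which file PHP executes."""
    path = urlsplit(target).path
    basename = path.rsplit("/", 1)[-1].lower()
    return basename in names


def suspect_requests(lines, names=SUSPECT_NAMES):
    """Yield parsed records for every request aimed at a dropper name."""
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspect(rec["target"], names):
            yield rec


def summarize(lines, names=SUSPECT_NAMES):
    """Aggregate hits per path: total requests, distinct source IPs, and how
    many were answered 200 (i.e. the file exists and was actually served)."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set(), "served": 0})
    for rec in suspect_requests(lines, names):
        key = urlsplit(rec["target"]).path.lower()
        entry = summary[key]
        entry["hits"] += 1
        entry["sources"].add(rec["ip"])
        if rec["status"] == "200":
            entry["served"] += 1
    return dict(summary)


if __name__ == "__main__":
    for path, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{path}: {info['hits']} hits, {info['served']} served 200, "
              f"from {sorted(info['sources'])}")
```

A 404 against one of these names means only that someone followed a spammed link to your server; a 200 means the dropper is present and you should locate and remove the file (and work out how it got there) rather than just blocking the visitors.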

People who click on the link get redirected through several steps:


(no domain)
Securvera SRL, Romania

Cover Sun Design SRL, Romania

The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.
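The redirect chain described in both posts (krokodilius8.com/gosem11.php onward in July, and the three-step hop to a fake pharmacy above) is easiest to document by refusing to let the client follow redirects and recording each hop yourself. The script below is an added example, not code from the original post: it serves a constructed three-hop chain on a local port (the paths /gosem11.php, /step2 and /pharmacy/ are placeholders) and traces it without contacting any real host.

```python
"""Follow a spammed link one redirect at a time and record every hop.

Added example, not code from the original post.  The chain served by the
local test server below is constructed to mimic the post's description
(landing page -> intermediate host -> fake pharmacy); no real host is
contacted.
"""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses, so each hop surfaces as an HTTPError
    that we can inspect instead of being silently followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def trace_redirects(url, max_hops=10, timeout=5):
    """Return a list of (url, status, location) tuples, one per hop.

    Stops at the first non-3xx response, after max_hops (a guard against
    redirect loops), or on a connection error (status None, reason in the
    third field)."""
    opener = urllib.request.build_opener(NoRedirect)
    hops = []
    current = url
    for _ in range(max_hops):
        req = urllib.request.Request(current, headers={"User-Agent": "Mozilla/5.0"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                hops.append((current, resp.status, None))
                return hops
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            hops.append((current, err.code, location))
            if err.code not in REDIRECT_CODES or not location:
                return hops  # 4xx/5xx, or a 3xx with nowhere to go
            current = urljoin(current, location)  # Location may be relative
        except urllib.error.URLError as err:
            hops.append((current, None, str(err.reason)))
            return hops
    return hops


class ChainHandler(http.server.BaseHTTPRequestHandler):
    """Constructed three-step chain standing in for the real spam hosts."""
    CHAIN = {"/gosem11.php": "/step2", "/step2": "/pharmacy/"}

    def do_GET(self):
        nxt = self.CHAIN.get(self.path)
        if nxt:
            self.send_response(302)
            self.send_header("Location", nxt)
            self.end_headers()
        else:
            body = b"<html><body>fake pharmacy</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the test server quiet


def run_demo():
    """Start the local chain on a free port, trace it, and shut it down."""
    server = http.server.HTTPServer(("127.0.0.1", 0), ChainHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return trace_redirects(f"http://127.0.0.1:{port}/gosem11.php")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for hop_url, status, location in run_demo():
        print(status, hop_url, "->", location or "(final)")
```

Pointing trace_redirects at a real spammed URL makes your address visible to the spammer's servers, so run it from an isolated machine. It only follows HTTP-level redirects; a chain that continues via JavaScript or a meta refresh will stop at the first 200, and the body of that page then has to be read by hand.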

With Romanian hosts I recommend a one-strike policy, i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking both will probably do no harm.