For example:
fwlink.nx7.zedo.com.adslash.com/?alx=a27131939386&td=qcbp71pz=42834&sz=728x90&_zm=359161&st=n1n4&id=131939386&zcw=gh17chl277&xryr=3913771&mp=1460h1
fwlink.nx7.zedo.com.adslash.com/stats_js_e.php?id=131939386
fwlink.nx7.zedo.com.adslash.com/bdb/Health/banner_728.gif
fridayalways.com/kven/index.php
fridayalways.com/kven/js/common.js
fridayalways.com/kven/pdfadmnplay.php
fridayalways.com/kven/files/backoutblack.pdf
or
fwlink.nx7.zedo.com.adslash.com/?alx=a27131959519&td=qcbp71pz=42834&sz=120x600&_zm=359161&st=n1n4&id=131959519&zcw=gh17chl277&xryr=3913771&mp=1460h1
uparms.com/uparmglde/index.php
uparms.com/uparmglde/js/zingvaz.js
uparms.com/uparmglde/sexxhsdtk.php
which then loads a PDF exploit
or
fwlink.nx7.zedo.com.adslash.com/?alx=a27131958218&td=qcbp71pz=42834&sz=300x250&_zm=359161&st=n1n4&id=131958218&zcw=gh17chl277&xryr=3913771&mp=1460h1
setsup.com/setglde/index.php
setsup.com/setglde/js/common.js
setsup.com/setglde/ffcollab.php
setsup.com/setglde/files/slob.pdf
Despite the use of "zedo.com" in the subdomain, there is no evidence that these are being syndicated through Zedo.
Let's look at the WHOIS entry for AdSlash.com first:
Domain name: adslash.com
Registrant Contact:
PublishingAlert
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us
Administrative Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us
Technical Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us
Billing Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us
DNS:
ns1.everydns.net
ns2.everydns.net
Created: 2010-01-04
Expires: 2011-01-04
The address looks kind of legitimate, but there's no Duck Creek Road in Oakland and the phone number is most likely Los Altos, not Oakland. The fact that it was registered just days ago is also a clue, and it turns out that the registrar is BIZCN.COM of China, which is an odd choice for a California company. In other words, the domain registration details are fake.
AdSlash.com is hosted on 217.23.7.6, which is reportedly a Worldstream Data Center in Faro, Portugal. There's a cluster of servers with fake registration details which are probably related.
Blocking the entire 217.23.7.x range will probably do no harm at all; it is full of typosquatting domains and other crap.
The PDF exploit itself is hosted in Russia on 213.108.56.18 at Infoteh Ltd (UNNET-LINER). There are a bunch of domains serving these exploits up:
- alwaysinwork.com
- fridayalways.com
- runsup.com
- uparms.com
- upmostly.com
The whole UNNET-LINER netblock of 213.108.56.0 - 213.108.63.255 looks fairly sordid; blocking access to it will probably do no harm.
Registrant:
Name: dannis
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610
Administrative Contact:
Name: dannis
Organization: privat person
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610
Phone: +7.9957737737
Fax: +7.9957737737
Email: moldavimo@safe-mail.net
Technical Contact:
Name: dannis
Organization: privat person
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610
As a side note, AdSlash.com used to be owned by a hosting company called RackSlash, but it expired and was re-registered.
If you are accepting new ad banners, always remember to look closely at WHOIS details and other credentials to ensure that you are dealing with who you think you are.
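The two checks this post relies on (a trusted network's name appearing only as a subdomain label, and a registration only days old) can be automated when vetting a new banner's serving host. The following is an added example, not code from the original post; the trusted-network list, the 90-day threshold, the function names and the review date are assumptions.

```python
import re
from datetime import date

TRUSTED_NETWORKS = {"zedo.com"}  # assumption: networks the publisher really uses
MIN_AGE_DAYS = 90                # assumption: review threshold, not from the post

def registrable_domain(host):
    # Simplification: last two labels, which holds for the .com hosts in this
    # post. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def embedded_brand(host):
    """Trusted domain that appears only inside the subdomain labels, else None."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_NETWORKS:
        return None  # the host really belongs to the network
    prefix = "." + host[: -len(reg)]  # e.g. ".fwlink.nx7.zedo.com."
    for brand in sorted(TRUSTED_NETWORKS):
        if "." + brand + "." in prefix:  # whole-label match only
            return brand
    return None

def whois_created(whois_text):
    """Parse the 'Created: YYYY-MM-DD' line as printed in the record above."""
    m = re.search(r"^Created:\s*(\d{4})-(\d{2})-(\d{2})\s*$", whois_text, re.M)
    return date(*map(int, m.groups())) if m else None

def vet_ad_host(host, whois_text, today):
    """Return the reasons a new banner's serving host needs a closer look."""
    findings = []
    brand = embedded_brand(host)
    if brand:
        findings.append(f"{brand} is only a subdomain label of {registrable_domain(host)}")
    created = whois_created(whois_text)
    if created is None:
        findings.append("WHOIS has no parseable creation date")
    elif (today - created).days < MIN_AGE_DAYS:
        findings.append(f"registered {(today - created).days} days before review")
    return findings

# Excerpt of the WHOIS record quoted in this post; the review date is constructed.
SAMPLE_WHOIS = "Domain name: adslash.com\nCreated: 2010-01-04\nExpires: 2011-01-04\n"

if __name__ == "__main__":
    host = "fwlink.nx7.zedo.com.adslash.com"
    for reason in vet_ad_host(host, SAMPLE_WHOIS, date(2010, 1, 12)):
        print("FLAG:", reason)
```

A host that passes both checks is not thereby trustworthy; the findings only say which new banners need a manual look at the registrant details.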