Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 28 June 2011

Alert: Exploits on 78.111.51.100

If you've not already done so, you'll want to block 78.111.51.100 asap. It's currently housing a plethora of domains that are serving malware via exploit.

Payloads are coming from paths such as;

thujkdswg.tld.tc/k.php?f=20&e=3
-> about.exe
--> 3c6d68ea89512089df0cd7629439c378

You'll no doubt notice the usual suspects as far as the ccTLD branches (redirection services serving off of ccTLDs such as .cc) are concerned. Reports are being fired off to the host and various service providers as I write this, and should hopefully be down soon.

69babes69.cz.cc/k.php?f=20&e=3
abjffdyk.co.tv/k.php?f=20&e=3
askfjru98.co.be/k.php?f=20&e=3
berlinrayban.com/k.php?f=20&e=3
bfjasdfsfhj.cz.cc/k.php?f=20&e=3
bsdfgradehhha.tld.tc/k.php?f=20&e=3
buxlviiei.co.tv/k.php?f=20&e=3
cosgr1.com/k.php?f=20&e=3
cvyhkbdetyhswerfg.cz.cc/k.php?f=20&e=3
cyjdyawertyaery.tld.tc/k.php?f=20&e=3
dacakulon.tld.tc/k.php?f=20&e=3
ddcpgdacbq.co.tv/k.php?f=20&e=3
dgibuti9102.co.be/k.php?f=20&e=3
dhwrtjwrtqergdfg.cz.cc/k.php?f=20&e=3
dsgjhdfgath.cz.cc/k.php?f=20&e=3
dtbjtkaesrf.co.be/k.php?f=20&e=3
ehjlafil.co.tv/k.php?f=20&e=3
ellic0.com/k.php?f=20&e=3
esformofset.com/k.php?f=20&e=3
eukmzlcpqg.co.tv/k.php?f=20&e=3
eximdbldgt.co.tv/k.php?f=20&e=3
fccqdkg.co.tv/k.php?f=20&e=3
fhxucibqay.co.tv/k.php?f=20&e=3
fileuplarc.com/k.php?f=20&e=3
fyfjswtgqertd.tld.tc/k.php?f=20&e=3
fzbopyr.co.tv/k.php?f=20&e=3
gigapornsexy.com/k.php?f=20&e=3
gigaporntube2.com/k.php?f=20&e=3
gqergadejrbdfg.cz.cc/k.php?f=20&e=3
grah1m.com/k.php?f=20&e=3
gratiswerbungfueralle.cz.cc/k.php?f=20&e=3
groovymeal.ru/k.php?f=20&e=3
howmanyoffers.com/k.php?f=20&e=3
hpmqymz.co.tv/k.php?f=20&e=3
hunterdriveez.com/k.php?f=20&e=3
innessphoto.com/k.php?f=20&e=3
ioipbyhi.co.tv/k.php?f=20&e=3
jcpkgykg.co.tv/k.php?f=20&e=3
kzaklic.co.tv/k.php?f=20&e=3
localcover.ru/k.php?f=20&e=3
midsouthrailroadservice.com/k.php?f=20&e=3
mndngbngnbd.in/k.php?f=20&e=3
motorssmonito.com/k.php?f=20&e=3
mywebspace5.tld.tc/k.php?f=20&e=3
nfervkx.co.tv/k.php?f=20&e=3
nnmsdffgsdfgefg.cz.cc/k.php?f=20&e=3
nutri1.com/k.php?f=20&e=3
ohhmrve.co.tv/k.php?f=20&e=3
pfnknqg.co.tv/k.php?f=20&e=3
qasxfstjtyk.tld.tc/k.php?f=20&e=3
qdrthytkjsdhy.tld.tc/k.php?f=20&e=3
qqsfgxcgadfyhjf.cz.cc/k.php?f=20&e=3
qsdcgsdtgjhdjk.cz.cc/k.php?f=20&e=3
qvdgtgfjlfghft.gv.vg/k.php?f=20&e=3
request4ns.com/k.php?f=20&e=3
rjhomesolutions.com/k.php?f=20&e=3
rmkrmxoyi.co.tv/k.php?f=20&e=3
sctgjvefyhjdfg.cz.cc/k.php?f=20&e=3
sddghdskfgjr.cz.cc/k.php?f=20&e=3
sivassigorta.com/k.php?f=20&e=3
sjkkkudafasdf.tld.tc/k.php?f=20&e=3
soha.us/k.php?f=20&e=3
spor58.com/k.php?f=20&e=3
spqwmnorcv.co.tv/k.php?f=20&e=3
ssxprqzhr.co.tv/k.php?f=20&e=3
thujkdswg.tld.tc/k.php?f=20&e=3
tracksups.net/k.php?f=20&e=3
uigvezomi.co.tv/k.php?f=20&e=3
varealestateblog.com/k.php?f=20&e=3
wer.kolimarti.ind.in/k.php?f=20&e=3
wholesaleperfumebargains.com/k.php?f=20&e=3
wikifreetour.me/k.php?f=20&e=3
wiw.bagdireta.firm.in/k.php?f=20&e=3
wod3.charanira.net.in/k.php?f=20&e=3
wop.avanosama.ind.in/k.php?f=20&e=3
wps.daratira.net.in/k.php?f=20&e=3
wsplevlpv.co.tv/k.php?f=20&e=3
ww2.darzilasa.firm.in/k.php?f=20&e=3
wwf.bumbaraza.net.in/k.php?f=20&e=3
www.request4ns.com/k.php?f=20&e=3
xastred-monst.cz.cc/k.php?f=20&e=3
xazadanol.tld.tc/k.php?f=20&e=3
xhintcb.co.tv/k.php?f=20&e=3
yazonalon.tld.tc/k.php?f=20&e=3
yzflujt.co.tv/k.php?f=20&e=3
zsqeiosiq.co.tv/k.php?f=20&e=3
zxicqcv.co.tv/k.php?f=20&e=3


/edit

Just had permission from my friend William (GoDaddy abuse dept), to properly credit him publicly, for notifying me of the IP.

No comments: