Blog for hpHosts, and whatever else I feel like writing about ....

Saturday, 27 August 2011

ALERT: clickme**

Yet another mass compromise going on recently folks (yep, surprise surprise). This time, the malicious code leads to a URL in the format;


Where ** are letters based on the date/time. Yesterday (27th), these were clickmen[a-z], and today these are, rather predictably, clickmeo[a-z].

Yesterday's were reported to both Network Solutions and FileAve (Ripside), but so far, they're all still live. Until they get off their backsides, I'd personally suggest putting a block on either * or, which is the IP these are using.

All hostnames redirect to an MITM, which redirects again to the blackhole exploit. These have already been detailed as far as what is served up, so I'll save going through that.



clickmep* is already active, and no doubt q-z will follow.
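To check whether anything on your network has already looked up these hostnames, the clickme + two-letter pattern described above can be run over DNS or proxy logs. This is an added example, not code from the original post; the log layout, the function names and the `hosting.example` / `vendor.example` parent domains are assumptions and placeholders, since the post's URL format is not reproduced here.

```python
import re
from collections import defaultdict

# Leftmost label: "clickme" + rotation letter + one more letter (per the post).
LABEL_RE = re.compile(r"^clickme([a-z])[a-z]$")

def rotation_letter(hostname, parent=None):
    """Return the rotation letter if the leftmost label fits, else None.
    parent (assumed parameter) restricts matches to one parent domain."""
    host = hostname.strip().rstrip(".").lower()
    label, _, rest = host.partition(".")
    if parent is not None and rest != parent.lower():
        return None
    m = LABEL_RE.match(label)
    return m.group(1) if m else None

def scan(lines, parent=None):
    """Group hits as {rotation letter: {client: [hostnames]}}.
    Assumed log layout: '<timestamp> <client_ip> <hostname>'."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, host = parts
        letter = rotation_letter(host, parent)
        if letter:
            hits[letter][client].add(host.rstrip(".").lower())
    return {l: {c: sorted(h) for c, h in cs.items()}
            for l, cs in sorted(hits.items())}

# Constructed sample log; hosting.example / vendor.example are placeholders.
SAMPLE_LOG = """\
2011-08-27T09:14:02 10.0.0.21 clickmena.hosting.example
2011-08-27T09:14:05 10.0.0.21 www.hosting.example
2011-08-28T11:02:44 10.0.0.35 ClickMeOq.hosting.example.
2011-08-28T11:03:10 10.0.0.35 clickmeox.hosting.example
2011-08-28T12:00:00 10.0.0.40 clickmenu.vendor.example
2011-08-28T12:00:09 10.0.0.40 clickmeter.vendor.example
2011-08-28T12:01:00 10.0.0.41 myclickmeab.hosting.example
""".splitlines()

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))                            # label only: also flags clickmenu
    print(scan(SAMPLE_LOG, parent="hosting.example"))  # scoped to the parent domain
```

Matching on the label alone also catches unrelated names such as `clickmenu`, so scope the match to the parent domain from the alert wherever you can.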


I forgot to add the following references (provided by a friend on a private sec list), that reported the initial compromises;

Prestashop blog - Please Read: Security Procedure

Prestashop forum - footer.tpl vulnerability

Reddit - Did someone just hack into my computer? Help me find these guys.
