Yet another mass compromise is going on, folks (yep, surprise surprise). This time, the malicious code leads to a URL in the format:
Where ** are letters based on the date/time. Yesterday (27th), these were clickmen[a-z].fileave.com, and today they are, rather predictably, clickmeo[a-z].fileave.com.
Yesterday's were reported to both Network Solutions and FileAve (Ripside), but so far, they're all still live. Until Fileave.com get off their backsides, I'd personally suggest putting a block on either *.fileave.com or 126.96.36.199, which is the IP these are using.
All hostnames redirect to an MITM that redirects again to the Blackhole exploit. What is served up has already been detailed elsewhere, so I'll save going through that.
clickmep*.fileave.com is already active, and no doubt q-z will follow.
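To check whether any internal clients have already reached these hosts, the hostname pattern and the two suggested blocks can be run over proxy logs. This is an added example, not code from the original post; the log layout (timestamp, client, destination IP, URL), the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Pattern from the post: "clickme" + the letter seen changing (n, o, p) + [a-z].
CAMPAIGN_RE = re.compile(r"clickme([a-z])[a-z]\.fileave\.com")
BLOCKED_SUFFIX = ".fileave.com"  # the *.fileave.com block suggested in the post
BLOCKED_IP = "126.96.36.199"     # IP exactly as given in the post

# Constructed sample proxy log (assumed layout): timestamp client dest_ip url
SAMPLE_LOG = """\
day27T09:14:02 10.0.0.21 126.96.36.199 http://clickmenq.fileave.com/
day28T08:01:44 10.0.0.35 126.96.36.199 http://ClickMeoB.fileave.com:80/x
day28T08:03:10 10.0.0.21 126.96.36.199 http://clickmeoa.fileave.com./
day28T10:20:00 10.0.0.40 126.96.36.199 http://someuser.fileave.com/a.zip
day28T10:45:00 10.0.0.60 126.96.36.199 http://126.96.36.199/
day28T11:00:00 10.0.0.50 192.0.2.10 http://clickmeoa.fileave.com.example.net/
day28T11:05:00 10.0.0.51 192.0.2.11 http://notfileave.com/
"""

def normalise_host(url):
    """Lower-case host without port or trailing dot, so variants compare equal."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def classify(dest_ip, url):
    """Return a hit label for one request, or None if nothing matches."""
    host = normalise_host(url)
    match = CAMPAIGN_RE.fullmatch(host)
    if match:
        return "campaign:" + match.group(1)   # keyed by the changing letter
    if host.endswith(BLOCKED_SUFFIX):
        return "fileave-other"                # caught only by the wildcard block
    if dest_ip == BLOCKED_IP:
        return "ip-only"                      # reached the IP under another name
    return None

def scan(log_text):
    """Map each hit label to the sorted client addresses that triggered it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                          # skip malformed lines
        _ts, client, dest_ip, url = fields
        label = classify(dest_ip, url)
        if label:
            hits[label].add(client)
    return {label: sorted(clients) for label, clients in hits.items()}
```

Calling `scan(SAMPLE_LOG)` groups the clients by the changing letter, and the last two sample lines show that lookalike names which merely contain or resemble fileave.com are not flagged.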
I forgot to add the following references (provided by a friend on a private sec list), which reported the initial compromises:
Prestashop blog - Please Read: Security Procedure
Prestashop forum - footer.tpl vulnerability
Reddit - Did someone just hack into my computer? Help me find these guys.