I loaded the site up, and did a search for the word "hphosts", and sure enough, it was highlighted. If we look at the source code for the site, and so far, it only appears to be the defense. that is affected by this, we see alot of extra code and links, all pointing to giojewelry.com;
http://vurl.mysteryfcm.co.uk/?url=690082
giojewelry.com resolves to 93.84.112.110, which is on the Beltelecom network (AS6697), and is also the same IP that firemicrosoft.net (amongst others) is hosted at.
Given that defense.foreignpolicyblogs.com is still using a very old version of WordPress with known vulnerabilities (according to the source code, they're still using 2.7.1), I think it's pretty safe to say how they were able to get in, when of course this happened, is a different matter (I've not been able to find anything on the many hacker/skiddie forums referencing the site). I'm trying to get in touch with them to get them both cleaned up, and upgraded, I'll report back if I'm successful (and get the ISC involved if I'm not).
As for giojewelry.com, nothing new there I'm afraid, it's your typical OEM software scam site.
WhoIs details:
Registrant:
Boris Hinstein
Kalinina str 3-15
Minsk, Minsk 220124
Belarus
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: GIOJEWELRY.COM
Created on: 19-Sep-02
Expires on: 19-Sep-09
Last Updated on: 26-Sep-08
Administrative Contact:
Hinstein, Boris lstsoft@yandex.ru
Kalinina str 3-15
Minsk, Minsk 220124
Belarus
375297504299 Fax --
Technical Contact:
Hinstein, Boris lstsoft@yandex.ru
Kalinina str 3-15
Minsk, Minsk 220124
Belarus
375297504299 Fax --
Domain servers in listed order:
NS201.JEK.BZ
NS202.JEK.BZ
Boris Hinstein
Kalinina str 3-15
Minsk, Minsk 220124
Belarus
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: GIOJEWELRY.COM
Created on: 19-Sep-02
Expires on: 19-Sep-09
Last Updated on: 26-Sep-08
Administrative Contact:
Hinstein, Boris lstsoft@yandex.ru
Kalinina str 3-15
Minsk, Minsk 220124
Belarus
375297504299 Fax --
Technical Contact:
Hinstein, Boris lstsoft@yandex.ru
Kalinina str 3-15
Minsk, Minsk 220124
Belarus
375297504299 Fax --
Domain servers in listed order:
NS201.JEK.BZ
NS202.JEK.BZ
Net-block details:
WhoIs details:
inetnum: 93.84.112.0 - 93.84.119.255
netname: BELTELECOM-DATACENTER
descr: MCC & REGIONAL DCs
country: BY
admin-c: DK2210-RIPE
tech-c: IS2093-RIPE
status: ASSIGNED PA
mnt-by: AS6697-MNT
remarks: INFRA-AW
source: RIPE # Filtered
person: Dmitry Komarov
address: 220088, Minsk
address: 55, Zaharova str.,
address: RUE Beltelecom
phone: +375 17 2171799
fax-no: +375 17 2100259
e-mail: dimon@mck.beltelecom.by
nic-hdl: DK2210-RIPE
mnt-by: AS6697-MNT
source: RIPE # Filtered
person: Ivan Semernik
address: 220088, Minsk
address: 55, Zaharova str.,
address: RUE Beltelecom
phone: +375 17 2171799
fax-no: +375 17 2100259
e-mail: ivan.semernik@dc.beltelecom.by
nic-hdl: IS2093-RIPE
mnt-by: AS6697-MNT
source: RIPE # Filtered
% Information related to '93.84.0.0/15AS6697'
route: 93.84.0.0/15
descr: DELEGATED FROM BELPAK
origin: AS6697
mnt-by: AS6697-MNT
source: RIPE # Filtered
netname: BELTELECOM-DATACENTER
descr: MCC & REGIONAL DCs
country: BY
admin-c: DK2210-RIPE
tech-c: IS2093-RIPE
status: ASSIGNED PA
mnt-by: AS6697-MNT
remarks: INFRA-AW
source: RIPE # Filtered
person: Dmitry Komarov
address: 220088, Minsk
address: 55, Zaharova str.,
address: RUE Beltelecom
phone: +375 17 2171799
fax-no: +375 17 2100259
e-mail: dimon@mck.beltelecom.by
nic-hdl: DK2210-RIPE
mnt-by: AS6697-MNT
source: RIPE # Filtered
person: Ivan Semernik
address: 220088, Minsk
address: 55, Zaharova str.,
address: RUE Beltelecom
phone: +375 17 2171799
fax-no: +375 17 2100259
e-mail: ivan.semernik@dc.beltelecom.by
nic-hdl: IS2093-RIPE
mnt-by: AS6697-MNT
source: RIPE # Filtered
% Information related to '93.84.0.0/15AS6697'
route: 93.84.0.0/15
descr: DELEGATED FROM BELPAK
origin: AS6697
mnt-by: AS6697-MNT
source: RIPE # Filtered
No comments:
Post a Comment