Just an update on the previous blog. Gerhard (Clean-MX) and Anthony (MalwareURL) have also identified quite a few more compromised hosts;
And why am I not surprised to see Lunarpages customers in there (hat tip to Anthony ;o)). You'll no doubt remember the last blog on the LP subject.
As was mentioned in the previous blog, the Lunarpages domains checked STILL contain the exploit code;
This is now 4 months after Lunarpages were notified, and nothing seems to have been done either to clean up the affected domains or to prevent it happening again (as evidenced by the new ones that have turned up). The domains below, courtesy of Anthony at MalwareURL, are those we know to be affected at Lunarpages (and there are likely a lot more we've not yet identified).
Those I checked have an iFrame leading to microsotf.cn, which thankfully hasn't resolved since July 9th, or an iFrame leading to dakilfu.com (IP: 184.108.40.206 - 79-112-224-45.rdsnet.ro, RO-RCS-RDS-FIBERLINK - AS8708), which then loads 2 more iFrames to;
thestatsdata.com/static.php?q5432 - 220.127.116.11 (89-149-251-84.internetserviceteam.com, NetDirekt - AS28753)
seekandhide365.info/t.php - 18.104.22.168 (79-112-224-45.rdsnet.ro, RO-RCS-RDS-FIBERLINK - AS8708)
thestatsdata.com is returning a 500 error at present, but seekandhide365.info goes on to load several more iFrames from seekandhide365.info;
Along with 2 more from click.rontraffic.com (IP: 22.214.171.124, IPNAP (GigeNET - ECOMD));
That lovely bit of Base64 decodes to;
Which shows a connection to 141.pub.adfirmative.com (IP: 126.96.36.199 & 188.8.131.52 - LF Media, Inc MZIMA08-CUST-LEADSANDFEEDS01).
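To make the chain above concrete, here is an added example (my own code, not anything from the original post and not captured from any of the hosts it names) that walks an injected-iframe chain offline: it pulls iframe targets out of each page, including one wrapped in a Base64 blob handed to atob(), follows them breadth-first, and records which hops answer, which error out (like the 500 from thestatsdata.com) and which don't resolve at all (like microsotf.cn). Every hostname (victim.example, stage1/2/3.example, sinkhole.example) and every page body is a constructed placeholder.

```python
"""Offline walker for an injected-iframe redirection chain.

Added example for this post, not code from the original article. Every page
body and hostname below is CONSTRUCTED to mirror the pattern described
(hidden iframe -> second stage -> Base64-wrapped iframe); nothing was captured
from the hosts the post names.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed corpus standing in for live fetches: URL -> (HTTP status, body).
# A host missing from the dict plays the part of a domain that no longer resolves.
PAGES = {
    "http://victim.example/index.html": (200,
        '<html><body><h1>Welcome</h1>'
        '<iframe src="http://stage1.example/in.php" width="0" height="0" '
        'style="display:none"></iframe></body></html>'),
    "http://stage1.example/in.php": (200,
        '<iframe src="http://stage2.example/static.php?q=1"></iframe>'
        '<iframe src="/t.php" width=1 height=1></iframe>'),
    # Second stage hides its iframe inside a Base64 blob passed to atob().
    "http://stage1.example/t.php": (200,
        "<script>document.write(atob('" + base64.b64encode(
            b'<iframe src="http://stage3.example/landing" width=0 height=0></iframe>'
        ).decode() + "'));</script>"),
    "http://stage2.example/static.php?q=1": (500, "Internal Server Error"),
    "http://stage3.example/landing": (200,
        '<html>last hop<iframe src="http://sinkhole.example/"></iframe></html>'),
}

B64_ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


class IframeCollector(HTMLParser):
    """Collects (src, hidden) for every iframe start tag fed to it."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return
        # 0x0 / 1x1 frames and display:none are the classic injection tells.
        hidden = (
            a.get("width", "") in ("0", "1")
            or a.get("height", "") in ("0", "1")
            or "display:none" in a.get("style", "").replace(" ", "").lower()
        )
        self.frames.append((src, hidden))


def decode_base64_blobs(body):
    """Decode every atob('...') payload in body; returns the decoded strings."""
    decoded = []
    for blob in B64_ATOB_RE.findall(body):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError; skip non-Base64 junk
            continue
    return decoded


def extract_frames(page_url, body):
    """All iframe targets in body, plain or Base64-wrapped, as absolute URLs."""
    found = []
    for text in [body, *decode_base64_blobs(body)]:
        parser = IframeCollector()
        parser.feed(text)
        found.extend((urljoin(page_url, src), hidden) for src, hidden in parser.frames)
    return found


def walk_chain(start, pages=PAGES):
    """Breadth-first walk from start; returns [(url, status, hidden)] per hop.

    status is 'ok' (2xx), 'error' (any other HTTP status) or 'unresolved'
    (host not in the corpus). Each URL is visited once, so loops are safe.
    """
    seen = {start}
    queue = [(start, False)]
    hops = []
    while queue:
        url, hidden = queue.pop(0)
        entry = pages.get(url)
        if entry is None:
            hops.append((url, "unresolved", hidden))
            continue
        status, body = entry
        if not 200 <= status < 300:
            hops.append((url, "error", hidden))
            continue
        hops.append((url, "ok", hidden))
        for nxt, nxt_hidden in extract_frames(url, body):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, nxt_hidden))
    return hops


if __name__ == "__main__":
    for url, status, hidden in walk_chain("http://victim.example/index.html"):
        print(f"{status:10} {'hidden' if hidden else 'visible':8} {url}")
```

For real triage you would swap the PAGES dict for a fetcher that records the HTTP status (and never executes the scripts it downloads). The point of unwrapping the atob() blob is the one the post makes: an iframe that only appears after decoding is still a live redirect, and a dead final hop says nothing about whether the injected code on the compromised site will be re-pointed tomorrow.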
However, the fact that they're still carrying the malicious code, irrespective of the target no longer existing, means they should still be blacklisted: there's nothing stopping whoever hacked them in the first place from updating the code to point at new locations.