Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 16 August 2009

Update: Google Webalizer exploits

Just an update on the previous blog. Gerhard (Clean-MX) and Anthony (MalwareURL) have also identified quite a few more compromised hosts:

http://www.malwaredomainlist.com/forums/index.php?topic=3230

And why am I not surprised to see Lunarpages customers in there (hat tip to Anthony ;o)). You'll no doubt remember the last blog on the LP subject.

http://hphosts.blogspot.com/2009/05/federal-reserve-goes-luckysploit.html

As was mentioned in the previous blog, the Lunarpages domains checked STILL contain the exploit code:

http://vurl.mysteryfcm.co.uk/?url=614296
PDF: vURL_Online_-_adammcgrath.ca_Results.pdf

This is now 4 months after Lunarpages were notified, and nothing seems to have been done to either clean up the affected domains or prevent it happening again (as evidenced by the new ones that have turned up). The domains below, courtesy of Anthony at MalwareURL, show those affected at Lunarpages (and there are likely a lot more we've not yet identified).

Those I checked have an iFrame leading to microsotf.cn, which thankfully hasn't resolved since July 9th, or an iFrame leading to dakilfu.com (IP: 79.112.224.45 - 79-112-224-45.rdsnet.ro, RO-RCS-RDS-FIBERLINK - AS8708), which then loads 2 more iFrames to:

thestatsdata.com/static.php?q5432 - 89.149.251.84 (89-149-251-84.internetserviceteam.com, NetDirekt - AS28753)
seekandhide365.info/t.php - 79.112.224.45 (79-112-224-45.rdsnet.ro, RO-RCS-RDS-FIBERLINK - AS8708)

thestatsdata.com is returning a 500 error at present, but seekandhide365.info goes on to load several more iFrames from seekandhide365.info:

index.php?query=zinc+supplement&submit=Search
index.php?query=Money&submit=Search
index.php?query=trimed+pussy&submit=Search
index.php?query=oklahoma+real+estate&submit=Search
index.php?query=long+distance+mover&submit=Search
index.php?query=transplanting+banana+tree&submit=Search
index.php?query=Conjunctivitis&submit=Search
index.php?query=garage+door+prices&submit=Search
Along with 2 more from click.rontraffic.com (IP: 69.65.43.142, IPNAP (GigeNET - ECOMD)):

click.rontraffic.com/re.php?hid=NDQyOTExMjN8fDEyNTA0OTM0NDN8fDIxMi41Ni45NS4yNTN8fHx8MXx8OXx8d2lyZWxlc3MgYWNjZXNzfHxncmltfHx8fDAuMDAwNHx8MC4wMDF8fGh0dHA6Ly93d3cuaGFuZHlzZWVrLmNvbS9qdW1wMS8/YWZmaWxpYXRlPTU2MDEmc3ViaWQ9NyZ0ZXJtcz13aXJlbGVzcyUyMGFjY2VzcyZzaWQ9WjIzMjA0MzczNyU0MCU0MFFNZmRETjVBRE55OFZNd1V6WDJFMlg0ODFNMFF6TTVRRE0xSVRNJmE9Z3ZjY2J2YWducGd2aXImbXI9MSZyYz0w

The Base64 in the hid parameter of the second of those decodes to:

44291123||1250493443||212.56.95.253||||1||19||wireless access||grim||||0.0004||0.004||http://141.pub.adfirmative.com/2.php?sid=141&keyword=wireless+access&goto=48372d52907a8f95baafd85e96e5a8b7-wsSfk3FkkF%09sws.SU.3S.sSF%092vvR%3A%2F%2Fnnn.NIIHjLo2qoIFUS.qLOt%2FNIjaE2.R2R%09R_aNfw%09wkw%09nqaIiINN%2BjEEINN%09QqYj4wS34%092vvR%3A%2F%2FHE.bQiNIjaE2.QqYj.EtQ%2FAqL%2FOqLon2jv.oii%3FEiqEHv2atWz2%260%3D4wS34%26b%3DOi6%3Bl1f2ZhD5NrN1LHbfyED1G5bOZva8VELeQE62Hh1FlS8hVEfkPnEtZYdm45ou68B97vk8G56W8jSxFSd8y53WNrZcWE4Tl2fbm5SPPnk97ONBwZueI8uypwuuuhjEWBkQQ%3BPtWRbwwrfqlEO%3BG25VVH2v4JbIlELvPRxlVnDRIWOuLnnTlEaXQYNwukcDFL6sm%3BPLPM48mBktyj3cIkF%24J%09f.ffk%09f%09w%09%09%09w%09GLqvIo+dqLzotQ%0985%09nnn.AiqLHb.Et.WH&objTimStr=0.58524400+1250493443
Which shows a connection to 141.pub.adfirmative.com (IP: 69.174.35.174 & 69.174.35.172 - LF Media, Inc MZIMA08-CUST-LEADSANDFEEDS01).
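As an added example (not from the original post), the Python below does by script what the decode above does by hand: it cuts the hid parameter out of a click.rontraffic.com redirect, base64-decodes it, splits it on the || separators and records the landing host, which is the part a blocklist maintainer actually needs. The field positions (unix time, visitor IP, search keyword, landing URL) are an assumption inferred from the decoded sample on this page; the sample input is the first rontraffic URL quoted above.

```python
import base64
import binascii
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Sample input: the first click.rontraffic.com redirect quoted in the post,
# with "http://" prepended so urlsplit can parse it.
SAMPLE_URL = (
    "http://click.rontraffic.com/re.php?hid="
    "NDQyOTExMjN8fDEyNTA0OTM0NDN8fDIxMi41Ni45NS4yNTN8fHx8MXx8OXx8d2lyZWxlc3MgYWNjZXNzfHxncmltfHx8fDAuMDAwNHx8MC4wMDF8fGh0dHA6Ly93d3cuaGFuZHlzZWVrLmNvbS9qdW1wMS8/YWZmaWxpYXRlPTU2MDEmc3ViaWQ9NyZ0ZXJtcz13aXJlbGVzcyUyMGFjY2VzcyZzaWQ9WjIzMjA0MzczNyU0MCU0MFFNZmRETjVBRE55OFZNd1V6WDJFMlg0ODFNMFF6TTVRRE0xSVRNJmE9Z3ZjY2J2YWducGd2aXImbXI9MSZyYz0w"
)


def raw_query_param(url: str, name: str) -> str:
    """Return a query parameter as written. parse_qs would turn a literal
    '+' inside the base64 into a space, so cut it out of the raw query."""
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return value
    return ""


def decode_hid(hid: str) -> str:
    """Base64-decode the hid blob, tolerating stripped '=' padding and junk."""
    padded = hid + "=" * (-len(hid) % 4)
    try:
        return base64.b64decode(padded).decode("utf-8", errors="replace")
    except binascii.Error:
        return ""


def parse_redirect(url: str) -> dict:
    """Split the decoded hid on '||' and pick out the fields worth logging.
    Positions are an assumption taken from the decoded sample in the post:
    [1] unix time, [2] visitor IP, [6] keyword, [-1] landing URL."""
    fields = decode_hid(raw_query_param(url, "hid")).split("||")
    landing = fields[-1]
    ts = fields[1] if len(fields) > 1 else ""
    when = (datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()
            if ts.isdigit() else None)
    return {
        "redirector": urlsplit(url).hostname,
        "timestamp_utc": when,
        "visitor_ip": fields[2] if len(fields) > 2 else None,
        "keyword": fields[6] if len(fields) > 6 else None,
        "landing_host": urlsplit(landing).hostname,
        "landing_url": landing,
        "field_count": len(fields),
    }
```

Run over the sample, the landing host comes out as www.handyseek.com, so the two hid blobs on this page send the visitor to different affiliate landers even though the keyword and timestamp are the same.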

The fact that they're still carrying the malicious code, irrespective of the target no longer existing, means they should still be blacklisted: there's nothing stopping those who hacked them in the first place from updating the code to point to new locations.

Ref:
http://hosts-file.net/misc/hpObserver_-_Lunarpages.html
