Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 20 July 2010

Alert: geekstogo.com serving exploit

Just a note folks, geekstogo.com has been compromised again, and is currently serving malicious code, via;

hxxp://www.geekstogo.com/blog/wp-includes/js/scriptaculous/effects.js?ver=1.8.3



I've tried calling geekstogo.com but they rejected my call because my number is ex directory, and the host (SoftLayer) wasn't any help.

The exploit itself is loaded from a Hanaro hosted IP address (219.255.13.77), with another exploit loaded from;

75.127.112.107:82/exemple.com/load.php?spl=javas

75.127.112.107 is on a GNAX IP range. I'd suggest blocking both /24's with immediate effect.

/Update 02:14

A little extra digging has shown another IP involved, 109.236.81.40, which is on a well known criminal friendly IP range - WorldStream, and resolves to unoosearch.com.

Registration Service Provided By: RESELLERCLUB
Contact: +1.4152361970

Domain Name: UNOOSEARCH.COM

Registrant:
N/A
Prokopenko Aleksey (alex1978a@bigmir.net)
ul. Lenina, d 4, kv 1.
Ubileyniy
Luhansk Oblast,35631
UA
Tel. +38.0963639642

Creation Date: 27-Mar-2010
Expiration Date: 27-Mar-2011

Domain servers in listed order:
ns4.everydns.net
ns3.everydns.net
ns2.everydns.net
ns1.everydns.net

Administrative Contact:
N/A
Prokopenko Aleksey (alex1978a@bigmir.net)
ul. Lenina, d 4, kv 1.
Ubileyniy
Luhansk Oblast,35631
UA
Tel. +38.0963639642

Technical Contact:
N/A
Prokopenko Aleksey (alex1978a@bigmir.net)
ul. Lenina, d 4, kv 1.
Ubileyniy
Luhansk Oblast,35631
UA
Tel. +38.0963639642

Billing Contact:
N/A
Prokopenko Aleksey (alex1978a@bigmir.net)
ul. Lenina, d 4, kv 1.
Ubileyniy
Luhansk Oblast,35631
UA
Tel. +38.0963639642

Status:LOCKED

3 comments:

spg SCOTT said...

They know now, and have closed the site to fix it

"UPDATE: We have identified our forum software is being targeted by a constant stream of hack attempts, and are in the process of updating our forum software..."

wlrdew said...

I am unable to get to geekstogo today. Is it down today as well?

MysteryFCM said...

I've checked the site, and it appears to be working correctly at the time of writing this.

It's likely it was either a glitch, or was down for maintenance.