clickme**.fileave.com
Where ** are two letters based on the date/time. Yesterday (the 27th) these were clickmen[a-z].fileave.com, and today, rather predictably, they are clickmeo[a-z].fileave.com.
Yesterday's were reported to both Network Solutions and to FileAve (Ripside), but so far they're all still live. Until Fileave.com get off their backsides, I'd personally suggest putting a block on either *.fileave.com or 64.62.181.43, which is the IP these are using.
All hostnames redirect to a MITM host, which redirects again to the Blackhole exploit kit. What gets served up has already been detailed, so I'll save going through that again.
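For anyone turning the pattern above into a detection, here is an added example (not from the original post) that flags proxy-log entries matching the clickme series or resolving to the IP quoted above, and generates the next day's predicted hostnames for a blocklist. The log line format and the sample lines are constructed for the example.

```python
import re
from string import ascii_lowercase

# Hostname pattern described in the post: "clickme", one letter that advances
# over time (n on the 27th, o the next day, p already active), one letter a-z,
# all under fileave.com.
CLICKME_RE = re.compile(r"^clickme([a-z])([a-z])\.fileave\.com$", re.IGNORECASE)
# Hosting IP quoted in the post as the alternative block target.
BLOCKED_IP = "64.62.181.43"


def classify_host(host, resolved_ip=None):
    """Return 'clickme' if the host is in the series, 'fileave-ip' if it
    resolved to the quoted IP, otherwise None."""
    if CLICKME_RE.match(host.strip().rstrip(".")):
        return "clickme"
    if resolved_ip == BLOCKED_IP:
        return "fileave-ip"
    return None


def series_for(day_letter):
    """Predicted hostnames for one day's letter, e.g. 'p' -> clickmepa..clickmepz."""
    return [f"clickme{day_letter}{c}.fileave.com" for c in ascii_lowercase]


def scan_log(lines):
    """Scan constructed proxy-log lines of the form 'timestamp client host dest_ip'
    and return (timestamp, client, host, verdict) for every flagged entry."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, host, dest_ip = parts[:4]
        verdict = classify_host(host, dest_ip)
        if verdict:
            hits.append((ts, client, host, verdict))
    return hits


# Constructed sample log lines (hypothetical format, not from the post).
SAMPLE_LOG = [
    "2011-10-28T09:14:02 10.0.0.5 clickmeoc.fileave.com 64.62.181.43",
    "2011-10-28T09:14:03 10.0.0.5 www.example.com 93.184.216.34",
    "2011-10-28T09:15:11 10.0.0.7 CLICKMEPQ.FILEAVE.COM 64.62.181.43",
    "2011-10-28T09:16:40 10.0.0.9 otheruser.fileave.com 64.62.181.43",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Matching on the hostname catches the series even if the hosting IP changes; matching on the IP catches the whole *.fileave.com block the post suggests.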
clickmep*.fileave.com is already active, and no doubt q-z will follow.
/edit
I forgot to add the following references (provided by a friend on a private security list) that reported the initial compromises:
Prestashop blog - Please Read: Security Procedure
http://www.prestashop.com/blog/article/please_read_security_procedure/
Prestashop forum - footer.tpl vulnerability
http://www.prestashop.com/forums/topic/125798-footertpl-vulnerability/
Reddit - Did someone just hack into my computer? Help me find these guys.
http://www.reddit.com/r/webdev/comments/jroo1/did_someone_just_hack_into_my_computer_help_me/