Blog for hpHosts, and whatever else I feel like writing about ....

Saturday, 27 August 2011

ALERT: clickme**.fileave.com

Yet another mass compromise is going on recently, folks (yep, surprise surprise). This time, the malicious code leads to a URL in the format:

clickme**.fileave.com

Where ** are letters based on the date/time. Yesterday (27th), these were clickmen[a-z].fileave.com, and today, rather predictably, they are clickmeo[a-z].fileave.com.

Yesterday's were reported to both Network Solutions and to FileAve (Ripside), but so far they're all still live. Until Fileave.com get off their backsides, I'd personally suggest putting a block on either *.fileave.com or 64.62.181.43, which is the IP these are using.

All hostnames redirect to an MITM, which redirects again to the Blackhole exploit kit. What is served up has already been detailed, so I'll save going through that.
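The hostname pattern above is regular enough to match and expand by script, which is handier than pasting 26-line lists into a blocklist by hand. The following is an added example (my own code, not from the original post or from hpHosts): it expands one day's letter into all 26 hostnames, emits hpHosts-style hosts file lines, and runs a regex over some constructed DNS and proxy log lines to flag lookups of clickme**.fileave.com or of the shared IP 64.62.181.43. The day_letter_for() helper assumes the first variable letter advances by one per calendar day (n on the 27th, then o, then p, as observed in the post); the wrap-around after z is my guess, not something the post shows. The sample log lines are constructed for the example.

```python
import re
import string
from datetime import date

# From the post: the hostnames resolve to this IP, and the label is
# "clickme" + <day letter> + <a-z> under fileave.com.
FILEAVE_IP = "64.62.181.43"
HOST_RE = re.compile(r"\bclickme[a-z]{2}\.fileave\.com\b", re.IGNORECASE)


def expand_day(day_letter):
    """All 26 hostnames for one day's letter, e.g. 'n' -> clickmena..clickmenz."""
    if len(day_letter) != 1 or day_letter not in string.ascii_lowercase:
        raise ValueError("day letter must be a single lowercase a-z character")
    return ["clickme%s%s.fileave.com" % (day_letter, c) for c in string.ascii_lowercase]


def day_letter_for(target_iso, seen_letter="n", seen_on_iso="2011-08-27"):
    """ASSUMPTION: the day letter advances one position per calendar day from an
    observed anchor (n on 2011-08-27 per the post). Wrapping past z back to a is a
    guess; the post only shows n, o and p on consecutive days."""
    offset = (date.fromisoformat(target_iso) - date.fromisoformat(seen_on_iso)).days
    idx = (string.ascii_lowercase.index(seen_letter) + offset) % 26
    return string.ascii_lowercase[idx]


def hosts_file_entries(day_letters):
    """hpHosts-style hosts file lines (127.0.0.1 hostname) for each given day letter."""
    lines = []
    for d in day_letters:
        for h in expand_day(d):
            lines.append("127.0.0.1 %s" % h)
    return lines


def find_hits(log_lines):
    """Return (line_no, indicator) for every line naming a clickme**.fileave.com
    host or the shared IP. Works on DNS query logs, proxy access logs or Referer
    fields alike, since it only looks for the hostname or IP as a token."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = HOST_RE.search(line)
        if m:
            hits.append((n, m.group(0).lower()))
        elif FILEAVE_IP in line:
            hits.append((n, FILEAVE_IP))
    return hits


# Constructed sample log lines (not taken from the post): two BIND-style query
# log lines and two squid access log lines.
SAMPLE_LOG = [
    "27-Aug-2011 10:02:11 client 10.0.0.5#53122: query: clickmenq.fileave.com IN A",
    "27-Aug-2011 10:02:12 client 10.0.0.5#53123: query: www.example.com IN A",
    "1314439333.410 212 10.0.0.5 TCP_MISS/302 412 GET http://clickmenq.fileave.com/ "
    "- DIRECT/64.62.181.43 text/html",
    "1314439340.101 15 10.0.0.7 TCP_MISS/200 9876 GET http://64.62.181.43/x/ "
    "- DIRECT/64.62.181.43 text/html",
]


if __name__ == "__main__":
    # Block today's and tomorrow's letters ahead of time, then check the sample log.
    letters = [day_letter_for("2011-08-28"), day_letter_for("2011-08-29")]
    for entry in hosts_file_entries(letters)[:3]:
        print(entry)
    print("...")
    for line_no, indicator in find_hits(SAMPLE_LOG):
        print("line %d: %s" % (line_no, indicator))
```

Two caveats when using this: blocking *.fileave.com (or the IP) takes out a whole free hosting provider, not just these hostnames, so a hostname-level block from expand_day() is the less disruptive option if you can keep it current; and the per-day letter progression is an observation over three days, so regenerate the list from what you actually see in your logs rather than trusting the prediction blindly.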

Yesterday's

http://clickmena.fileave.com
http://clickmenb.fileave.com
http://clickmenc.fileave.com
http://clickmend.fileave.com
http://clickmene.fileave.com
http://clickmenf.fileave.com
http://clickmeng.fileave.com
http://clickmenh.fileave.com
http://clickmeni.fileave.com
http://clickmenj.fileave.com
http://clickmenk.fileave.com
http://clickmenl.fileave.com
http://clickmenm.fileave.com
http://clickmenn.fileave.com
http://clickmeno.fileave.com
http://clickmenp.fileave.com
http://clickmenq.fileave.com
http://clickmenr.fileave.com
http://clickmens.fileave.com
http://clickment.fileave.com
http://clickmenu.fileave.com
http://clickmenv.fileave.com
http://clickmenw.fileave.com
http://clickmenx.fileave.com
http://clickmeny.fileave.com
http://clickmenz.fileave.com


Today's

http://clickmeoa.fileave.com
http://clickmeob.fileave.com
http://clickmeoc.fileave.com
http://clickmeod.fileave.com
http://clickmeoe.fileave.com
http://clickmeof.fileave.com
http://clickmeog.fileave.com
http://clickmeoh.fileave.com
http://clickmeoi.fileave.com
http://clickmeoj.fileave.com
http://clickmeok.fileave.com
http://clickmeol.fileave.com
http://clickmeom.fileave.com
http://clickmeon.fileave.com
http://clickmeoo.fileave.com
http://clickmeop.fileave.com
http://clickmeoq.fileave.com
http://clickmeor.fileave.com
http://clickmeos.fileave.com
http://clickmeot.fileave.com
http://clickmeou.fileave.com
http://clickmeov.fileave.com
http://clickmeow.fileave.com
http://clickmeox.fileave.com
http://clickmeoy.fileave.com
http://clickmeoz.fileave.com


clickmep*.fileave.com is already active, and no doubt q-z will follow.

http://clickmepa.fileave.com
http://clickmepb.fileave.com
http://clickmepc.fileave.com
http://clickmepd.fileave.com
http://clickmepe.fileave.com
http://clickmepf.fileave.com
http://clickmepg.fileave.com
http://clickmeph.fileave.com
http://clickmepi.fileave.com
http://clickmepj.fileave.com
http://clickmepk.fileave.com
http://clickmepl.fileave.com
http://clickmepm.fileave.com
http://clickmepn.fileave.com
http://clickmepo.fileave.com
http://clickmepp.fileave.com
http://clickmepq.fileave.com
http://clickmepr.fileave.com
http://clickmeps.fileave.com
http://clickmept.fileave.com
http://clickmepu.fileave.com
http://clickmepv.fileave.com
http://clickmepw.fileave.com
http://clickmepx.fileave.com
http://clickmepy.fileave.com
http://clickmepz.fileave.com


/edit

I forgot to add the following references (provided by a friend on a private sec list) that reported the initial compromises:

Prestashop blog - Please Read: Security Procedure
http://www.prestashop.com/blog/article/please_read_security_procedure/

Prestashop forum - footer.tpl vulnerability
http://www.prestashop.com/forums/topic/125798-footertpl-vulnerability/

Reddit - Did someone just hack into my computer? Help me find these guys.
http://www.reddit.com/r/webdev/comments/jroo1/did_someone_just_hack_into_my_computer_help_me/
