bookmark_borderServer-wide iframe injections

Dennis (from unmask) posted about some iframe injections that he has beenseeing lately: RFI: Server-wide iframe injections.

The post is interesting, so read that first. We are also seeing many variationsof this attack, always with the iframes being injected as domain.com/[randomnumbers].html and redirecting the user to Fake AV. This are some of the URLs we are seeing:

     15 http://tiergefluester.ch/37624443.html
      8 http://qmg2.com/96344443.html
      6 http://52943578.nl.strato-hosting.eu/49404443.html
      5 http://nw-transporte.de/31374443.html
      4 http://soka.saitama-eastern.jp/68844443.html
      3 http://tvhr9.com/59304443.html
      3 http://tvhr9.com/48204443.html
      3 http://tijerasycosmetica.es/32154443.html
      3 http://sepatch.org/74734443.html
      3 http://qmg2.com/51204443.html
      3 http://photopassion34.eu/84364443.html
      2 http://sipsnstrokesstudios.com/90144443.html
      2 http://relance-clients.com/18304443.html
      2 http://langaz.pl/28074443.html
      2 http://kopian.net.pl/10344443.html
      2 http://huskiesfootball.ca/54924443.html
      2 http://humourr.com/77204443.html
      2 http://fam-vandenberg.nl/33604443.html
      2 http://dev.look-whos-talking.co.uk/75584443.html
      2 http://cadeauxentreprise.ca/40104443.html
      1 http://www.sportman.nl/44554443.html
      1 http://vanaden.nl/76644443.html
      1 http://tvhr9.com/92824443.html
      1 http://tvhr9.com/15374443.html
      1 http://tijerasycosmetica.es/68134443.html
      1 http://tiergefluester.ch/71834443.html
      1 http://tiergefluester.ch/47254443.html
      1 http://thomasvillefurnishings.ca/66124443.html
      1 http://soka.saitama-eastern.jp/76924443.html
      1 http://soka.saitama-eastern.jp/31164443.html
      1 http://sipsnstrokesstudios.com/82464443.html
      1 http://shopmassive.com/72534443.html
      1 http://shopmassive.com/60754443.html
      1 http://shopmassive.com/50284443.html
      1 http://sepatch.org/58814443.html
      1 http://sepatch.org/35224443.html
      1 http://sepatch.org/14244443.html
      1 http://santeayurveda.com/48804443.html
      1 http://sacem.com.tr/95534443.html
      1 http://s1050444.iie.nl/76384443.html
      1 http://roswitha-jacobi.de/67874443.html
      1 http://roswitha-jacobi.de/52194443.html
      1 http://roswitha-jacobi.de/22914443.html
      1 http://roswitha-jacobi.de/15584443.html
      1 http://reisendefamilie.net/70004443.html
      1 http://rectol.com/76084443.html
      1 http://rectol.com/11154443.html
      1 http://radiocanvas.co.uk/97984443.html
      1 http://qmg2.com/82474443.html
      1 http://qmg2.com/76574443.html
      1 http://qmg2.com/74054443.html
      1 http://qmg2.com/34794443.html
      1 http://qmg2.com/20054443.html
      1 http://qmg2.com/14934443.html
      1 http://pohlgruppe.de/89314443.html
      1 http://pohlgruppe.de/73684443.html
      1 http://photopassion34.eu/93154443.html
      1 http://photopassion34.eu/35484443.html
      1 http://ozturannakliyat.com/94564443.html
      1 http://opracowaniagraficzne.pl/10474443.html
      1 http://nw-transporte.de/96284443.html
      1 http://mukogawa.jp/98984443.html
      1 http://moodle.fortpointdesign.com/31844443.html
      1 http://missweekderbesten.nl/12714443.html
      1 http://lojastelefrio.com.br/18854443.html
      1 http://linkeddoc.com/31974443.html
      1 http://langaz.pl/16524443.html
      1 http://kulycap.fr/63464443.html
      1 http://kopian.net.pl/69004443.html
      .. many many more ...

Note that all (or most) of these sites are compromised and being used by the attackers to spread malware botnet style. Dennis also questioned how are these sites being hacked.

Initially, all of them were running Plesk (at least I could access it as site.com:8443). However, as the infection is growing, I am seeing many sites not using Plesk with this type of malware, so we can\’t know for sure. We assume it is a mix of attacks (brute force FTP + outdated Plesk + anything they can find).

bookmark_borderFake AV redirections .ru -> .pl

We posted yesterday about the Blackmuscats .htaccess redirection that was affecting thousands of web sites.

They are still happening (and growing), but the attackers decided to switch names to nonalco, mimosa and otherrandom keywords for their files:

1251    redirections    http://fitnes-corp.ru/shurimuri?5
1093    redirections    http://infofitnes.ru/interactive?5
818 redirections    http://fitnes-company.ru/interactive?5
817 redirections    http://mir-fitnes.ru/interactive?5
802 redirections    http://info-fitnes.ru/interactive?5
788 redirections    http://fitnescompany.ru/interactive?5
268 redirections    http://fitnes-corp.ru/shurimuri?5
220 redirections    http://infofitnes.ru/interactive?5
188 redirections    http://cofitnes.ru/mimosa?5
177 redirections    http://mir-fitnes.ru/interactive?5
168 redirections    http://fitnes-company.ru/interactive?5
165 redirections    http://info-fitnes.ru/interactive?5
162 redirections    http://fitnescompany.ru/interactive?5
79  redirections    http://fitnescorp.ru/shurimuri?5
40  redirections    http://nashfitnes.ru/nonalco?5
37  redirections    http://cofitnes.ru/mimosa?5
1191    redirections    http://nashfitnes.ru/nonalco?5
981 redirections    http://nash-fitnes.ru/nonalco?5
953 redirections    http://supasweb.ru/blackmuscats?5
920 redirections    http://nashifitnes.ru/nonalco?5
895 redirections    http://nashafitnes.ru/nonalco?5
878 redirections    http://nasha-fitnes.ru/nonalco?5
555 redirections    http://fitnes-ltd.ru/shurimuri?5
261 redirections    http://nashfitnes.ru/nonalco?5
208 redirections    http://supasweb.ru/blackmuscats?5
199 redirections    http://nash-fitnes.ru/nonalco?5
190 redirections    http://nashafitnes.ru/nonalco?5
189 redirections    http://nashifitnes.ru/nonalco?5
180 redirections    http://nasha-fitnes.ru/nonalco?5
116 redirections    http://fitnes-ltd.ru/shurimuri?5

The redirection is still the same, going from those .ru domains, to additional second level .ru domains and themto a .pl:

http://russian-fitnes.ru/prunus/cerasus.php
http://www1.vulnerabilitytoolssolver.pl/18o8e9/al/1fedfba29dd0193d/pr2/0/
http://www1.antivirusworrydanger.pl/370l3591/al/1fedfba29dd0193d/pr2/0/
http://minimizerprocessesdebugger.pl/b6l1s/al/78dee9e271084cb2/pr2/238/
http://www1.stabilityprotectionscanner.pl/n9044s5/al/1fedfba29dd0193d/pr2/0/

So far we have identified more than 17,000 sites with this type of malware. More details as we track them.