August 2012

Dennis (from unmask) posted about some iframe injections that he has beenseeing lately: RFI: Server-wide iframe injections.

The post is interesting, so read that first. We are also seeing many variationsof this attack, always with the iframes being injected as domain.com/[randomnumbers].html and redirecting the user to Fake AV. This are some of the URLs we are seeing:

     15 http://tiergefluester.ch/37624443.html
      8 http://qmg2.com/96344443.html
      6 http://52943578.nl.strato-hosting.eu/49404443.html
      5 http://nw-transporte.de/31374443.html
      4 http://soka.saitama-eastern.jp/68844443.html
      3 http://tvhr9.com/59304443.html
      3 http://tvhr9.com/48204443.html
      3 http://tijerasycosmetica.es/32154443.html
      3 http://sepatch.org/74734443.html
      3 http://qmg2.com/51204443.html
      3 http://photopassion34.eu/84364443.html
      2 http://sipsnstrokesstudios.com/90144443.html
      2 http://relance-clients.com/18304443.html
      2 http://langaz.pl/28074443.html
      2 http://kopian.net.pl/10344443.html
      2 http://huskiesfootball.ca/54924443.html
      2 http://humourr.com/77204443.html
      2 http://fam-vandenberg.nl/33604443.html
      2 http://dev.look-whos-talking.co.uk/75584443.html
      2 http://cadeauxentreprise.ca/40104443.html
      1 http://www.sportman.nl/44554443.html
      1 http://vanaden.nl/76644443.html
      1 http://tvhr9.com/92824443.html
      1 http://tvhr9.com/15374443.html
      1 http://tijerasycosmetica.es/68134443.html
      1 http://tiergefluester.ch/71834443.html
      1 http://tiergefluester.ch/47254443.html
      1 http://thomasvillefurnishings.ca/66124443.html
      1 http://soka.saitama-eastern.jp/76924443.html
      1 http://soka.saitama-eastern.jp/31164443.html
      1 http://sipsnstrokesstudios.com/82464443.html
      1 http://shopmassive.com/72534443.html
      1 http://shopmassive.com/60754443.html
      1 http://shopmassive.com/50284443.html
      1 http://sepatch.org/58814443.html
      1 http://sepatch.org/35224443.html
      1 http://sepatch.org/14244443.html
      1 http://santeayurveda.com/48804443.html
      1 http://sacem.com.tr/95534443.html
      1 http://s1050444.iie.nl/76384443.html
      1 http://roswitha-jacobi.de/67874443.html
      1 http://roswitha-jacobi.de/52194443.html
      1 http://roswitha-jacobi.de/22914443.html
      1 http://roswitha-jacobi.de/15584443.html
      1 http://reisendefamilie.net/70004443.html
      1 http://rectol.com/76084443.html
      1 http://rectol.com/11154443.html
      1 http://radiocanvas.co.uk/97984443.html
      1 http://qmg2.com/82474443.html
      1 http://qmg2.com/76574443.html
      1 http://qmg2.com/74054443.html
      1 http://qmg2.com/34794443.html
      1 http://qmg2.com/20054443.html
      1 http://qmg2.com/14934443.html
      1 http://pohlgruppe.de/89314443.html
      1 http://pohlgruppe.de/73684443.html
      1 http://photopassion34.eu/93154443.html
      1 http://photopassion34.eu/35484443.html
      1 http://ozturannakliyat.com/94564443.html
      1 http://opracowaniagraficzne.pl/10474443.html
      1 http://nw-transporte.de/96284443.html
      1 http://mukogawa.jp/98984443.html
      1 http://moodle.fortpointdesign.com/31844443.html
      1 http://missweekderbesten.nl/12714443.html
      1 http://lojastelefrio.com.br/18854443.html
      1 http://linkeddoc.com/31974443.html
      1 http://langaz.pl/16524443.html
      1 http://kulycap.fr/63464443.html
      1 http://kopian.net.pl/69004443.html
      .. many many more ...

Note that all (or most) of these sites are compromised and being used by the attackers to spread malware botnet style. Dennis also questioned how are these sites being hacked.

Initially, all of them were running Plesk (at least I could access it as site.com:8443). However, as the infection is growing, I am seeing many sites not using Plesk with this type of malware, so we can\’t know for sure. We assume it is a mix of attacks (brute force FTP + outdated Plesk + anything they can find).

1251 redirections http://fitnes-corp.ru/shurimuri?5 1093 redirections http://infofitnes.ru/interactive?5 818 redirections http://fitnes-company.ru/interactive?5 817 redirections http://mir-fitnes.ru/interactive?5 802 redirections http://info-fitnes.ru/interactive?5 788 redirections http://fitnescompany.ru/interactive?5 268 redirections http://fitnes-corp.ru/shurimuri?5 220 redirections http://infofitnes.ru/interactive?5 188 redirections http://cofitnes.ru/mimosa?5 177 redirections http://mir-fitnes.ru/interactive?5 168 redirections http://fitnes-company.ru/interactive?5 165 redirections http://info-fitnes.ru/interactive?5 162 redirections http://fitnescompany.ru/interactive?5 79 redirections http://fitnescorp.ru/shurimuri?5 40 redirections http://nashfitnes.ru/nonalco?5 37 redirections http://cofitnes.ru/mimosa?5 1191 redirections http://nashfitnes.ru/nonalco?5 981 redirections http://nash-fitnes.ru/nonalco?5 953 redirections http://supasweb.ru/blackmuscats?5 920 redirections http://nashifitnes.ru/nonalco?5 895 redirections http://nashafitnes.ru/nonalco?5 878 redirections http://nasha-fitnes.ru/nonalco?5 555 redirections http://fitnes-ltd.ru/shurimuri?5 261 redirections http://nashfitnes.ru/nonalco?5 208 redirections http://supasweb.ru/blackmuscats?5 199 redirections http://nash-fitnes.ru/nonalco?5 190 redirections http://nashafitnes.ru/nonalco?5 189 redirections http://nashifitnes.ru/nonalco?5 180 redirections http://nasha-fitnes.ru/nonalco?5 116 redirections http://fitnes-ltd.ru/shurimuri?5

http://russian-fitnes.ru/prunus/cerasus.php http://www1.vulnerabilitytoolssolver.pl/18o8e9/al/1fedfba29dd0193d/pr2/0/ http://www1.antivirusworrydanger.pl/370l3591/al/1fedfba29dd0193d/pr2/0/ http://minimizerprocessesdebugger.pl/b6l1s/al/78dee9e271084cb2/pr2/238/ http://www1.stabilityprotectionscanner.pl/n9044s5/al/1fedfba29dd0193d/pr2/0/

Month: August 2012

Server-wide iframe injections

Fake AV redirections .ru -> .pl