Last week, I wrote about the latest mutation of the website hack that has been active (mostly in form of iframe injection) throughout this year. I mentioned that for some reason all malicious domain names had been mapped to IP addresses on LeaseWeb and OVH networks. Moreover, LeaseWeb hosted a central site mdvhost .com (hidden behind reverse-proxies) for at least 3 months.
Fortunately, such posts sometimes make difference. The same day Alex de Joode, LeaseWeb’ Security Officer, left a comment, explaining their company’s abuse handling policy and showing that they were ready to address malware issues. What more important is I can see the results: mdvhost.com domain name no longer resolve. And none of the malicious domains is currently mapped to IP addresses on the LeaseWeb network. Thanks Alex! And thanks Maxim Weinstein (StopBadware.org) who helped to draw attention to this issue.
The loss of the mdvhost .com server didn’t stop the attack though. Apparently, hackers have back-up servers to replace the missing one. Anyway, this switch requires reconfiguring reverse-proxies and have probably slowed down the propagation of the malware. And by the way, in the beginning of this week I noticed a temporary decrease in this attack detection in Unmask Parasites. Or was it just a coincidence?
However, the attack is still active. Currently, malicious servers reside mostly on OVH network and on some German networks (for some reason hackers choose European hosting providers)
Here is a sample output of the dig command:
viewhomesale.ru. 432 IN A 220.127.116.11 Germany Berlin Bsb-service Gmbh
viewhomesale.ru. 432 IN A 18.104.22.168 France Paris Ovh Sas
viewhomesale.ru. 432 IN A 22.214.171.124 France Clermont-ferrand Ovh Sas
viewhomesale.ru. 432 IN A 126.96.36.199 Poland Ovh Sp. Z O. O
viewhomesale.ru. 432 IN A 188.8.131.52 France Ovh Sas
Some more IPs:
184.108.40.206 Germany Berlin Vserver – Virtual Dedicated Server-hosting
220.127.116.11 Germany Star-hosting E.k. – Vserver I
18.104.22.168 France Paris Ovh Sas
22.214.171.124 Germany Berlin De-netdirect
126.96.36.199 France Paris Ovh Sas
I hope OVH and the German hosting providers will follow LeaseWeb and finally sweep hackers away from their networks.
The IPs in this post belong to compromised dedicated and virtual dedicated servers where hackers managed to install nginx on port 8080 (they work as reverse-proxies). It would be great if you find the nginx configuration files and determine the address of the central site where they get all the malicious stuff from. You can either post your findings here or contact me directly. Alternatively, you can contact the hosting provider of that malicious server yourselves.
P.S. Happy New Year!