Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Evict Hackers

30 Dec 09   Filed in General

Last week, I wrote about the latest mutation of the website hack that has been active (mostly in the form of iframe injections) throughout this year. I mentioned that, for some reason, all malicious domain names had been mapped to IP addresses on the LeaseWeb and OVH networks. Moreover, LeaseWeb hosted a central site, mdvhost .com (hidden behind reverse proxies), for at least 3 months.

LeaseWeb reaction

Fortunately, such posts sometimes make a difference. The same day, Alex de Joode, LeaseWeb's Security Officer, left a comment explaining their company's abuse handling policy and showing that they were ready to address malware issues. What is more important is that I can see the results: the mdvhost.com domain name no longer resolves, and none of the malicious domains is currently mapped to IP addresses on the LeaseWeb network. Thanks Alex! And thanks to Maxim Weinstein (StopBadware.org), who helped to draw attention to this issue.

The attack is still active

The loss of the mdvhost .com server didn't stop the attack, though. Apparently, the hackers have back-up servers to replace the missing one. Still, this switch requires reconfiguring the reverse proxies and has probably slowed down the propagation of the malware. By the way, at the beginning of this week I noticed a temporary decrease in detections of this attack in Unmask Parasites. Or was it just a coincidence?

However, the attack is still active. Currently, the malicious servers reside mostly on the OVH network and on some German networks (for some reason the hackers choose European hosting providers).

Here is a sample output of the dig command for one of the malicious domains, with the geolocation and owner of each IP address appended:

viewhomesale.ru. 432 IN A 85.25.73.243 Germany Berlin Bsb-service Gmbh
viewhomesale.ru. 432 IN A 91.121.49.129 France Paris Ovh Sas
viewhomesale.ru. 432 IN A 94.23.14.110 France Clermont-ferrand Ovh Sas
viewhomesale.ru. 432 IN A 94.23.89.95 Poland Ovh Sp. Z O. O
viewhomesale.ru. 432 IN A 94.23.206.229 France Ovh Sas

Some more IPs:

62.75.184.40 Germany Berlin Vserver – Virtual Dedicated Server-hosting
77.37.19.43 Germany Star-hosting E.k. – Vserver I
91.121.142.111 France Paris Ovh Sas
188.72.199.24 Germany Berlin De-netdirect
213.186.57.19  France Paris Ovh Sas

I hope OVH and the German hosting providers will follow LeaseWeb's example and finally sweep the hackers off their networks.

To hosting providers

The IPs in this post belong to compromised dedicated and virtual dedicated servers where hackers managed to install nginx on port 8080 (the instances work as reverse proxies). It would be great if you could find the nginx configuration files and determine the address of the central site they fetch all the malicious content from. You can either post your findings here or contact me directly. Alternatively, you can contact the hosting provider of that malicious server yourselves.
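As an added illustration of the check suggested above (this is not code from the post or from Unmask Parasites), here is a small Python scanner that pulls the proxy_pass destinations out of the nginx server blocks that listen on port 8080 and expands upstream group names to their member addresses. The sample config and the 192.0.2.10 address are constructed placeholders, and the parser assumes the plain directive syntax shown.

```python
import re

# Constructed sample config, modelled on the setup the post describes: an extra
# server block on port 8080 reverse-proxying to a central host. 192.0.2.10 is a
# documentation address (TEST-NET-1), not a real indicator.
SAMPLE_CONF = """
upstream central {
    server 192.0.2.10:80;   # placeholder, not a real indicator
}
server { listen 80; root /var/www/legit; }
server {
    listen 0.0.0.0:8080;
    location / { proxy_pass http://central; }
}
"""

def blocks(conf, name):
    """(header, body) of each top-level '<name> ... { ... }' block, brace-balanced."""
    out, pos = [], 0
    pat = re.compile(r'\b' + name + r'\b[^{;]*\{')
    while (m := pat.search(conf, pos)):
        depth, j = 1, m.end()
        while depth and j < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[j], 0)
            j += 1
        out.append((m.group(0)[:-1].strip(), conf[m.end():j - 1]))
        pos = j
    return out

def upstreams(conf):
    """Map each upstream group name to the server addresses declared in it."""
    return {h.split()[1]: re.findall(r'\bserver\s+([^\s;]+)', b)
            for h, b in blocks(conf, 'upstream')}

def listen_ports(body):
    """Ports from 'listen 8080;', 'listen 0.0.0.0:8080;' or 'listen [::]:8080;'."""
    return [int(p) for p in re.findall(r'\blisten\s+(?:\S*:)?(\d+)', body)]

def find_proxy_targets(conf, port=8080):
    """proxy_pass destinations of every server block listening on `port`,
    with upstream group names expanded to their member addresses."""
    conf = re.sub(r'#[^\n]*', '', conf)   # strip comments before parsing
    groups, targets = upstreams(conf), []
    for _, body in blocks(conf, 'server'):
        if port in listen_ports(body):
            for dest in re.findall(r'\bproxy_pass\s+([^\s;]+)', body):
                host = re.sub(r'^\w+://', '', dest).split('/')[0]
                targets.extend(groups.get(host, [dest]))
    return targets
```

Running find_proxy_targets(SAMPLE_CONF) on the sample returns ['192.0.2.10:80'], the upstream the port-8080 proxy forwards to; point it at the real nginx.conf and its included files on an affected server.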

P.S. Happy New Year!
