Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Tweet Week: July 12-18, 2010

18 Jul 10   Filed in Tweet Week with 0 Comments

Selected short messages and links you might have missed if you don’t follow me on Twitter.

nginx as reverse proxy, WP redirects on MediaTemple, Image search spam … »»

Evict Hackers

30 Dec 09   Filed in General with 1 Comment

Last week, I wrote about the latest mutation of the website hack that has been active (mostly in the form of iframe injection) throughout this year. I mentioned that, for some reason, all the malicious domain names had been mapped to IP addresses on LeaseWeb and OVH networks. Moreover, LeaseWeb hosted a central site, mdvhost .com (hidden behind reverse proxies), for at least 3 months.
LeaseWeb reaction »»

Dynamic DNS and Botnet of Zombie Web Servers

11 Sep 09   Filed in Website exploits with 43 Comments

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has consistently been among the “leaders”.

  • They started with gambling-related .cn domains (like cheapslotplay .cn).
  • They introduced several new domain names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
  • They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
  • They used port 8080 (presumably to evade naive traffic filters that only inspect traffic on port 80).
  • At the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
  • And, finally, if you follow me on Twitter, you know that this week I started to notice third-level domains registered with free dynamic DNS services.
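Because the attackers rotate domains daily, a scanner that hardcodes hostnames falls behind immediately. The list above gives several structural traits that survive the rotation: hidden iframes, a non-standard port (8080), 3-letter second-level names under .ru/.pl/.in/.at, third-level dynamic DNS hosts, and a recurring set of campaign names in the URL. The script below is an added example, not code from the Unmask Parasites service, that flags iframes on those traits rather than on a domain list. The sample HTML is constructed for illustration (the hostnames are the post's own examples reassembled, and should not be visited), and the dynamic DNS provider suffixes are an assumption, since the post does not name the services it saw.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Campaign names the post reports as parameters in the injected iframe URLs.
CAMPAIGN_NAMES = {"mozila", "banner", "cocacola", "pepsi", "open", "reopen", "income"}
# TLDs of the 3-letter domains the post reports for the late-July wave.
SHORT_DOMAIN_TLDS = {"ru", "pl", "in", "at"}
# ASSUMPTION: the post names no dynamic DNS providers; this list is illustrative only.
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.org", "no-ip.biz", "3322.org")

# Constructed sample page: one legitimate iframe plus three injected ones
# in the styles described in the post.
SAMPLE_HTML = """<html><body>
<p>Welcome to our site.</p>
<iframe src="http://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://x3y.ru:8080/index.php?pepsi" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://cheapslotplay.cn:8080/ts/in.cgi?reopen" width=0 height=0></iframe>
<iframe src="http://abc.dyndns.org:8080/ts/in.cgi?banner" style="display: none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True if the iframe is sized or styled so that the visitor cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {attrs.get("width", "").strip(), attrs.get("height", "").strip()} & {"0", "1", "0px", "1px"}
    return bool(tiny) or any(s in style for s in ("display:none", "visibility:hidden", "width:0", "height:0"))


def classify_src(src):
    """Return the structural reasons a src URL matches the campaign; [] if none match."""
    reasons = []
    parts = urlsplit(src if "://" in src else "http://" + src)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    try:
        port = parts.port
    except ValueError:  # malformed port string; treat as no port
        port = None
    if port == 8080:
        reasons.append("port 8080")
    if len(labels) == 2 and labels[1] in SHORT_DOMAIN_TLDS and re.fullmatch(r"[a-z0-9]{3}", labels[0]):
        reasons.append("3-letter ." + labels[1] + " domain")
    if any(host.endswith("." + suffix) for suffix in DYNDNS_SUFFIXES):
        reasons.append("dynamic DNS host")
    # Campaign names appear as bare query parameters (e.g. "?pepsi"), so keep blank values.
    query = parse_qs(parts.query, keep_blank_values=True)
    seen = set(query) | {v for values in query.values() for v in values}
    hits = seen & CAMPAIGN_NAMES
    if hits:
        reasons.append("campaign name " + ",".join(sorted(hits)))
    return reasons


def scan_html(html):
    """Return one finding per iframe that is hidden or whose src matches the campaign patterns."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = classify_src(src)
        hidden = is_hidden(attrs)
        if hidden or reasons:
            findings.append({"src": src, "hidden": hidden, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding["src"], "hidden" if finding["hidden"] else "visible", finding["reasons"])
```

A hidden iframe with no other trait is still reported, because an invisible frame has almost no legitimate use and is the constant across every variant the post lists; the structural reasons then tell you which wave of the campaign a hit belongs to. Treat the output as triage input, not a verdict: a legitimate tracking frame can be 1x1, and the domain heuristics will produce occasional false positives on ordinary short hostnames.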

Here are the details »»