New SQL injection site with fast-flux hosting
One of our frequent contributors notified us of a new SQL injection site.
hxxp://en-us18.com/b.js is being injected into websites via SQL injection.
When I Googled for it, I saw 560 injected web pages.
“b.js injects an iFrame which points to
hxxp://en-us18.com/cgi-bin/index.cgi?ad
which in turn embeds two Flash files:
advert.swf:
http://www.virustotal.com/analisis/d6ffe290e9938d3e646f82c536abd0c7
banner.swf:
http://www.virustotal.com/analisis/83be3d4d30eb60d92272625634a3babc”
This appears to be fast-fluxed, or at least set up to change rapidly, based on this dig output.
dig www.en-us18.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 1
;; QUERY SECTION:
;; www.en-us18.com, type = A, class = IN
;; ANSWER SECTION:
www.en-us18.com. 10M IN A 156.17.227.218
www.en-us18.com. 10M IN A 84.121.210.189
www.en-us18.com. 10M IN A 99.194.80.27
www.en-us18.com. 10M IN A 69.65.91.5
www.en-us18.com. 10M IN A 83.27.126.102
www.en-us18.com. 10M IN A 99.225.66.211
www.en-us18.com. 10M IN A 82.159.61.76
www.en-us18.com. 10M IN A 85.53.64.13
www.en-us18.com. 10M IN A 148.81.132.211
www.en-us18.com. 10M IN A 83.23.188.93
www.en-us18.com. 10M IN A 216.170.109.251
www.en-us18.com. 10M IN A 62.21.81.188
www.en-us18.com. 10M IN A 83.242.74.153
www.en-us18.com. 10M IN A 87.205.33.92
;; AUTHORITY SECTION:
en-us18.com. 1d18h57m52s IN NS ns3.en-us18.com.
en-us18.com. 1d18h57m52s IN NS ns2.en-us18.com.
en-us18.com. 1d18h57m52s IN NS ns4.en-us18.com.
en-us18.com. 1d18h57m52s IN NS ns1.en-us18.com.
;; ADDITIONAL SECTION:
ns1.en-us18.com. 1d21h10m38s IN A 75.110.190.181
A second dig a few minutes later produced similar but slightly different results.
So this domain is changing. I guess they got tired of people blackholing their IP address.
So in that case I would recommend you DNS-blackhole that domain.
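To make the signs in that dig output checkable mechanically, here is an added example (not code from the diary or its contributor): it parses dig's A records and flags the diary's own fast-flux indicators, a short TTL, many A records for one name, and addresses scattered across unrelated networks. The thresholds (900 seconds, 5 addresses, 5 distinct /16 prefixes) are assumptions chosen for illustration, not values from the post.

```python
import re

# Sample input: the ANSWER and ADDITIONAL sections copied from the dig output above.
DIG_OUTPUT = """\
www.en-us18.com. 10M IN A 156.17.227.218
www.en-us18.com. 10M IN A 84.121.210.189
www.en-us18.com. 10M IN A 99.194.80.27
www.en-us18.com. 10M IN A 69.65.91.5
www.en-us18.com. 10M IN A 83.27.126.102
www.en-us18.com. 10M IN A 99.225.66.211
www.en-us18.com. 10M IN A 82.159.61.76
www.en-us18.com. 10M IN A 85.53.64.13
www.en-us18.com. 10M IN A 148.81.132.211
www.en-us18.com. 10M IN A 83.23.188.93
www.en-us18.com. 10M IN A 216.170.109.251
www.en-us18.com. 10M IN A 62.21.81.188
www.en-us18.com. 10M IN A 83.242.74.153
www.en-us18.com. 10M IN A 87.205.33.92
ns1.en-us18.com. 1d21h10m38s IN A 75.110.190.181
"""

A_RECORD = re.compile(r"^(\S+)\s+(\S+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)
TTL_PART = re.compile(r"(\d+)([wdhms]?)", re.I)
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def ttl_to_seconds(ttl):
    """Convert dig's pretty TTL ('10M', '1d21h10m38s', or plain '600') to seconds."""
    return sum(int(n) * UNITS[u.lower()] for n, u in TTL_PART.findall(ttl))

def parse_a_records(text):
    """Group A records by owner name: {name: [(ttl_seconds, ip), ...]}."""
    records = {}
    for name, ttl, ip in A_RECORD.findall(text):
        records.setdefault(name.rstrip(".").lower(), []).append((ttl_to_seconds(ttl), ip))
    return records

def fast_flux_indicators(records, name, max_ttl=900, min_ips=5, min_prefixes=5):
    """The diary's heuristics: short TTL, many A records, IPs spread over unrelated /16s (thresholds assumed)."""
    rrset = records.get(name.lower(), [])
    ips = {ip for _, ip in rrset}
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
    return {
        "short_ttl": bool(rrset) and max(ttl for ttl, _ in rrset) <= max_ttl,
        "many_ips": len(ips) >= min_ips,
        "dispersed": len(prefixes) >= min_prefixes,
    }

def looks_fast_flux(text, name):
    """True only when every indicator fires; a large CDN can trip one or two on its own."""
    return all(fast_flux_indicators(parse_a_records(text), name).values())
```

Feeding it the output of a second dig a few minutes later and comparing the address sets is the natural next check, since a fast-flux name rotates addresses between lookups while a CDN's set is comparatively stable.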