The IP address 217.74.66.183 (listed in the CBL (Composite Blocking List)) corresponds to a web site that is infected with a spam or malware forwarding link. The website's host name is "komsta.biz", and this link is an example of the redirect: "http://komsta.biz/xmlrpc/r1.php". In other words the website "komsta.biz" has been hacked. Usually, the redirect takes the user's browser to a spam or malware site. It's usually fake russian pills or pornography.
Most probably, the infection is a Cpanel, Plesk, Joomla or Wordpress CMS install, that has become infected either through a vulnerability (meaning the CMS software is out of date and needs patching), or the owner of "komsta.biz" has had their account information (userids/passwords) compromised. Then malicious software/files are being uploaded by ftp or ssl.
In many cases, particularly with older compromises, the criminals that hacked this site will have uploaded a wide variety of spamming and other compromise tools. Therefore, the account corresponding to "komsta.biz" needs to be examined very carefully for signs of tampering. Further, the criminals will even modify existing web pages (particularly http://komsta.biz itself) to have hidden references to pill/drug/porn sites.
It is believed that the malicious redirects are done by altering web server access control mechanisms (example, ".htaccess" files on Apache web servers), and causing the redirect to occur on all "404 url not found" errors.
REFERENCES:
217.74.66.183
- https://www.virustotal.com/de/url/0a6cbec1348cf0d336786144d8ac8b3392a06044ea45210c1ff7164b935138d3/analysis/1391867416/
- http://www.spamhaus.org/query/bl?ip=217.74.66.183
- http://cbl.abuseat.org/lookup.cgi?ip=217.74.66.183
komsta.biz
- https://www.virustotal.com/de/url/d075ee0a046bf5b9061d6516f74a2a8a896f6d645b500b82b8e5621cdd347af3/analysis/1391868630/
komsta.biz/xmlrpc/r1.php
- https://www.virustotal.com/de/url/13fe2e198d34cfb1180de459f3cdc711cd35315653a442f5ea4cfae49d771803/analysis/
Other Malicious Domains connected to this IP:
mecsohesti.strefa.pl
- https://www.virustotal.com/de/url/7b8461c8134626cc15ae094d9ae3c6fa82c82a417cc6936693dbaac78829481e/analysis/1391866196/
mecsohesti.strefa.pl/908juare3rm.js
- https://www.virustotal.com/de/url/e953124d50e1310dd2812e263931848b00d462470c676a634e4cb399cfa6b92a/analysis/1391866188/
- https://www.virustotal.com/de/file/b16b4bdb5699e781801c38303ff0843681d622683b1edfaefe7d9255da7cdc36/analysis/1391865764/
- http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=mecsohesti.strefa.pl
berlokava.strefa.pl
- https://www.virustotal.com/de/url/3ade4568cc4b8450928f22fdc2ef3961f253073f5854b1cecc26274ddce8afc6/analysis/1391865399/
INFECTED WITH: HTML:Script-inf
- https://www.virustotal.com/de/file/1b9c71d4ede9b1b74f6a228fd391b1532e2dbe90c78ef3bbb77effbebac9693c/analysis/1391865730/
- http://wepawet.iseclab.org/view.php?hash=f54d99392772ab74cc133e0920e5a658&t=1391865424&type=js
- http://zulu.zscaler.com/submission/show/4f05692eb30713ac8402cef9ce93cb06-1391865434
Keine Kommentare:
Kommentar veröffentlichen