Translate

2/28/2014

Category MALICIOUS IP: 67.225.146.147 (wpnoupfront.authenticbd.com)
Infected with a spam or malware forwarding link - Botnet
(UNITED STATES & RUSSIAN FEDERATION)

The IP address 67.225.146.147 (listed in the CBL (Composite Blocking List)) corresponds to a web site that is infected with a spam or malware forwarding link. The website's host name is "wpnoupfront.authenticbd.com", and this link is an example of the redirect: "http://wpnoupfront.authenticbd.com/invigorating.htm". In other words the website "wpnoupfront.authenticbd.com" has been hacked. Usually, the redirect takes the user's browser to a spam or malware site. It's usually fake russian pills or pornography.

No Time to lay back...
In several cases, particularly with older compromises, the criminals that hacked this site will have uploaded a wide variety of spamming and other compromise tools. Therefore, the account corresponding to "wpnoupfront.authenticbd.com" needs to be examined very carefully for signs of tampering. Further, the criminal will even modify existing web pages (particularly http://wpnoupfront.authenticbd.com itself) to have hidden references to pill/drug/porn sites.

It is believed that the malicious redirects are done by altering web server access control mechanisms (example, ".htaccess" files on Apache web servers), and causing the redirect to occur on all "404 url not found" errors.

Related Post: http://stayaway2.blogspot.com/2014/02/us-phishing-visitor-to-this-blog.html

REFERENCES:
67.225.146.147
  • https://www.virustotal.com/de/url/30de5a071652e44f8f6003ab0c22553e72808bfec8aa5982ae23fb7badde4857/analysis/1393510660/
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=67.225.146.147
LISTED AT CBL:
  • http://cbl.abuseat.org/lookup.cgi?ip=67.225.146.147
----------------------------------------------------------

http://wpnoupfront.authenticbd.com/
  • https://www.virustotal.com/de/url/1fb32860105dea70846f611020d9ba6c2a4557c5337ded5e1dcbe83b51b9641d/analysis/1393517602/
  • http://urlquery.net/report.php?id=9691230
http://wpnoupfront.authenticbd.com/invigorating.htm
  • https://www.virustotal.com/de/url/071ca9f4199a95b2d2824d0207e8c6287c20458ad1f87b80ac37a9a36ec2de9b/analysis/1393517601/
HTML:RedirME-inf [Trj]
  • https://www.virustotal.com/de/file/5f0925c559ea8e1285877f550f361a92770d54528f8800ab181bdc1a0c039427/analysis/1393520355/
  • (GETFILE: http://jsunpack.jeek.org/dec/getfile?hash=8ff9/ed8ea2a207c8f4ae5c70dac68556d6ff425a)
---> REDIRECTS TO
http://doctorxonft.ru/
  • https://www.virustotal.com/de/url/0512b24fcc96129c9951e4f5103bfed2312c9fe359403ed3a6ec36e6ced2e962/analysis/
HTML (PUA.JS.Obfus-7)
  • https://www.virustotal.com/de/file/8aad19003d4937d93cf60ff7f8457c231e4b72110d380a4c6a2e133b1e169fae/analysis/1393521420/
  • http://virusscan.jotti.org/de/scanresult/baf1b8fc0d963713dd61f1f9549226321e068189

FULL REPORT:
Document hosting: UploadEdit.com
Eingestellt von um
Labels: , , , , , , , , , , ,
Standort: 67225, Saudi-Arabien

Keine Kommentare:

Kommentar veröffentlichen

Abonnieren Kommentare zum Post (Atom)