[nsp-sec] iframe on OpenX server: similar experiences exploit experiences with AS6851
Carles Fragoso
cfragoso at cesicat.cat
Wed Aug 18 15:33:02 EDT 2010
Hi,
One well-known website here in Catalonia has been recently infected with an iframe on its OpenX Ad server that was pointing to 85.234.190.64. I still don't have the complete info to share.
Has anyone had similar experiences with this AS6851 (ATECH-SAGADE)?
---
6851 | 85.234.190.64 | BKCNET _SIA_ IZZI
inetnum: 85.234.190.0 - 85.234.191.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89 at gmail.com
country: LV
admin-c: TMCD111-RIPE
tech-c: TMCD111-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered
--
I have seen several references already:
http://blog.dynamoo.com/2010/05/evilness-sagade-ltd-atech-sagade.html
http://www.computersecurityarticles.info/security/exploits-malware-and-scareware-courtesy-of-as6851-bkcnet-sagade-ltd/
http://ddanchev.blogspot.com/2010/07/exploits-malware-and-scareware-courtesy.html
The abuse mailbox is a Gmail account. If it is feasible, could anyone from Google take a look into this?
Warm regards,
--
Carlos Fragoso
Incident Response Manager (CESICAT-CERT)