[nsp-sec] CMS Made Simple compromises redirecting to Fake AV / Pharmacy
Thomas Hungenberg
th.lab at hungenberg.net
Tue Jun 28 04:27:56 EDT 2011
Hi,
I currently see a massive spamvertizing campaign using URLs pointing to pages
created by attackers on compromised websites running CMS Made Simple (CMSMS).
These pages redirect to
hXXp://freeblogpro.org/red97.php
or
hXXp://thebloggin.net/red96.php
which in turn redirect to Fake AV or pharmacy websites.
Domain Name:FREEBLOGPRO.ORG
Sponsoring Registrar:Todaynic.com, Inc. (R1316-LROR)
Domain Name: THEBLOGGIN.NET
Registrar: BIZCN.COM, INC.
freeblogpro.org has address 78.129.132.26
freeblogpro.org has address 79.142.76.77
thebloggin.net has address 78.129.132.26
thebloggin.net has address 79.142.76.77
inetnum: 78.129.132.0 - 78.129.132.255
netname: iovps_1
descr: iovps a trading name of iomart Hosting Ltd
country: GB
inetnum: 79.142.76.0 - 79.142.77.255
netname: ALTUSHOST-SE-NET
descr: AltusHost Inc.
country: SE
Sample spamvertized URLs:
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
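As an added defender-side example, not part of Thomas's post: a small Python triage that scans combined-format web server access log lines (vhost prepended) for requests to standalone pages under /modules/Search/, the path pattern every spamvertised URL above shares, and separates the file names seen in this campaign from other anomalous hits. The log lines, host names and IPs are constructed, and the premise that a genuine CMSMS Search module serves no standalone .html/.php pages from that directory is my assumption.

```python
import re
from collections import Counter

# File names observed in the campaign URLs listed in the post.
CAMPAIGN_FILES = {"mywork.html", "bbc.html", "mysite.html", "work.html",
                  "invite.php", "reclink.php", "game.html"}

# Assumption: the genuine CMSMS Search module serves no standalone .html/.php
# pages under modules/Search/, so any such request deserves an analyst's look.
PATH_RE = re.compile(r"/modules/Search/([A-Za-z0-9_-]+\.(?:html?|php))(?:\?|$)")

# Combined log format with the virtual host prepended (constructed sample).
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"'
)

def scan_access_log(lines):
    """Return Counter {(vhost, file_name): hits} for requests matching PATH_RE."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        p = PATH_RE.search(m.group("path"))
        if p:
            hits[(m.group("vhost"), p.group(1))] += 1
    return hits

def triage(hits):
    """Split findings into campaign-known file names and other anomalous files."""
    known = {k: v for k, v in hits.items() if k[1] in CAMPAIGN_FILES}
    other = {k: v for k, v in hits.items() if k[1] not in CAMPAIGN_FILES}
    return known, other

# Constructed sample log: documentation IP ranges, invented host names.
SAMPLE_LOG = """\
www.example-cmsms.test 203.0.113.5 - - [28/Jun/2011:09:12:01 +0200] "GET /modules/Search/mywork.html HTTP/1.1" 200 512 "-"
www.example-cmsms.test 198.51.100.9 - - [28/Jun/2011:09:12:07 +0200] "GET /modules/Search/mywork.html HTTP/1.1" 200 512 "-"
www.example-cmsms.test 198.51.100.22 - - [28/Jun/2011:09:13:40 +0200] "GET /index.php?page=contact HTTP/1.1" 200 8100 "-"
shop.example-cmsms.test 192.0.2.77 - - [28/Jun/2011:09:14:02 +0200] "GET /cms/modules/Search/other.php?x=1 HTTP/1.1" 200 300 "-"
"""

if __name__ == "__main__":
    known, other = triage(scan_access_log(SAMPLE_LOG.splitlines()))
    for (vhost, name), n in known.items():
        print(f"CAMPAIGN  {vhost} {name} ({n} hits)")
    for (vhost, name), n in other.items():
        print(f"ANOMALOUS {vhost} {name} ({n} hits)")
```

Hosters with many CMSMS customers can feed their per-vhost logs through scan_access_log and follow up on each flagged site by checking whether the file actually exists in that directory.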