by robertmoore
about 1 year ago

Recently dealing with a similar issue.

A few different things on this...

One: it appears to affect older WordPress installs.
It's also a link injection that appends code to the end of files specifically named index.php.

It also looks for body tags and appends a line at that level.

It is a link injection, meaning they don't have FTP or root access to the site.

We are still investigating this issue and as more information is available we will post it for you.

Added…

Couple of things to note..

The website that it tries to shoot you to, and its registration information:

Domain Name: shopmovielife.cn
ROID: 20081007s10001s46382980-cn
Domain Status: clientTransferProhibited
Registrant Organization: Scott Bell
Registrant Name: Scott Bell
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostway.com
Name Server:ns2.freednshostway.com
Registration Date: 2008-10-07 04:53
Expiration Date: 2009-10-07 04:53

Then freednshostway.com [their possible provider]:
Whois Record for Freednshostway.com (Free Dns Hostway)

Indexed Data
Alexa Trend/Rank: #4,680,283: Up 31,979 ranks over the last three months.

Registry Data
ICANN Registrar: ONLINENIC, INC.
Created: 2009-02-19
Expires: 2010-02-19
Updated: 2009-05-10
Registrar Status: ok
Name Server: NS1.FREEDNSHOSTWAY.COM (has 3 domains)
Name Server: NS2.FREEDNSHOSTWAY.COM (has 3 domains)
Whois Server: whois.onlinenic.com

Server Data
IP Address: 95.129.144.210
IP Location – United Kingdom – Ventrex Llp Customers
Response Code:
Domain Status: Registered And Active Website

DomainTools Exclusive
Registrant Search: “Pavel Eroshkin” owns about 439 other domains
Registrar History: 1 registrar
NS History: 2 changes on 3 unique name servers over 0 year.
IP History: 2 changes on 3 unique name servers over 0 years.
Whois History: 9 records have been archived since 2009-02-20.
Reverse IP: 1 other site is hosted on this server.

Whois Record
Registrant:
Pavel Eroshkin +7.8464331773
Pavel Eroshkin
50 Let Oktyabrya str. d.69 kv.46
Syzran,Samarskaya,RU 446000

Domain Name:freednshostway.com
Record last updated at 2009-05-10 13:54:49
Record created on 2009/2/19
Record expired on 2010/2/19

Domain servers in listed order:
ns1.freednshostway.com ns2.freednshostway.com

Administrator:
Pavel Eroshkin +7.8464331773
Pavel Eroshkin
50 Let Oktyabrya str. d.69 kv.46
Syzran,Samarskaya,RU 446000

Technical Contactor:
Pavel Eroshkin +7.8464331773
Pavel Eroshkin
50 Let Oktyabrya str. d.69 kv.46
Syzran,Samarskaya,RU 446000

Billing Contactor:
Pavel Eroshkin +7.8464331773
Pavel Eroshkin
50 Let Oktyabrya str. d.69 kv.46
Syzran,Samarskaya,RU 446000

Registration Service Provider:
name: dnregistrar.ru
tel: +7.4955041111
fax: +7.4955041111
web:http://www.dnregistrar.ru

FreeDNShostway seems bogus; odds are it's just a web front to catch abuse emails before sending them on to the actual provider.

The owner of the last recorded IP for that server is:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 95.0.0.0 – 95.255.255.255
CIDR: 95.0.0.0/8
NetName: 95-RIPE
NetHandle: NET-95-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2007-07-30
Updated: 2009-05-18

Also we already submitted an abuse report to them.
--------------------------------------------------------------
Robert Moore
Senior Technician
Digital Insights
http://www.digitalinsights.biz
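
The post above describes two symptoms (extra markup appended to the end of index.php files, and a line inserted right after the body tag) and names the domain the injected links point at. The script below is an added example, not code from the original post or from Digital Insights, that scans a web root for exactly those two symptoms. What it assumes, beyond what the post says: that the injected markup references one of the domains from the WHOIS records in the thread, that the appended code sits after the file's closing `</html>`, and that the body-level line carries an off-site link. The sample files it builds are constructed for the demo, not captured from a real site.

```python
"""Scan a web root for the index.php link injection described above.

Added example; not code from the original post.  Assumptions not stated on
the page: the injected markup references the domains from the post's WHOIS
records, sits after the file's closing </html>, or is an extra line with an
off-site link right after the <body ...> tag.
"""
import os
import re
import tempfile

# Domains taken from the WHOIS records quoted in the post.
SUSPECT_DOMAINS = ("shopmovielife.cn", "freednshostway.com")

_BODY_RE = re.compile(r"<body\b[^>]*>", re.IGNORECASE)
_LINK_RE = re.compile(r"<a\s[^>]*href\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.IGNORECASE)
_HTML_END_RE = re.compile(r"</html>", re.IGNORECASE)


def findings_for(text, own_host):
    """Return [(reason, evidence), ...] for the content of one index.php."""
    out = []
    lowered = text.lower()
    for domain in SUSPECT_DOMAINS:
        if domain in lowered:
            out.append(("suspect-domain", domain))

    # Case 1 from the post: code appended to the end of the file.  Only files
    # that contain </html> are checked, because WordPress template files
    # legitimately carry HTML after their last ?> tag.
    ends = list(_HTML_END_RE.finditer(text))
    if ends:
        tail = text[ends[-1].end():].strip()
        if tail:
            out.append(("trailing-content", tail[:80]))

    # Case 2 from the post: a line inserted at <body> level.  Look at the
    # remainder of the <body> line and the line after it for an off-site link.
    for bm in _BODY_RE.finditer(text):
        window = "\n".join(text[bm.end():].split("\n", 2)[:2])
        for lm in _LINK_RE.finditer(window):
            host = lm.group(1).split("/")[2].lower()
            if host != own_host.lower():
                out.append(("link-after-body", lm.group(1)))
    return out


def scan(root, own_host):
    """Walk root and return {path: findings} for every flagged index.php."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if "index.php" in files:
            path = os.path.join(dirpath, "index.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = findings_for(fh.read(), own_host)
            if found:
                hits[path] = found
    return hits


# Constructed sample files, not captured from a real compromised site.
CLEAN = ('<?php get_header(); ?>\n<html><body class="home">\n'
         '<p>Hello</p>\n<a href="http://example.com/about">About</a>\n'
         '</body></html>\n')
INJECTED = ('<?php get_header(); ?>\n<html><body class="home">\n'
            '<a href="http://shopmovielife.cn/" style="display:none">x</a>\n'
            '<p>Hello</p>\n</body></html>\n'
            '<iframe src="http://shopmovielife.cn/" width="0"></iframe>\n')


def demo():
    """Build a throwaway web root with one clean and one injected index.php."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "t")
    os.makedirs(theme)
    with open(os.path.join(theme, "index.php"), "w") as fh:
        fh.write(CLEAN)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(INJECTED)
    return scan(root, "example.com")


if __name__ == "__main__":
    for path, found in demo().items():
        print(path)
        for reason, evidence in found:
            print("  ", reason, evidence)
```

Run it against a real document root by calling `scan("/home/user/public_html", "yourdomain.tld")`; the `own_host` argument is what keeps the site's own links after the body tag from being reported. A hit on `trailing-content` alone can be a benign stray newline or comment, so read the quoted evidence before cleaning.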

by robertmoore
about 1 year ago

Two things to note from the hosting provider side.

You need to make sure these entries are disabled in the /usr/local/lib/php.ini file.
============
root@web01 [~]# grep register_globals /usr/local/lib/php.ini
register_globals = Off

root@web01 [~]# grep allow_url_fopen /usr/local/lib/php.ini
allow_url_fopen = Off
============

The lines above show you how to check.

They should both be Off.

--------------------------------------------------------------

Also, the default install of mod_security prevents this attack from crossing to multiple users.
Robert Moore
Senior Technician
Digital Insights
http://www.digitalinsights.biz
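
The grep commands in the post above print every line that mentions the directive, including a commented-out `;register_globals = On`, and they print nothing at all when a directive is simply absent, in which case PHP's built-in default applies (Off for register_globals, On for allow_url_fopen). The script below is an added example, not code from the original post or from Digital Insights, that reads php.ini the way PHP does (comments stripped, last assignment wins, absent directives filled with their defaults) and reports which of the two directives is still effectively on. The php.ini fragments it checks are constructed for the demo, not copied from any real server.

```python
"""Check php.ini for the two directives the post says must be Off.

Added example; not code from the original post.  It reads the file the same
way PHP does (';' starts a comment, later lines win), so a commented-out
";register_globals = On" line, which a plain grep would still print, is
ignored, and a directive that is absent is reported at PHP's built-in default.
"""

# Directive -> PHP's default when the directive is absent from php.ini
# (register_globals defaults to Off, allow_url_fopen defaults to On).
MUST_BE_OFF = {"register_globals": "0", "allow_url_fopen": "1"}

_TRUE_VALUES = ("1", "on", "true", "yes")   # PHP's boolean ini spellings


def parse_php_ini(text):
    """Return {directive: value} with PHP's precedence: later lines win."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":      # blank, comment or [section]
            continue
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.split(";", 1)[0].strip().strip('"')   # drop trailing comment/quotes
        values[key.strip().lower()] = val
    return values


def is_on(value):
    """True for any spelling PHP treats as a boolean 'on'."""
    return value.strip().lower() in _TRUE_VALUES


def insecure_directives(ini_text):
    """Return {directive: effective value} for every MUST_BE_OFF entry that is on."""
    values = parse_php_ini(ini_text)
    bad = {}
    for name, default in MUST_BE_OFF.items():
        present = name in values
        effective = values[name] if present else default
        if is_on(effective):
            bad[name] = effective if present else default + " (absent, PHP default)"
    return bad


# Constructed php.ini fragments, not copied from any real server.
# A plain grep would print both register_globals lines here and would say
# nothing about allow_url_fopen, which is therefore on by default.
INI_LOOKS_OK_TO_GREP = """\
[PHP]
;register_globals = On
register_globals = Off
; allow_url_fopen is not set here at all
"""

INI_HARDENED = """\
[PHP]
register_globals = Off
allow_url_fopen = Off   ; no remote includes via fopen wrappers
"""


if __name__ == "__main__":
    print(insecure_directives(INI_LOOKS_OK_TO_GREP))
    print(insecure_directives(INI_HARDENED))
```

To check a live server rather than a file, feed it `open("/usr/local/lib/php.ini").read()`, and confirm the running value with `php -i | grep -E 'register_globals|allow_url_fopen'`, since register_globals can also be switched back on per directory with a `php_flag` line in httpd.conf or an .htaccess file.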

by anirban
about 1 year ago

All good points. :-)

-A

Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
www.stopthehacker.com
Jaal: Protecting the Internet, one website at a time™
