Thursday, March 06, 2008

More CNET Sites Under IFRAME Attack

Dancho Danchev:

What has changed in the past 24 hours, despite the fact that the now over 51,900 pages at zdnetasia.com continue to be indexed by search engines? The folks at ZDNet Asia have taken care of the IFRAME issue, so that such injection is no longer possible.

However, the same IPs used in this IFRAME campaign, including two newly introduced domains, have been injected and are loading at TV.com, News.com and MySimon.com, again pushing the rogue XP AntiVirus, the rogue Spyshredderscanner, as well as another fake codec, MediaTubeCodec.exe, hosted and distributed under two new domains.


Which sites are currently targeted?

ZDNet Asia - currently has 51,900 injected pages
TV.com - 49,600 locally hosted IFRAME injected pages
News.com - 167 locally hosted pages, injection is ongoing
MySimon.com - currently 4 pages, the campaign is ongoing

Which domains and IPs are behind the IFRAMEs?

do-t-h-e.com (69.50.167.166)
rx-pharmacy.cn (82.103.140.65)
m5b.info (124.217.253.6)
89.149.243.201
89.149.243.202
72.232.39.252
195.225.178.21

More here.

Notes: Hmm, let's look at this batch:

69.50.167.166: InterCage, Inc. (Concord, California)
82.103.140.65: EasySpeedy ApS (Denmark)
124.217.253.6: PIRADIUS NET (Singapore)
89.149.243.201, 89.149.243.202: netdirekt e.K. (Germany)
72.232.39.252: Layered Technologies, Inc. (Plano, Texas)
195.225.178.21: Netcat Hosting (Panama)

Looks like I have a few incident notifications to send... - ferg
