Almost identical in every way to this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.
It isn’t just Dreamhost-hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.
In this case, the spammed link directs to krokodilius8.com/gosem11.php, which is hosted on 184.108.40.206, an address that appears to belong to iomart Hosting Ltd in the UK. All the sites on that server appear to have fake registrant details, so you can assume that they are bogus:
Users are then directed to another host in Romania, 220.127.116.11, which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 18.104.22.168/17 range and you can safely block access to the entire lot.
The final step is to a host called drugstorehealthrisks.net, hosted on 22.214.171.124, which looks like a broadband connection in the Czech Republic. The site isn’t loading for me, but I guess it’s just pharma spam. These other sites are hosted on the same server:
Dreamhost have been informed of the issue but don’t appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:
...although blocking access to the Romanian 126.96.36.199/17 block would also pretty much achieve the same thing without blocking access to any legitimate sites that might be on Dreamhost.
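One way to check web proxy logs for the redirect chain described above, as an added example that is not part of the original post. The log layout (`timestamp client_ip dest_ip url`) and the sample lines are assumptions constructed for illustration; the page names, hostnames and /17 ranges are the ones given in the post.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the post.
LANDING_PAGES = {"yahlink.php", "yahoolink.php"}
REDIRECT_HOSTS = {"krokodilius8.com", "drugstorehealthrisks.net"}
# The post writes each range as a host address plus /17; strict=False
# normalises that to the enclosing network (e.g. 18.104.0.0/17).
BLOCKED_NETS = [ipaddress.ip_network(n, strict=False)
                for n in ("18.104.22.168/17", "126.96.36.199/17")]
HOST_SUFFIXES = tuple("." + h for h in REDIRECT_HOSTS)

def classify(line):
    """Return the reasons a log line matches the campaign, [] if it is clean."""
    fields = line.split(maxsplit=3)
    if len(fields) != 4:          # malformed line: nothing to judge
        return []
    _ts, _client, dest_ip, url = fields
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    page = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if page in LANDING_PAGES:     # injected page on a compromised site
        reasons.append("landing-page")
    if host in REDIRECT_HOSTS or host.endswith(HOST_SUFFIXES):
        reasons.append("redirect-host")
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        addr = None
    if addr is not None and any(addr in net for net in BLOCKED_NETS):
        reasons.append("blocked-range")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every matching line."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, r) for n, r in hits if r]

# Constructed sample log lines (hosts and addresses are made up).
SAMPLE_LOG = [
    "2000-01-01T09:14:02Z 10.0.0.21 192.0.2.10 http://compromised.example/wp/yahlink.php",
    "2000-01-01T09:14:03Z 10.0.0.21 198.51.100.7 http://krokodilius8.com/gosem11.php",
    "2000-01-01T09:14:04Z 10.0.0.21 18.104.90.5 http://pills.example/",
    "2000-01-01T09:15:00Z 10.0.0.30 203.0.113.9 http://news.example/index.php",
    "2000-01-01T09:15:20Z 10.0.0.30 18.104.200.5 http://other.example/",  # outside the /17
]

if __name__ == "__main__":
    for line_no, reasons in scan(SAMPLE_LOG):
        print(line_no, ",".join(reasons))
```

A client that shows the landing-page hit followed by the redirect host within a few seconds has followed the spammed link rather than merely received it.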