The Latest in IT Security

yahlink.php / DreamHost hack


Almost identical in every way to this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.

It isn’t just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.

In this case, the spammed link directs to which is hosted on which appears to be iomart Hosting Ltd in the UK. All the sites on that server appear to have fake registrant details, so you can assume that they are bogus:

Users are then directed to another host in Romania, which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire range and you can safely block access to the entire lot.

The final step is to a host called hosted on which looks like a broadband connection in the Czech Republic. The site isn’t loading for me, but I guess it’s just pharma spam. These other sites are hosted on the same server:

Dreamhost have been informed of the issue but don’t appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:

...although blocking access to the Romanian block would also pretty much achieve the same thing without blocking access to any legitimate sites that might be on Dreamhost.
