It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:
Given that the hacked pages all contain the string yahoolink.php, it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for “yahoolink.php” in your favourite search engine to see the scope of the problem.
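If you host on one of the affected servers, here is an added example (not from the original post) that scans a document root for pages containing the yahoolink.php string and summarises requests for it in a web access log; the combined-log layout, the sample log lines and the sample document root are constructed assumptions.

```python
import os
import re
import tempfile
from collections import Counter

INDICATOR = "yahoolink.php"  # file name of the injected pages, as named in the post
# Combined-log layout (Apache/nginx style); the exact format is an assumption.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def scan_docroot(root):
    """Return files under root named, or whose content mentions, the indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if name == INDICATOR or INDICATOR.encode() in content:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def scan_access_log(lines):
    """Count hits on the indicator per client IP and collect referers (spam origins)."""
    per_ip, referers = Counter(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or INDICATOR not in m.group("path"):
            continue  # malformed line or unrelated request
        per_ip[m.group("ip")] += 1
        if m.group("referer") != "-":
            referers.add(m.group("referer"))
    return dict(per_ip), sorted(referers)

def make_sample_docroot():  # constructed docroot: one clean page, one injected link
    root = tempfile.mkdtemp(prefix="docroot_")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Welcome</body></html>\n")
    with open(os.path.join(root, "post.html"), "w") as fh:
        fh.write('<a href="/yahoolink.php">cheap meds</a>\n')  # injected link
    return root

SAMPLE_LOG = [  # constructed sample access-log lines (not from the original post)
    '203.0.113.5 - - [10/Jun/2008:08:01:02 +0000] "GET /yahoolink.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2008:08:01:09 +0000] "GET /yahoolink.php?x=1 HTTP/1.1" 200 512 "http://webmail.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2008:08:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Run scan_docroot against your real document root and scan_access_log against your server's access log; a non-empty result from either is a reason to treat the site as compromised and to restore it from a known-good copy.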
People who click on the link get redirected through several steps:
Securvera SRL, Romania
Cover Sun Design SRL, Romania
The endpoint appears to be a standard fake pharmacy site; I couldn’t see any malicious code, but that could always change.
With Romanian hosts I recommend a one-strike policy, i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 220.127.116.11/23 and 18.104.22.168/22 will probably do no harm.