BBB - company.html
Published: 2012/02/18
Observation date: 2/17 (one day only)
Message count: 596
The BBB lure has shown up before, and it keeps being reused.
Better Business Bureau - CVE-2011-3544
The basic technique is the same, but they keep making subtle changes, including to the contents of the attack.
The message text looks like this:
The links look like this; this time the distinguishing feature is "company.html":
http://andletmedance.net/wp-includes/company.html
The contents of company.html look like this:
The script portion decodes to this:
When the link is clicked, an image like this is displayed,
while in the background a different site is accessed:
http://synergyledlighting.net/main.php?page=d3XXXXXXXXXXX
The contents of the file are as follows.
From here on it is the same as before.
Downloaded files:
jav.jar
(0/43) Yesterday it was (1/43)...
obe.jar
(2/43) This one has dropped too.
w.php?f=61&e=6
(12/43)
Domains used in the links in the message text. Mostly US.
Example of an attack-site domain. Registered just before the attack.
Domain Name: SYNERGYLEDLIGHTING.NET
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Name Server: NS1.GRAPECOMPUTERS.NET
Name Server: NS1.HIRING-DECISIONS.COM
Status: clientTransferProhibited
Updated Date: 15-feb-2012
Creation Date: 07-feb-2012
Expiration Date: 07-feb-2013

115.249.190.46
inetnum: 115.249.0.0 - 115.249.255.255
netname: RCOM-Static-DIA
country: IN
descr: RCOM-Static-DIA
admin-c: AH406-AP
tech-c: AH406-AP
status: ASSIGNED NON-PORTABLE
changed: antiabuse.support@relianceada.com 20101022
mnt-by: MAINT-IN-SN
source: APNIC
India, then.
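As an added example (not part of the original post), a small Python check that pulls the Creation Date out of a whois record like the one above and flags a domain that was registered only days before the observed campaign. The whois text, the observation date and the 30-day threshold are constructed here to mirror this post; real whois output varies by registrar.

```python
import re
from datetime import date, datetime

# Constructed sample: the whois record quoted in this post, flattened to one
# string the way the blog shows it (assumption: only the fields we need).
WHOIS_TEXT = (
    "Domain Name: SYNERGYLEDLIGHTING.NET Registrar: NETWORK SOLUTIONS, LLC. "
    "Status: clientTransferProhibited Updated Date: 15-feb-2012 "
    "Creation Date: 07-feb-2012 Expiration Date: 07-feb-2013 "
    "inetnum: 115.249.0.0 - 115.249.255.255 country: IN source: APNIC"
)

# Date layouts seen in registrar output: the "dd-mon-yyyy" style used in this
# post plus ISO forms (assumption: extend for other registrars).
_DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ")


def parse_whois_field(text, field):
    """Return the first token after 'field:' (e.g. 'Creation Date'), or None."""
    m = re.search(re.escape(field) + r":\s*(\S+)", text, re.IGNORECASE)
    return m.group(1) if m else None


def parse_whois_date(value):
    """Try each known layout; strptime's %b accepts 'feb' case-insensitively."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None


def domain_age_days(text, observed_iso):
    """Days between the domain's Creation Date and the observation date."""
    created = parse_whois_date(parse_whois_field(text, "Creation Date") or "")
    if created is None:
        return None
    return (date.fromisoformat(observed_iso) - created).days


def is_freshly_registered(text, observed_iso, max_age_days=30):
    """True when the domain was created within max_age_days before observation."""
    age = domain_age_days(text, observed_iso)
    return age is not None and 0 <= age <= max_age_days


if __name__ == "__main__":
    # The post observed the campaign on 2012-02-17; creation was 07-feb-2012.
    print(domain_age_days(WHOIS_TEXT, "2012-02-17"))        # 10
    print(is_freshly_registered(WHOIS_TEXT, "2012-02-17"))  # True
```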
by jyake