
Spoofing a message from XANGA - wp-local.htm

Published: 2012/06/09

Observed: 2012/6/8

Volume: 400 messages/day

Technique: lure URL in the message body

Goal: malware infection

Characteristics:

The file planted on the compromised sites is named "wp-local.htm" or "wp-config.htm".

Attacks using this type of technique are also on the rise.

With wording like this, the mail impersonates a notification that a new comment has been posted.

URLs used

From this point on, the attack is almost identical to the one seen around April.

http://puleneprobivaemye.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
http://puleneprobivaemye.ru:8080/forum/Set.jar
http://puleneprobivaemye.ru:8080/forum/data/ap2.php
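As an added example (not from the original post), a small Python filter that flags proxy-log URLs matching the two stages described above: the wp-local.htm / wp-config.htm landing page planted under wp-content/ on a compromised WordPress site, and the port-8080 /forum/ second stage with its 16-hex-digit page parameter. The hostnames, log format and SAMPLE_LOG lines are constructed; a real wp-config.php and a normal upload are included to show they are not flagged.

```python
import re
from urllib.parse import urlparse

# Stage 1: a static .htm dropped into wp-content/uploads/ or
# wp-content/themes/<theme>/ and named wp-local.htm or wp-config.htm.
LANDING_RE = re.compile(
    r"/wp-content/(?:uploads|themes/[^/]+)/wp-(?:local|config)\.htm$"
)
# Stage 2: showthread.php?page=<16 hex digits> on port 8080 under /forum/,
# followed by Set.jar and a PHP payload under /forum/data/.
PAGE_PARAM_RE = re.compile(r"page=[0-9a-f]{16}")
KIT_DATA_RE = re.compile(r"/forum/data/[^/]+\.php")


def classify_url(url: str) -> str:
    """Return 'landing', 'kit' or 'benign' for one URL."""
    p = urlparse(url)
    if LANDING_RE.search(p.path):
        return "landing"
    if p.port == 8080 and p.path.startswith("/forum/"):
        if p.path == "/forum/showthread.php" and PAGE_PARAM_RE.fullmatch(p.query):
            return "kit"
        if p.path == "/forum/Set.jar" or KIT_DATA_RE.fullmatch(p.path):
            return "kit"
    return "benign"


def scan_log(lines):
    """Yield (category, url) for every non-benign URL in proxy-style log lines."""
    url_re = re.compile(r"https?://\S+")
    for line in lines:
        for url in url_re.findall(line):
            cat = classify_url(url)
            if cat != "benign":
                yield cat, url


# Constructed proxy log lines (hostnames are placeholders, not the post's IoCs).
SAMPLE_LOG = [
    "2012-06-08T09:12:01 10.0.0.5 GET http://blog.example.com/wp-content/uploads/wp-config.htm 200",
    "2012-06-08T09:12:02 10.0.0.5 GET http://kit.example.net:8080/forum/showthread.php?page=0123456789abcdef 200",
    "2012-06-08T09:12:03 10.0.0.5 GET http://kit.example.net:8080/forum/Set.jar 200",
    "2012-06-08T09:15:44 10.0.0.7 GET http://blog.example.com/wp-content/uploads/2012/06/photo.jpg 200",
    "2012-06-08T09:16:10 10.0.0.7 GET http://blog.example.com/wp-config.php 403",
]

if __name__ == "__main__":
    for category, hit in scan_log(SAMPLE_LOG):
        print(f"{category:8} {hit}")
```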

Information about the domains.


[Category: spam observation diary]

by jyake