Spoofing a message from XANGA - wp-local.htm
Published: 2012/06/09
Observed: 2012/6/8
Volume: 400 messages/day
Method: lure URL in the message body
Goal: malware infection
Characteristics:
The file planted on the compromised sites is named "wp-local.htm" or "wp-config.htm" and sits under wp-content/uploads/ or wp-content/themes/esp/. Neither file is part of WordPress (the real configuration file is wp-config.php in the site root), so finding one under wp-content/ means the site has been compromised.
Attacks using this technique (compromised WordPress sites as landing pages) are also on the rise.
The message body impersonates a notification that a new comment has been posted.
URLs used

URL |
---|
http://209.15.236.194/acepo/wp-content/uploads/wp-config.htm |
http://design.fibovietnam.com/phucevent/wp-content/uploads/wp-config.htm |
http://huawei.stagingserver.com.au/wp-content/uploads/wp-config.htm |
http://insurance.gibl.in/wp-content/themes/esp/wp-local.htm |
http://soranekonikki.com/wp/wp-content/themes/esp/wp-local.htm |
http://thehifijournal.com/blog/wp-content/themes/esp/wp-local.htm |
http://www.10000mile.com/main/wp-content/themes/esp/wp-local.htm |
http://www.ballerina-to-go.com/wp-content/uploads/wp-config.htm |
http://www.blog.nimbus.de/wp-content/uploads/wp-config.htm |
http://www.blog.swdubs.co.uk/wp-content/themes/esp/wp-local.htm |
http://www.cactxsurfaces.com/wp-content/uploads/wp-config.htm |
http://www.ctchealthcare.co.uk/wp-content/themes/esp/wp-local.htm |
http://www.customjewelleryco.com.au/wp-content/themes/esp/wp-local.htm |
http://www.destinationfood.com.au/wp-content/uploads/wp-config.htm |
http://www.elita-sport.kiev.ua/wp-content/uploads/wp-config.htm |
http://www.enivoile.fr/wp-content/uploads/wp-config.htm |
http://www.inbramed.ind.br/hiperbarica/wp-content/uploads/wp-local.htm |
http://www.nosleeptillboogie.com/wp-content/uploads/wp-local.htm |
http://www.powerking.it/wp-content/uploads/wp-local.htm |
http://www.preferencecases.com/book/wp-content/themes/esp/wp-local.htm |
http://www.raywhiteonline.com/invest/wp-content/uploads/wp-local.htm |
http://www.restol.co.uk/wp-content/themes/esp/wp-local.htm |
http://www.sabrewulf.fr/blog/wp-content/themes/esp/wp-local.htm |
http://www.san-pedro.org/wordpress/wp-content/themes/esp/wp-config.htm |
http://www.saraangel.ca/wp-content/themes/esp/wp-config.htm |
http://www.textwrite.ru/idvlad/wp-content/themes/esp/wp-config.htm |
http://www.tintaverde.net/wp-content/themes/esp/wp-config.htm |
http://www.trendog.com/blog/wp-content/themes/esp/wp-config.htm |
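A way to turn the indicator above into a check, as an added example that is not code from the original post: it flags URLs by the path pattern the list shows (any theme directory name is accepted, a generalisation of the single `esp` directory seen here), pulls lure URLs out of a message body, and scans a WordPress tree for the dropped files. The sample mail text and the directory tree the demo builds are constructed, not taken from the campaign.

```python
# Added example (not code from the original post): flag the campaign's lure URLs
# by the path pattern the post documents, and locate the dropped files on a
# WordPress host. Sample inputs below are constructed.
import os
import re
import tempfile
from typing import List, Set
from urllib.parse import urlparse

# Pattern from the post: wp-local.htm or wp-config.htm placed under
# wp-content/uploads/ or wp-content/themes/<theme>/. The post's URLs all use a
# theme directory named "esp"; the regex allows any theme name (a generalisation).
LURE_PATH = re.compile(r"/wp-content/(?:uploads|themes/[^/]+)/wp-(?:local|config)\.htm$")
DROPPED_NAMES = {"wp-local.htm", "wp-config.htm"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_lure_url(url: str) -> bool:
    """Return True if the URL matches the campaign's landing-page pattern."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return LURE_PATH.search(parsed.path) is not None


def extract_lure_urls(mail_body: str) -> List[str]:
    """Pull every http(s) URL out of a message body and keep the matching ones."""
    return [u for u in URL_RE.findall(mail_body) if is_lure_url(u)]


def lure_hosts(urls) -> Set[str]:
    """Hostnames to block at the proxy or hunt for in proxy/DNS logs."""
    return {urlparse(u).hostname for u in urls if is_lure_url(u)}


def find_dropped_files(wp_root: str) -> List[str]:
    """Walk a WordPress install and return every wp-local.htm / wp-config.htm
    found below a wp-content directory. WordPress ships neither file (its
    configuration is wp-config.php in the site root), so any hit is planted."""
    hits = []
    for dirpath, _dirs, files in os.walk(wp_root):
        parts = os.path.normpath(dirpath).split(os.sep)
        if "wp-content" not in parts:
            continue
        hits.extend(os.path.join(dirpath, f) for f in files if f in DROPPED_NAMES)
    return sorted(hits)


# Constructed sample message: the wording is made up, the post does not quote the mail.
SAMPLE_MAIL = """\
A new comment was posted on your Xanga site.
Read it here: http://www.powerking.it/wp-content/uploads/wp-local.htm
Photos are at http://example.org/wp-content/uploads/2012/06/pic.jpg
"""


def demo_scan() -> List[str]:
    """Build a throwaway WordPress-like tree (constructed) with one planted file
    and two legitimate files, scan it, and return hits relative to the root."""
    root = tempfile.mkdtemp()
    for rel in ("wp-content/themes/esp/wp-local.htm", "wp-config.php",
                "wp-content/uploads/2012/06/pic.jpg"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_dropped_files(root)]


if __name__ == "__main__":
    found = extract_lure_urls(SAMPLE_MAIL)
    print(found)
    print(lure_hosts(found))
    print(demo_scan())
```

The regex is anchored on the file name and the two parent directories rather than on hostnames, because the hosts in the list are ordinary compromised sites that change from day to day while the dropped file names stayed constant across the observed URLs; run `find_dropped_files` against the document root of any WordPress install you administer.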
The rest of the attack chain is almost identical to what was seen around April. The stages that follow the landing page are hosted on puleneprobivaemye.ru:8080:

http://puleneprobivaemye.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
http://puleneprobivaemye.ru:8080/forum/Set.jar
http://puleneprobivaemye.ru:8080/forum/data/ap2.php
Information on the domains hosting the landing pages.

domain | IP | reverse DNS | AS | AS name | country |
---|---|---|---|---|---|
209.15.236.194 | 209.15.236.194 | NONE | 13768 | PEER1_-_Peer_1_Network_Inc. | UnitedStates |
design.fibovietnam.com | 118.69.199.13 | server13.fibo.vn. | 18403 | FPT-AS-AP_The_Corporation_for_Financing_&_Promoting_Technology | Vietnam |
huawei.stagingserver.com.au | 173.236.38.146 | rudder.captainsoft.com. | 32475 | SINGLEHOP-INC_-_SingleHop | UnitedStates |
insurance.gibl.in | 115.112.191.106 | 115.112.191.106.static-idc-hyderabad.vsnl.net.in. | 4755 | TATACOMM-AS_TATA_Communications_formerly_VSNL_is_Leading_ISP | India |
soranekonikki.com | 210.172.144.27 | lb06.virt.lolipop.jp. | 7506 | INTERQ_GMO_InternetInc | Japan |
thehifijournal.com | 77.92.73.4 | NONE | 13213 | UK2NET-AS_UK-2_Ltd_Autonomous_System | UnitedKingdom |
www.10000mile.com | 203.150.8.121 | 203-150-8-121.inter.net.th. | 4618 | INET-TH-AS_Internet_Thailand_Company_Limited | Thailand |
www.ballerina-to-go.com | 80.237.133.12 | wp243.webpack.hosteurope.de. | 20773 | HOSTEUROPE-AS_Host_Europe_GmbH | Germany |
www.blog.nimbus.de | 85.236.42.252 | skip-intro.net. | 15456 | INTERNETX-AS_InterNetX_GmbH | Germany |
www.blog.swdubs.co.uk | 173.254.28.93 | just93.justhost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | UnitedStates |
www.cactxsurfaces.com | 74.208.194.114 | portallabs.com. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates |
www.ctchealthcare.co.uk | 184.106.55.11 | NONE | 19994 | RACKSPACE_-_Rackspace_Hosting | UnitedStates |
www.customjewelleryco.com.au | 202.124.241.200 | zeus.netregistry.net. | 24446 | NETREGISTRY-AS-AP_NetRegsitry_Pty_Ltd. | Australia |
www.destinationfood.com.au | 69.194.195.176 | cp2.ssl1.us. | 14670 | SOLAR-VPS_-_Solar_VPS | UnitedStates |
www.elita-sport.kiev.ua | 72.55.178.196 | ip-72-55-178-196.static.privatedns.com. | 32613 | IWEB-AS_-_iWeb_Technologies_Inc. | Canada |
www.enivoile.fr | 217.16.9.102 | mrs53.hosteur.com. | 48809 | ABCONNECT_AB_CONNECT | France |
www.inbramed.ind.br | 204.3.26.64 | www.inbramed.ind.br. | 2914 | NTT-COMMUNICATIONS-2914_-_NTT_America_Inc. | UnitedStates |
www.nosleeptillboogie.com | 184.172.189.63 | 184.172.189.63-static.reverse.softlayer.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates |
www.powerking.it | 188.165.225.223 | ns212641.ovh.net. | 16276 | OVH_OVH_Systems | France |
www.preferencecases.com | 98.138.19.88 | p8p.geo.vip.ne1.yahoo.com. | 36646 | YAHOO-NE1_-_Yahoo | UnitedStates |
www.raywhiteonline.com | 113.20.9.121 | server1.dtrade.net.au. | 24557 | AUSSIEHQ-AS-AP_AussieHQ_Pty_Ltd | Australia |
www.restol.co.uk | 99.198.109.18 | web10.justhost.com. | 32475 | SINGLEHOP-INC_-_SingleHop | UnitedStates |
www.sabrewulf.fr | 109.234.160.11 | jen.o2switch.net. | 50474 | O2SWITCH_o2switch_SARL | France |
www.san-pedro.org | 62.149.140.177 | webx167.aruba.it. | 31034 | ARUBA-ASN_Aruba_S.p.A._-_Network | Italy |
www.saraangel.ca | 64.13.192.153 | acmkokecqm.gs01.gridserver.com. | 31815 | MEDIATEMPLE_-_Media_Temple_Inc. | UnitedStates |
www.textwrite.ru | 188.65.211.15 | vh5.radiushost.ru. | 6719 | KNOPP-AS_Limited_Liability_Company_KNOPP | RussianFederation |
www.tintaverde.net | 67.23.240.127 | smx12.hostdime.com.mx. | 33182 | DIMENOC---HOSTDIME_-_HostDime.com_Inc. | UnitedStates |
www.trendog.com | 69.65.10.232 | server308.webhostingpad.com. | 32181 | ASN-GIGENET_-_GigeNET | UnitedStates |
by jyake